Setting up a NIDS

Hands-On Lab

Michael Christian

Course Development Director in Content

Length

01:30:00

Difficulty

Advanced

In this hands-on lab, you will set up Snort as a NIDS and have it alert, via a log, on any traffic (bi-directional) to Server2. Likewise, it should also alert on any incoming web requests (port 80). Developing an understanding of a NIDS is fundamental to becoming familiar with the role it plays in network security.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Setting up a NIDS

Solution

  1. Begin by logging in to the lab server using the credentials provided on the hands-on lab page:

    ssh cloud_user@PUBLIC_IP_ADDRESS
  2. Become the root user:

    sudo su -

Install Snort on Server1

  1. You'll need to install EPEL to be able to install the dependency libdnet:

    yum install -y epel-release
    yum install libdnet
  2. Now you can install Snort DAQ (data acquisition) by pulling the RPM direct from snort.org:

    yum install https://www.snort.org/downloads/archive/snort/daq-2.0.6-1.f21.x86_64.rpm
  3. Then install Snort itself in a similar manner:

    yum install https://www.snort.org/downloads/archive/snort/snort-2.9.9.0-1.centos7.x86_64.rpm
  4. Finally, create the following symlink:

    ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

Configure Snort

  1. Modify the SO_RULE_PATH and PREPROC_RULE_PATH in /etc/snort/snort.conf, then comment out the variables WHITE_LIST_PATH and BLACK_LIST_PATH as follows:

    vim /etc/snort/snort.conf
    # Path to your rules files (this can be a relative path)
    # Note for Windows users:  You are advised to make this an absolute path,
    # such as:  c:\snort\rules
    var RULE_PATH  /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    
    # If you are using reputation preprocessor set these
    # Currently there is a bug with relative paths, they are relative to where snort is
    # not relative to snort.conf like the above variables
    # This is completely inconsistent with how other vars work, BUG 89986
    # Set the absolute path appropriately
    #var WHITE_LIST_PATH /etc/snort/rules
    #var BLACK_LIST_PATH /etc/snort/rules
  2. Move down to Step #6 in the configuration file. Just above that, comment out the Reputation Preprocessor lines as follows:

    #preprocessor reputation: \
    #   memcap 500, \
    #   priority whitelist, \
    #   nested_ip inner, \
    #   whitelist $WHITE_LIST_PATH/white_list.rules, \
    #   blacklist $BLACK_LIST_PATH/black_list.rules
  3. A few lines beneath that, uncomment unified logging:

    # Additional configuration for specific types of installs
    # output alert_unified2: filename snort.alert, limit 128, nostamp
    output log_unified2: filename snort.log, limit 128, nostamp
  4. Finally, move down to Step #7 and either comment out or delete all of the includes under Step #7. Add include $RULE_PATH/local.rules. Step #7 in the config file should look like this:

    ###################################################
    # Step #7: Customize your rule set
    # For more information, see Snort Manual, Writing Snort Rules
    #
    # NOTE: All categories are enabled in this conf file
    ###################################################
    
    # site specific rules
    include $RULE_PATH/local.rules
  5. Create the local.rules file:

    touch /etc/snort/rules/local.rules
  6. Fix the Dynamic Rules path (not created by RPM):

    mkdir -p /usr/local/lib/snort_dynamicrules
    chown -R snort:snort /usr/local/lib/snort_dynamicrules
    chmod -R 700 /usr/local/lib/snort_dynamicrules
  7. Validate the configuration:

    snort -T -c /etc/snort/snort.conf
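The edits above are easy to get subtly wrong by hand (a continuation line of the reputation block left uncommented, or a stray include still pointing at a rules file that the RPM never shipped). The following Python script is an added example, not part of this lab or of the Snort project: it applies the same edits programmatically to a constructed fragment of snort.conf (assumed to mirror the stock file's layout, including the backslash-continued `preprocessor reputation:` block) and reports which lines Snort would still parse afterwards.

```python
import re

# Constructed fragment of a stock snort.conf; only the lines the lab's
# "Configure Snort" steps touch are included (assumed layout, not the full file).
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules

# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# Step #7: Customize your rule set
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
"""


def set_var(conf, name, value):
    """Rewrite 'var NAME <old>' to 'var NAME <value>'; fail loudly if NAME is absent."""
    pattern = re.compile(rf'^var {re.escape(name)}\s+.*$', re.M)
    if not pattern.search(conf):
        raise ValueError(f'var {name} not found in snort.conf fragment')
    return pattern.sub(f'var {name} {value}', conf)


def comment_var(conf, name):
    """Comment out a 'var NAME ...' line without deleting it."""
    return re.sub(rf'^(var {re.escape(name)}\s)', r'#\1', conf, flags=re.M)


def comment_directive(conf, prefix):
    """Comment out a directive together with all of its backslash-continued lines."""
    out, continued = [], False
    for line in conf.splitlines():
        if continued or line.startswith(prefix):
            out.append('#' + line)
            continued = line.rstrip().endswith('\\')  # next line belongs to the block
        else:
            out.append(line)
    return '\n'.join(out) + '\n'


def enable_unified2_log(conf):
    """Uncomment the log_unified2 output line (alert_unified2 stays commented)."""
    return re.sub(r'^#\s*(output log_unified2:)', r'\1', conf, flags=re.M)


def restrict_includes(conf, keep='$RULE_PATH/local.rules'):
    """Comment out every include except the kept one; append it if it is missing."""
    out, seen = [], False
    for line in conf.splitlines():
        if line.startswith('include '):
            target = line.split(None, 1)[1].strip()
            if target == keep:
                seen = True
                out.append(line)
            else:
                out.append('#' + line)
        else:
            out.append(line)
    if not seen:
        out.append(f'include {keep}')
    return '\n'.join(out) + '\n'


def configure(conf):
    """Apply the lab's snort.conf edits in order and return the new text."""
    conf = set_var(conf, 'SO_RULE_PATH', '/etc/snort/so_rules')
    conf = set_var(conf, 'PREPROC_RULE_PATH', '/etc/snort/preproc_rules')
    for name in ('WHITE_LIST_PATH', 'BLACK_LIST_PATH'):
        conf = comment_var(conf, name)
    conf = comment_directive(conf, 'preprocessor reputation:')
    conf = enable_unified2_log(conf)
    return restrict_includes(conf)


def active_lines(conf):
    """Non-empty, uncommented lines: what Snort will actually parse."""
    return [l for l in conf.splitlines() if l.strip() and not l.lstrip().startswith('#')]
```

Run `configure()` over the real file and then `snort -T -c` on the result; the `active_lines()` view is a quick way to confirm, before starting the daemon, that no reputation or list-path reference survived and that `local.rules` is the only include left.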

Create local rules

  1. Now we can create the local rules we need by modifying the /etc/snort/rules/local.rules file:

    vim /etc/snort/rules/local.rules
  2. Add the following entries:

    alert tcp 10.0.4.10 any <> $HOME_NET any (msg:"BAD ACTOR CONNECTION"; sid:10000001; rev:001;)
    alert tcp any any -> $HOME_NET 80 (msg:"Incoming web request"; sid:10000002; rev:001;)
  3. Validate the configuration:

    snort -T -c /etc/snort/snort.conf
  4. Start the service:

    systemctl start snortd
  5. Test the first rule:

    curl 10.0.4.10
  6. Test the second rule from Client1 (10.0.2.11):

    curl 10.0.1.10
  7. Look in the snort alert logs on Server1:

    cat /var/log/snort/alert
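Reading the alert file by eye works for two rules; once local.rules grows, you want to confirm mechanically that every rule has a unique sid in the local range (1,000,000 and above, since lower sids are reserved), that both rules actually fired, and that the bi-directional rule caught both halves of the conversation. The script below is an added example, not part of this lab or of Snort: it parses the two lab rules and a constructed sample of /var/log/snort/alert in Snort's "full" text format. The addresses are assumed from the lab's commands (Server1 10.0.1.10, Server2 10.0.4.10, Client1 10.0.2.11), and the packet-detail lines are constructed.

```python
import re
from collections import Counter

# Constructed copy of the two rules the lab writes to /etc/snort/rules/local.rules.
LOCAL_RULES = """\
alert tcp 10.0.4.10 any <> $HOME_NET any (msg:"BAD ACTOR CONNECTION"; sid:10000001; rev:001;)
alert tcp any any -> $HOME_NET 80 (msg:"Incoming web request"; sid:10000002; rev:001;)
"""

# Constructed sample of /var/log/snort/alert (Snort "full" text format). Addresses are
# assumed from the lab: Server1 10.0.1.10, Server2 10.0.4.10, Client1 10.0.2.11.
ALERT_LOG = """\
[**] [1:10000001:1] BAD ACTOR CONNECTION [**]
[Priority: 0]
04/02-14:03:11.412563 10.0.1.10:51122 -> 10.0.4.10:80
TCP TTL:64 TOS:0x0 ID:23111 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5A1B2C3D  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:10000001:1] BAD ACTOR CONNECTION [**]
[Priority: 0]
04/02-14:03:11.412911 10.0.4.10:80 -> 10.0.1.10:51122
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x1F2E3D4C  Ack: 0x5A1B2C3E  Win: 0x7120  TcpLen: 40

[**] [1:10000002:1] Incoming web request [**]
[Priority: 0]
04/02-14:05:40.002301 10.0.2.11:40210 -> 10.0.1.10:80
TCP TTL:64 TOS:0x0 ID:9981 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0C0D0E0F  Ack: 0x0  Win: 0x7210  TcpLen: 40
"""

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
HDR_RE = re.compile(r'^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*) \[\*\*\]$')
PKT_RE = re.compile(r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)(?::(?P<sport>\d+))?'
                    r' -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$')


def parse_rules(text):
    """Parse rule lines into dicts. Options are split on ';', which is enough for the
    lab's rules; a msg containing ';' would need a real option tokenizer."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line}')
        opts = {}
        for opt in m['opts'].split(';'):
            if opt.strip():
                key, _, val = opt.partition(':')
                opts[key.strip()] = val.strip().strip('"')
        rule = {k: m[k] for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
        rule.update(sid=int(opts['sid']), rev=int(opts.get('rev', '1')), msg=opts.get('msg', ''))
        rules.append(rule)
    return rules


def check_local_sids(rules):
    """Local rules need unique sids of 1,000,000 or more; return a list of violations."""
    problems = []
    for sid, n in Counter(r['sid'] for r in rules).items():
        if n > 1:
            problems.append(f'sid {sid} used {n} times')
        if sid < 1000000:
            problems.append(f'sid {sid} is in the reserved range')
    return problems


def parse_alerts(text):
    """Parse full-format alerts: the [**] header gives gid:sid:rev and msg, the
    timestamp line gives endpoints; ports are optional so ICMP entries still parse."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            cur = {'sid': int(m['sid']), 'rev': int(m['rev']), 'msg': m['msg']}
            alerts.append(cur)
            continue
        m = PKT_RE.match(line)
        if m and cur is not None:
            cur.update(ts=m['ts'], src=m['src'], dst=m['dst'],
                       sport=int(m['sport']) if m['sport'] else None,
                       dport=int(m['dport']) if m['dport'] else None)
    return alerts


def summarize(rules, alerts):
    """Hit count per sid, rules that never fired, and alert sids not defined locally."""
    by_sid = {r['sid']: r for r in rules}
    hits = Counter(a['sid'] for a in alerts)
    return {'hits': dict(hits),
            'never_fired': sorted(sid for sid in by_sid if sid not in hits),
            'unknown_sids': sorted({a['sid'] for a in alerts if a['sid'] not in by_sid})}
```

Point `parse_rules` at the contents of /etc/snort/rules/local.rules and `parse_alerts` at /var/log/snort/alert on Server1 after running the two curl tests; an empty `never_fired` list confirms both rules triggered, and the two `BAD ACTOR CONNECTION` entries with swapped source and destination show the `<>` operator working in both directions.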

Conclusion

Congratulations — you've completed this hands-on lab!