Installing the Snort open-source IDS (Intrusion Detection System) on Ubuntu 22.04

Required

  • 1 local area network
  • 2 hosts: one running Kali Linux (the attacker) and one running Ubuntu 22.04 (the Snort IDS)
  • TCP/IP communication between the two hosts must be established beforehand
  • Clock and date settings must be configured correctly on both hosts

TCP/IP addressing table

  Subnet name                   IPv4 range
  Virtual Network 2 (Vmnet2)    192.168.200.0/24

  Node                          Interface   IPv4 address
  Kali Linux, the attacker      eth0        192.168.200.145/24
  UbuntuServer, Snort IDS       ens33       192.168.200.148/24

Snort installation and analysis

  • From UbuntuServer open a Terminal window
    1. Type sudo su -
    2. Type apt install -y snort*
    3. Type systemctl restart snort; no errors should appear
    4. Type systemctl status snort; the service must be active
    5. Type snort -D -A fast -i ens33 -c /etc/snort/snort.conf
  • Here are the options explained
    1. -D runs Snort as a daemon; it frees the terminal, so you can close it without interrupting your analysis
    2. -A fast selects the alert output mode (-A requires a mode argument; fast writes one-line alerts to the alert file)
    3. -i sniffs packets on the given interface
    4. -c gives the location of the configuration file

XMAS attack analysis

  • From Kali open a Terminal window
    1. Type sudo su -
    2. Type nmap -sX 192.168.200.148
  • -sX selects the nmap XMAS scan technique
  • From UbuntuServer, open a Terminal
    1. Type tail -n 10 -f /var/log/snort/snort.alert.fast
    2. The XMAS scan alerts raised by the Snort Intrusion Detection System are clearly visible in the log
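Reading the alert file by eye works for one scan, but a defender usually wants the alerts parsed and grouped. The script below is an added example, not part of the original page and not Snort's own tooling: it parses lines in Snort's one-line "fast" alert format (the format tailed above), skips anything that does not match, counts alerts per rule, and reports source addresses whose XMAS-scan alerts hit several distinct destination ports, which is the signature of a port sweep rather than a single stray packet. The sample lines are constructed for the example; the rule ids and messages are modelled on the community scan rules, and the addresses are the ones from the table above.

```python
import re
import sys
from collections import Counter, defaultdict

# One line of Snort's "fast" alert format (alert_fast output):
# MM/DD-HH:MM:SS.micros  [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# The port parts are absent for protocols such as ICMP.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample of what /var/log/snort/snort.alert.fast could contain
# during the XMAS scan from the lab above (not real captured output).
SAMPLE_ALERTS = """\
11/02-10:15:01.123456  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.200.145:40321 -> 192.168.200.148:22
11/02-10:15:01.123890  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.200.145:40321 -> 192.168.200.148:80
11/02-10:15:01.124201  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.200.145:40321 -> 192.168.200.148:443
11/02-10:15:03.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.200.1 -> 192.168.200.148
this line is not an alert and must be skipped
"""


def parse_fast_alerts(text):
    """Return one dict per well-formed fast-alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        match = FAST_ALERT_RE.match(line.strip())
        if match:
            alerts.append(match.groupdict())
    return alerts


def summarize(alerts):
    """Count alerts per (sid, message) so the most frequent rules stand out."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def xmas_scan_sources(alerts, min_ports=2):
    """Map each source address to the sorted list of destination ports it probed
    with XMAS-flagged packets, keeping only sources that touched at least
    min_ports distinct ports (one port could be a stray packet; several is a sweep)."""
    ports = defaultdict(set)
    for a in alerts:
        if "XMAS" in a["msg"].upper() and a["dport"] is not None:
            ports[a["src"]].add(a["dport"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= min_ports}


def report(text):
    """Human-readable summary used by the command-line entry point."""
    alerts = parse_fast_alerts(text)
    lines = [f"{len(alerts)} alert(s) parsed"]
    for (sid, msg), n in summarize(alerts).most_common():
        lines.append(f"  sid {sid:>6}  x{n:<4} {msg}")
    for src, dports in xmas_scan_sources(alerts).items():
        lines.append(f"XMAS sweep from {src}: ports {', '.join(dports)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 xmas_alerts.py [/var/log/snort/snort.alert.fast]
    # Without a path the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_ALERTS))
```

Run it against the live file with `python3 xmas_alerts.py /var/log/snort/snort.alert.fast` once the scan has been seen. The min_ports threshold is the only tuning knob: raise it if a noisy network produces isolated XMAS-flagged packets that are not worth an escalation.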