S N O R T I D S B L A S T C O U R S E

Transcription

1 S N O R T I D S B L A S T C O U R S E

2 General Description In this course, we will use the Security Onion operating system. Security Onion is based on Ubuntu Linux distro. It contains the Snort IDS, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. We will use the Snort IDS application for the majority of this blast course. The target learning objective for this course is to introduce the student with to the Snort IDS. We will learn how to setup IP and Port variables for ease of management followed by being acquainted with basic Snort rules. We will then move to define our own custom rules. Finally, we will advance our learning by crafting complex Snort rules to enhance our network IDS capabilities and streamline process powers. This course is streamlined for advanced users who wish to add to their knowledge about IDS capabilities using Snort. Course Starting Date: November

3 What will the student learn? The student will learn different methodologies of dissecting IP packets with the Snort IDS. By doing so, it allows the student to implement granular control over what will gain or be denied access to the internal or external network. What skills will the student learn? The student will learn how to effectively implement an IDS solution that preserves processing power, trim log file output to what is only necessary as well as setup log trap threshold for IDS alerts. What are the student requirements? The student needs to understand how to compute in hexadecimal format, ASCII format and binary calculations. The student also needs to be familiar with IP subnetting (both classful and classless). What will the students need: Host workstation capable of handling at least two VM's simultaneously Security Onion - Wire Shark - Packet Generator (To be determined)

4 Curriculum Module 1: Getting acquainted with Snort IDS In this module, we will cover the basics of Snort and what it provides to network administrators. A general overview will be provided to the students on Snort's capabilities and functions. For this course, it is recommended that the student is familiar with the functions of an IDS and IP access control lists. There will be three tasks to complete for this module. Task 1: Setup IP variables with the internal and external network. Task 2: Setup Port variables with internal and external network. Task 3: Setup log messages to output to a destination file for record.

5 Module 2: Setting up basic Snort rules This module will cover on dissecting snort rule configurations which compose of the Rule Header and the Rule Body. The Rule Header consists of an action, a Source IP and Port, direction indicator, destination IP and Port. The Rule Body consists of the security identifier. This module will consist of three tasks to complete. Task 1: Setup a Snort incoming packet rule to alert the network administrator. Task 2: Setup a Snort rule to drop an outgoing packet. Task 3: Setup a Snort rule to alert for outbound web site request that is prohibited. Task 4: Setup a Snort rule to to inspect contents of a packet in both binary and ASCII format.

6 Module 3: Configure Detect Offset (DOE) End Pointer (EP) and Byte Offset In this module, we will conclude our course by setting up Snort to dissect packets by using the Detect Offset End Pointer and by inspecting packets using Byte Offset. These two functions allow the Snort IDS to discriminate with precision for known threats. This allows the IDS to process packets much faster than the previous Snort Rules because of its precision capability. Task 1: Dissecting an incoming packet using DOE EP with a content match. Task 2: Creating Snort rule using DOE EP with distance modifier. Task 3: Setup Snort Rule DOE EP with relative offset with the ending position after another DOE advancement.