CIS-4080 Homework #6: Using Snort in IDS Mode

Due: Friday, May 5, 2023

Reading: ...

Part 1

In this part you will configure snort to detect certain traffic on the experimental network and demonstrate that it can detect that traffic. The snort documentation describes how to write rules.

Proceed as follows:

1. Create a snort rules file on Mu (in the student home directory) that looks for the conditions defined below. Be sure to use your Lemuria username when naming the rules file to avoid conflict with other files. For example: jjones.rules

   • Any attempt made by the machine Alpha (at 192.168.0.98) to SSH to the machine Beta (at 192.168.3.98).
   • Any packets using the IP address range 155.42.0.0/16 as either the source or destination address.
   • Any attempt to use traceroute to find a route to Mu.

2. Use the run-snort.sh shell script in student's bin folder to launch snort. Be sure to provide the -R option followed by the name of your rules file so Snort will load your rules. In a separate session (or sessions) perform whatever operation is necessary to trigger your rules and observe that Snort does detect the "intrusion."

Submit to Canvas a document that describes what you did (what rules you wrote), how you tested the, and what you observed.

Last Revised: 2023-04-20
© Copyright 2023 by Peter Chapin <pchapin@vtc.edu>