C:\snort\bin\ *.conf *.rules *.pcap dir

PCAP file opened in Wireshark Wire shark TCP only filter

Snort cmd run Alert file after modifying Snort rules. Renamed alert file. Alert 2

1. When running Snort IDS why might there be no alerts?

There could be several different reasons for Snort not seeing any alerts. The number one reason, is that Snort has not been configured properly to listen for traffic. Snort needs to be configured properly on specific port for it too listen to traffic. Another reason according to the Snort FAQ, no alerts can be due to “the result of a checksum offloading issue.” (Snort FAQ, 2016) The use of –k none should be added in the cmd line to solve the issue of no alerts.

2. If you only went to a few web sites, why are there so many alerts?
Snort is an open-source intrusion detection system (IDS). Intrusion detection systems are able to analyze many different types of network traffic to detect abnormalities. Snort analyzes packets on a network depending on the traffic traversing the network. Traffic can include TCP, UDP, and HTTP traffic to name a few. Depending on which protocols where used when going to the website, different types of alerts can be produced by Snort.
3. What are the advantages of logging more information to the alerts file?
Advantages to logging more information to the alerts files is that one, it can be more useful to a system administrator trying to figure out what type of malware or attack is being carried on. The more information he or she has, the better to make an informed decision on what type of traffic to look for to better protect the network.
4. What are the disadvantages of logging more information to the alerts file?
The biggest disadvantage of logging more information is that as a system administrator going through the alerts is more work. It is more work because you have more information to sift through to get to real information needed. This delay in getting information leaves the network vulnerable longer till the information can be deciphered. Another disadvantage is that if an attacker were able to compromise the information gathered, he or she would know what specific ports and protocols you are monitoring. This would give an attacker the knowledge to use different ports and protocols that are not being monitored.
5. What are the advantages of using rule sets from the snort web site?

According to the Snort FAQ, Snort “Rules are a different methodology for performing detection, which bring the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data.” (Snort FAQ, 2016) Advantages of using the rule sets from the snort web site is that the rule sets have been specifically created for Snort. This means that these rules sets have been written to work with snort and have less issues than using a third party or homegrown rule set.

6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security network and why?
The following rules sets from the snort website would be something to have in a high level security network.
• blacklist.rules – This category contains URI, USER-AGENT, DNS, and IP address rules that have been determined to be indicators of malicious activity. These rules are based on activity from the Talos virus sandboxes, public list of malicious URLs, and other data sources. (Snort.org, 2016) This rule set identifies known malicious activity that you would not want on your network.
7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?
If a person with malicious intent were to get read/write access to the IDS, he or she can do a number of things. The biggest advantage they would have, is have access to the IDS log and rule sets gives an attacker intimate knowledge of your network. It opens up the network to the attacker. An attacker could re-write or modify rule sets to stop monitoring specific traffic on which he or she can come in and out of your network undetected.
8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?

Advantages
• Can detect malicious signatures and stopping any detected malicious signatures before they enter the network.
• IPS can help to prevent exposure in software that would allow hackers to damage data.
• Allows for the use of stream normalization techniques. ("Ubiquity: Intrusion prevention systems", 2005)
Disadvantages
• False positive and false negatives- Legitimate activity being blocked and malicious activity being let through.
• Having multiple IPS on the network to better protect the network drives cost of appliance. Can be expensive.
• If IPS is overwhelmed with too much traffic, it can have a negative impact on the network by slowing it down. ("Ubiquity: Intrusion prevention systems", 2005)

9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen, the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?
If an administrator would let all traffic through without being checked, it could let the attacker into the network. This could allow an attacker into the network to launch further attacks. Denying all traffic would block any attacker from coming into the network, the downside of that is that all legitimate traffic going out of the network would also be denied from leaving the network. It’s a catch 22 scenario for an administrator.

10. What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow? What would you change to make it better?
What I found useful about this lab was the use of Snort. I have not used Snort much, and having the ability to use and to modify rule-sets was very enlightening. The instructions were pretty well written and found them easy to follow. The only thing I could think of expanding in this lab would be the rule set portion. Give more instruction on what you are actually modifying, or why a particular rule set is useful.
References
Explanation of Rules. (2016). snort.org. Retrieved 27 June 2016, from https://www.snort.org/rules_explanation
Snort FAQ. (2016). Snort.org. Retrieved 26 June 2016, from https://www.snort.org/faq/i-m-not-receiving-alerts-in-snort
Ubiquity: Intrusion prevention systems. (2005). Ubiquity.acm.org. Retrieved 27 June 2016, from http://ubiquity.acm.org/article.cfm?id=1071927