{"id":209,"date":"2025-06-22T23:42:07","date_gmt":"2025-06-22T23:42:07","guid":{"rendered":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=209"},"modified":"2025-06-22T23:42:07","modified_gmt":"2025-06-22T23:42:07","slug":"running-snort","status":"publish","type":"post","link":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=209","title":{"rendered":"Running Snort"},"content":{"rendered":"\n

Purpose<\/strong>
This lab is an introduction to Snort and its output. It focuses on helping a new user get comfortable with the tool.<\/p>\n\n\n\n

Exercise 1<\/strong><\/p>\n\n\n\n

1)Start by exploring Snort\u2019s available command-line options. Run the following command to view help information and understand what parameters are available:<\/p>\n\n\n\n

    <\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    2)Which command-line option should you use to specify a particular configuration file when running Snort?<\/p>\n\n\n\n

    Going through the above list of available parameters, we find the below option<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Exercise 2<\/strong><\/p>\n\n\n\n

    1)Which Snort command-line option can be used to check the current configuration and generate a report?<\/p>\n\n\n\n

      <\/ol>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
        <\/ol>\n\n\n\n

        2)Launch Snort using the correct option to validate the configuration and generate a report, pointing to the snort.lua<\/code> configuration file located in \/sec503\/Exercises\/Day3\/snort\/<\/code>.<\/p>\n\n\n\n

        Using the 2 questions above, we can easily answer this question:<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n

        3) After running Snort, you\u2019ll see a stream of initialization messages. Does the snort.lua<\/code> configuration file pass validation?<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n

        4) How many rules did Snort confirm it loaded?<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n

        5) Run Snort again with the -T<\/code> option to test the configuration, but this time use snort-broken.lua<\/code> as the config file. Add the -q<\/code> option to reduce clutter by hiding the usual startup messages\u2014this will make the error message easier to spot.<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n

        6) In which file is the error located? What is the specific error message?<\/p>\n\n\n\n

        The error is located in file called local.rules. Two variables are undefined in this file. <\/p>\n\n\n\n

        7) Use the diff<\/code> command to compare the contents of snort.lua<\/code> and snort-broken.lua<\/code>. What differences do you observe?<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n

        The main difference is that snort.lua<\/code> defines two variables that are commented out in snort-broken.lua<\/code>. Specifically, HOME_NET<\/code> is set to the 10.121.0.0\/16 network, while EXTERNAL_NET<\/code> is defined as any network not included in HOME_NET<\/code> (using the exclamation mark !<\/code> for negation). These variables help Snort distinguish between IP addresses inside the monitored network and those outside of it. In snort-broken.lua<\/code>, these variable definitions are disabled using comment markers (--<\/code>), so they aren\u2019t loaded. Snort 3 requires that both HOME_NET<\/code> and EXTERNAL_NET<\/code> be properly set.<\/p>\n\n\n\n

        Exercise 3<\/strong><\/p>\n\n\n\n

        This task is about running Snort in IDS mode. You\u2019ll be using a configuration file and analyzing traffic from a packet capture file instead of live network data. For this, use the file named sample.pcap<\/code>, located in the \/sec503\/Exercises\/Day3<\/code> folder. <\/p>\n\n\n\n

        1) The goal is to run Snort using the snort.lua<\/code> configuration file and see alerts on your console. To make this work, you\u2019ll need to use a few options that haven\u2019t been covered yet.<\/p>\n\n\n\n

        To accomplish this task, I ran snort with the below options:<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n

        2) Looking at the alert output, you\u2019ll notice that after the GID, SID, and revision number, there\u2019s a message, followed by a priority level. After that, it shows the protocol, the source IP address and port, and then the destination IP address and port (shown with the arrow symbol “->”). What are the values for the protocol, source IP and port, and destination IP and port?<\/p>\n\n\n\n

        The protocol is TCP. The source IP address is 10.121.70.151. The source port is 21 (FTP). The destination IP address is 10.234.125.254 and the destination port is 2217.<\/p>\n\n\n\n

        Exercise 4<\/strong>
        Task:<\/strong> Run Snort in IDS mode and make sure logging is enabled.<\/p>\n\n\n\n

        1) In the previous exercise, you saw that Snort does not show alerts by default unless it’s specifically told to. Figure out how to configure Snort so it logs fast alerts to a file. The alerts should be saved in the logs<\/code> directory, located in the current folder or at \/sec503\/Exercises\/Day3\/snort\/logs<\/code>.<\/p>\n\n\n\n

        Wed can use the -l option to log a given file to a desired directory:<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n
          <\/ol>\n\n\n\n

          The file was correctly saved in the chosen directory:<\/p>\n\n\n\n

          \"\"<\/figure>\n\n\n\n

          2) Look at the content of this file<\/p>\n\n\n\n

          \"\"<\/figure>\n\n\n\n

          This is the same content as what we saw in the console output above. <\/p>\n\n\n\n

          3) Review the available logger plugins again and identify one that supports both event and packet logging.<\/p>\n\n\n\n

          The --help-plugins<\/code> option provides detailed information about the different plugins that are available. Looking at the list, the unified2 plugin appears to be a good choice. This plugin can be run with the -A option:<\/p>\n\n\n\n

          \"\"<\/figure>\n\n\n\n
            <\/ol>\n\n\n\n

            After the unified2 log file has been created, it can be read using tools such as u2spewfoo<\/code> and u2boat<\/code>. Running u2spewfoo<\/code> on the file will display the alert and a packet dump showing what triggered it.<\/p>\n","protected":false},"excerpt":{"rendered":"

            PurposeThis lab is an introduction to Snort and its output. It focuses on helping a new user get comfortable with the tool. Exercise 1 1)Start by exploring Snort\u2019s available command-line options. Run the following command to view help information and understand what parameters are available: 2)Which command-line option should you use to specify a particular […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-209","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=209"}],"version-history":[{"count":5,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/209\/revisions"}],"predecessor-version":[{"id":239,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/209\/revisions\/239"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}