SNORT 3.0 -Intrusion Detection System on ubuntu 20.04

Subscribe to " FACEITNET " Youtube channel for more interesting videos 

FaceITNet Youtube Channel

IDS using SNORT

 

Install and Configure Snort 3 on Ubuntu 20.04

 

Ubuntu comes with built in SNORT, Check the version by using the following command

apt show snort

Mostly you will see version 2.9

In order to install and configure Snort 3 on Ubuntu 20.04, you need to build it from the source.

Firstly run system package cache update

Sudo apt update

Sudo apt upgrade

Install Required Build Tools

For a successful build and installation of Snort 3 on Ubuntu 20.04, there are a number of build tools and dependencies that needs to be installed prior to the build process as outlined on the Dependencies page.

sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev

Download and install latest version of the Snort DAQ (Data Acquisition library) . DAQ is not available on the default Ubuntu repos and hence, you need to build and install it from the source.

mkdir snort-source-files

cd snort-source-files

git clone https://github.com/snort3/libdaq.git

Run the command again

cd libdaq

./bootstrap

./configure

make

sudo make install

 

Download and install google’s thread-caching malloc, Tcmalloc, a memory allocator optimized for high concurrency situations which will provide better speed for the trade-off of higher memory usage. This is an optional dependency but highly recommended.

 

cd ../

wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz

tar xzf gperftools-2.8.tar.gz

cd gperftools-2.8/

./configure

make

sudo make install

 

 

Install Snort 3 from Source Code on Ubuntu 20.04

Now that we have all required dependencies in place, download and install Snort 3 on Ubuntu 20.04;

Clone Snort 3 Github source code;

cd ../

git clone git://github.com/snortadmin/snort3.git

Navigate to Snort 3 source directory, compile and install it;

cd snort3/

./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc

Navigate to the build directory and compile and install Snort 3 on Ubuntu 20.04;

cd build

make (this will take time to complete. Be patient)

make install

Once the installation completes, update shared libraries;

ldconfig

Verify Snort 3 Installation by checking the version;

snort -V

The above confirms that Snort 3 installation is successful and is working fine.

Configuring Snort 3 NIDS on Ubuntu 20.04

Configure Network Interface Cards

First off, put the interface on which Snort is listening for network traffic on promiscuous mode so that it can be able to see all of the network traffic sent to it rather than seeing only the traffic originating from within the Snort 3 server alone.

ip link set dev ens33 promisc on

Verify

Disable Interface Offloading to prevent Snort from truncating large packets larger than 1518 bytes. You can check if this feature is enabled;

ethtool -k ens33 | grep receive-offload ( need to install ethtool )

generic-receive-offload: on

large-receive-offload: off [fixed]

GRO is enabled while LRO is fixed and hence cannot be changed.

Then disable;

ethtool -K ens33 gro off lro off

The two NIC changes are temporary. To ensure the changes persists across system reboot, create and enable a systemd service unit to implement the changes;

sudo vim /etc/systemd/system/snort3-nic.service ( Need to install vim  - sudo apt install vim)

Add the below in the newly opened file.

[Unit]

Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot

After=network.target

 

[Service]

Type=oneshot

ExecStart=/usr/sbin/ip link set dev ens33 promisc on

ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off

TimeoutStartSec=0

RemainAfterExit=yes

[Install]

WantedBy=default.target

Reload systemd configuration settings;

systemctl daemon-reload ( Enter the password)

Start and enable the service on boot;

systemctl enable --now snort3-nic.service ( Enter the password)

 

Install Snort 3 Rulesets on Ubuntu 20.04

Rulesets is the main artery for Snorts intrusion detection engine. There are three types of Snort Rules:

·         Community Rules

·         Registered Rules

·         Subscriber Rules

In this tutorial, we will install the community Snort rules;

Create Snort Rules directory. In the /usr/local/etc/snort/snort_defaults.lua config file, the default rules path (RULE_PATH), is defined as /usr/local/etc/rules.

mkdir /usr/local/etc/rules

Download Snort 3 community rules from Snort 3 downloads page;

wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz

Extract the rules and store them on Snort rules directory;

tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/

ls /usr/local/etc/rules/snort3-community-rules/

AUTHORS  LICENSE  sid-msg.map  snort3-community.rules  VRT-License.txt

Now that we have the rules to get us started in place, you need to configure Snort 3. Open the main configuration file for editing;

sudo vim /usr/local/etc/snort/snort.lua

Set the networks to protect against attacks as the value for the HOME_NET variable. For simplicity, i just set this to the subnet of Snort 3 interface. The EXTERNAL_NET is anything other than our HOME_NET;i

...

-- HOME_NET and EXTERNAL_NET must be set now

-- setup the network addresses you are protecting

HOME_NET = '192.168.57.3/32'

-- set up the external network addresses.

-- (leave as "any" in most situations)

-- EXTERNAL_NET = 'any'

EXTERNAL_NET = '!$HOME_NET'

...

You can edit Snort defaults in the /usr/local/etc/snort/snort_defaults.lua configuration file.

Under IPS section, define the location to your rules;

 

ips =

{

    -- use this to enable decoder and inspector alerts

    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path

    -- note that rules files can include other rules files

    include = '/usr/local/etc/rules/snort3-community-rules/snort3-community.rules'

}

...

Save and exit the configuration file. 

Create Snorts Log directory;

mkdir /var/log/snort

 

Next, run syntax checking;

snort -c /usr/local/etc/snort/snort.lua

 

Create Custom local rules for the purposes of testing our Snort setup.

vim /usr/local/etc/rules/local.rules

 

Create a rule to detect ping tests;

alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)

 

Save and exit the local rules file. Check the syntax;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

Next, run the test by executing the command below;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens33 -A alert_fast -s 65535 -k none

 

On another terminal, ping your Snort server. While the ping runs, you should see the alert lines written to standard output;

Challenge Task

 write your own rules to detect SSH, Telnet, FTP, HTTP traffic

Write a rule to detect Facebook Traffic like below

Finished.

How to type in Tamil on Apple Mac computers.

How to type in Tamil on Apple Mac computers. 

Go to System Preferences 

Then click Keyboard from System Preference. 

Then Go to Input Source tab in the menu and Click the Little + at the bottom left corner. 

Now Select Tamil from the left-hand side menu and then on the other side select Tamil Anjal and Click Add to setup the Tamil Phonetic Keyboard. 

To Type in Tamil, use the same shortcut Alt + 2. That’s all now you can type in Tamil phonetic keyboard. 

.

Tamil Phonetic Typing

How to use NHM Writer to Type in Tamil ( Windows )

Download the NHM Writer from below given link or google it to download.

https://en.freedownloadmanager.org/Windows-PC/NHM-Writer-FREE.html

Once the application is downloaded install it on your Laptop.

Double click the downloaded the file and click Yes for User Access Control  

Then Click Next, 

Then, Tick I Accept the Agreement and Click Next and again Next. 

Now you need to select the language in this screen Click the Drop Down and select Tamil

Then Click Next, Next, Next and Install. 

Once installation finished make sure to tick Launch NHM Writer

Click Finish. 

Now, Let see how we can type in Tamil 

Confirm the application is running , you can see a Bell icon ( NHM Writer)

If you click on this Bell you will see the following 

To type in Tamil, we need to select Alt+2 Tamil Phonetic Unicode  , you can do this just by a mouse click or use the Keyboard Shortcut  Alt+2

Once you select Alt+2 Tamil Phonetic Unicode you will see the Bell will be in Gold color

Now Go to Google form / Word or any application and type. You can see it type in Tamil. If you can’t see Tamil press Alt+2 it will change to Tamil

How to Delete a User Profile from the Registry

If you wish to delete a user profile that you have created is corrupted or got malware and you want to delete that profile completely and recreate a new profile. 

following steps will guide you step by step to delete and create a new profile. 

1) First find the user SID

From a command prompt type: wmic useraccount get name,sid 

2) Make sure the profile folder in C:\Users was completely gone ( deleted) 

then open registry edit 

3) Expand HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileListand find the key named with the SID of the desired user. Right clicking on the key, export to the desktop (you’ll need this in the next step). Right click on the folder and delete the key.

4) Using Notepad, I open the registry exported from the previous step. Find the GUID for the desired user. In the registry expand HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileGuid and find the key named with the GUID of the desired user. Right-click on the folder and deleted the key.

5) Delete the GUID: 

Thats all Now when you login as that user, Windows should automatically create the local profile.

 Enable Network Based Discovery Services (Server 2016 And 2012 R2 )

I have experienced an interesting issue today. I was about to set up a network sharing path to an application which doesn't support full path as its a network ( client-server) application. 

When i tried to browse the path under network I wasn't able to see any shared files under network. 

After some search on google and personal help from my Network Guru , I fix it 

Let's see what we need to do to enable it. 

There is few services and needs to be enabled to browse the file under network. 

1)DNS Client - Make sure its running 

2) Function Discovery Resource Publication Property - Running /Started

3) SSDP Discovery - Running / Started 

4) UPnP Device Host - Running / Started 

in addition to this services make sure the network discovery is turn on as well. 

Now we need to enable the netBios as well in TCP/IP

Thats all we should be able to see the path 

Enable IPv6 on CISCO 2960 Switch - Packet Tracer

Subscribe to " FACEITNET " Youtube channel for more interesting videos 

FaceITNet Youtube Channel

Most of us have used Cisco Packet Tracer simulator to do our cisco CCNA practicals.

Packet Tracer is a free application by cisco and can be downloaded under netacad.com website
( Click the blow link ). Recently cisco has supported Packet Tracer to Mac computers too.

https://www.netacad.com/courses/packet-tracer

But we all knew we are moving to IPv6 world and hence we need to run the IPv6 most of the time.

Unfortunately, packet Tracer doesn't support IPv6 on Switch by default. I am going to do the step-by-step configuration to enable IPv6 on CISCO 2960 switch.

Let's do it.

First of all we need to setup a small network to upgrader the IOS version, We need IOS version 150-2 to enable IPv6

we need a switch and a server to do this upgrade.

Assign IPs to both server and switch ( int vlan 1)

TFTP server : 192.168.1.1

Switch : 192.168.1.2

once the IPs are assigned we must be able to ping each other. 

Then make sure the server has got TFTP and it has IOS version 15 as well. 

Now lets go ahead and start the upgrade

in switch enter the following commands.

Switch#copy tftp: flash: 

Address or name of remote host []? 192.168.1.1

Source filename []? c2960-lanbasek9-mz.150-2.SE4.bin

Destination filename [c2960-lanbasek9-mz.150-2.SE4.bin]?

once you confirmed you will see the following 

Accessing tftp://192.168.1.1/c2960-lanbasek9-mz.150-2.SE4.bin...

Loading c2960-lanbasek9-mz.150-2.SE4.bin from 192.168.1.1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[OK - 4670455 bytes] 4670455 bytes copied in 0.199 secs (1886872 bytes/sec)

Alright now we have got the 150-2 version ios file to flash drive.

reload the switch and change the boot file using the following command

Switch(config)#boot system c2960-lanbasek9-mz.150-2.SE4.bin

Again reload the device to load 150.2 ios image.

Now you could see

Loading "flash:/c2960-lanbasek9-mz.150-2.SE4.bin"... ##############################

This means the device is now loading the IOS version 15.

once its done with booting we need to enable the IPv6 Dual-stack configuration in the switch

use the following command to enable the dual-stack configuration

Switch(config)#sdm prefer dual-ipv4-and-ipv6 default

That's all we are done and we should be able to use the IPv6 configuration now, this will take place once we reload the device

so reload one more time, we can see the IPv6 commands enabled.

Thanks,

Create Email Distribution List in office 365 and add users to the group

In this document I am going to show how we can create an email distribution list in Office 365 cloud ( Cloud exchange) and add users in to the distribution list. 

Distribution list is a handy way to get a group email to an In e-mail applications, a distribution list is a group of mail recipients that is addressed as a single recipient. Distribution lists are used to send e-mail to groups of people without having to enter each recipient's individual address. A distribution list is different from an e-mail list in that members cannot reply to the distribution list's name to send messages to everyone else in the group. 

But in Exchange cloud has an option to sent email to distribution list from out side the group as well. 

Lets see how we can create it. 

First of all login to you office portal @ https://admin.microsoft.com/

Then go to your admin page and click Groups 

Click + Add a Group 

Click Type and select Distribution list.

Give the name of your distribution list and email address. You can notice at the bottom it says Allow people outside of my organisation to send email to this distribution list.

Should you wish to receive mail click this and make it on. 

Thats all we have now created a distribution list and it will take some time to appear in your group list. 

Once the list is in the groups we will go and add users to our distribution list. 

In exchange we can't add users from external domain to distribution list, so the option for us to do this is, Create the external users as contact in the exchange contact and then we can add them to the distribution list. 

Create Contact in Exchange server 

Create new contact 

Now go back to Groups and click the newly created Distribution list and add the users under the members 

Click Edit and search the newly created contact and add them all in to the group. 

Thats all , we are now ready to receive email to the listed users using distribution list. 

Thanks