Question

Write a snort rule that will fire when you browse to craigslist.org from the machine Snort is running on; it should look for any outbound TCP request to craigslist.org and alert on it.

Answer 1

1. Install Snort into your operating system.
    >> sudo apt-get install snort

2. Read through Snort's configuration guide and edit /etc/snort/snort.conf as needed for your machine

3. When you run snort you'll see many errors/warnings in the output. Warnings about duplicate rules are okay, but others aren't.

4. Read about Snort's rule syntax and configuration

Trigger some alerts
    Find two different rules in the /etc/snort/rules/*.conf files and read about them, understand them. Now try to trigger the rules. Some of the simpler rules to trigger are based on finding bad data in web requests. Many inbound tests need incoming requests on established connections. You can start a simple webserver like this: sudo python -m SimpleHTTPServer 80

    Once triggered, view the alert in /var/log/snort. It will be in binary, so you'll need to convert it from Snort's unified2 format into human readable using:

    gmu@gmu-virtual-machine:/var/log/snort$ u2spewfoo snort.log
   
    Turn in: - The alert signature (from the rules file)
                  - A description of how you triggered the alert
                  - The alert itself from the log file (after converting it to readable text)

    Do this for two Snort rules.

Problem 2: Writing your own rules
In this part you need to write a rule that will fire when you browse to craigslist.org from the machine Snort is running on. So it should look for any outbound TCP request to craigslist.org and alert on it. The alert should also fire for any of the pages under the main page for example. You should add your rule into /etc/snort/rules/local.rules. Make sure to pick a SID 1000000 . Make sure your rule does NOT trigger when you go to other .org sites.

    Turn in: - The alert signature (from the rules file)
                  - The alert itself from the log file (after converting it to readable text)