Using BackTrack v2.0 and Snort for the Rapid Deployment of Network Intrusion Detection System
Part One - Background
BackTrack is a live Linux distribution that resulted from the merger of two widely used security distributions, Auditor Security Collection and WHAX (a stand-alone penetration-testing live CD based on Knoppix). The OS itself is based on Slackware Linux. BackTrack includes a wide array of security tools, including Metasploit, John the Ripper (a password-cracking tool) and Snort. The distribution is designed to give security professionals and enthusiasts a comprehensive set of security tools in an easy-to-use interface.
BackTrack2, released in October 2006, introduces several interesting new features, including:
- Updated kernel, running 2.6.20 with several patches
- Broadcom-based wireless card support
- Redesigned menu structure to assist the novice as well as the pro
- Metasploit2 and Metasploit3 framework integration
- Most wireless drivers are built to support raw packet injection
Figure 1.0 - BackTrack2 in Fluxbox Desktop Manager
What is Snort?
Snort is an open source network intrusion detection system. It supports signature-based, protocol-based and anomaly-based inspection, analyzes network traffic in real time, and can flag potential intrusions by matching traffic against a ruleset. Snort can be used to detect a variety of suspicious activity, including signs of a virus or worm outbreak, stealth port scans, OS fingerprinting attempts and Server Message Block (SMB) probes. Snort's functions are driven by a host of command-line options that may seem overwhelming to a new user; however, Snort is well documented and there are numerous resources on the web for learning its inner workings.
Figure 1.1 - Snort Man Page
Why Combine BackTrack2 and Snort?
Combining Snort and BackTrack2 (BT2) gives you a chance to become familiar with Snort, and with BT2's other security tools, without committing to a permanent installation of an OS or application on your computer. The flexibility of BT2 lets users rapidly deploy the OS and its host of security tools on the fly.
What Can I look for in this Tutorial?
BackTrack2 and Snort can be used to identify the source of malicious traffic: Snort analyzes traffic and, based on predefined rules, flags the packets that match them. This tutorial demonstrates how to set up Snort on a live BackTrack2 ISO and use it to capture traffic. Running BackTrack2 under VMware Server is the most convenient way to follow the exercise. A step-by-step tutorial for booting an ISO using VMware can be found here. Booting BackTrack2 from a CD or DVD is also an option.
The latest BackTrack2 ISO (as of this publication) can be downloaded from the following location: http://mirror.switch.ch/ftp/mirror/backtrack/bt2final.iso
Prerequisites:
1. Latest BackTrack2 ISO
2. VMware Server (Optional)
3. CD/DVD Copy of BT2 (Optional - Only if not using VMware)
Tutorial Starts Here
Steps:
1. Load the BackTrack2 ISO as an image in VMware.
2. Boot the virtual machine and press Enter at the "boot:" prompt to start BackTrack2.

3. Log in as "root" and start the X Window System by typing "startx".

Note: startx loads KDE, a sleek and comprehensive desktop environment; however, if system resources (memory) are scarce, typing "flux" instead starts Fluxbox, a lighter and more streamlined window manager.
4. Once the desktop has loaded and you have browsed around to familiarize yourself with the various controls, open a terminal, Konsole. You can do this by clicking the KDE icon in the lower-left corner and selecting System > Konsole from the menu.

Snort can run in three basic modes:
Sniffer Mode - Snort reads the packets transmitted across the network and prints them to standard output (your screen).
Packet Logger Mode - Functionally the same as sniffer mode, except that the packets are logged to disk instead of printed.
Network Intrusion Detection System (NIDS) Mode - For the purposes of this tutorial, this is the mode we are most interested in. NIDS mode is the most complex and configurable of the three. Snort analyzes network traffic for matches against the rule set you have defined for it and takes the action each matching rule specifies, such as generating an alert or logging the packet. Snort enters NIDS mode only when it is pointed at a configuration file with the -c switch; without -c it runs as a sniffer or a packet logger.
5. snort.conf is Snort's configuration file. It contains the settings that tell Snort how to run: network variables such as HOME_NET, the preprocessors and output plugins to load, and which rule files to include. Use a text editor to read through and familiarize yourself with this file, as it is the heart of Snort as a NIDS.
Use the following command:
vi /etc/snort/snort.conf


6. Once you've had a good look at the config file, you can start Snort. Snort has a myriad of switches that unlock various functions.
Example:
-l = tells Snort to log packets to the named directory
-A fast = write alerts in the one-line "fast" format
-K ascii = log packets in human-readable ASCII, one directory per host, rather than as pcap
-i eth0 = listen on the eth0 interface
Use the following command:
snort -A fast -K ascii -l /var/log/snort -i eth0
After typing the previous command, you should see the following screen, which indicates that Snort is running. Note that because no configuration file was given with -c, this command runs Snort in packet logger mode: every packet seen on eth0 is written under /var/log/snort, and since no rules are loaded there is nothing for -A fast to alert on. To run in NIDS mode instead, add -c /etc/snort/snort.conf to the command.
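The command above captures packets but applies no rules. As an added example, not code from the tutorial, the following script writes a minimal snort.conf and one local rule that alerts on ICMP echo requests, then prints the page's packet-logger command beside the NIDS-mode command that uses them with -c. The scratch directory, the HOME_NET value (the 192.168.213.0/24 lab network seen in the screenshots) and the SID 1000001 are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): a minimal NIDS-mode setup for the
# ICMP test in step 7. Everything is written under a scratch directory so it
# can be inspected without touching /etc/snort. The HOME_NET value, the file
# names and the rule SID are assumptions made for this example.

LAB="${LAB:-$(mktemp -d)}"
HOME_NET="${HOME_NET:-192.168.213.0/24}"     # the lab network used on the page

# One local rule: alert on every ICMP echo request (type 8) aimed at HOME_NET.
# SIDs from 1,000,000 upwards are reserved for locally written rules.
write_local_rule() {
    cat > "$1" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP Echo Request"; itype:8; sid:1000001; rev:1;)
EOF
}

# A deliberately small snort.conf: the network variables and one rule file.
# $1 = conf path, $2 = rules file, $3 = HOME_NET
write_snort_conf() {
    cat > "$1" <<EOF
var HOME_NET $3
var EXTERNAL_NET !\$HOME_NET
include $2
EOF
}

# The page's command (packet logger mode, no rules) beside the NIDS-mode one.
logger_mode_cmd() { echo "snort -A fast -K ascii -l $1 -i eth0"; }
nids_mode_cmd()   { echo "snort -c $1 -A fast -K ascii -l $2 -i eth0"; }

write_local_rule "$LAB/local.rules"
write_snort_conf "$LAB/snort.conf" "$LAB/local.rules" "$HOME_NET"
mkdir -p "$LAB/log"

echo "packet logger mode: $(logger_mode_cmd "$LAB/log")"
echo "NIDS mode:          $(nids_mode_cmd "$LAB/snort.conf" "$LAB/log")"

# Sanity-check the configuration before going live: -T parses the config and
# the rules it includes, reports problems, and exits. Only attempted when
# snort is installed on this machine.
if command -v snort >/dev/null 2>&1; then
    snort -T -c "$LAB/snort.conf"
fi
```

With the NIDS-mode command running, the ping from step 7 produces one line per echo request in $LAB/log/alert; the scratch directory is left in place so the generated files can be inspected.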

7. Now that Snort is running, we can send some ICMP packets to the IP address of the interface Snort is monitoring and then check the logs to see whether they were captured. If you're using VMware, switch over to your host computer and ping the guest's IP address.

If you don't know the guest's IP address, run the following command in a new terminal:
> ifconfig
8. Next we'll have a look at the Snort logs. End the Snort session with Ctrl+C (it may take a moment or two to stop).
Start by listing the log directory:
> ls /var/log/snort
As illustrated in the screenshot, there is an ICMP_ECHO log in the 192.168.213.1 directory and an ICMP_ECHO_REPLY log in the 192.168.213.128 directory: in ASCII logging mode Snort creates one directory per host address and one file per packet type.

You can now view the logs with your text editor:
Use the following command:
> vi /var/log/snort/192.168.213.1/ICMP_ECHO
**Substitute with your directory name**

Here we can see that an ICMP echo reply packet was sent from 192.168.213.128 to 192.168.213.1 at 06/13-19:00:01.
The following screenshot shows the ICMP echo request packet itself, sent from 192.168.213.1 to 192.168.213.128.
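When Snort runs in NIDS mode with -A fast, each alert becomes one line in the file alert inside the log directory, and the practical question is which of those lines deserve attention. As an added example, not part of the original tutorial, the shell functions below summarize such a file by signature and by source address and filter it by priority. The alert lines are constructed for this example (modelled on the lab addresses above, with message text borrowed from stock rule names); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): reading the alert file that "-A fast"
# produces when Snort runs in NIDS mode. The alert lines below are constructed
# for this example, modelled on the 192.168.213.0/24 lab used on the page.
#
# Fast-alert line layout (Snort 2.x):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] MSG [**] [Classification: ...] [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]

SAMPLE_ALERTS="$(mktemp)"
trap 'rm -f "$SAMPLE_ALERTS"' EXIT
cat > "$SAMPLE_ALERTS" <<'EOF'
06/13-19:00:01.104622  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.213.1 -> 192.168.213.128
06/13-19:00:01.104801  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.213.128 -> 192.168.213.1
06/13-19:00:02.104655  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.213.1 -> 192.168.213.128
06/13-19:00:07.551208  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.213.50:1434 -> 192.168.213.128:1434
06/13-19:00:09.000314  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.213.1 -> 192.168.213.128
EOF

# Count alerts per signature. Output: "count<TAB>gid:sid:rev<TAB>message",
# most frequent first.
alerts_by_sig() {
    awk '
        {
            a = index($0, "[**] ");  rest = substr($0, a + 5)
            b = index(rest, " [**]"); body = substr(rest, 1, b - 1)   # "[1:384:5] ICMP PING"
            split(body, part, " ")
            id  = substr(part[1], 2, length(part[1]) - 2)            # strip the brackets
            msg = substr(body, length(part[1]) + 2)                  # text after "[id] "
            n[id "\t" msg]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Count alerts per source address, with any port suffix stripped.
# Output: "count<TAB>ip", most frequent first.
alerts_by_source() {
    awk '
        { src = $(NF - 2); sub(/:[0-9]+$/, "", src); n[src]++ }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Print only the alerts whose priority is $2 or better (1 is the most severe).
high_priority() {
    awk -v max="$2" '
        match($0, /Priority: [0-9]+/) {
            if (substr($0, RSTART + 10, RLENGTH - 10) + 0 <= max) print
        }
    ' "$1"
}

echo "== alerts by signature ==";   alerts_by_sig "$SAMPLE_ALERTS"
echo "== alerts by source ==";      alerts_by_source "$SAMPLE_ALERTS"
echo "== priority 2 or better =="; high_priority "$SAMPLE_ALERTS" 2
```

Run against a real file with, for example, alerts_by_source /var/log/snort/alert; the per-source count is usually the quickest way to spot the host behind a burst of alerts, and the priority filter keeps the chatty priority-3 ICMP entries out of the way while you look at the rest.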
Conclusion
What you should now know
What BackTrack2 and Snort are
How to boot up BackTrack2 Using Vmware
The different modes of Snort
A cursory knowledge of the Snort Configuration File
A general idea of how to read snort logs
How to start snort up to capture packets of interest
Words from the Author
Please remember that this is an introductory tutorial that covered only the most basic aspects of BackTrack2 and Snort. Snort is an extremely extensive tool, and it's best to start at a novice level and work your way up.
Want to Know More?
BackTrack v2.0 and MS Vista, Dual Boot Guide
Snort User Manual 2.6.1 - http://www.snort.org/docs/snort_htmanuals/htmanual_2615/
BackTrack2 Official Website - http://www.remote-exploit.org/backtrack.html
Snort IRC Channel on Freenode - Channel: #snort

