Snort rules | Computer Science homework help

Lab #3 

Our third lab builds on the “unacceptable site” detection we worked on in Lab #2. In this exercise, we will attempt to accomplish the same goal using the new reputation preprocessor in Snort. The documentation on the reputation preprocessor and the available configuration options are in section 2.2.20 (starting on p. 122) of the Snort Manual, which is posted under General Information under Content for your reference. The basic function of the reputation preprocessor is similar in many ways to basic firewall operation: the preprocessor evaluates source and destination IP addresses in network packets to see if they appear on either a “whitelist” of approved/acceptable addresses or a “black list” of prohibited addresses. Packets containing IP addresses on the blacklist are dropped. The overall intent for this assignment is to block access to the “bad” site you selected for Lab#2 (or a different site chosen for this assignment) by adding the site to a blacklist and enabling the reputation preprocessor in snort.conf.

Please note: If you are using the Virtual Lab, the reputation preprocessor is already configured properly, and the supporting whitelist and blacklist files are stored in /etc/snort/rules. All you need to do is identify the IP address(es) to use and add them to the black.List file.

To complete this assignment successfully using Snort on Windows, you may need to first edit the “snort.conf” file as follows if you did not already configure these items when you first installed Snort:

  • At the end of Step #1, either set the path to the reputation preprocessor file location or comment out these two lines (you can declare the blacklist file directly in the preprocessor configuration settings if you don’t want to use a variable reference).
  • At the end of Step #5, configure the reputation preprocessor. The default configuration should work fine for most students, as long as the file paths and names are accurate for the local installation. Look at the first configuration example on page 120 of the Snort Manual as a guide, which simply includes the preprocessor declaration and the specification of the blacklist and whitelist files. You can run the preprocessor with either or both of these files, so for our purposes, you might just specify a blacklist file. Where the configuration designates a file (such as “black.list” or “white.list”), the file must exist in the location specified, or Snort will generate an error at start-up.
  • Save the “snort.conf” file.

Now, create a blacklist file and put it in the proper directory (such as /etc/snort/rules on Linux or C:Snortetcrules on Windows). A blacklist file is just a plain text file with one IP address (or address range, using CIDR notation) per line. The blacklist file name and file location should match what you specified in the preprocessor configuration in snort.conf. Then startup Snort as you would normally, open a browser, and visit the site corresponding to the IP address(es) in the blacklist file.

 

Vitual lab link https://umucvda.aeronomy.net/portal/webclient/index.html#/

 

For this assignment, compose a short write-up for submission to your Assignments folder that includes the following:

  1. The “unacceptable” site you selected in Lab #2 (you can pick a new one for this assignment if you prefer).
  2. The IP address (individual, multiple, or range) associated with that site. If you don’t know the IP address, you can either open a command shell and ping the site (e.g. “ping www.facebook.com“), which will return the primary IP address on screen, or you can look up the site on Netcraft.com to find one or more IP addresses used by the site.
  3. The contents of the blacklist file the reputation preprocessor references.
  4. A brief summary comparing the rule-based and preprocessor-based approaches used in Labs #2 and #3, with an emphasis on identifying any strengths or weaknesses associated with each approach.
  5. If you can get Snort to run successfully with the reputation preprocessor active, include the output produced (a copy of the ASCII log file is sufficient).

 

Not sure if this helps:

 

o to the rules folder where you downloaded the VRT certified rules during your Snort install (by default on Windows, this will be C:Snortrules). If you have not yet installed these rules, please do so. If you have any trouble downloading the current VRT rules release package, you can retrieve them from http://polaris.umuc.edu/~sgantz/files/snortrules-2982.tar.gz on my UMUC Polaris server. In the compressed (zipped) package, you are looking for the files that end in “.rules” extensions.

Pick one of the named rules files, open it, and choose a rule. If this is your first exposure to Snort rule syntax, please note that the rules are the sometimes-cryptic looking items starting with the word “alert”. Copy the rule you pick into your response and describe what the rule means in your own words.

Order a unique copy of this paper
(550 words)

Approximate price: $22

Basic features
  • Free title page and bibliography
  • Unlimited revisions
  • Plagiarism-free guarantee
  • Money-back guarantee
  • 24/7 support
On-demand options
  • Writer’s samples
  • Part-by-part delivery
  • Overnight delivery
  • Copies of used sources
  • Expert Proofreading
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Our guarantees

We value our customers and so we ensure that what we do is 100% original..
With us you are guaranteed of quality work done by our qualified experts.Your information and everything that you do with us is kept completely confidential.

Money-back guarantee

You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.

Read more

Zero-plagiarism guarantee

The Product ordered is guaranteed to be original. Orders are checked by the most advanced anti-plagiarism software in the market to assure that the Product is 100% original. The Company has a zero tolerance policy for plagiarism.

Read more

Free-revision policy

The Free Revision policy is a courtesy service that the Company provides to help ensure Customer’s total satisfaction with the completed Order. To receive free revision the Company requires that the Customer provide the request within fourteen (14) days from the first completion date and within a period of thirty (30) days for dissertations.

Read more

Privacy policy

The Company is committed to protect the privacy of the Customer and it will never resell or share any of Customer’s personal information, including credit card data, with any third party. All the online transactions are processed through the secure and reliable online payment systems.

Read more

Fair-cooperation guarantee

By placing an order with us, you agree to the service we provide. We will endear to do all that it takes to deliver a comprehensive paper as per your requirements. We also count on your cooperation to ensure that we deliver on this mandate.

Read more

Calculate the price of your order

550 words
We'll send you the first draft for approval by September 11, 2018 at 10:52 AM
Total price:
$26
The price is based on these factors:
Academic level
Number of pages
Urgency