I am focusing on Snort at the moment, as it has been consuming my life recently and I have got to know it a bit more intimately and in depth. I know it can be bypassed, but at the same time it is a very powerful tool when no antivirus or malware detection is currently catching the threats on your local system. I find it fantastic for tracking down the source of ransomware infections too: some people think they were just infected by Cryptowall, for example, when they had actually been hit by the Angler Exploit Kit a second earlier, exploiting a Flash zero day from a compromised website or advertising service, and that can often be overlooked. You can also see some strange things you would not expect to see! With the option of creating your own custom signatures, as well as the choice of the paid or community rule sets, you have a lot of signatures available to you for free, and they are kept up to date. Being able to go back in time with some of the GUI front-ends and other tools turns Snort into a powerful network incident response and forensic tool, but for now we will be using BASE to analyze the alerts coming from the Snort IDS.
I take it you have already downloaded and installed VirtualBox and the Extension Pack for whatever platform you are using, and are following along from the previous tutorial where this is outlined and explained.
Download Linux Mint. You can use Ubuntu, CentOS or any other Linux distro, but YMMV if you choose a different path from the one I have outlined here.
Now it’s time to create your virtual machine: up the top left, click on the New button.
Next give it a name, select the following type and version and click Next.
Select some RAM that you have free to spare and click Next.
Select Next to create the hard drive now.
Leave it at VDI (VirtualBox Disk Image). Feel free to change it, but I currently have no need to, so leave it as is and click Next.
Leave the disk as dynamically allocated unless you want to assign the full disk space to your virtual machine now; that takes more time, and dynamic has always worked for me, so just click on Next.
Now you need to decide how much space you want to allocate to your virtual machine. I have chosen 20GB as this should be more than sufficient to carry out tests, but feel free to add more if you like, then click on Create.
You will now see the following created; either right click on it and select Settings, or just click on Settings up the top left.
The following window then opens, where you can modify the settings you just selected or make further changes to the environment of the virtual machine you are about to create. You can even come back later and make changes once you have shut the virtual machine down.
When creating and playing around in a virtual environment you can often make a mistake, get to a point where what you were doing has stopped working altogether, or break the machine. Don’t fear though, as there is an option called ‘Create a Snapshot’ which, you guessed it, allows you to create a snapshot of the current system state. You can move the location of the snapshot folder; in this case I moved it to a drive with loads of free space, as I am a bit snapshot happy and you can fill up your host hard drive very quickly. I also took the opportunity to enable the shared clipboard from host to guest now (this is where the VirtualBox Extension Pack comes in handy; I take it you have already installed it at this point, and if not, just double click on it afterwards and it will be installed quickly).
In the System settings remove the floppy, as you don’t need it, and arrange the CD/DVD and Hard Disk as you see them below.
Next you need to select the Linux Mint ISO you already downloaded and set it for booting: click on where it says Empty, then click on the disc icon over on the right, next to where it says ‘IDE Secondary Master’.
Once selected it should look like the following.
The last things we need to change now are the NICs on the system. Select Network and you should already have NAT configured, which is fine for now and will provide the Internet connection necessary for updating the system as well as installing and configuring everything else along the way; this will change throughout the tutorial. If you require an Internet connection, turn NAT on; if not, use the internal NIC.
Click on Adapter 2 too and tick the box to enable the network adapter. For testing I will mainly be using my internal lab, but feel free to choose your physical Ethernet or wireless adapter for this by selecting Bridged here and choosing the correct adapter from the drop down; in my case it looks like below. You can see I have changed the adapter Type, and also set Promiscuous Mode, which is important for sniffing, to Allow VMs; if you were on a physical NIC you could change this to Allow All to capture traffic from the physical network outside of the virtual environment.
Click OK and that’s it, you are good to go!
Start your virtual machine now by clicking on the Start button up the top left, or alternatively right click and do it from there.
You will get a warning about capture of the mouse etc.; just accept it, and remember that right CTRL will release you from the virtual guest environment and take you back to the host again.
Now it’s time to install Linux Mint by double clicking on the Install Linux Mint icon on the desktop.
Choose your language and click continue
If you followed all the steps so far you should see the same ticks, so just click on continue
Just click Install Now to erase the disk and install Linux Mint
Yep, you are aware things are going to be wiped; just click on continue to start things off and format the drive
Select your country and click continue
Do the same for the keyboard layout and click continue
Pick your name, computer name and username, enter a password and click on continue
Wander off and do something for a few minutes, depending on the speed of your machine, and then come back to it
You should then get a screen like below and can hit Restart Now
Up the top left click on Devices and install Guest Additions
Navigate to the mounted disc
Enter yes if given a warning like below and press Enter to continue
Once complete you should see no errors, reboot and login again
You will notice now that you can go full screen after the reboot
Now to update the system fully before continuing any further, use the following command in the terminal:
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y
Enter your password once, leave it to run for a while and come back later; it should then be fully up to date for you
Once finished without errors you should be back at the prompt again in the terminal
You will also see a tick on the shield in the system tray now, as you are fully up to date
You don’t have to, but I like to reboot after any changes are made to the system; it might also be wise to take a snapshot if you haven’t taken one already.
Set some easy firewall rules with UFW:
sudo ufw default deny
sudo ufw logging high
sudo ufw enable
sudo ufw status verbose
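To confirm the baseline above actually took effect, here is an added check (my own example, not part of the original post) that inspects the text printed by sudo ufw status verbose: the firewall must be active, the incoming policy must be deny (ufw default deny with no direction sets exactly the incoming policy), and logging must be on. The sample status outputs inside the script are constructed to match the shape ufw prints; feed it real output with sudo ufw status verbose | sh check_ufw.sh (a hypothetical file name).

```shell
#!/bin/sh
# Added example, not from the original post: verify the UFW baseline
# (default deny incoming, logging on, firewall enabled) from the output
# of "sudo ufw status verbose".

# Returns 0 when every check passes; prints one line per failed check.
check_ufw_status() {
    status="$1"
    rc=0
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FAIL: firewall is not active (run 'sudo ufw enable')"
        rc=1
    fi
    # The incoming policy is the first entry on the "Default:" line.
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "FAIL: incoming default policy is not deny"
        rc=1
    fi
    if ! printf '%s\n' "$status" | grep -q '^Logging: on'; then
        echo "FAIL: logging is off (run 'sudo ufw logging high')"
        rc=1
    fi
    return $rc
}

# Constructed sample: what ufw prints after the four commands above.
GOOD_STATUS='Status: active
Logging: on (high)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed sample: rules were typed but "ufw enable" never ran.
BAD_STATUS='Status: inactive'

# Constructed sample: enabled, but the defaults were never tightened.
LOOSE_STATUS='Status: active
Logging: off
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

check_ufw_status "$GOOD_STATUS" && echo "OK: UFW baseline in place"
check_ufw_status "$BAD_STATUS" || echo "(expected: inactive sample fails)"
check_ufw_status "$LOOSE_STATUS" || echo "(expected: loose sample fails)"
```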
That’s it for today, tomorrow we will install snort and get this really moving!