Building an ethical hacking lab on your laptop with VirtualBox – Part 5 Linux Mint Snort IDS – Testing Snort

Now comes the joy of using the pfSense system created in the first tutorial: we now have our own little internal network, cut off from the rest of the world and contained entirely on our machine. I used to use host-only networking here, but that leaks, and you can actually see the connections going through your host with tools like TCPView, for example.

I noticed that the internal network adapter did not show up there, so I have stuck with it ever since. At the end of the day the host-only adapter is like using a hub, except that it is virtual.

So let’s get to testing with a local ICMP rule that alerts you when someone pings your system.

Open the local rules file:

sudo vi /etc/snort/rules/local.rules

48 - Testing snort ICMP local rule

Paste in the following rule and then save the file:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000009; rev:001;)

49 - Saving snort ICMP local rule

Run the Snort configuration test again to make sure the rule was saved and loads cleanly:

sudo snort -T -c /etc/snort/snort.conf

50 - Testing snort ICMP local rule saved

Looking through the output you should see the following, showing that one rule has been loaded and that it is an ICMP rule:

51 - Snort ICMP rule loaded
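The rule count in the snort -T output only tells you that a rule parsed; it will not tell you that the rule has no msg, that its sid collides with another local rule, or that the sid sits in the range below 1,000,000 that is reserved for the official rule sets. The following pre-flight check for local.rules is an added example, not part of this tutorial or of Snort itself: its regexes are a simplification of Snort's rule grammar, and the sample file (the tutorial's ICMP rule plus two deliberately bad lines) is constructed.

```python
import re
# A rule is: action proto src sport dir dst dport (opt; opt; ...). Simplified patterns, not Snort's parser.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(?P<key>\w+)(?::\s*(?P<val>"[^"]*"|[^;]*))?;')
LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for the official rule sets

def parse_rule(line):
    # Split one rule into its header fields plus an options dict; ValueError if malformed.
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad rule header: {line!r}")
    rule = m.groupdict()
    rule["options"] = {om.group("key"): (om.group("val") or "").strip('"')
                       for om in OPT_RE.finditer(rule.pop("opts"))}
    return rule

def check_local_rules(text):
    # Parse a local.rules body and return (rules, problems).
    rules, problems, seen = [], [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        try:
            rule = parse_rule(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        sid = rule["options"].get("sid", "")
        if "msg" not in rule["options"]:
            problems.append(f"line {n}: missing msg, the alert would carry no description")
        if not sid.isdigit():
            problems.append(f"line {n}: missing or non-numeric sid")
        elif int(sid) < LOCAL_SID_MIN:
            problems.append(f"line {n}: sid {sid} is in the range reserved for official rules")
        elif sid in seen:
            problems.append(f"line {n}: sid {sid} duplicates line {seen[sid]}")
        seen.setdefault(sid, n)
        rules.append(rule)
    return rules, problems

# Constructed sample local.rules: the tutorial's ICMP rule plus two deliberately bad lines.
SAMPLE_LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000009; rev:001;)
alert icmp $HOME_NET any -> any any (msg:"Outbound ICMP"; sid:999; rev:1;)
alert icmp any any -> $HOME_NET any (sid:10000009; rev:1;)
"""
```

Feed it the real file with `check_local_rules(open("/etc/snort/rules/local.rules").read())` and fix anything it reports before running snort -T.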

Now run the following command to test your configuration so far, before you go further down the rabbit hole:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1

Then, on your pfSense box, ping the IP of your Snort IDS; once you have done this you should see some activity here:

52 - Ping from pfsense to snort box

On your Snort machine you will see the following result, where the source and destination IPs match our pfSense machine and our Snort machine:

53 - Snort ICMP test success

That’s it for this tutorial, well done for getting this far. It’s wise to take a snapshot now, before we install MySQL, create the database and install Barnyard2.