-->
Home
Forensics

Detect DOS, PING etc.. using Snort

    Now a days, it is common to see that most websites are getting down due to DOS, DDOS attacks from Hackers. So, today let's start knowing how we can detect these attacks using an amazing network monitoring tool called Snort.

    Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies. Ok now lets setup our workspace. I'll be using Ubuntu OS particularly for this and my local ip address is 192.168.1.103

Lets make some changes in Snort's configuration file.

𝚜𝚞𝚍𝚘 𝚐𝚎𝚍𝚒𝚝 /𝚎𝚝𝚌/𝚜𝚗𝚘𝚛𝚝/𝚜𝚗𝚘𝚛𝚝.𝚌𝚘𝚗𝚏

Now, change HOME_NET IP address to your ip range. Like, 

𝚒𝚙𝚟𝚊𝚛 𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝟷𝟿𝟸.𝟷𝟼𝟾.𝟷.𝟶/𝟸𝟺

Now go to the path given below and add the rules.

/𝚎𝚝𝚌/𝚜𝚗𝚘𝚛𝚝/𝚛𝚞𝚕𝚎𝚜/𝚕𝚘𝚌𝚊𝚕.𝚛𝚞𝚕𝚎𝚜

Detect PING scan:

So how you are going to detect is by adding rules in Snort's configuration file. This will be same for other attacks too.

Rule:
𝚊𝚕𝚎𝚛𝚝 𝚒𝚌𝚖𝚙 𝚊𝚗𝚢 𝚊𝚗𝚢 -> $𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝚊𝚗𝚢 (𝚖𝚜𝚐:"𝙿𝚒𝚗𝚐 𝚍𝚎𝚝𝚎𝚌𝚝𝚎𝚍"; 𝚜𝚒𝚍:𝟷𝟶𝟶𝟶𝟶𝟶𝟷;
    𝚛𝚎𝚟:𝟷; 𝚌𝚕𝚊𝚜𝚜𝚝𝚢𝚙𝚎:𝚒𝚌𝚖𝚙-𝚎𝚟𝚎𝚗𝚝;)

Let me explain how this rule actually works,
alert ---> show alert 
ICMP ---> it's a protocol used to report error in ipv4
->  ---> to
$HOME_NET ---> destination IP
msg ---> shows message which you write
sid --->  keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily.
100 - 1,000,000 Rules already registered . So u need to use greater than this id like 1,000,123.
rev --->  keyword is used to uniquely identify revisions of Snort rules
classtype:icmp-event ---> Categorizes the rule as an “icmp-event”, one of the predefined Snort categories. This option helps with rule organization.

Now for detecting, just run the below code on your terminal. If someone tries to attack, then you will be able to see the message we set earlier in the rule. 

𝚜𝚞𝚍𝚘 𝚜𝚗𝚘𝚛𝚝 -𝙰 𝚌𝚘𝚗𝚜𝚘𝚕𝚎 -𝚚 -𝚌 /𝚎𝚝𝚌/𝚜𝚗𝚘𝚛𝚝/𝚜𝚗𝚘𝚛𝚝.𝚌𝚘𝚗𝚏 -𝚒 𝚎𝚑𝚝𝟶

-A console   ----> shows standard output alert
-q   ----> quite mode
-i    ----> interface
-c   ----> config

Detect TCP Scan:

Rule:
𝚊𝚕𝚎𝚛𝚝 𝚝𝚌𝚙 𝚊𝚗𝚢 𝚊𝚗𝚢 -> $𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝚊𝚗𝚢 (𝚖𝚜𝚐: "𝚃𝙲𝙿 𝚂𝚌𝚊𝚗 𝙳𝚎𝚝𝚎𝚌𝚝𝚎𝚍";
    𝚜𝚒𝚍:𝟷𝟶𝟶𝟶𝟶𝟶𝟶𝟻; 𝚛𝚎𝚟:𝟸; )

Detect DOS Attack

Rule:
𝚊𝚕𝚎𝚛𝚝 𝚝𝚌𝚙 𝚊𝚗𝚢 𝚊𝚗𝚢 -> $𝙷𝙾𝙼𝙴_𝙽𝙴𝚃 𝟾𝟶 (𝚏𝚕𝚊𝚐𝚜: 𝚂; 𝚖𝚜𝚐:"𝙿𝚘𝚜𝚜𝚒𝚋𝚕𝚎 𝙳𝚘𝚂 𝙰𝚝𝚝𝚊𝚌𝚔
    𝚃𝚢𝚙𝚎 : 𝚂𝚈𝙽 𝚏𝚕𝚘𝚘𝚍"; 𝚏𝚕𝚘𝚠:𝚜𝚝𝚊𝚝𝚎𝚕𝚎𝚜𝚜; 𝚜𝚒𝚍:𝟹; 𝚍𝚎𝚝𝚎𝚌𝚝𝚒𝚘𝚗_𝚏𝚒𝚕𝚝𝚎𝚛:𝚝𝚛𝚊𝚌𝚔 𝚋𝚢_𝚍𝚜𝚝,
    𝚌𝚘𝚞𝚗𝚝 𝟸𝟶, 𝚜𝚎𝚌𝚘𝚗𝚍𝚜 𝟷𝟶;)

Extra references commands on how to do above scans
For Ping scan :- nmap 192.168.1.103
For Tcp scan :- nmap -sT 192.168.1.103
For DOS attack :- Use any tools like hammer, solaris, or your own tools.

This is how big companies detect attacks and scans. They will be running all sorts of rules, If someone tries to attack they will just block/restrict that IP on some constraints basics like, if they get 20 scans continuously from a particular IP like that. 

And this is from my old post on Digital Forensics course on telegram, and I lost some images related this topic. So, if I get my hands on that again, I'll make sure to write one more post on SNORT with images. 
Thank you.

Post a Comment