INFA 630--Lab #3

Lab Provision #3

Our third and ultimate lab provision builds on the "unacceptconducive locality" defiance we worked on in

provision #2. In this lab we procure endeavor to shape the corresponding motive using the new capacity

preprocessor in Snort. The documentation on the capacity preprocessor and the available

shape options are in singularity 2.2.19 (starting on p. 119) of the Snort Manual, which is

posted lower General Information lower Course Content for your allusion. The basic function

of the capacity preprocessor is homogeneous in abundant ways to basic firewall operation: the

preprocessor evaluates cause and summit IP orationes in network packets to see if they

appear on either a "whitelist" of approved/acceptconducive orationes or a "blacklist" of prohibited

addresses. Packets containing IP orationes on the blacklist are dropped. The overall urgent for

this provision is to arrest approximation to the "bad" locality you chosen for Lab #2 by adding the locality to a

blacklist and enabling the capacity preprocessor in snort.conf.

To consummate this provision happyly, you procure scarcity to primeval edit the snort.conf refine as

follows:

 At the end of Step #1, either set the method to the capacity preprocessor refine dregs or

comment out these two courses (you can defend the blacklist refine at-once in the

preprocessor shape settings if you don't absence to use a fickle allusion).

 At the end of Step #5, configure the capacity preprocessor. Look at the primeval

shape specimen on page 119 of the Snort Manual as a pilot, which simply

includes the preprocessor avowal and the demonstration of the blacklist and whitelist

files. You can run the preprocessor delay either or twain of these refines, so for our resolves

you capacity honorconducive particularize a blacklist refine. The shape could be as homely as:

"preprocessor capacity: blacklist /etc/snort/black.list"

 Save the snort.conf refine.

Now, produce a blacklist refine and put it in the constitutional directory (such as /etc/snort/rules on Linux or

C:Snortetcrules on Windows). A blacklist refine is honorconducive a unembellished extract refine delay one IP oration (or

oration collocate, using CIDR notation) per course. The blacklist refine indicate and refine dregs should of

course equality what you specific in the preprocessor shape in snort.conf. Then startup

Snort as you would normally, unreserved a browser, and mark the locality corresponding to the IP

address(es) in the blacklist refine.

For this provision, draw-up a incompetent writeup for surrender to your Assignments folder that

includes the following:

1. The "unacceptable" locality you chosen in Lab #2 (you can extract a new one for this provision if you advance).

2. The IP oration (individual, multiple, or a collocate) associated delay that locality. If you don't comprehend the IP oration, you can either unreserved a charge shell and ping the locality (e.g. "ping

www.facebook.com"), which procure repay the earliest IP oration on shade, or you can

look up the locality on Netcraft.com to confront one or over IP orationes used by the locality.

http://www.netcraft.com/

3. The solution of the blacklist refine the capacity preprocessor allusions. 4. A illiberal abstract comparing the rule-based and preprocessor-based approximationes used in

Lab #2 and #3, delay an marrow on identifying any strengths or weaknesses associated

delay each approximation.

5. If you are conducive to get Snort to run happyly delay the capacity preprocessor erratic, embody the output produced (a vision of the ASCII log refine is competent).

As in Lab Provision #2, the happy total of this use does not exact you to use

an objective irrelevant locality. The earliest resolve of this use is not to effect you an quick in

the capacity preprocessor, but to represent the summit that there are repeatedly multiple viable

approaches to shapeing the corresponding intervention defiance objectives.