Samba Lompo
CSEC630
1. When running Snort IDS why might there be no alerts?
There are a couple of reasons why Snort IDS might produce no alerts. The first is configuration: the administrator has to tune Snort to the correct settings before it will generate any alerts. Because Snort works from a ruleset, it can be mistakenly set up for a port other than the one the network is actually using. The mistake can occur either by keeping Snort's default settings or when users adjust them to their own network requirements. When the default settings are changed to rules other than those the website provided, the administrator may have disabled packet sniffing on a port that needed to be enabled, so no alerts are produced for that port. Also, the traffic may simply not be passing through any of the ports the administrator configured Snort to inspect, which again produces no alerts on the network.
2. If we only went to a few web sites, why are there so many alerts?
Typically, an Intrusion Detection System (IDS) is designed to monitor all inbound and outbound network activity and identify suspicious patterns using techniques such as packet sniffing. There would be a lot of alerts because Snort is a public domain intrusion detection system that monitors traffic by examining every packet on a network, a process called packet sniffing. Since Snort is a rule-based IDS, when a packet comes in its source and destination IP addresses and ports are compared to the rules in the ruleset. If any rule applies to the packet, that rule's options are then compared to the packet. If all of these comparisons return a match, the specified action is taken.
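To make the two-stage matching concrete, here is an added Python example (not part of the lab and not Snort's own code) that evaluates a simplified, constructed rule grammar the way the answer describes: header fields first, then the content option. The rules and packets are constructed for the example, and it also illustrates the point from question 1: rules that only watch port 80 produce nothing when the traffic goes to 8080.

```python
import re

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(text):
    """Simplified grammar: action proto src sport -> dst dport (options)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, options=options)

def _addr_ok(spec, addr):
    """'any', an exact IP, or a CIDR on an octet boundary (prefix test)."""
    if "/" in spec:
        net, bits = spec.split("/")
        return addr.split(".")[:int(bits) // 8] == net.split(".")[:int(bits) // 8]
    return spec == "any" or spec == addr

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(rule, pkt):
    """Stage 1: protocol, then source/destination address and port."""
    return (rule["proto"] == pkt["proto"]
            and _addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))

def options_match(rule, pkt):
    """Stage 2: only reached when the header matched; checks the 'content' option."""
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]

def evaluate(rules, pkt):
    """Return the msg of every rule whose header and options both match."""
    return [r["options"]["msg"] for r in rules
            if header_matches(r, pkt) and options_match(r, pkt)]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"web request"; content:"GET ";)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"cmd.exe probe"; content:"cmd.exe";)')]

# Constructed packets: an HTTP request to port 80, and the same request to 8080
WEB = dict(proto="tcp", src="10.1.1.5", sport=51000, dst="192.168.1.10", dport=80, payload=b"GET /index.html")
WRONG_PORT = dict(WEB, dport=8080)   # the rules only watch 80, so this never alerts
```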
3. What are the advantages of logging more information to the alerts file?
The advantage of logging more information in the alerts file is that it would lay out in detail the