Recently, I deployed Snort on a cloud-based network to act as an Intrusion Detection System (IDS). Installing and compiling Snort on a cloud server running CentOS 5.7 is an adventure on its own! But testing it properly was my main challenge.
The project’s team leader decided to use Snort IDS after my recommendation. Using Snort allowed the project to comply with the client’s security baseline and save $800/month by not using the IDS solution offered by the hosting company.
The only way that I could test the Snort installation’s functionality and configuration was through real world attack simulations. I tried to simulate attacks by using penetration testing tools.
First Test – Port Scanning
Most of the time, penetration testing starts with a port scan, which lets the tester probe the target for open ports and running services and attempt to fingerprint the operating system. To do this I used nmap.
After running nmap, the Snort box was able to detect the port scan. In addition to a TCP port scan, I used nmap to run a UDP port scan to see how well Snort reacted. The Snort installation was able to detect the UDP port scan without problem.
Second Test – Attack on Apache Server
I decided to take my Snort test to a higher level by using Metasploit to launch some actual attacks to see if Snort would be able to detect the attacks.
The first attack I used from Metasploit was an Apache Range DoS attack (auxiliary/dos/http/apache_range_dos), known as Apache Killer. I knew the Apache version installed was not vulnerable, but I just wanted to see if Snort was able to detect the attack. Snort detected this attack and logged it as an alert. Then, I used an attack against the mod_isapi extension in Apache from Metasploit (auxiliary/dos/http/apache_mod_isapi). Snort was able to detect and log this without problem.
Third Test – Protocol Anomaly
I experimented with establishing SSH connections on unconventional ports to check whether Snort would detect SSH protocol anomalies. After a bit of trial and error, Snort was able to detect the SSH port mismatches and log the issue as an alert.
Fourth Test – Web Application Fuzzer
I used Webshag as a web application fuzzer (a tool designed to send random data to a web application) to see if Snort would be able to detect the attack. Within a few seconds of launching the attack, Snort started to log Webshag requests and issue alerts for them. However, in this case, Snort was not able to clearly identify the type of suspicious traffic or attack. It just issued thousands of alerts without any further information about the type or nature of the attack. Still, this was sufficient for our needs.
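When a test like the fuzzer run produces thousands of alerts, reading the raw log is not a practical way to confirm that each test fired the expected signature. The script below is an added example, not part of the original post: it parses Snort's alert_fast output format, summarizes alerts by signature, source address and classification, and reports which expected detections never showed up. The sample alert lines are constructed for this example (the "CONSTRUCTED" messages and SIDs in the 1000001+ range are placeholders, not real rules; gid 122 is the Snort 2.x portscan preprocessor).

```python
import re
from collections import Counter

# Snort "alert_fast" lines look like:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification and ports are optional; the portscan preprocessor emits {PROTO:255} with no ports.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.+?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?'
    r'(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?'
    r'\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample log: one line per test described in the post, plus a non-alert line.
SAMPLE_ALERTS = """\
03/10-14:22:01.123456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.10
03/10-14:22:09.654321  [**] [122:17:1] (portscan) UDP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.10
03/10-14:31:44.000001  [**] [1:1000001:1] CONSTRUCTED Apache Range header DoS attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:51002 -> 198.51.100.10:80
03/10-14:40:12.111111  [**] [1:1000002:1] CONSTRUCTED SSH protocol on non-standard port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:51100 -> 198.51.100.10:8022
03/10-14:45:00.222222  [**] [1:1000003:1] CONSTRUCTED WEB-MISC fuzzer request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51200 -> 198.51.100.10:80
03/10-14:45:00.333333  [**] [1:1000003:1] CONSTRUCTED WEB-MISC fuzzer request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51201 -> 198.51.100.10:80
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev"):
        a[key] = int(a[key])
    a["priority"] = int(a["prio"]) if a["prio"] else None
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def parse_alerts(lines):
    """Parse every line, silently dropping anything that is not an alert."""
    return [a for a in (parse_alert(l) for l in lines) if a]


def summarize(lines):
    """Count alerts per signature, per source host and per classification."""
    alerts = parse_alerts(lines)
    return {
        "total": len(alerts),
        "by_signature": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_classification": Counter(a["cls"] or "(none)" for a in alerts),
    }


def missing_detections(lines, expected_fragments):
    """Return the expected message fragments that no alert in the log contains.

    Use this after each test run: an empty list means every test produced
    at least one alert with the expected signature text.
    """
    seen = [a["msg"] for a in parse_alerts(lines)]
    return [frag for frag in expected_fragments
            if not any(frag in msg for msg in seen)]


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    report = summarize(lines)
    print("total alerts:", report["total"])
    for (gid, sid, msg), n in report["by_signature"].most_common():
        print(f"  [{gid}:{sid}] {msg}: {n}")
    print("missing:", missing_detections(lines, ["TCP Portscan", "UDP Portscan",
                                                "Apache Range", "SSH protocol",
                                                "ICMP flood"]))
```

Pointing `SAMPLE_ALERTS` at the real alert file (for example `/var/log/snort/alert`) turns this into a quick per-test checklist: the signature counts show which rule fired and how often, and `missing_detections` names the tests that produced no alert at all, which is exactly the gap a noisy run like the fuzzer test can hide.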
Using the above tests, I was confident that Snort was installed and configured correctly.