Question 1: Snort Rules Case Study
A small company has a network set up behind a NAT router. The router is connected to the Internet via a single ISP-provided dynamic IP address, which may change over short periods of time.
The internal network is RFC 1918 Category 2 compliant and uses the private address space 192.168.3.0/24. The gateway router allocates IP addresses to internal hosts via DHCP as they connect. However, the router keeps a record of which IP addresses have previously been allocated to specific MAC addresses, so whenever those hosts disconnect from and later reconnect to the network they are reallocated the same IP address. Only if the router has a power-off episode, or is manually reset, may different IP addresses be allocated (and even then the same addresses may be allocated as before).
The company operates an approved internal web server at 192.168.3.21:80, to facilitate in-house development of web pages and web sites that will later be deployed to an external server for public access. It is a company policy that only one approved internal web server is to be in operation on the network.
You are the company IT Manager.
It has come to your notice that a company employee has set up a rogue web server on the internal network, using a personal laptop. The employee is using that web site to provide undesirable material to a small clique of employees, to whom the web server address has been provided secretly.
The company CEO has requested you to:
1. Obtain hard evidence that an employee is in fact using a personal laptop to set up a rogue web server.
2. Find out what other employees are accessing the rogue web site.
Considerations
- The rogue web server may be on any internal IP address and will be using any of the ephemeral ports. It will not be using a well-known port.
- The clients accessing the rogue web server may come from any internal IP address using any ephemeral port.
- The MAC addresses of all company host devices are on record.
- The MAC address of the device being used to host the rogue web server, and the MAC addresses of all devices that connect to the rogue server, need to be obtained for later use as evidence.
Technical Approach to the Solution
To carry out the CEO's request you have decided to:
A) Use Wireshark to capture packet data on the internal network.
B) Use snort to monitor for any internal network HTTP traffic destined for any internal host and port other than the authorised company internal web server (192.168.3.21:80), and produce an alert message.
The snort monitoring will identify when breaches have occurred. The Wireshark pcap file containing the captured packets can then be time-correlated with the logged snort alerts (by timestamp, IP addresses and ports) to obtain the MAC addresses of the source and destination hosts from the Ethernet headers.
You are to write a .conf file containing the snort rule(s) that will accomplish the technical approach to a solution.
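As an added worked example (not part of the assignment text or a model answer), the following .conf file implements the technical approach above in Snort 2.9 rule syntax. The variable names, the stream5 preprocessor lines, the message strings and the SIDs (1000001 to 1000003, in the locally reserved range) are illustrative assumptions. The key design point is that the authorised server lives on port 80, while the rogue server is stated to use an ephemeral port, so restricting the destination port range to 1024:65535 excludes 192.168.3.21:80 without needing to negate that host explicitly; a third rule covers the remaining case of another host answering on port 80.

```snort
# rogue_web.conf -- added example, not the assignment's own solution.
# Snort 2.9 syntax assumed. Variable names and SIDs are illustrative.

ipvar HOME_NET 192.168.3.0/24
ipvar APPROVED_WEB 192.168.3.21
portvar APPROVED_WEB_PORT 80
# "Ephemeral" here means anything above the well-known range (0-1023).
portvar EPHEMERAL_PORTS 1024:65535

# Minimal TCP stream tracking so the flow keyword in the rules is honoured.
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no
preprocessor stream5_tcp: policy first

# Rule 1: an internal client sends an HTTP request to an internal host on an
# ephemeral port. 192.168.3.21:80 can never match because 80 is outside
# EPHEMERAL_PORTS. In the alert, src IP = suspected client, dst IP = suspected
# rogue server.
alert tcp $HOME_NET any -> $HOME_NET $EPHEMERAL_PORTS ( \
    msg:"POLICY rogue internal web server - HTTP request to unapproved host/port"; \
    flow:to_server,established; \
    pcre:"/^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP\/1\.[01]\r\n/"; \
    sid:1000001; rev:1; )

# Rule 2: the reverse direction, an HTTP response leaving an internal host on
# an ephemeral port. Here src IP = rogue server. A response proves a web
# service is actually answering, rather than a client merely probing a port.
alert tcp $HOME_NET $EPHEMERAL_PORTS -> $HOME_NET any ( \
    msg:"POLICY rogue internal web server - HTTP response from unapproved host/port"; \
    flow:to_client,established; \
    content:"HTTP/1."; depth:7; \
    sid:1000002; rev:1; )

# Rule 3: belt and braces. HTTP requests to port 80 on any internal host
# other than the approved server (a second server squatting on port 80).
alert tcp $HOME_NET any -> !$APPROVED_WEB $APPROVED_WEB_PORT ( \
    msg:"POLICY rogue internal web server - HTTP request to unapproved host on port 80"; \
    flow:to_server,established; \
    pcre:"/^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP\/1\.[01]\r\n/"; \
    sid:1000003; rev:1; )
```

Two practical caveats. First, both Wireshark and snort only see internal-to-internal traffic if the capture host sits on a hub, a switch mirror (SPAN) port, or the rogue server's own segment; on an ordinary switch they see only their own traffic plus broadcasts. Second, these rules match cleartext HTTP/1.x only; a rogue server fronted by TLS, or a legitimate device admin interface on a high port, will respectively be missed or produce a false positive, so each alerting destination IP should be checked against the MAC address record before it is treated as evidence. Running snort with the `-e` option additionally prints the Ethernet (link-layer) header in the alert output, which gives the MAC addresses directly and can be used to cross-check the Wireshark correlation.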
Hint
For this question, make sure you do the Snort Project - Week 8 (Intrusion Detection Concepts), located in the course Moodle Site.