In a Terminal window, execute this command to find its IP address:
Make a note of your IP address, as shown below.
Install Snort with these commands:

sudo apt update
sudo apt install snort -y

A blue screen appears asking for the address range of the local network.
Enter your network's subnet, as shown below, press Tab to highlight OK and press Enter.
Execute this command to start Snort:

snort -c /etc/snort/snort.conf -i eth0 -A full

Several screens of messages scroll by, ending with "Commencing packet processing", as shown below.
In the new window, execute this command:
tail -f /var/log/snort/alert

Leave this window running, as shown below.
Open a Command Prompt and execute this command, replacing the IP address with the IP address of your Linux machine.
You should see replies, as shown below. If you do not, you need to troubleshoot your networking before proceeding with this project.
In Server Manager, click "2 Add roles and features", as shown below.
In the "Before you Begin" box, click Next.
In the "Installation Type" box, click Next.
In the "Server Selection" box, click Next.
In the "Server Roles" box, click Next.
In the "Select features" box, check "TFTP Client", as shown below, and click Next.
In the "Confirm installation selections" box, click Install.
Wait a few seconds for the installation to finish.
In the Command Prompt, execute this command:

tftp 192.168.225.130 GET /etc/shadow

Windows says the request failed, as shown below, but it still sends the traffic to the Linux server.
The Linux terminal should show a Snort alert detecting this traffic, as shown below.
The Snort configuration file appears, as shown below.
Press the SPACEBAR to move down a screen at a time, or the up-arrow and down-arrow keys to move one line at a time, until you find the tftp.rules entry, as shown below.
The TFTP alerts come from this file. To see it, press Q to exit "less" and execute this command:
Scroll down and find the TFTP rule for "GET shadow", as shown below.
Notice the format of the rule: this is the famous "Snort Rule" format, used by many IDS products.
The pattern used by this rule is
which is a simple pattern match.
In the Command Prompt, execute this command:

tftp 192.168.225.130 GET /theshadowknows

Windows returns the same error message, as shown below.
Snort sends an alert again, as shown below.
As you can see, this Snort rule is really crude: it will trigger on any request containing the word "shadow", whether or not the file requested is actually /etc/shadow. This is a simple, primitive form of defense.
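To see why the rule fires on both requests, here is an added Python example (not part of the original project and not Snort's own code) that builds constructed TFTP read requests, runs a Snort-style substring match for "shadow" over them, and shows a stricter exact-filename check beside it. The packet layout follows RFC 1350; the helper names are my own.

```python
import struct

# TFTP opcodes (RFC 1350): 1 = RRQ (read request), 2 = WRQ (write request)
RRQ, WRQ = 1, 2


def build_tftp_request(opcode: int, filename: str, mode: str = "netascii") -> bytes:
    """Build a TFTP RRQ/WRQ packet: 2-byte opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None if malformed."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3:  # need filename, mode and the trailing terminator
        return None
    return opcode, parts[0].decode(errors="replace"), parts[1].decode(errors="replace")


def content_match(payload: bytes, pattern: bytes = b"shadow") -> bool:
    """Emulates a Snort-style content match: fire if the bytes appear anywhere."""
    return pattern in payload


def exact_path_match(payload: bytes, path: str = "/etc/shadow") -> bool:
    """Stricter check: fire only when the parsed filename is exactly the path."""
    parsed = parse_tftp_request(payload)
    return parsed is not None and parsed[1] == path


# Constructed sample requests mirroring the commands used in this project
SAMPLES = {
    "GET /etc/shadow": build_tftp_request(RRQ, "/etc/shadow"),
    "GET /theshadowknows": build_tftp_request(RRQ, "/theshadowknows"),
    "GET readme.txt": build_tftp_request(RRQ, "readme.txt"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:22s} substring 'shadow': {content_match(pkt)!s:5}  "
              f"exact /etc/shadow: {exact_path_match(pkt)}")
```

The substring rule fires on /theshadowknows exactly as the project shows; the exact-path check fires only on the real target, at the cost of missing variants such as a relative path.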
In the Command Prompt, execute this command:

tftp 192.168.225.130 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Snort sends an alert again, as shown below. Find the alert numbered "1:1941", and note the text that is covered by a green box in the image below.
tail command corrected 9-29-18