217 | | 1. We need to first install our own Snort rule on Snort, so that it can detect the intrusion traffic specified in our rule. |
218 | | |
219 | | To install our own rule and configure Snort, in separate windows for VNF1 and VNF2, execute the following commands: |
220 | | |
221 | | - ''' cd ~ ''' |
222 | | - ''' wget !http://csr.bu.edu/rina/grw-bu2016/nfv_ryu/snort/config_snort.sh ''' |
| 217 | 1. We need to first configure Snort so that we can use our rules, or snort’s build-in rules to detect the intrusion traffic. |
| 218 | To configure Snort, in separate windows for VNF1 and VNF2, execute the following commands |
| 219 | |
| 220 | For VNF1: |
| 221 | - ''' cd ~/VNF1/SnortSetup ''' |
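Review bot: new 217 has a typo ("snort's build-in rules" should be "built-in rules") and new 218 drops the trailing colon that introduces the command list, so the sentence now runs into "For VNF1:" without punctuation. On the substance, replacing the `wget !http://csr.bu.edu/...` step (old 222) with a copy already present under ~/VNF1/SnortSetup is the right move: the old flow fetched a shell script over plain http:// with no checksum and executed it, so a reader on a hostile network would have been running whatever came back. It would still help to say in one line what config_snort.sh does (which files under /etc/snort it writes), since the reader is asked to execute it blind on both VNFs.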
224 | | - ''' ./config_snort.sh ''' |
225 | | |
226 | | Here we use a simple rule where all ICMP traffic to the ''destination'' node is considered as intrusion traffic, and the rule is specified as follows: |
227 | | |
228 | | ''' alert icmp any any -> 10.10.1.5 any (msg:"ICMP traffic found to Destination";sid:1000001;) ''' |
229 | | |
230 | | in the file ''' /etc/snort/rules/my.rules'''. |
231 | | |
232 | | |
233 | | 2. We then run Snort IDS on VNF1 and VNF2. In separate windows for VNF1 and VNF2, execute the following command: |
| 223 | - ''' ./config_snort.sh ''' |
| 224 | |
| 225 | For VNF2: |
| 226 | - ''' cd ~/VNF2/SnortSetup ''' |
| 227 | - ''' chmod 755 config_snort.sh ''' |
| 228 | - ''' ./config_snort.sh ''' |
| 229 | |
| 230 | 2. We will use a simple rule where all the ICMP traffic to the ''destination'' node is considered as intrusion traffic. To add the rule, open '' /etc/snort/rules/my.rules '' and add the rule specified below |
| 231 | To open file: |
| 232 | - ''' nano /etc/snort/rules/my.rules ''' |
| 233 | |
| 234 | Add the following rule to '' my.rules '' |
| 235 | - ''' alert icmp any any -> 10.10.1.5 any (msg:"ICMP traffic found to Destination";sid:1000001;) ''' |
| 236 | |
| 237 | 3. We then run Snort IDS on VNF1 and VNF2. In separate windows for VNF1 and VNF2, execute the following command: |
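Review bot: the VNF1 and VNF2 setup lists are inconsistent: VNF2 runs `chmod 755 config_snort.sh` (new 227) before `./config_snort.sh`, but VNF1 goes straight from `cd ~/VNF1/SnortSetup` (new 221) to `./config_snort.sh` (new 223). If the copy under ~/VNF1/SnortSetup does not carry the execute bit, that step fails with "Permission denied"; either add the chmod to the VNF1 list or remove it from VNF2 so the two read the same. In step 2, `nano /etc/snort/rules/my.rules` (new 232) edits a file under /etc, so state whether the tutorial user is root or needs sudo, and say that 10.10.1.5 is the destination node's address, since a reader whose slice assigned a different IP will get no alerts and no hint why. Adding `rev:1;` after the sid is recommended for custom rules and makes later edits to the rule traceable. Finally, the removed text (old 226-230) said config_snort.sh installed this rule itself, whereas the reader now adds it by hand; confirm that the new config_snort.sh still creates my.rules and includes it from snort.conf, otherwise the rule added in nano is never loaded.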
239 | | ''' Note: this command is different from [wiki:GENIExperimenter/Tutorials/NFV/Ryu/LoadBalancePIwithRyu Experiment 2], where the file ''/etc/snort/snort.conf '' specifies which rule files to load. ''' |
240 | | |
241 | | When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and pass any intrusion information to the Ryu controller which will block the intrusion traffic. |
242 | | |
243 | | ''' Note: If you want to re-run this experiment, make sure to remove both files: '' /var/log/snort/alert'' on both VNF nodes, and ''/tmp/attacker.txt'' on the controller node. ''' |
| 243 | ''' Note: this command is different from [wiki:GENIExperimenter/Tutorials/NFV/Ryu/LoadBalancePIwithRyu Experiment 2]. Here we specify the file ''/etc/snort/snort.conf '' to indicate which rule files to load. ''' |
| 244 | |
| 245 | When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and passes any intrusion information to the Ryu controller which will block the intrusion traffic. |
| 246 | |
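Review bot: new 243 contradicts the line it replaces rather than correcting it. Old 239 said Experiment 2 is the one where `/etc/snort/snort.conf` selects the rule files; new 243 says that this experiment is the one that specifies snort.conf. Only one of these can describe the difference from Experiment 2, and the Snort command itself (old 238, new 238-242) is not visible here to settle it, so state plainly which rule-loading mechanism each experiment uses (for example `-c /etc/snort/snort.conf` versus a rule file named directly on the command line). Separately, the re-run note at old 243 (delete `/var/log/snort/alert` on both VNF nodes and `/tmp/attacker.txt` on the controller) has no counterpart on the new side of this hunk; if it was not moved elsewhere, restore it, because a stale alert file or attacker.txt will make the RINA application and the Ryu controller act on the previous run's detections. The grammar fix in the retained paragraph ("passes") is correct.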