Northern Kentucky University



CIT 480: Securing Computer Systems
Lab #11: Snort
Name: _____________________

1: Introduction

In this lab, we will learn about network intrusion detection with the open source tool snort. We will also use tshark, the text interface to Wireshark, to examine captured packets. The first step for this lab is to install snort and tshark on your server (Metasploitable) VM.

# apt-get update
# apt-get install snort tshark

During the install process, you will be asked to set the value of the HOME_NET variable, which is the network that snort will watch for attacks. Enter IP_ADDRESS/32 for HOME_NET, replacing IP_ADDRESS with the IP address of your Metasploitable VM, so that snort will detect activities directed at your server from anywhere on the network.

Snort should be running once the above commands complete. Verify that this is true by checking the process list:

# ps auxw | grep snort

We will identify intrusions from snort's alerts as logged in /var/log/snort/alert. On a production network, snort typically sends its logs to a database, which is then viewed using a web interface such as ACID or snortreport.

You can find the user manual, FAQ, and install guide for snort at . Test the default snort configuration with the -T self-test option, which loads the configuration and rules and then exits without sniffing. Pipe the long output through less.

# snort -c /etc/snort/snort.conf -T 2>&1 | less

This command should produce a large amount of detailed output about the status of your snort configuration. The line you want to see is "Snort successfully loaded all rules and checked all rule chains!" This line will appear in the middle of the output, not at the very end. If you do not see this line, run the command dpkg-reconfigure snort to redo the configuration you did when installing snort. Be sure that your HOME_NET and other variables are set correctly this time.

Test your live snort configuration by visiting the test page (TEST_URL below) from your Linux server. The HTTP response from this host contains the text uid=0(root) gid=0(root) groups=0(root), which will trigger a snort alert.

# wget TEST_URL
# cat /var/log/snort/alert

The alert should be of type "attack responses" and look like the following snort alert, with the appropriate substitutions on the third line for the timestamp, IP addresses, and port number.

[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
DATE-HH:MM:SS.FFFFFF SOURCE_IP:80 -> YOUR_SERVER_IP:RANDOM_PORT
TCP TTL:51 TOS:0x0 ID:40714 IpLen:20 DgmLen:355 DF
***AP*** Seq: 0xF3FA8C0C  Ack: 0xA9F8CC1  Win: 0x73  TcpLen: 20

2: Detecting Network Scans

Boot your Kali VM so that you can ping and scan your Linux server host. In the questions below, if multiple alerts of the same type are generated, indicate the number of alerts of that type. In one terminal window on your server, run the following command to watch for alerts. This command continually monitors the specified file and prints any new data that is appended to it.

# tail -f /var/log/snort/alert

2.1: From the client, ping the Linux server three times using ping's -c (count) option. Does anything show up in the snort alert log? If there is an alert, list the snort alert name (found in the first line of the alert) and the classification (found in the second line) in the box below. If nothing, just write "no alert."

# ping -c 3 LINUX_SERVER_IP

2.2: Scan the open ports on your Linux server. What alerts show up in the snort alert log (in the window where you left the tail -f command running)? List the snort alert name (found in the first line of the alert) and the classification (found in the second line) in the box below.

# nmap -sT LINUX_SERVER_IP

2.3: Use a stealthy FIN scan to identify open ports on your Linux server. How many alerts show up in the snort alert log? Is the FIN (-sF) scan more or less stealthy than the TCP connect (-sT) scan? Include one of the alerts in the box below, along with answers to the questions. If there are no alerts, write "no alerts".

# nmap -sF LINUX_SERVER_IP

2.4: Use a stealthy XMAS scan to identify open ports on your Linux server. How many alerts appear in the snort alert log? Is the XMAS (-sX) scan more or less stealthy than the TCP connect (-sT) scan? Include one of the alerts in the box below, along with answers to the questions. If there are no alerts, write "no alerts".

# nmap -sX LINUX_SERVER_IP

2.5: Attempt to make a scan more stealthy by using IP fragmentation (nmap's -f option splits each probe into small IP fragments). Try the null scan (no TCP flags set). Does anything show up in the snort alert log? If there is an alert, list the snort alert name (found in the first line of the alert) and the classification (found in the second line) in the box below. If nothing, just write "no alert."

# nmap -f -sN LINUX_SERVER_IP

3: Testing snort with pcap files

Packet sniffers like Wireshark and snort can save sniffed packets in a pcap (packet capture) file. These files can then be used for a variety of purposes, including testing that your network intrusion detection system correctly alerts on malicious traffic. We will test snort with the following command line:

# snort -A console -q -c /etc/snort/snort.conf -S HOME_NET=10.0.0.0/8 -r filename.pcap

where filename.pcap is replaced with the name of the file that contains the packets that we plan to use for testing snort. Here -r reads packets from the file instead of a live interface, -A console prints alerts to the terminal, -q suppresses the startup banner and statistics, and -S HOME_NET=10.0.0.0/8 sets HOME_NET to 10.0.0.0/8 for this run instead of the value chosen at install time, so that addresses in the capture, rather than your VM's address, count as the protected network. Before answering the questions below, you will need to download the test files from kosh:

# wget --no-check-certificate LAB_FILES_URL
# tar xjvf lab11-files.tar.bz2

3.1: Run snort using the command line above on both slammer1.pcap and slammer2.pcap. What output is generated for each pcap file? Write "no output" if no output is produced, indicating that snort did not alert on that pcap file.

3.2: Why does snort alert on only one of the two slammer pcap files examined above? The bodies of both packets include the Slammer worm, but the headers differ. Examine the packet headers of both pcap files with tshark to find the answer. tshark's default one-line summary shows the addresses, protocol and ports; add -V to print every header field in full.

# tshark -r slammer1.pcap
# tshark -r slammer2.pcap

4: Submitting the Lab

Bring a printed copy with your name on it to the class period following the one in which this lab was assigned.
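The questions in section 2 ask how many alerts of each type appear in /var/log/snort/alert, which becomes tedious to count by hand once a port scan produces dozens of records. The following parser for snort's full alert format (the five-line records shown in section 1) is an added example written for this handout; it is not part of snort or of the lab files. The sample text it parses is constructed: one record is copied from section 1, the other two come from a hypothetical local rule using sid 1000001, in the range snort reserves for local rules. Run it with the path to the alert file as its argument to count the real alerts on your server.

```python
"""Parse snort's full alert log (the format written to /var/log/snort/alert)
and count how many alerts of each signature were raised.
Added example for this lab; not part of snort."""
import re
from collections import Counter

# First line: [**] [gid:sid:rev] signature name [**]
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
# Second line: [Classification: ...] [Priority: N]  (absent for rules without a classtype)
CLASS_RE = re.compile(r'^\[Classification: (.*?)\] \[Priority: (\d+)\]$')
# Third line: timestamp src[:sport] -> dst[:dport]; the ports are absent for ICMP alerts
FLOW_RE = re.compile(
    r'^(\S+) (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$')


def parse_alerts(text):
    """Split the alert file into blank-line separated records and extract the fields."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a snort alert record; skip it
        rec = {'gid': int(m.group(1)), 'sid': int(m.group(2)), 'rev': int(m.group(3)),
               'name': m.group(4), 'classification': None, 'priority': None,
               'src': None, 'sport': None, 'dst': None, 'dport': None, 'proto': None}
        for ln in lines[1:]:
            c = CLASS_RE.match(ln)
            if c:
                rec['classification'] = c.group(1)
                rec['priority'] = int(c.group(2))
                continue
            f = FLOW_RE.match(ln)
            if f:
                rec['src'], rec['dst'] = f.group(2), f.group(4)
                rec['sport'] = int(f.group(3)) if f.group(3) else None
                rec['dport'] = int(f.group(5)) if f.group(5) else None
                continue
            # Fourth line starts with the protocol name followed by the TTL
            if rec['proto'] is None and re.match(r'^(TCP|UDP|ICMP) TTL:', ln):
                rec['proto'] = ln.split()[0]
        alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Number of alerts per (sid, name): the figure the lab asks for when one alert repeats."""
    return Counter((a['sid'], a['name']) for a in alerts)


# Constructed sample: one record copied from the lab text, two from a hypothetical
# local rule (sid 1000001). Addresses are documentation ranges, not real hosts.
SAMPLE = """[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/15-10:21:03.441201 203.0.113.10:80 -> 10.0.0.5:51234
TCP TTL:51 TOS:0x0 ID:40714 IpLen:20 DgmLen:355 DF
***AP*** Seq: 0xF3FA8C0C  Ack: 0xA9F8CC1  Win: 0x73  TcpLen: 20

[**] [1:1000001:1] LOCAL constructed test alert [**]
[Classification: Misc activity] [Priority: 3]
11/15-10:22:10.000001 198.51.100.7 -> 10.0.0.5
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1000001:1] LOCAL constructed test alert [**]
[Classification: Misc activity] [Priority: 3]
11/15-10:22:11.000001 198.51.100.7 -> 10.0.0.5
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:2  ECHO
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for (sid, name), n in count_by_signature(parse_alerts(text)).most_common():
        print(f'{n:4d}  sid {sid}  {name}')
```

The flow regex deliberately accepts a missing port on either side, because the ICMP alerts you may see in 2.1 carry only addresses on the third line; a parser that insists on IP:PORT silently drops exactly the records the question is about.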
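For section 3, the question is which header fields differ between the two captures. Besides tshark, you can decode the headers directly. The following added example (not part of snort, tshark, or the lab files) reads a classic libpcap file with only the Python standard library and prints, for each IPv4/UDP packet, the fields that a rule header of the form alert udp $EXTERNAL_NET any -> $HOME_NET 1434 compares before any payload matching runs, together with whether the destination lies inside the HOME_NET you pass on the command line. The two packets it processes by default are constructed here: identical placeholder payloads (not worm code) with destinations inside and outside 10.0.0.0/8. They are not slammer1.pcap and slammer2.pcap, and the example does not claim which of those files differs in which way. It assumes Ethernet framing (linktype 1) and the classic pcap format, not pcapng; the script name used in the usage note is hypothetical.

```python
"""Decode a classic libpcap file with the standard library and report, per IPv4/UDP
packet, the header fields a snort rule header compares plus a HOME_NET membership test.
Added example for this lab; not part of snort or tshark. Sample packets are constructed."""
import ipaddress
import struct


def build_pcap(packets):
    """Assemble a little-endian classic pcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack('<IIII', 1000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left zero, which readers accept."""
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b'\x00' * 6 + b'\x00' * 6 + b'\x08\x00'  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + udp


def read_pcap(data):
    """Yield (timestamp_sec, frame_bytes) from a little- or big-endian classic pcap."""
    magic = data[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        endian = '<'
    elif magic == b'\xa1\xb2\xc3\xd4':
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    linktype = struct.unpack(endian + 'I', data[20:24])[0]
    if linktype != 1:
        raise ValueError('this example only decodes Ethernet (linktype 1)')
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_udp(frame):
    """Header fields of an IPv4/UDP frame, or None for anything else (ARP, TCP, ...)."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ihl = (frame[14] & 0x0f) * 4      # IPv4 header length in bytes
    if frame[23] != 17:               # protocol field: 17 = UDP
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    sport, dport, length = struct.unpack('!HHH', frame[l4:l4 + 6])
    return {'src': src, 'dst': dst, 'sport': sport, 'dport': dport,
            'payload_len': length - 8}


def summarize(pcap_bytes, home_net):
    """Per-packet header summary with the $HOME_NET test a rule header applies to the destination."""
    net = ipaddress.ip_network(home_net)
    rows = []
    for ts, frame in read_pcap(pcap_bytes):
        hdr = decode_udp(frame)
        if hdr is None:
            continue
        hdr['ts'] = ts
        hdr['dst_in_home_net'] = ipaddress.ip_address(hdr['dst']) in net
        rows.append(hdr)
    return rows


# Constructed sample: identical placeholder payloads, headers that differ only in destination.
# Port 1434 is the MS SQL resolution service port that Slammer targeted; the payload is not worm code.
PAYLOAD = b'\x04' + b'\x01' * 40
SAMPLE_PCAP = build_pcap([
    build_udp_frame('203.0.113.9', '10.1.2.3', 40000, 1434, PAYLOAD),
    build_udp_frame('203.0.113.9', '192.0.2.3', 40000, 1434, PAYLOAD),
])

if __name__ == '__main__':
    import sys
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_PCAP
    home = sys.argv[2] if len(sys.argv) > 2 else '10.0.0.0/8'
    for r in summarize(data, home):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}  "
              f"udp payload {r['payload_len']} bytes  dst in {home}: {r['dst_in_home_net']}")
```

To apply it to a real capture, pass the file and the HOME_NET you gave snort with -S, for example python3 pcap_headers.py slammer1.pcap 10.0.0.0/8 (the script name is a placeholder). Two packets with the same payload but different dst_in_home_net results are the situation 3.2 asks you to explain: a $HOME_NET rule header is evaluated before the content options, so a payload match alone is not enough for an alert.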