CSEC 630 Lab2 - Intrusion Detection System and Protocol Analysis Lab
Your Faculty Advisor/ Teaching Assistant should have provided you with the following
information before you started the lab exercise:
• Cisco VPN Username
• Cisco VPN Password
• Virtual Machine (VM) IP Address
• VM Username (works with the Remote Desktop Connection)
• VM Password
A. DOWNLOADING THE VPN CLIENT
1. In your browser, enter the following URL (do not forget the “s” in
https): https://vpn.csvcl.net
2. If needed, select “Continue to this website (not recommended).”
3. Be sure that the GROUP is OOB-anyconnect. Enter the Logon name
and VPN password given to you.
4. Click on the Start AnyConnect link.
5. For some operating systems, there may be a warning bar just below the
menus asking whether you wish to install the VPN client. Click the bar and
proceed to install the ActiveX Control.
For other operating systems, you may receive a warning message re: “A
website wants to open web content…”, click Allow.
6. You may see a window asking you to proceed since the website’s
certificate cannot be verified. Select Yes. (Note: If the system locks up,
click another window, then click Yes.)
7. Install the AnyConnect VPN Client. This will take a few moments.
If prompted, allow the program from an unknown publisher to make changes to the computer. Select Yes.
Eventually, you should see “Connection Established.”
Note: You only need to download this client once.
8. This step is for future sessions. You will access the Cisco VPN client
this way: Select the “Cisco AnyConnect VPN” from your Start Menu, or
choose:
Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco
AnyConnect VPN Client
In response to the question on proceeding, click Yes.
Click the Connections tab. If you are not connected, click the “Connect”
button and enter your logon name and password. Once connected,
minimize the window.
B. ACCESSING THE REMOTE DESKTOP CONNECTION
1. Enter https://10.0.4.50/cloud/org/csec630 in the browser and click on
“Continue to this website (not recommended)”
2. Type your logon name and password and click on Login.
3. Click on Add Cloud Computer System.
4. Select CSEC630 and click Next.
5. Type your username in the Name field to uniquely identify your virtual
image.
6. Next click Finish.
7. Wait a few minutes for the system to create the virtual machine image.
8. The word “Stopped” will appear.
9. Click on the green Start button to power on the virtual machine.
10. Wait a few moments for the virtual machine to completely start.
11. Once its status changes to Running, double click on the virtual machine
image icon (it has a miniature Windows image).
If the pop-up is blocked, click the highlighted bar and select “Always Allow Pop-ups from This Site…”. Confirm with a Yes. You may have to log in again.
In response to a warning message “A website wants to open web
content…”, click on Allow to install the web application.
If presented with an invalid certificate, check “Always trust the host with
this certificate”. Click Ignore.
If there is a problem with the certificate, select “Continue to this website
(not recommended)”
13. Run the VMware executable file.
Allow the program to make changes to the computer, if prompted.
If presented with an invalid certificate, check “Always trust the host with
this certificate”. Click Ignore.
14. Install the VMware Remote Console Plug-In. If necessary, close all Internet Explorer windows. When done, click Finish.
Open the browser and re-enter https://10.0.4.50/cloud/org/csec630 and
click on “Continue to this website (not recommended)”.
Again, type your logon name and password and click on Login.
15. Double click the virtual machine icon. Allow the website to open web
content. If presented with an invalid certificate, check “Always trust the
host with this certificate”. Click Ignore.
Click on VMWare Remote Console button on the top bar of the window
and select “Send Ctrl+Alt+Del” from the dropdown menu.
16. Click OK to the opening window warning.
17. In the “Log On to Windows” box, type in the username student1 and
the password Csec630 then click OK to log in.
C. EXITING THE APPLICATIONS
1. Log off the cloud application window by closing the window (click the
X on the upper right hand corner of the window). Click the Stop button to
terminate the cloud application from running. Click Yes to the prompt.
Click Logout on the upper right hand side of the window.
2. Access the VPN client window via the Start Menu or use
Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco
AnyConnect VPN Client
Under the Connection button, click the Disconnect button.
3. Close all windows. This should return your computer to normal.
Note: There are 10 questions, found on pp. 17-18, that you are to answer after completing this lab. Please submit a Word document that contains your answers to all 10 questions to the Web Tycho Gradebook Lab2 Assignment, Week 6.
Source: http://www.snort.org/snort
“Snort is a free, open source network intrusion detection and prevention system capable of performing
real-time traffic analysis and packet logging on IP networks. Initially called a “lightweight” intrusion
detection technology, Snort has evolved into a mature, feature-rich IPS technology that has become the
de facto standard in intrusion detection and prevention. With nearly 4 million downloads and approximately 300,000 registered users, Snort is the most widely deployed intrusion prevention technology in the world.
Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety
of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it
should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort
has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user
specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary
uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc),
or a full-blown network intrusion”
DOS CHEAT SHEET
COMMANDLINE:                                 EXPLANATION:
.                                            current directory
..                                           parent directory (up one directory)
../                                          parent directory (up one directory)
*                                            zero or more of any characters
?                                            any one character
dir directory_to_view                        list directory_to_view
cd directory_to_go_to                        change to directory_to_go_to
copy source_file dest_file                   copy source_file to dest_file
ren old_name new_name                        rename file from old_name to new_name
move dir1\file1 dir2\file2                   move dir1\file1 to dir2\file2
edit /R file1                                view file1 (read only)
edit file1                                   edit file1
Examples:
dir                                          list current directory
dir .                                        list current directory
dir ..                                       list parent directory
dir *rules                                   list entries in the current directory whose name ends with "rules"
dir log                                      list the contents of the "log" directory (or, if "log" is a file, that file)
cd                                           show the current directory (in the Windows command prompt, cd with no argument prints the current directory rather than changing it)
cd ..                                        change to parent directory
cd c:\snort\bin                              change to the bin directory in c:\snort
copy csec630.rules csec630.rules.original    make backup copy in current directory
ren alert alert1                             rename "alert" file to "alert1" in same directory
move log\alert log2\alert1                   move "alert" file in "log" directory to "alert1" in "log2" directory
edit /R csec630.rules                        view the file "csec630.rules" from the current directory read-only
edit csec630.rules                           open the file "csec630.rules" from the current directory for editing
edit /R log\alert*                           view the file starting with "alert" in the log directory (read-only)
SNORT OPTIONS
-c config_filename use supplied filename as the configuration/rule file
-l log_directory use supplied directory to log alerts
-r pcap_filename read supplied filename for processing by snort ruleset
-T Test run, don't actually trigger alerts
GETTING ORIENTED
First of all, connect via VPN and start your remote desktop client.
/*** PANIC***/
Notice the “SNORT PANIC” icon on the desktop of the virtual machine. You will be editing the snort
rules file during this lab. Clicking this icon will run a script that will refresh certain configuration and
rules files, in case they have been corrupted. It's a good idea to click this icon before and after you
work on your lab, or in case you make a mistake editing the snort rules file for the lab.
/*** END PANIC***/
The Command Prompt
In the virtual machines we will work from the command prompt. To get to the command prompt, click the Start button within the virtual machine's window, click “Run...”, type “cmd.exe” in the entry box, and click “OK”.
Our Working Directory
Let's go to the directory where we have loaded the Snort files. Type the following commands in the
command console (for clarity, we will use monospaced type for code that is typed into the command
prompt):
cd c:\snort\bin
Now that we are in the “c:\snort\bin” directory, let's take a look. Type “dir” and press enter.
dir
Note that there are a lot of files. Let's take a look at a list of some of the configuration files that are here. They end in “.conf”. These files configure snort's operation.
dir *.conf
Your output may be slightly different, but you should see “snort630.conf” in the list.
Let's take a look at what rules files are here in the “c:\Snort\bin” directory. Snort uses rules files to
define the type of network traffic that will generate an alert. We happen to have the rules files in this
directory. They end in “.rules”, so enter the following command to view files that end with “.rules”
dir *.rules
This command-line will make dir look in the directory we are in for anything that has "rules" at the end
of its name. (“csec630.rules” is the file we will be examining; it contains our own rules for this lab.)
Now let's see what pcap files are here (.pcap files are packet capture files)
dir *.pcap
For this lab, we will open “CSEC630.pcap” in WireShark and then we will run it through Snort to see if
any of Snort's IDS rules are triggered.
Finally, there is a log directory within “c:\Snort\bin”; let's change to that directory and have a look. We are already in “c:\Snort\bin”, so we only need to change to the “log” directory.
cd log
dir
RUNNING WIRESHARK
Introduction to Wireshark
Source: http://www.wireshark.org/faq.html#sec1
“Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic
running on a computer network. It has a rich and powerful feature set and is the world's most popular tool
of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX.
Network professionals, security experts, developers, and educators around the world use it regularly. It
is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive
technology.”
Packet capture files in .pcap format may be examined with tools like tcpdump and Wireshark. For this lab we will use Wireshark to examine a packet capture session from previous network activity that has been saved on our virtual machine.
Start Wireshark on your virtual machine from the start menu.
Next, click on the “Open” option under the “Files” header in the middle of the screen, and select
“c:\snort\bin\CSEC630.pcap” in the open dialog.
WireShark will display the packets in the packet capture (.pcap) file listed in rows in three panes. The top pane contains an overview of captured network traffic. The middle pane shows details for the particular selected row. Notice the triangles at the left of “Frame 1”, “Ethernet II”, “Internet Protocol”, and “Transmission Control Protocol”; each of these may be expanded so that you may examine the contents. The pane at the bottom of the screen displays the raw data as a column of hexadecimal side by side with a column of the same data in ASCII. This is useful in identifying suspicious packet contents: some content is easily read as ordinary ASCII characters, while other suspicious content has no ASCII representation at all but can still be identified in the corresponding hexadecimal representation.
Scroll a bit through the capture file by using the scroll-bar in the top pane that has the colored rows of
network traffic. That's a lot of information! Thankfully, we can filter the results.
Click the “Filter” button. A dialog will pop up. Select “TCP only”, and then click “OK”.
Now we can see the filtered results. In the “Protocol” column we can see “TCP” as well as other
protocols which are encapsulated within “TCP” segments.
Again, note the triangle to the left of “Transmission Control Protocol” in the middle pane. Click it; it will expand to show the contents of the TCP segment's header. The corresponding raw data (in hexadecimal alongside an ASCII representation) will be highlighted in the bottom pane. Notice that in the bottom pane to the right there are a lot of “.” characters, but on the left there are various hexadecimal values representing the binary contents that have no ASCII representation. A signature for potentially suspicious activity or for a known attack may compare the header or payload contents of a TCP segment to a hexadecimal sequence, or a signature may look for a specific ASCII sequence.
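As an added illustration (not part of the original lab handout), the following Python script reproduces the two ideas in this section: rendering a payload as a hex column beside an ASCII column, with “.” standing in for bytes that have no printable ASCII form, and checking a payload against a Snort-style content string in which text between “|” pipes is hexadecimal. The sample payload is constructed here and is not taken from CSEC630.pcap.

```python
import string

# Constructed sample TCP payload; it is not taken from the lab's CSEC630.pcap.
# An HTTP request is followed by four bytes with no printable ASCII form, so the
# ASCII column shows "...." while the hex column shows what the bytes really are.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + bytes([0x90, 0x90, 0xEB, 0x1F])
)

# Bytes shown as themselves in the ASCII column; everything else becomes ".".
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def hex_ascii_dump(data, width=16):
    """Render bytes like Wireshark's bottom pane: offset, hex column, ASCII column."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        # Pad the hex column so the ASCII column lines up on every row.
        lines.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def content_to_bytes(content):
    """Turn a Snort-style content string into raw bytes.

    Text between a pair of "|" characters is hexadecimal, so 'GET|20|/' and
    'GET /' denote the same five bytes. An unpaired "|" is an error.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content: {content!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered pieces sit between pipes and are hex; the rest is text.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def payload_matches(payload, content):
    """True if the payload contains the bytes the content string describes,
    whether the signature was written as ASCII text, as hex, or as a mix."""
    return content_to_bytes(content) in payload


if __name__ == "__main__":
    print("\n".join(hex_ascii_dump(SAMPLE_PAYLOAD)))
    for sig in ("GET /", "|90 90 eb|", "Host|3a 20|example.test", "POST /"):
        print(f"{sig!r:32} match={payload_matches(SAMPLE_PAYLOAD, sig)}")
```

Run it and compare the last row of the dump with the others: the four trailing bytes appear only as dots on the right, but “|90 90 eb|” still matches because the comparison is done on the bytes, not on their ASCII rendering.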
Feel free to look around. Scroll down in the top pane until you encounter an HTTP request. You can
click on the HTTP information in the middle pane and view the contents of the HTTP header in detail.
You can also click on the “Filter” button and select “HTTP” (or type “http” in the drop-down box and
click the “Apply” button) to see only packets with encapsulated HTTP content within the TCP payload.
Click the “Clear” button, to again see all the captured packets.
RUNNING SNORT
1) Snort is run from the command line, so let's open up the command prompt. Before we run snort, first let's make sure we are in the right directory. Let's change the directory to “c:\snort\bin”
cd c:\snort\bin
2) Now let's test run snort on our pcap file.
We will use several options when running snort:
-T do a test run w/o triggering alerts/logging results
-c snort630.conf use “snort630.conf” as the configuration/rules file
-l log\ we want to use “log” as the log directory for alerts
-r CSEC630.pcap read/process the “CSEC630.pcap” file
Type the following at the command prompt, and then press the enter/return key:
snort -T -c snort630.conf -l log\ -r CSEC630.pcap
We get a lot of output. At the end we see:
"Snort successfully validated the configuration"
"Snort exiting"
3) Let's look in the “log” directory.
cd log
dir
Snort will store alerts here. Since this was a test run (we used the -T option), no new alerts were created on this run. To make sure we are starting with a clean slate, let's clean up this directory if there are any alert files in it.
del alert*
4) Really run snort on the pcap file.
We are still in “c:\snort\bin\log”, so let's change back to the parent directory, which is “c:\snort\bin”.
We can type “cd c:\snort\bin” or we can simply type “cd ..” which is a shortcut to go up to the parent
directory.
cd c:\snort\bin
Now let's really run the .pcap file through our snort ruleset. We'll use the same command-line as before, just without the -T option.
snort -c snort630.conf -l log\ -r CSEC630.pcap
We told snort to log any results to the “log” directory, and this was a real run, so there may be an alert. Let's look in the log directory.
cd log
dir
If there is an alert file, look at it. For a file named “alert.ids”, we can look at the file by entering:
edit /R alert.ids
The command “edit /R” opens a file in read-only mode. The file is empty. We can exit the editor by selecting “File” with our mouse, or by pressing “Alt-F”, and then we can either click “exit” or type “x”.
Let's go up a directory, that is, to the parent directory of "log", where we were before we typed "cd log". To do this, we can use the shortcut "..", which represents the parent directory.
cd ..
We were previously in c:\snort\bin\log, so now we are in the parent directory c:\snort\bin. We are ready to look at some rules.
5) INSPECT RULES FILE
Let's look at the rules file set up for this lab, but let's make sure we open the file read-only, so that we
don't accidentally mess up the file. We will use the /R option to edit so it is opened for reading only.
edit /R csec630.rules
Hmm, everything has a “#” character in front of it. Anything after a "#" character is a comment which will be ignored by snort. That's ok for instructions, examples, notes, etc., but we want some rules to fire.
6) BACKUP RULES FILE
Let's make a backup of the “csec630.rules” file so we can safely edit it and test out our changes and
still fall back on the original if need be.
copy csec630.rules csec630.rules.original
7) EDIT RULES FILE
Now let's open up “csec630.rules” for editing. We won't include the "/R" (read-only) option this time.
edit csec630.rules
Notice the lines that have two "#" characters at the beginning. These are comment lines. Notice the first line that starts with a single "#" followed by "alert tcp" and then later “msg:” and “sid:” ... this is a snort rule. Scroll through and take a look at this line. Let's remove the '#' character which is at the beginning of that first snort rule. Use cursor keys or mouse, backspace or delete, etc.
Now let's save the file. You can use “Alt-F” or the mouse to select the “File” menu, and then you can
type “s” or click “save” to save the changes that we made.
To exit the file, again, press “Alt-f” and then “x”, or use the mouse to select “File” and “exit”.
8) RERUN SNORT
Let's run Snort again on our .pcap file.
snort -c snort630.conf -l log\ -r CSEC630.pcap
Let's look at the “log” directory now.
dir log
(Notice this time we did not need to change to the “log” directory. We simply typed "log" after the “dir” command, telling "dir" to report on the contents of "log", which is a directory.)
9) INSPECT ALERT FILE
There's an alert file! Let's look at it.
edit /R log\alert.ids
(Note that we are not in the log directory, so we typed "log\alert.ids" to tell edit that we wanted to view the “alert.ids” file in the “log” directory.)
Now let's exit (“Alt-f” then “x”, or use the mouse to select “File” and “exit”.)
Since this is the alert on the first rule we are examining, let's rename the file "alert.ids" to "alert1"; we
will change to the “log” directory, and then we will rename “alert.ids” to “alert1”, and then we will
change back to the parent directory with “cd ..”
cd log
ren alert.ids alert1
cd ..
Let's look at the “log” directory to make sure we did it right.
dir log
There is a file named "alert1" in the “log” directory, but there is no longer an "alert.ids" file in the log\ directory. When snort runs it will make a new "alert.ids" file containing any alerts from rules which are triggered when we run snort next.
10) CONTINUE RUNNING SNORT WITH OTHER RULES
Before we run snort again, let's turn off the first rule and turn on the second rule. To accomplish this,
let's add a "#" (comment indicator) back to the beginning of the rule we just looked at and let's remove
the "#" character which precedes the second rule.
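The enable/disable cycle of steps 7 and 10 (remove the leading “#” from one rule, put it back, uncomment the next) can also be done by a small script instead of hand-editing in edit, which avoids the kind of accidental corruption the SNORT PANIC button exists to repair. The Python below is an added example, not part of the lab materials; the rules text in SAMPLE_RULES is constructed for illustration and is not the lab's csec630.rules. It locates each rule by its sid, switches exactly one rule at a time, preserves the file's line endings, and refuses to operate on a rules set in which two rules share a sid, since the sid is meant to identify a rule uniquely.

```python
import re

# Constructed stand-in for the lab's csec630.rules (the real file is not reproduced).
# Lines beginning with "##" are comments; a rule line beginning with a single "#"
# is a rule that is present but switched off, exactly as seen in step 5 of the lab.
SAMPLE_RULES = (
    '## CSEC 630 lab rules (constructed sample, not the real file)\n'
    '#alert tcp any any -> any 80 (msg:"HTTP GET seen"; content:"GET "; sid:1000001; rev:1;)\n'
    '#alert tcp any any -> any 80 (msg:"NOP sled bytes"; content:"|90 90 90|"; sid:1000002; rev:1;)\n'
    '#alert tcp any any -> any 21 (msg:"FTP login"; content:"USER "; sid:1000003; rev:1;)\n'
)

# A rule line: an optional single "#" (disabled), then an action keyword, then a
# body carrying a "sid:<number>;" option. "##" comment lines do not match.
RULE_RE = re.compile(
    r"^(?P<off>#?)(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s.*\bsid:\s*(?P<sid>\d+)\s*;.*)$"
)


def parse_rules(text):
    """Return one dict per rule line: line number, sid, enabled flag and body."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "line_no": line_no,
                "sid": int(m.group("sid")),
                "enabled": m.group("off") == "",
                "body": m.group("body"),
            })
    return rules


def active_sids(text):
    """sids of the rules that will actually fire when Snort loads this text."""
    return [r["sid"] for r in parse_rules(text) if r["enabled"]]


def set_rule_state(text, sid, enabled):
    """Return a copy of the rules text with exactly one rule switched on or off.

    Raises KeyError if no rule carries that sid and ValueError if more than one
    does, because the sid is supposed to identify a rule uniquely.
    """
    hits = [r for r in parse_rules(text) if r["sid"] == sid]
    if not hits:
        raise KeyError(f"no rule with sid {sid}")
    if len(hits) > 1:
        raise ValueError(f"sid {sid} appears on lines {[r['line_no'] for r in hits]}")
    rule = hits[0]
    lines = text.splitlines(keepends=True)
    old = lines[rule["line_no"] - 1]
    ending = old[len(old.rstrip("\r\n")):]  # keep the file's own line ending
    lines[rule["line_no"] - 1] = ("" if enabled else "#") + rule["body"] + ending
    return "".join(lines)


def step_through(text, order):
    """Mirror lab steps 7-11: enable the rules one at a time, in the given sid
    order, switching the previous one off first. Yields (sid, rules_text) so
    each version can be written out and run through Snort in turn."""
    current = text
    previous = None
    for sid in order:
        if previous is not None:
            current = set_rule_state(current, previous, False)
        current = set_rule_state(current, sid, True)
        previous = sid
        yield sid, current


if __name__ == "__main__":
    for sid, version in step_through(SAMPLE_RULES, [1000001, 1000002, 1000003]):
        print(f"run with sid {sid} enabled; active rules now: {active_sids(version)}")
```

Each version yielded by step_through is the text you would save as csec630.rules before one Snort run, so the alert file from that run can be attributed to a single sid, which is exactly why the lab renames alert.ids to alert1, alert2, and so on between runs.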
Now let's re-run snort.
snort -c snort630.conf -l log -r CSEC630.pcap
Again let's look at the alert file.
edit /R log\alert.ids
Again, let's rename it. We are in the “c:\Snort\bin” directory so let's change to the “log” directory and rename the “alert.ids” file “alert2”.
cd log
ren alert.ids alert2
cd ..
11) Continue like this through the rest of the rules.
Now that we are done, let's move the original file back in place. Let's make sure we are in the
“c:\Snort\bin” directory, and then move the file.
cd c:\snort\bin
move csec630.rules.original csec630.rules
12) Push the PANIC button!
Ok, now click PANIC
In case things are messed up, we can click on the SNORT PANIC icon on the desktop. This will put
back the original .config file, .pcap file, and .rules file.
When you are done with your lab, click SNORT PANIC anyhow, to clean up some things for next time.
You are to include your answers for each of the following 10 questions in a Word document and submit the file in your WebTycho Gradebook Lab 2 Assignment folder. Each question is worth 10 points.
1. When running Snort IDS why might there be no alerts?
2. If we only went to a few web sites, why are there so many alerts?
3. What are the advantages of logging more information to the alerts file?
4. What are the disadvantages of logging more information to the alerts file?
5. What are the advantages of using rule sets from the snort web site?
6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security
network and why?
7. If a person with malicious intent were to get into your network and have read/write access to your
IDS log or rule set how could they use that information to their advantage?
8. An intrusion prevention system can either wait until it has all of the information it needs, or can
allow packets through based on statistics (guessed or previously known facts). What are the
advantages and disadvantages of each approach?
9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System. At least
two things can happen, the system can allow all traffic through (without being checked) or can deny all
traffic until the system comes back up. What are the factors that you must consider in making this
design decision?
10. What did you find particularly useful about this lab (please be specific)? What if anything was
difficult to follow? What would you change to make it better?