Lab 8: Firewall & Intrusion Detection Systems - GitHub Pages


CSC 5991 Cyber Security Practice
Lab 8: Firewall & Intrusion Detection Systems

Introduction

In this lab students will explore the Snort Intrusion Detection System. The students will study Snort IDS, a signature-based intrusion detection system used to detect network attacks. Snort can also be used as a simple packet logger. For the purpose of this lab the students will use Snort as a packet sniffer and write their own IDS rules.

Software Requirements

All required files are packed and configured in the provided virtual machine image.
- The VMWare
- The Ubuntu 14.04 Long Term Support (LTS)
- Snort: A signature-based Intrusion Detection System
  https://www.snort.org/#get-started

Fengwei Zhang - CSC 5991 Cyber Security Practice

Starting the Lab 8 Virtual Machine

In this lab, we use Ubuntu as our VM image. Select the VM named “Lab8”. Log in to the Ubuntu image with username csc5991-student and password [TBA in the class]. Below is the screen snapshot after login.

Installing Snort into the Operating System

In our Lab 8 Ubuntu VM image, Snort has already been installed and set up for you. If you want to use your own version of the image, you need to install Snort into the operating system. To install the latest version of Snort, you can follow the installation instructions on the Snort website. Note that the installation instructions vary between operating systems. The instructions below show how to install Snort from its source code on Linux. You can find more information here:
https://www.snort.org/#get-started

While you install Snort, your system may be missing some libraries. You need to install the required libraries, too.

Configuring and Starting the Snort IDS

After installing Snort, we need to configure it. The configuration file of Snort is stored at /etc/snort/snort.conf. The screenshot below shows the commands to configure Snort. You need to switch to root to gain permission to read the Snort configuration file.

After configuring Snort, you need to start it. You can simply type the following command to start the service:

    service snort start

or

    /etc/init.d/snort start

Snort Rules

Snort is a signature-based IDS, and it defines rules to detect intrusions. All rules of Snort are stored under the /etc/snort/rules directory. The screenshot below shows the files that contain the rules of Snort.

The screenshot below shows a real rule in /etc/snort/rules/web-misc.rules. The slides of Lab 8 have more information about Snort rules, including syntax and format.

Writing and Adding a Snort Rule

Next, we are going to add a simple Snort rule. You should add your own rules at /etc/snort/rules/local.rules. Add the following line into the local.rules file:

    alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)

Basically, this rule defines that an alert will be logged if an ICMP packet is found. The ICMP packet could be from any IP address, and the rule ID (SID) is 1000001. Make sure to pick a SID greater than 1000000 for your own rules. The screenshot below shows the contents of the local.rules file after adding the rule.

To make the rule take effect, you need to restart the Snort service by typing the following command:

    service snort restart

or

    /etc/init.d/snort restart
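A typo in a rule header (a dropped direction arrow, a SID in the range reserved for the stock rule set) surfaces only when Snort refuses to restart, so it helps to check a local.rules line first. The checker below is an added example, not part of the handout or of Snort itself; the action and protocol sets are assumptions restricted to the common values, and it inspects only the header layout and the msg/sid/rev options.

```python
"""Check a single-line Snort 2 rule before adding it to local.rules.
Added example, not the handout's or Snort's code: it checks only the header layout
and the msg/sid/rev options, so still run Snort's own config test before restarting."""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000  # handout: SIDs for your own rules must be greater than this

# Header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def split_options(opts: str) -> dict:
    """Turn 'msg:"a; b"; sid:1;' into {'msg': 'a; b', 'sid': '1'}; ';' inside quotes is data."""
    fields, cur, in_quotes = {}, "", False
    for ch in opts + ";":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if cur.strip():
                key, _, value = cur.strip().partition(":")
                fields[key.strip()] = value.strip().strip('"')
            cur = ""
        else:
            cur += ch
    return fields

def validate_rule(rule: str) -> list:
    """Return the problems found; an empty list means the rule looks well formed."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header must be: action proto src sport -> dst dport (options)"]
    problems = []
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {m['proto']!r}")
    opts = split_options(m["opts"])
    if "msg" not in opts:
        problems.append("missing msg option, so the alert would carry no description")
    if not opts.get("sid", "").isdigit():
        problems.append("missing or non-numeric sid")
    elif int(opts["sid"]) <= LOCAL_SID_MIN:
        problems.append(f"sid {opts['sid']} is reserved; local rules need sid > {LOCAL_SID_MIN}")
    if not opts.get("rev", "").isdigit():
        problems.append("missing or non-numeric rev")
    return problems
```

Running `validate_rule` on the handout's ICMP rule returns an empty list, while the same line with `->` typed as `-` returns the header error.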

Triggering an Alert for the New Rule

To trigger an alert for the new rule, you only need to send an ICMP message to the VM image where Snort runs. First, you need to find the IP address of the VM by typing the following command:

    ifconfig

For instance, the screenshot shows the execution result on my VM image, and the IP address is 172.16.108.242.

Next, you can open a terminal on your host. If your host is a Windows OS, you can use one of the following two ways to open a terminal:
1. Press "Win-R", type "cmd" and press "Enter" to open a Command Prompt session using just your keyboard.
2. Click "Start > Program Files > Accessories > Command Prompt" to open a Command Prompt session using just your mouse.

After you have a terminal, you can just type the following command to send ping messages to the VM:

    ping 172.16.108.242

After you send the ping messages, the alerts should be triggered and you can find the log messages in /var/log/snort/snort.log. However, the snort.log file is in a binary format. You need to use a tool called u2spewfoo to read it. The screenshot below shows the result of reading the Snort alerts.

You can see that the SID is 1000001, and the alerts are generated by the ICMP messages.

Assignments for Lab 8

1. Read the lab instructions above and finish all the tasks.
2. Answer the questions in the Introduction section, and justify your answers. A simple yes or no answer will not get any credit.
   a. What is a zero-day attack?
   b. Can Snort catch zero-day network attacks? If not, why not? If yes, how?
   c. Given a network that has 1 million connections daily where 0.1% (not 10%) are attacks. If the IDS has a true positive rate of 95%, what false alarm rate do I need to achieve to ensure the probability of an attack, given an alarm, is 95%? (You may use the math approach from the slides.)
3. Write and add another Snort rule and show me that you trigger it.
   a. The rule you added (from the rules file)
   b. A description of how you triggered the alert
   c. The alert itself from the log file (after converting it to readable text)

Extra Credit (10pt): Write a rule that will fire when you browse to craigslist.org from the machine Snort is running on; it should look for any outbound TCP request to craigslist.org and alert on it.

Happy Hacking!
