Assignment 4

Implementing an Intrusion Detection System

CET4663

Dr. Philip Craiger

Spring 2015

 

Goal:

 

Write and test several IDS rules that implement a security policy.  You will use the pcap from Assignment 2 (network analysis).

 

Download PCAP file here.

 

Background:

You are the intrusion detection specialist for ABC Security, Inc.  Farnsworth's company has asked you to create a set of intrusion detection rules that implement a security policy his security team created.

 

The specific security policy questions are described below.  Based on your work in assignment 2, Farnsworth is keen to find out more about the employee using the computer with IP address 172.16.136.128.  Most of the policies below apply to that IP address and the server.

 

Requirements:

 

1. Install Snort under Ubuntu or Mint as I demonstrated in the video. Actually you can install it under ANY Linux, I don't care; it should run the same.

2. Create the rules as I demonstrated in the video based on the policies below.

3. Download the packet capture file. Unzip it.

4. Run Snort using your rules as demonstrated in the video.  I show specifically how I would do the assignment below. READ AND FOLLOW.  It will save you a lot of heartache.

 

HERE ARE THE SPECIFIC REQUIREMENTS FOR YOUR INTRUSION DETECTION RULES:

 

You are to create several intrusion detection rules.  Create these in a text file called '<firstname.lastname>.rules' located under /etc/snort/rules. Develop rules that implement the following policies:

 

       1. alert on any incoming pings to the server from .128.  Your message should indicate: ".128 pinging the server."

 

       2. alert on any ftp traffic with the SYN flag set, from .128 to the server.  Message should read: ".128 attempt to FTP to server."

 

       3. alert on any telnet traffic with the SYN flag set,  from .128 to the server. Message should read: ".128 attempt to telnet to server."

 

       4. alert on any ssh traffic containing the keyword "SSH-2", from .128 to the server.  Message should read: ".128 attempt to SSH to server."

 

       5. alert on any http traffic with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to the web server."  

 

       6.  alert on any http traffic with the SYN flag set from the CLASS A private network (10.0.0.0/8) to the server.  Message should read "Possible DDOS."

 

       7.   alert on any DNS traffic from 172.16.136.130 to the local DNS server (172.16.136.1) that contains the keyword "ubuntu".  Message should read "DNS Query Ubuntu."

 

       8.  alert on any packets from .128 to the server containing the text "supersecret.txt"  (note this is the first time I didn't mention a service!) 

 

       9. alert on any ftp traffic from .128 to the server that contains the keyword "pfarnsworth". Message should read "Pfarnsworth over ftp".

 

       10.  alert on any ssh traffic from .128 to the server with the FIN and ACK flags set.  Message should read "F/A for SSH teardown."
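
Added example (not the instructor's rules from the video, and not a full answer key): one rule of each shape the ten policies call for, written against the ipvar names from the snort.conf shown under "How I would do the assignment". The sid values are assumed; any unique number at or above 1000000 works for local rules.

```snort
# Added example, not the course's own rules. Assumes the ipvar names from
# the instructor's snort.conf ($BADGUY, $SERVER) and local sids >= 1000000.

# Policy 1: no service is named, so no port; icmp has none anyway.
# itype:8 restricts the match to echo requests (what "ping" sends);
# drop it if you want every ICMP packet from .128 to the server counted.
alert icmp $BADGUY any -> $SERVER any (msg:".128 pinging the server."; itype:8; sid:1000001; rev:1;)

# Policy 2: a service is named, so the destination port matters.
# flags:S matches a bare SYN (the client's connection attempt), not the
# server's SYN/ACK, so only the .128 -> server direction fires.
alert tcp $BADGUY any -> $SERVER 21 (msg:".128 attempt to FTP to server."; flags:S; sid:1000002; rev:1;)

# Policy 7: a keyword match on a UDP service. DNS encodes names as
# length-prefixed labels, but the bytes of one label are contiguous,
# so a content match on "ubuntu" still hits.
alert udp 172.16.136.130 any -> 172.16.136.1 53 (msg:"DNS Query Ubuntu."; content:"ubuntu"; nocase; sid:1000007; rev:1;)
```

The same three shapes cover the rest: the telnet, http and CLASS_A policies are the FTP rule with a different source variable and port, the SSH-2 and pfarnsworth policies are content matches on a TCP port, and the teardown policy uses flags:FA the way policy 2 uses flags:S. If a flags:S rule gets no hits on a capture whose SYNs carry ECN bits, flags:S,12 tells Snort to ignore the two reserved bits. Policy 8 names no service, so its header is `alert ip $BADGUY any -> $SERVER any` with only a content match.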

 

    -----------

 

How I would do the assignment

 

1. Modify your snort.conf so that you've defined your SERVER, BADGUY (.128), and CLASS_A networks. Mine looked like this:

 

# /24 covers 172.16.136.0-255; written as 172.16.136.0/16 the address has host bits set in the network part.
ipvar HOME_NET 172.16.136.0/24

ipvar SERVER 172.16.136.129

ipvar CLASS_A 10.0.0.0/8

ipvar BADGUY 172.16.136.128

 

2. Remove or comment out all of the rules in the snort.conf file.  Add your rule inclusion to the bottom. Mine looks like this:

 

include $RULE_PATH/myrules.rules (Yours should be named <first>.<last>.rules).

 

3. Create your rules file (<first>.<last>.rules).  Create ONE RULE AT A TIME. Create the first one. Save the rule file.

 

4. Run snort like this:

 

sudo snort -d -l /var/log/snort -c /etc/snort/snort.conf -r <name of pcap file>  -A console > RULE1

 

The RULE1 file will contain the alerts for the first IDS rule.

 

5. Open the RULE1 file (vim, nano, less, cat, etc.) and count the number of alerts.  Snort also writes its startup banner and end-of-run statistics to the same file, so count the alert lines, not every line.  No alerts at all? Your rule is wrong.  Every policy has at least one hit.  If you had at least one hit and you followed the policy above (and hints below) then proceed.  Just because you had hits does NOT mean your rule is correct though: check that every alert's source and destination are the hosts the policy names.

 

6.  If your first rule is correct, you should be done with that rule.  Now open your rules file (/etc/snort/rules/myrules.rules).  Comment out that first rule.  Next, create your second rule based on the policy.  Save the rules file.

 

7.  Run snort again:

 

sudo snort -d -l /var/log/snort -c /etc/snort/snort.conf -r <name of pcap file>  -A console > RULE2

 

8. Open the RULE2 file (vim, nano, less, cat, etc.) and count the number of alerts.  No alerts at all?  Your rule is wrong.  Every policy has at least one hit.  If you had at least one hit and you followed the policy above (and hints below) then proceed. 

 

9.  GOTO 6 until you are done.

 

10. If there are any bugs in your rules, Snort will report them on the screen (as demonstrated in the videos).  Those error messages go to stderr, so they do not end up in the RULE file.  Debug your rules, then rerun them.

 

 

Hints

 

1. Most of the above rules are targeting a specific protocol.  So what protocols will you use (icmp? ip? tcp? udp?)  Each of those is used at least ONCE in the policies.  

 

2. If I DON'T mention a service, then the port DOESN'T matter.  icmp doesn't use a port.

 

3. If I DO mention a service in the policy THEN the port DOES matter. DO NOT use 'any' if I mention a service! (ftp = 21, telnet = 23, etc. are tcp.  DNS uses udp. Hint.)

 

4. The "Class_A" policy above will have a ton of hits.  Over a thousand.  Don't count by hand!  Be smart. Remember Linux?  wc -l RULE6 (then subtract the few banner and statistics lines Snort writes to the same file).

 

Deliverables

 

There are two:

 

1. Your <firstname.lastname>.rules file.  At the top of the rules file, list the rules by message along with the number of hits for each. It should look something like this:


1.  .128 attempt to FTP to server. = <#> 

2.  .128 attempt to telnet to server = <#> 

3.  .128 attempt to SSH to server = <#> 

etc.

 

2. Your ten RULE<#> files that contain the alerts.  I want 10 separate files. I don't want to see ANY unnecessary alerts: they mean you implemented your rules poorly, and I will count off for that.   
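
Added helper, not part of the assignment page, for steps 5 and 8 of the procedure, hint 4, and both deliverables: it counts only real alert lines in a RULE<#> file (so the banner and statistics lines Snort also sends to stdout are not counted), prints the "message = hits" lines deliverable 1 asks for, and flags any alert whose source or destination is not the host pair the policy names, which is what produces the "unnecessary alerts" deliverable 2 warns about. It assumes Snort was run with "-A console" so each alert is one line in Snort's fast format; the sample RULE2 contents are constructed, and the addresses are the BADGUY/SERVER values from the instructor's snort.conf.

```shell
#!/bin/sh
# Added checker for the RULE<N> files, not part of the assignment page.
# Assumes Snort was run with "-A console", so each alert is one line in
# Snort's "fast" format as in the constructed sample below. The addresses
# are the BADGUY/SERVER values from the instructor's snort.conf.

BADGUY=172.16.136.128
SERVER=172.16.136.129

# Constructed stand-in for a RULE2 file: what "snort ... -A console > RULE2"
# leaves behind. Note the banner and statistics lines: Snort writes them to
# stdout too (unless run with -q), so they land in the same file as the alerts.
# The third alert comes from .130, i.e. the rule was written too broadly.
sample_rule2() {
cat <<'EOF'
Running in IDS mode
03/12-10:01:02.000001  [**] [1:1000002:1] .128 attempt to FTP to server. [**] [Priority: 0] {TCP} 172.16.136.128:49152 -> 172.16.136.129:21
03/12-10:01:05.000002  [**] [1:1000002:1] .128 attempt to FTP to server. [**] [Priority: 0] {TCP} 172.16.136.128:49153 -> 172.16.136.129:21
03/12-10:01:07.000003  [**] [1:1000002:1] .128 attempt to FTP to server. [**] [Priority: 0] {TCP} 172.16.136.130:40000 -> 172.16.136.129:21
Run time for packet processing was 0.31 seconds
EOF
}

# Only the alert lines: each carries the [**] marker, the banner and
# statistics lines do not. This is why a bare "wc -l RULE6" over-counts.
alert_lines() { grep -F '[**]'; }

# Number of alerts on stdin.
count_alerts() { alert_lines | wc -l | tr -d ' '; }

# "<message> = <hits>" for each distinct msg on stdin: the line format
# deliverable 1 wants at the top of the rules file.
hits_by_msg() {
    alert_lines \
    | sed -n 's/^.*\[\*\*\] \[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[\*\*\].*$/\1/p' \
    | sort | uniq -c \
    | sed 's/^ *\([0-9][0-9]*\) \(.*\)$/\2 = \1/'
}

# Alert lines whose source or destination is not the SRC -> DST pair the
# policy names. Ports are stripped so ICMP lines (no port) parse the same.
# Any output means the rule matched traffic it should not have.
stray_alerts() {  # usage: stray_alerts SRC DST < RULE<N>
    alert_lines | awk -v src="$1" -v dst="$2" '
        { s = $(NF-2); d = $NF
          sub(/:[0-9]+$/, "", s); sub(/:[0-9]+$/, "", d)
          if (s != src || d != dst) print }'
}

# Full report for one RULE<N> file read on stdin.
report() {  # usage: report SRC DST < RULE<N>
    tmp=$(mktemp)
    cat > "$tmp"
    echo "alerts: $(count_alerts < "$tmp")"
    hits_by_msg < "$tmp"
    if [ "$(stray_alerts "$1" "$2" < "$tmp" | wc -l | tr -d ' ')" -gt 0 ]; then
        echo "STRAY alerts (wrong hosts; the rule is too broad):"
        stray_alerts "$1" "$2" < "$tmp"
    fi
    rm -f "$tmp"
}

# Usage: sh check_alerts.sh RULE2 [SRC DST]   (defaults to BADGUY -> SERVER)
# With no readable file argument the constructed sample above is checked.
if [ -n "${1-}" ] && [ -r "$1" ]; then
    report "${2:-$BADGUY}" "${3:-$SERVER}" < "$1"
else
    sample_rule2 | report "$BADGUY" "$SERVER"
fi
```

For the CLASS_A policy pass the 10.0.0.0/8 side differently: stray_alerts compares exact addresses, so there you only want the destination check, which is the `d != dst` half of the awk condition.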

 

Grading

 

You will be graded on the accuracy of your rules and how well you followed these directions.

 

Create a folder/directory called "<first>.<last>.4". Copy your rules and your ten RULE<#> files to that folder/directory. Zip up that directory.  Make sure your zip file is named <firstname>.<lastname>.4.zip and upload to the Dropbox.

 

Questions? Post them to the Ask the Professor Discussion Group.

 

Have fun!

 

_______________

Here are some hints for using Wireshark to check and see what is in the packet capture.  No, you aren't using Wireshark for this assignment specifically, but it's good to check what you find with Snort against what's in the packet capture.

 

Filter hints from: http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html

 

The filtering capabilities of Wireshark are very comprehensive. You can filter on just about any field of any protocol, even down to the HEX values in a data stream. Sometimes though, the hardest part about setting a filter in Wireshark is remembering the syntax! So below are the top 10 display filters that I use in Wireshark. Please comment below and add any common ones that you use as well.

1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]

2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]

3. http or dns [sets a filter to display all http and dns]

4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

5. tcp.flags.reset==1 [displays all TCP resets]

6. http.request [displays all HTTP GET requests]

7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID]

8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]

9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]

10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]

 

So there are a few of my favorite Wireshark filters (which does not include the Follow TCP Stream filter). How about you? What are your most commonly used filters?

 

 

 
