CSEC630 Lab2- IDS Revised 20110614

Published on June 2016

Lab works on IDS and IPS from masters program work in cybersecurity in UMUC


CSEC 630 Lab2 - Intrusion Detection System and Protocol Analysis Lab

Your Faculty Advisor/Teaching Assistant should have provided you with the following information before you started the lab exercise:
• Cisco VPN Username
• Cisco VPN Password
• Virtual Machine (VM) IP Address
• VM Username (works with the Remote Desktop Connection)
• VM Password

A. DOWNLOADING THE VPN CLIENT
1. In your browser, enter the following URL (do not forget the “s” in https): https://vpn.csvcl.net
2. If needed, select “Continue to this website (not recommended).”
3. Be sure that the GROUP is OOB-anyconnect. Enter the Logon name and VPN password given to you.
4. Click on the Start AnyConnect link.
5. For some operating systems, there may be a warning bar just below the menus asking whether you wish to install the VPN client. Click the bar and proceed to install the ActiveX Control. For other operating systems, you may receive a warning message re: “A website wants to open web content…”; click Allow.
6. You may see a window asking you to proceed since the website’s certificate cannot be verified. Select Yes. (Note: If the system locks up, click another window, then click Yes.)
7. Install the AnyConnect VPN Client. This will take a few moments. If prompted, allow the program from an unknown publisher to make changes to the computer. Select Yes. Eventually, you should see “Connection Established.” Note: You need to download this client just once.
8. This step is for future sessions. You will access the Cisco VPN client this way: Select “Cisco AnyConnect VPN” from your Start Menu, or choose: Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco AnyConnect VPN Client. In response to the question on proceeding, click Yes. Click the Connections tab. If you are not connected, click the “Connect” button and enter your logon name and password. Once connected, minimize the window.

B. ACCESSING THE REMOTE DESKTOP CONNECTION
1. Enter https://10.0.4.50/cloud/org/csec630 in the browser and click on “Continue to this website (not recommended)”.
2. Type your logon name and password and click on Login.
3. Click on Add Cloud Computer System.
4. Select CSEC630 and click Next.

5. Type your username in the Name field to uniquely identify your virtual image.
6. Next click Finish.
7. Wait a few minutes for the system to create the virtual machine image.
8. The word “Stopped” will appear.
9. Click on the green Start button to power on the virtual machine.
10. Wait a few moments for the virtual machine to completely start.
11. Once its status changes to Running, double click on the virtual machine image icon (it has a miniature Windows image). If the pop-up is blocked, click the highlighted bar and select “Always Allow Pop-ups from This Site…”. Confirm with a Yes. You may have to log in again. In response to a warning message “A website wants to open web content…”, click on Allow to install the web application. If presented with an invalid certificate, check “Always trust the host with this certificate”. Click Ignore. If there is a problem with the certificate, select “Continue to this website (not recommended)”.
13. Run the VMware executable file. Allow the program to make changes to the computer, if prompted. If presented with an invalid certificate, check “Always trust the host with this certificate”. Click Ignore.
14. Install the VMware Remote Console Plug-In. If necessary, close all Internet Explorer windows. When done, click Finish. Open the browser and re-enter https://10.0.4.50/cloud/org/csec630 and click on “Continue to this website (not recommended)”. Again, type your logon name and password and click on Login.
15. Double click the virtual machine icon. Allow the website to open web content. If presented with an invalid certificate, check “Always trust the host with this certificate”. Click Ignore. Click on the VMware Remote Console button on the top bar of the window and select “Send Ctrl+Alt+Del” from the dropdown menu.
16. Click OK to the opening window warning.
17. In the “Log On to Windows” box, type in the username student1 and the password Csec630, then click OK to log in.

C. EXITING THE APPLICATIONS
1. Log off the cloud application window by closing the window (click the X on the upper right hand corner of the window). Click the Stop button to terminate the cloud application from running. Click Yes to the prompt. Click Logout on the upper right hand side of the window.
2. Access the VPN client window via the Start Menu or use Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco AnyConnect VPN Client. Under the Connection button, click the Disconnect button.
3. Close all windows. This should return your computer to normal.


Note: There are 10 questions you are to answer after completing this lab, found on pp. 17-18. Please submit a Word document that contains your answers to all 10 questions to Web Tycho Gradebook Lab2 Assignment Week 6.

Source: http://www.snort.org/snort

“Snort is a free, open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. Initially called a “lightweight” intrusion detection technology, Snort has evolved into a mature, feature-rich IPS technology that has become the de facto standard in intrusion detection and prevention. With nearly 4 million downloads and approximately 300,000 registered users, Snort is the most widely deployed intrusion prevention technology in the world. Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or a full-blown network intrusion”

DOS CHEAT SHEET

COMMANDLINE                                  EXPLANATION
.                                            current directory
..                                           parent directory (up one directory)
../                                          parent directory (up one directory)
*                                            zero or more of any characters
?                                            any one character
dir directory_to_view                        list directory_to_view
cd directory_to_go_to                        change to directory_to_go_to
copy source_file dest_file                   copy source_file to dest_file
ren old_name new_name                        rename file from old_name to new_name
move dir1\file1 dir2\file2                   move dir1\file1 to dir2\file2
edit /R file1                                view file1 (read only)
edit file1                                   edit file1

Examples:
dir                                          list current directory
dir .                                        list current directory
dir ..                                       list parent directory
dir *rules                                   list current directory where name ends w/ "rules"
dir log                                      list current directory where name="log"
cd                                           change to default user directory
cd ..                                        change to parent directory
cd c:\snort\bin                              change to the bin directory in c:\snort
copy csec630.rules csec630.rules.original    make backup copy in current directory
ren alert alert1                             rename "alert" file to "alert1" in same directory
move log\alert log2\alert1                   move "alert" file in "log" directory to "alert1" in "log2" directory
edit /R csec630.rules                        view the file "csec630.rules" from the current directory read-only
edit csec630.rules                           open the file "csec630.rules" from the current directory for editing
edit /R log\alert*                           view file starting with "alert" in the log directory

SNORT OPTIONS
-c config_filename                           use supplied filename as the configuration/rule file
-l log_directory                             use supplied directory to log alerts
-r pcap_filename                             read supplied filename for processing by snort ruleset
-T                                           test run, don't actually trigger alerts

GETTING ORIENTED

First of all, connect via VPN and start your remote desktop client.

/*** PANIC***/
Notice the “SNORT PANIC” icon on the desktop of the virtual machine. You will be editing the snort rules file during this lab. Clicking this icon will run a script that will refresh certain configuration and rules files, in case they have been corrupted. It's a good idea to click this icon before and after you work on your lab, or in case you make a mistake editing the snort rules file for the lab.
/*** END PANIC***/

The Command Prompt
In the virtual machines we will work from the command prompt. To get to the command prompt, press the Start button within the virtual machine's window, click “Run...”, type “cmd.exe” in the entry box and click “OK”.

Our Working Directory
Let's go to the directory where we have loaded the Snort files. Type the following commands in the command console (for clarity, we will use monospaced type for code that is typed into the command prompt):

cd c:\snort\bin


Now that we are in the “c:\snort\bin” directory, let's take a look. Type “dir” and press enter.

dir
Note that there are a lot of files. Let's take a look at a list of some of the configuration files that are here. They end in “.conf”. These files configure snort's operation.

dir *.conf

Your output may be slightly different, but you should see “snort630.conf” in the list. Let's take a look at what rules files are here in the “c:\Snort\bin” directory. Snort uses rules files to define the type of network traffic that will generate an alert. We happen to have the rules files in this directory. They end in “.rules”, so enter the following command to view files that end with “.rules”:

dir *.rules
This command line will make dir look in the directory we are in for anything that has "rules" at the end of its name. (“csec630.rules” is the file we will be examining; it contains our own rules for this lab.) Now let's see what pcap files are here (.pcap files are packet capture files):

dir *.pcap
For this lab, we will open “CSEC630.pcap” in Wireshark and then we will run it through Snort to see if any of Snort's IDS rules are triggered. Finally, there is a log directory within “c:\Snort\bin”; let's change to that directory and have a look. We are already in “c:\Snort\bin”, so we only need to change to the “log” directory.

cd log
dir

RUNNING WIRESHARK

Introduction to Wireshark
Source: http://www.wireshark.org/faq.html#sec1

“Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2. It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.”

Packet capture files in .pcap format may be examined with tools like tcpdump and Wireshark. For this lab we will use Wireshark to examine a packet capture session from previous network activity that has been saved on our virtual machine. Start Wireshark on your virtual machine from the start menu.

Next, click on the “Open” option under the “Files” header in the middle of the screen, and select “c:\snort\bin\CSEC630.pcap” in the open dialog.


Wireshark will display the packets in the packet capture (.pcap) file listed in rows in three panes. The top pane contains an overview of captured network traffic. The middle pane shows details for the particular selected row. Notice the triangles at the left of “Frame 1”, “Ethernet II”, “Internet Protocol”, and “Transmission Control Protocol”; each of these may be expanded so that you may examine the contents. The pane at the bottom of the screen displays the raw data as a column of hexadecimal side by side with a column of the same data in ASCII format. This is useful in identifying suspicious packet contents: some content will be easily viewed as ordinary ASCII characters, but other suspicious content may not be representable in ASCII at all and can only be identified in the corresponding hexadecimal representation.

Scroll a bit through the capture file by using the scroll-bar in the top pane that has the colored rows of network traffic. That's a lot of information! Thankfully, we can filter the results. Click the “Filter” button. A dialog will pop up. Select “TCP only”, and then click “OK”.


Now we can see the filtered results. In the “Protocol” column we can see “TCP” as well as other protocols which are encapsulated within “TCP” segments.

Again, note the triangle to the left of “Transmission Control Protocol” in the middle pane. Click it; it will expand to show the contents of the TCP segment's header. The corresponding raw data (in hexadecimal alongside an ASCII representation) will be highlighted in the bottom pane. Notice that in the bottom pane to the right, there are a lot of “.” characters, but on the left there are various hexadecimal values representing the binary contents which is not represented in ASCII. A signature for potentially suspicious activity or for a known attack may compare the header or payload contents of a TCP segment to a hexadecimal sequence, or a signature may look for a specific ASCII sequence. Feel free to look around. Scroll down in the top pane until you encounter an HTTP request. You can click on the HTTP information in the middle pane and view the contents of the HTTP header in detail.
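As an added illustration that is not part of the lab handout, the following Python script reproduces what the bottom pane shows (hex column beside an ASCII column, with non-printable bytes rendered as “.”) and checks a payload against the two signature styles just described: a byte sequence written in hex and a plain ASCII string. The payload and the signatures are constructed for this example, not taken from CSEC630.pcap.

```python
"""Hex/ASCII view of a packet payload, as in Wireshark's bottom pane, plus a check of
two signature styles: a raw byte sequence written in hex and a plain ASCII string.
All sample data below is constructed for this example, not taken from CSEC630.pcap."""
from __future__ import annotations

# Constructed sample payload: an HTTP request followed by a few bytes that have
# no printable ASCII form (they are visible only in the hex column).
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + bytes([0x90, 0x90, 0xEB, 0x1F, 0x00, 0x7F])
)


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """One line per `width` bytes: offset, hex column, ASCII column.
    Bytes outside printable ASCII (0x20..0x7e) are shown as '.', as Wireshark does."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_col = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_col}  {ascii_col}")
    return lines


def matches_hex_signature(data: bytes, hex_sig: str) -> bool:
    """Signature given as bytes in hex, written in Snort's |..| notation, e.g. '|90 90 eb 1f|'."""
    needle = bytes.fromhex(hex_sig.strip().strip("|"))
    return needle in data


def matches_ascii_signature(data: bytes, text: str) -> bool:
    """Signature given as a plain ASCII string, e.g. 'GET /index.html'."""
    return text.encode("ascii") in data


# Constructed signatures: two written as hex bytes, one as ASCII text.
SIGNATURES = {
    "hex: constructed byte pattern": ("hex", "|90 90 eb 1f|"),
    "ascii: http get": ("ascii", "GET /index.html"),
    "hex: not present": ("hex", "|de ad be ef|"),
}


def signature_hits(data: bytes, sigs=SIGNATURES) -> list[str]:
    """Names of the signatures that match `data`, in the order they are defined."""
    hits = []
    for name, (kind, sig) in sigs.items():
        if kind == "hex":
            matched = matches_hex_signature(data, sig)
        else:
            matched = matches_ascii_signature(data, sig)
        if matched:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE_PAYLOAD)))
    print("signature hits:", signature_hits(SAMPLE_PAYLOAD))
```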


You can also click on the “Filter” button and select “HTTP” (or type “http” in the drop-down box and click the “Apply” button) to see only packets with encapsulated HTTP content within the TCP payload.

Click the “Clear” button to again see all the captured packets.


RUNNING SNORT

#1) Snort is run from the command line, so let's open up the command prompt. Before we run snort, first let's make sure we are in the right directory. Let's change the directory to “c:\snort\bin”:

cd c:\snort\bin
#2) Now let's test run snort on our pcap file. We will use several options when running snort:
-T                  do a test run w/o triggering alerts/logging results
-c snort630.conf    use “snort630.conf” as the configuration/rules file
-l log\             we want to use “log” as the log directory for alerts
-r CSEC630.pcap     read/process the “CSEC630.pcap” file
Type the following at the command prompt, and then press the enter/return key:

snort -T -c snort630.conf -l log\ -r CSEC630.pcap

We get a lot of output. At the end we see:
"Snort successfully validated the configuration"
"Snort exiting"

3) Let's look in the “log” directory

cd log
dir
Snort will store alerts here. Since this was a test run (we used the -T option), no new alerts were created on this run. To make sure we are starting with a clean slate, let's clean up this directory if there are any alert files in it.

del alert*
4) Really run snort on the pcap file. We are still in “c:\snort\bin\log”, so let's change back to the parent directory, which is “c:\snort\bin”. We can type “cd c:\snort\bin” or we can simply type “cd ..” which is a shortcut to go up to the parent directory.

cd c:\snort\bin
Now let's really run the .pcap file through our snort ruleset. We'll use the same command-line as before, just without the -T option.

snort -c snort630.conf -l log\ -r CSEC630.pcap
We told snort to log any results to the “log” directory, and this was a real run, so there may be an alert. Let's look in the log directory.

cd log
dir
If there is an alert file, look at it. For a file named “alert.ids”, we can look at the file by entering:

edit /R alert.ids

The command “edit /R” opens a file in read-only mode. The file is empty. We can exit the editor by selecting “File” with our mouse, or by pressing “Alt-F”, and then we can either click “Exit” or type “x”.


Let's go up a directory, that is, to the parent directory of "log", where we were before we typed "cd log". To do this, we can use the shortcut "..", which represents the parent directory.

cd ..
We were previously in c:\snort\bin\log, so now we are in the parent directory c:\snort\bin. We are ready to look at some rules.

5) INSPECT RULES FILE
Let's look at the rules file set up for this lab, but let's make sure we open the file read-only, so that we don't accidentally mess up the file. We will use the /R option to edit so it is opened for reading only.

edit /R csec630.rules

Hmm, everything has a “#” character in front of it. Anything after a "#" character is a comment which will be ignored by snort. That's ok for instructions, examples, notes, etc., but we want some rules to fire.

6) BACKUP RULES FILE
Let's make a backup of the “csec630.rules” file so we can safely edit it and test out our changes and still fall back on the original if need be.

copy csec630.rules csec630.rules.original
7) EDIT RULES FILE
Now let's open up “csec630.rules” for editing. We won't include the "/R" (read-only) option this time.

edit csec630.rules
Notice the lines that have two "#" characters at the beginning. These are comment lines. Notice the first line that starts with a single "#" followed by "alert tcp" and then later “msg:” and “sid:” ... this is a snort rule. Scroll through and take a look at this line. Let's remove the '#' character which is at the beginning of that first snort rule. Use cursor keys or mouse, backspace or delete, etc.

Now let's save the file. You can use “Alt-F” or the mouse to select the “File” menu, and then you can type “s” or click “Save” to save the changes that we made. To exit the file, again, press “Alt-F” and then “x”, or use the mouse to select “File” and “Exit”.

8) RERUN SNORT
Let's run Snort again on our .pcap file.

snort -c snort630.conf -l log\ -r CSEC630.pcap

Let's look at the “log” directory now.

dir log
(Notice this time we did not need to change to the “log” directory. We simply typed "log" after the “dir” command, telling "dir" to report on the contents of "log", which is a directory.)

9) INSPECT ALERT FILE
There's an alert file! Let's look at it.

edit /R log\alert.ids
(Note that we are not in the log directory, so we typed "log\alert.ids" to tell edit that we wanted to view the “alert.ids” file in the “log” directory.) Now let's exit (“Alt-F” then “x”, or use the mouse to select “File” and “Exit”). Since this is the alert on the first rule we are examining, let's rename the file "alert.ids" to "alert1": we will change to the “log” directory, rename “alert.ids” to “alert1”, and then change back to the parent directory with “cd ..”

cd log
ren alert.ids alert1
cd ..
Let's look at the “log” directory to make sure we did it right.

dir log
There is a file named "alert1" in the “log” directory, but there is no more "alert.ids" file in the log\ directory. When snort runs it will make a new "alert.ids" file containing any alerts from rules which are triggered when we run snort next.

10) CONTINUE RUNNING SNORT WITH OTHER RULES
Before we run snort again, let's turn off the first rule and turn on the second rule. To accomplish this, let's add a "#" (comment indicator) back to the beginning of the rule we just looked at and let's remove the "#" character which precedes the second rule.

Now let's re-run snort.

snort -c snort630.conf -l log -r CSEC630.pcap
Again let's look at the alert file.

edit /R log\alert.ids
Again, let's rename it. We are in the “c:\Snort\bin” directory so let's change to the “log” directory and rename the “alert.ids” file “alert2”.

cd log
ren alert.ids alert2
cd ..
11) Continue like this through the rest of the rules.

Now that we are done, let's move the original file back in place. Let's make sure we are in the “c:\Snort\bin” directory, and then move the file.

cd c:\snort\bin
move csec630.rules.original csec630.rules
12) Push the PANIC button! OK, now click PANIC. In case things are messed up, we can click on the SNORT PANIC icon on the desktop. This will put back the original .config file, .pcap file, and .rules file. When you are done with your lab, click SNORT PANIC anyhow, to clean up some things for next time.
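The loop of steps 7 through 11 (uncomment one rule, save, run snort, rename the alert file, put the "#" back, move on) can be taken off the keyboard. The Python below is an added example, not part of the lab handout: it rewrites a rules file so that exactly one rule, chosen by its sid, is active and every other rule is commented out. The rules in SAMPLE_RULES are constructed for the example and are not the contents of the lab's csec630.rules; running snort and renaming alert.ids remain the commands shown above.

```python
"""Enable exactly one Snort rule by sid, commenting out the rest.
SAMPLE_RULES is constructed for this example; it is not the lab's csec630.rules."""
from __future__ import annotations
import re

SAMPLE_RULES = """\
## csec630.rules - constructed sample, not the lab file
## Lines beginning with '#' are ignored by Snort; '##' lines are notes, not rules.
#alert tcp any any -> any 80 (msg:"Constructed HTTP GET"; content:"GET "; sid:1000001; rev:1;)
#alert tcp any any -> any any (msg:"Constructed byte pattern"; content:"|90 90 eb 1f|"; sid:1000002; rev:1;)
#alert tcp any any -> any 21 (msg:"Constructed FTP USER"; content:"USER "; sid:1000003; rev:1;)
"""

# A rule line: optional single leading '#', an action, a protocol, and a sid option.
# Lines starting with '##' never match, so the handout's comment lines are left alone.
RULE_RE = re.compile(r"^(#?)\s*(alert|log|pass)\s+\S+\s+.*\bsid:\s*(\d+)\s*;", re.IGNORECASE)


def list_rules(text: str) -> list[tuple[int, bool, str]]:
    """Return (sid, enabled, rule_text) for every rule in the file, active or commented."""
    found = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            found.append((int(m.group(3)), m.group(1) == "", line.lstrip("#").strip()))
    return found


def enable_only(text: str, sid: int) -> str:
    """Rewrite the file so the rule with `sid` is active and all other rules carry a
    single leading '#'. Non-rule lines are kept as they are. Raises ValueError if
    `sid` is not present, so a typo cannot silently disable every rule."""
    hit = False
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        body = line.lstrip("#").strip()
        if int(m.group(3)) == sid:
            out.append(body)
            hit = True
        else:
            out.append("#" + body)
    if not hit:
        raise ValueError(f"sid {sid} not found in rules file")
    return "\n".join(out) + "\n"


def sweep(text: str):
    """Yield (sid, rules_text) for each rule in file order, one active at a time:
    the loop of step 11. Backing up and restoring the original is left to the caller."""
    for sid, _enabled, _rule in list_rules(text):
        yield sid, enable_only(text, sid)


if __name__ == "__main__":
    for sid, variant in sweep(SAMPLE_RULES):
        print(f"--- rules file with only sid {sid} enabled ---")
        print(variant)
```

Write each variant over csec630.rules, run the snort command from step 8, and rename log\alert.ids as in steps 9 and 10 before moving to the next sid.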

You are to include your answers for each of the following 10 questions in a Word document and submit the file in your WebTycho Gradebook Lab 2 Assignment folder. Each question is worth 10 points.
1. When running Snort IDS why might there be no alerts?

2. If we only went to a few web sites, why are there so many alerts?

3. What are the advantages of logging more information to the alerts file?

4. What are the disadvantages of logging more information to the alerts file?

5. What are the advantages of using rule sets from the snort web site?

6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security network and why?


7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?

8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?

9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen, the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?

10. What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow? What would you change to make it better?
