CIS-6322 - Snort Lab

Purpose of the Lab:

The purpose of this lab is to expose the student to the operation of an intrusion detection system. During this lab the student will:
• Use Snort to create rules that detect matching packets and generate alerts whenever there is a match.
• View the generated traffic in Wireshark.

Materials:
• Backtrack virtual machine
• Ubuntu virtual machine
• Windows XP virtual machine
• Snort
• Wireshark
• PuTTY

Assignment:

Turn in:
• Responses to the questions in the lab handout and screenshots for the Web Server Exercise (not exceeding 5 pages).
• A 2-page write-up for the questions below:
  o Briefly describe Snort's configuration modes. Give the basic commands to operate Snort in each of these modes.
  o Explain the basic structure of a Snort rule. List a few rule option keywords for each logical section of the rule.
  o Write a Snort rule to detect a DNS packet using the following details:
      Source IP address: 192.168.23.128
      Destination IP address: 192.168.23.130
  o Write a Snort rule to detect a connection attempt on the Telnet server with IP address 192.168.32.129 and generate alerts for packets with content 'Telnet!' directed to the server.

Due Date: 10/14/11

SNORT

SNORT® is an open source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. Snort can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort can be configured to run in three modes:
• Sniffer mode, which simply reads the packets off the network and displays them for you in a continuous stream on the console (screen).
• Packet Logger mode, which logs the packets to disk.
• Network Intrusion Detection System (NIDS) mode, the most complex and configurable mode, which allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.

This lab is based on the Network Intrusion Detection System (NIDS) mode.

Snort Rules:

Snort uses a simple, lightweight rule description language. The generic structure of a Snort rule is:
    Action Protocol Source_IP Source_Port -> Destination_IP Destination_Port (content:"|Signature|"; msg:"rule invoked"; ...)

The text up to the first parenthesis is the Rule Header, and the section enclosed in parentheses is the Rule Options.
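To make the header/options split concrete, here is an added example that is not part of the lab handout: a small Python parser for the subset of Snort's rule language this lab uses (the Step 2 and Step 6 rules), plus a matcher that evaluates parsed rules against packet summaries. It shows why the narrowed rules of Step 6 fire fewer alerts than the "any any" rules of Step 2. The packets, their payloads and the sid 1000003 content rule are constructed for the example; everything else follows the rule syntax shown above.

```python
"""Added example (not from the lab): parse and match a subset of Snort rules.

Header: action proto src_ip src_port -> dst_ip dst_port
Options: 'key:value;' pairs in parentheses (msg, sid, rev, content).
Supports 'any', single IPs, single ports, ranges like 20:21, and |hex| content.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    options: Dict[str, str] = field(default_factory=dict)
    content: Optional[bytes] = None


@dataclass
class Packet:
    """Constructed packet summary; a real IDS decodes this from the wire/pcap."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def parse_content(value: str) -> bytes:
    """Decode a content string such as 'US|45 52|' into bytes (b'USER')."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        # Even chunks are literal text, odd chunks are hex bytes between | |.
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a supported rule: {text!r}")
    action, proto, sip, sport, dip, dport, body = m.groups()
    rule = Rule(action.lower(), proto.lower(), sip, sport, dip, dport)
    # Options are ';'-separated. (Snort allows ';' inside quoted content;
    # this toy parser does not handle that case.)
    for opt in body.split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            rule.options[key.strip()] = val.strip().strip('"').strip()
    if "content" in rule.options:
        rule.content = parse_content(rule.options["content"])
    return rule


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # range such as 20:21, :1023 or 1024:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.src_ip not in ("any", pkt.src_ip) or not port_matches(rule.src_port, pkt.src_port):
        return False
    if rule.dst_ip not in ("any", pkt.dst_ip) or not port_matches(rule.dst_port, pkt.dst_port):
        return False
    # The content option is an extra condition on the payload bytes.
    return rule.content is None or rule.content in pkt.payload


def count_alerts(rule_texts: List[str], packets: List[Packet]) -> Dict[str, int]:
    """Return {sid: number of packets that fired that alert rule}."""
    rules = [parse_rule(t) for t in rule_texts]
    counts = {r.options["sid"]: 0 for r in rules}
    for pkt in packets:
        for r in rules:
            if r.action == "alert" and rule_matches(r, pkt):
                counts[r.options["sid"]] += 1
    return counts


# The two rules from Step 2 and their narrowed versions from Step 6.
STEP2_RULES = [
    'alert tcp any any -> any 20:21 (msg:"FTP connection attempted"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP Connection attempted"; sid:1000002; rev:1;)',
]
STEP6_RULES = [
    'alert tcp 192.168.23.133 53537 -> 192.168.23.131 20:21 (msg:"FTP connection attempted"; sid:1000001; rev:1;)',
    'alert tcp 192.168.23.133 48866 -> 192.168.23.131 25 (msg:"SMTP Connection attempted"; sid:1000002; rev:1;)',
]
# Constructed rule (sid 1000003 is made up) showing the content option.
CONTENT_RULE = ['alert tcp any any -> any 20:21 (msg:"FTP USER command"; content:"US|45 52|"; sid:1000003; rev:1;)']

# Constructed sample traffic: two FTP and two SMTP connections plus one HTTP request.
PACKETS = [
    Packet("tcp", "192.168.23.133", 53537, "192.168.23.131", 21, b"USER anonymous\r\n"),
    Packet("tcp", "192.168.23.128", 40111, "192.168.23.131", 21, b"PASS guest\r\n"),
    Packet("tcp", "192.168.23.133", 48866, "192.168.23.131", 25, b"EHLO client\r\n"),
    Packet("tcp", "192.168.23.133", 48867, "192.168.23.131", 25, b"EHLO client\r\n"),
    Packet("tcp", "192.168.23.133", 50000, "192.168.23.131", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("Step 2 rules:", count_alerts(STEP2_RULES, PACKETS))   # {'1000001': 2, '1000002': 2}
    print("Step 6 rules:", count_alerts(STEP6_RULES, PACKETS))   # {'1000001': 1, '1000002': 1}
    print("content rule:", count_alerts(CONTENT_RULE, PACKETS))  # {'1000003': 1}
```

The Step 6 rules pin the source IP and the ephemeral source port, so only the one connection in the capture that used exactly that port still matches; any other client, or the same client on its next connection, is no longer detected. That is the trade-off the question in Step 6.h is getting at.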
Overall Lab Steps

1. Setup the environment
2. Create Snort Rules
3. View the previously generated traffic file
4. Execute the snort command with parameters
5. View the snort alerts file
6. Modify Snort Rules and run snort again
7. Generate live traffic and run snort again
8. Close all programs and shut down all virtual machines

Directions:

1. Setup the environment

   a. Restart Windows 7 (Base Operating System) and log in with:
      User: '.\student'
      Password: 'T202!2011' (case sensitive)

   b. Setup the Backtrack virtual machine
      i.   Start VMware Workstation by clicking its icon on the desktop.
      ii.  Click on the Backtrack icon on the desktop. In the VMware BT4R2 window, click on the 'Edit Virtual machine Settings' link. It will pop up the Virtual Machine Settings dialog box; set Network Adapter to Host-Only (if not set already).
      iii. Click on the 'Power on this Virtual Machine' link in the VMware window to launch Backtrack in the virtual machine.
      iv.  Log in to the Backtrack virtual machine with:
           bt login: 'root'
           Password: 'toor'
      v.   Enter Desktop Mode in Backtrack by typing the command below:
           'startx'

      Backtrack doesn't boot with networking by default and doesn't announce itself with a dynamically assigned IP address, so that it stays quiet on the network. To get Backtrack connected to the wired network interface and get an IP address assigned dynamically, follow the instructions below:
      Click: K-Menu > Internet Menu > Wicd Network Manager
      You will see the Wicd window. Click the 'Connect' button. Wait a few moments until the confirmation message "Connected to wired network (IP: xxx.xxx.xxx.xxx)" appears in the status bar at the bottom. Close the 'Wicd Network Manager' window. Backtrack is now connected to the network interface.

2. Create Snort Rules

   a. Go to the Backtrack virtual machine.
   b. On Backtrack, create a blank text file by right-clicking on the desktop and give it the name SnortLab.conf. (Note: you can give any name to the configuration file, but for the purpose of this lab the file is named SnortLab.conf.)
   c. Enter the following rules in the text file created in the previous step.

      RULE 1: Rule to detect an FTP attempt
      alert tcp any any -> any 20:21 (msg:" FTP connection attempted"; sid:1000001; rev:1;)

      Structure of rule 1:
      alert: rule action - generate alerts for the traffic matching the rule
      tcp: protocol
      any: IP address of the source machine
      any: port number on the source machine from where the request is coming
      any: IP address of the destination machine
      20:21: destination port numbers
      msg: alert message
      sid: keyword that is used to uniquely identify the rule
      rev: keyword that is used to identify revisions of the Snort rule

      RULE 2: Rule to detect SMTP packets
      alert tcp any any -> any 25 (msg:"SMTP Connection attempted"; sid:1000002; rev:1;)

   d. Save the file and close it.

3. View the previously generated traffic file

   a. Browse to the folder 'SnortLab' under 'CISLabs' on Backtrack's desktop and copy the file 'SnortTraffic.dat' to Backtrack's desktop.
   b. Open a new console terminal by clicking the icon on the Backtrack task bar OR by navigating to: K-Menu > System Menu > Konsole - Terminal Program
   c. Open Wireshark by typing 'wireshark' at the command prompt and pressing Enter.
   d. In the Wireshark window click File > Open and browse to Desktop/SnortTraffic.dat to open the file. You will be able to see 200 previously captured packets.
   e. Close the Wireshark window.

4. Execute the snort command with parameters

   a. Switch to the Backtrack console and set Backtrack's Desktop as the current working directory by typing: 'cd Desktop'
   b. Type the following command at the command prompt to run snort with parameters including the configuration file and the traffic file:
      'snort -c SnortLab.conf -r SnortTraffic.dat'

      Explanation of the snort command:
      snort: command to execute the Snort IDS
      -c: this command line option is used to specify a configuration file
      -r: this command line option is used to specify a tcpdump-formatted file which contains the traffic to read

      NOTE: For the purpose of this lab, and to get an understanding of how to create Snort rules, a simple configuration file has been created and the rules have been specified directly in the configuration file. However, in a real-world scenario the configuration file is generally more complex, has many more parameters/configurations, and contains a variable that defines the path to the rules files. You can view the default configuration file for Snort, called snort.conf, under the directory /etc/snort.

   c. Observe the output generated by Snort and record the following:
      i.   Number of packets processed by Snort: _______________________________________________
      ii.  Breakdown by protocol (wherever the value is more than 0): ________________________________________________________________________________
      iii. Action stats: _____________________________________________________________________

5. View the snort alerts file

   a. To view the alerts generated by Snort, type the following at the command prompt on Backtrack:
      'cat /var/log/snort/alert'
   b. Observe the alerts and record the number of alerts for the two rules created in Step 2 above.
      Rule 1 (FTP connection attempted): _________________________________________________
      Rule 2 (SMTP connection attempted): _______________________________________________

6. Modify Snort Rules and run snort again

   a. On Backtrack, browse to the folder /var/log/snort. One way to browse to this folder is to click K-Menu > Internet Menu > Konqueror Browser Folder and then enter the path /var/log/snort in the address bar. Click on the alert file in this folder to open it using the KWrite editor.
   b. Delete the entire contents of the alert file.
   c. Save the file and close it.
   d. Open the configuration file (SnortLab.conf) on the desktop of the Backtrack machine.
   e. Make the following changes to the rules, OR delete the previous/existing rules in the SnortLab.conf file and write the following two:
      alert tcp 192.168.23.133 53537 -> 192.168.23.131 20:21 (msg:" FTP connection attempted"; sid:1000001; rev:1;)
      alert tcp 192.168.23.133 48866 -> 192.168.23.131 25 (msg:"SMTP Connection attempted"; sid:1000002; rev:1;)
   f. Save the file and close it.
   g. Execute the snort command again at the command prompt terminal. Make sure the current working directory on the Backtrack console is 'Desktop' before you execute Snort by typing:
      'snort -c SnortLab.conf -r SnortTraffic.dat -N'
   h. Do you observe any changes in the number of alerts generated this time?
      Record the number of alerts generated: ___________________________________________________
      What was the reason for the change in the number of alerts generated after the rules were changed?
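Steps 5 and 6 ask for the number of alerts per rule in /var/log/snort/alert, and Step 7 asks again for live traffic. The following added example, which is not part of the lab handout, reads a file in the shape of Snort's default "full" alert format (a "[**] [gid:sid:rev] message [**]" header, a priority line, then a "timestamp src:port -> dst:port" line) and tallies alerts by sid and by source address, so the per-rule counts can be checked instead of being read off by hand. The three sample alerts embedded in it are constructed, using the addresses from the Step 6 rules.

```python
"""Added example (not from the lab): tally alerts from a Snort full-format alert file."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# "[**] [1:1000001:1] FTP connection attempted [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# "10/14-10:02:11.418233 192.168.23.133:53537 -> 192.168.23.131:21"
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass
class Alert:
    sid: str
    rev: str
    msg: str
    when: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_alert_file(text: str) -> List[Alert]:
    """An alert starts at a [**] header; the next 'timestamp a:p -> b:q'
    line supplies its addresses. Other lines (priority, TCP flags) are skipped."""
    alerts: List[Alert] = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            _gid, sid, rev, msg = h.groups()
            pending = (sid, rev, msg)
            continue
        f = FLOW_RE.match(line)
        if f and pending:
            when, sip, sport, dip, dport = f.groups()
            alerts.append(Alert(*pending, when, sip, int(sport), dip, int(dport)))
            pending = None
    return alerts


def count_by_sid(alerts: List[Alert]) -> Dict[str, int]:
    """Number of alerts per rule, the figure Step 5.b asks you to record."""
    return dict(Counter(a.sid for a in alerts))


def count_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Number of alerts per source address, useful when judging a narrowed rule."""
    return dict(Counter(a.src_ip for a in alerts))


# Constructed sample in the shape of Snort's full alert format (not a real capture).
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] FTP connection attempted [**]
[Priority: 0]
10/14-10:02:11.418233 192.168.23.133:53537 -> 192.168.23.131:21
TCP TTL:64 TOS:0x0 ID:3241 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4B1E2A77  Ack: 0x0  Win: 0x16D0  TcpLen: 40

[**] [1:1000001:1] FTP connection attempted [**]
[Priority: 0]
10/14-10:02:11.419001 192.168.23.128:40111 -> 192.168.23.131:21
TCP TTL:64 TOS:0x0 ID:3242 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19C0FF33  Ack: 0x0  Win: 0x16D0  TcpLen: 40

[**] [1:1000002:1] SMTP Connection attempted [**]
[Priority: 0]
10/14-10:02:12.005417 192.168.23.133:48866 -> 192.168.23.131:25
TCP TTL:64 TOS:0x0 ID:3243 IpLen:20 DgmLen:60 DF
******S* Seq: 0x70A1B2C3  Ack: 0x0  Win: 0x16D0  TcpLen: 40
"""

if __name__ == "__main__":
    found = parse_alert_file(SAMPLE_ALERT_FILE)
    print(count_by_sid(found))     # {'1000001': 2, '1000002': 1}
    print(count_by_source(found))  # {'192.168.23.133': 2, '192.168.23.128': 1}
```

On the lab machine the same functions can be pointed at the real file with open("/var/log/snort/alert").read(); the sid keys map back to the rules in SnortLab.conf, which is why each rule needs a unique sid.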
7. Generate live traffic and run snort again

   A. Setup the environment

      a. Setup the Windows XP virtual machine
         i.   Click on the Windows XP icon on the desktop of the Windows 7 machine. In the VMware Windows XP window, click on the 'Edit Virtual machine Settings' link. It will pop up the Virtual Machine Settings dialog box; set Network Adapter to NAT (if not set already).
         ii.  Click on the 'Power on this Virtual Machine' link in the Windows XP VMware window. This will launch Windows XP in the virtual machine.
         iii. Log in to the Windows XP VM. You can use the Administrator password "T202!2011" for the WinXP VM if prompted.

      b. Determine the Backtrack IP address: type the command below in the Backtrack console terminal to determine its IP address:
         'ifconfig'
         [Backtrack IP]: (inet addr: xxx.xxx.xxx.xxx)
         [Network Interface]: eth(x)
         Make a note of the Backtrack IP and network interface.

      c. Add a snort rule
         i.   Switch over to the Backtrack virtual machine.
         ii.  Open the SnortLab.conf file.
         iii. Delete the previous rules and enter the following rule:
              alert tcp any any -> [Backtrack IP] 22 (msg:"Remote Login"; sid:1000001; rev:1;)
              ([Backtrack IP] was determined in step 7.A.b)
         iv.  Save the file and close it.

      d. Delete previous alerts in the alert file.
         i.   On Backtrack, browse to the /var/log/snort folder by clicking K-Menu > Internet Menu > Konqueror Browser Folder and then entering the path /var/log/snort in the address bar. Click on the alert file in this folder to open it using the KWrite editor.
         ii.  Delete the entire contents of the alert file opened in the step above.
         iii. Save the file and close it.

      e. Open Wireshark in Backtrack and start capturing traffic.
         i.   Open a new terminal in Backtrack.
         ii.  Type 'sudo wireshark' and press Enter.
         iii. Click on the Capture button and click the Start button next to interface eth(x): [Backtrack IP].

   B. Generate traffic using PuTTY and run snort

      a. Click on the Backtrack virtual machine tab and open a new terminal if it is not already open. Execute the snort command at the command prompt. Make sure the current working directory on the Backtrack console is 'Desktop' before you execute Snort by typing:
         'snort -c SnortLab.conf -i eth(x)'
         [Network Interface eth(x) was determined in step 7.A.b]
      b. On the Windows XP machine, double-click the PuTTY icon on the desktop. The PuTTY configuration screen will be displayed. Enter the IP address of Backtrack, [Backtrack IP], in the Host Name field, select the 'Never' option under 'Close window on exit' and click the Open button.
      c. Go to the Windows XP virtual machine and click OK on the Network Error dialog box.
      d. Go to the Backtrack virtual machine, click on the terminal in which you were executing the snort command to give it focus, and then press Ctrl+C. Wait a few minutes, as snort may take a while to display the results.
      e. How many alerts did snort log this time?
         Record the number of alerts generated: __________________________________________________
         Also, observe the packets in the Wireshark window on the Backtrack machine. Do you see any SSH packets? If yes, how many? ______________________________________________________
      f. Observe the output generated by Snort and record the following:
         i.   Number of packets processed by Snort: _________________________________________
         ii.  Breakdown by protocol (wherever the value is more than 0): __________________________________________________________________________
              __________________________________________________________________________
         iii. Action stats: _______________________________________________________________
      g. Stop capturing traffic in Wireshark and close Wireshark. (You do not need to save the file if prompted to do so by Wireshark.)
      h. Click on the Windows XP virtual machine, then click the OK button on the network timeout dialog box, and then close the PuTTY screen, if any screen is displayed.

Web Server Exercise:

Start the Apache2 web server on the Backtrack virtual machine and generate traffic by connecting to the default web page 'index.html' on Backtrack from the Windows XP virtual machine. Then create a rule to detect the connection attempt to the web server and generate alerts for the packets containing 'index.html'.

To start the web server on Backtrack and connect to its default page from Windows XP, follow the steps below:

Note: Make sure you are logged on to the Windows VM with the Network Adapter set to "NAT" to share the host's IP address before proceeding with the following Web Server Exercise.

1. Determine the Backtrack IP: type the command below in the Backtrack console terminal to determine its IP address:
   'ifconfig'
   [Backtrack IP]: (inet addr: xxx.xxx.xxx.xxx)

2. Start the Apache2 server on Backtrack: to start the Apache2 web server on Backtrack, navigate to:
   K-Menu > Backtrack Menu > Services Menu > HTTPD Menu > apache start option
   A confirmation screen will flash with the message "Starting Web Server Apache2 [OK]". An information dialog box will appear with the confirmation message "Apache Server started". The web service is now actively listening on Backtrack's HTTP port.

3. Remove previous alerts on Backtrack: on Backtrack, browse to the /var/log/snort folder by clicking K-Menu > Internet Menu > Konqueror Browser Folder and then entering the path /var/log/snort in the address bar. Click on the alert file in this folder to open it using the KWrite editor. Delete the entire contents of the alert file and save it before you close it.
4. Add a snort rule to detect HTTP packets: open the SnortLab.conf rule file on the Backtrack desktop and delete the rules in the file. Now add a rule to track HTTP packets. You need to write this rule yourself, using the same structure as the previous rules.

5. Run snort to monitor live traffic: click on the Backtrack virtual machine tab and open a new terminal if it is not already open. Set the current working directory to Backtrack's Desktop by typing 'cd Desktop'. Execute Snort to monitor live web traffic by typing the command below:
   'snort -c SnortLab.conf -i eth(x)'
   [Network Interface eth(x) was determined in step 7.A.b]

6. Request the web service from Windows XP: switch to the Win XP VM and request the default index page on the Backtrack web server by typing the following URL in Win XP's Internet Explorer:
   'http://[Backtrack IP]/index.html'
   ([Backtrack IP] was determined in step 7.A.b)
   If your web request is successfully served by the Backtrack web server, you will see the success message 'It works' in WinXP's Internet Explorer.

7. Stop Snort on Backtrack: stop Snort on Backtrack using Ctrl+C at the console prompt and note the action stats printed on the console.

8. Examine alerts: to view and examine the alerts for the live HTTP traffic, type:
   'cat /var/log/snort/alert'
   Write down the rule that you created in step 4 to detect web traffic. Record the number of alerts generated by the rule. Take screenshots of the steps.

9. Stop the Apache web server on Backtrack: to stop the Apache2 web server on Backtrack, navigate to:
   K-Menu > Backtrack Menu > Services Menu > HTTPD Menu > apache stop option
   A confirmation screen will flash with the message "Stopping Web Server Apache2 [OK]".

10. Close all programs and shut down all virtual machines

   a. Shutdown Backtrack
      i.   Close all programs on the Backtrack VM.
      ii.  Log out of the Backtrack VM by clicking: K-Menu > Leave > End Session > Logout
      iii. Then shut down the Backtrack VM by typing on the console: 'shutdown -h now'
   b. Shutdown the WinXP VM:
      i.   Close Internet Explorer on the WinXP VM.
      ii.  Click on the Start Menu and select Shutdown to turn off the WinXP VM.
   c. Close all VMware tabs and close the VMware window.
   d. Log off the Windows 7 machine
      i.   Close any open programs/windows.
      ii.  Log off from the base OS, Windows 7.