This question was answered on Oct 12, 2011.
1. When running Snort IDS why might there be no alerts?

2. If we only went to a few web sites, why are there so many alerts?

3. What are the advantages of logging more information to the alerts file?


4. What are the disadvantages of logging more information to the alerts file?


5. What are the advantages of using rule sets from the snort web site?

6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security network and why?


7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?


8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?


9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen, the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?


10. What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow? What would you change to make it better?

CSEC630 lab2- IDS revised 20110614[1].pdf

CSEC 630 Lab2 - Intrusion Detection System and Protocol Analysis Lab
Your Faculty Advisor/Teaching Assistant should have provided you with the following
information before you started the lab exercise:

- Cisco VPN Username
- Cisco VPN Password
- Virtual Machine (VM) IP Address
- VM Username (works with the Remote Desktop Connection)
- VM Password

A. DOWNLOADING THE VPN CLIENT
1. In your browser, enter the following URL (do not forget the s in
https): https://vpn.csvcl.net
2. If needed, select Continue to this website (not recommended).
3. Be sure that the GROUP is OOB-anyconnect. Enter the Logon name
and VPN password given to you.
4. Click on the Start AnyConnect link.
5. For some operating systems, there may be a warning bar just below the
menus asking whether you wish to install the VPN client. Click the bar and
proceed to install the ActiveX Control.
For other operating systems, you may receive a warning message re: A
website wants to open web content, click Allow.
6. You may see a window asking you to proceed since the website's
certificate cannot be verified. Select Yes. (Note: If the system locks up,
click another window, then click Yes.) Accepting a certificate your browser
cannot verify means you cannot be sure you are talking to the real portal;
do this only for this isolated lab environment.
7. Install the AnyConnect VPN Client. This will take a few moments.
If prompted, allow the program from an unknown publisher to make changes
to the computer. Select Yes.
Eventually, you should see Connection Established.
Note: You only need to download this client once.
8. This step is for future sessions. You will access the Cisco VPN client
this way: Select the Cisco AnyConnect VPN from your Start Menu, or
choose:
Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco
AnyConnect VPN Client
In response to the question on proceeding, click Yes.
Click the Connections tab. If you are not connected, click the Connect
button and enter your logon name and password. Once connected,
minimize the window.
B. ACCESSING THE REMOTE DESKTOP CONNECTION
1. Enter https://10.0.4.50/cloud/org/csec630 in the browser and click on
Continue to this website (not recommended)
2. Type your logon name and password and click on Login.
3. Click on Add Cloud Computer System.
4. Select CSEC630 and click Next.
Page 1

5. Type your username in the Name field to uniquely identify your virtual
image.
6. Next click Finish.
7. Wait a few minutes for the system to create the virtual machine image.
8. The word Stopped will appear.
9. Click on the green Start button to power on the virtual machine.
10. Wait a few moments for the virtual machine to completely start.
11. Once its status changes to Running, double click on the virtual machine
image icon (it has a miniature Windows image).
If the pop-up is blocked, click the highlighted bar and select Always
Allow Pop-ups from This Site. Confirm with a Yes. You may have to
log in again.
In response to a warning message A website wants to open web
content, click on Allow to install the web application.
If presented with an invalid certificate, check Always trust the host with
this certificate. Click Ignore.
If there is a problem with the certificate, select Continue to this website
(not recommended)
13. Run the Vmware executable file.
Allow the program to make changes to the computer, if prompted.
If presented with an invalid certificate, check Always trust the host with
this certificate. Click Ignore.
14. Install the VMware Remote Console Plug-In. If necessary, close all
Internet Explorer windows. When done, click Finish.
Open the browser and re-enter https://10.0.4.50/cloud/org/csec630 and
click on Continue to this website (not recommended).
Again, type your logon name and password and click on Login.
15. Double click the virtual machine icon. Allow the website to open web
content. If presented with an invalid certificate, check Always trust the
host with this certificate. Click Ignore.
Click on VMWare Remote Console button on the top bar of the window
and select Send Ctrl+Alt+Del from the dropdown menu.
16. Click OK to the opening window warning.
17. In the Log On to Windows box, type in the username student1 and
the password Csec630 then click OK to log in.
C. EXITING THE APPLICATIONS
1. Log off the cloud application window by closing the window (click the
X on the upper right hand corner of the window). Click the Stop button to
terminate the cloud application from running. Click Yes to the prompt.
Click Logout on the upper right hand side of the window.
2. Access the VPN client window via the Start Menu or use
Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco
AnyConnect VPN Client
Under the Connection button, click the Disconnect button.
3. Close all windows. This should return your computer to normal.

Note: There are 10 questions you are to answer after completing this lab, found on pp. 17-18.
Please submit a Word document that contains your answers
to all 10 questions to WebTycho Gradebook Lab 2 Assignment Week 6.
Source: http://www.snort.org/snort
Snort is a free, open source network intrusion detection and prevention system capable of performing
real-time traffic analysis and packet logging on IP networks. Initially called a lightweight intrusion
detection technology, Snort has evolved into a mature, feature-rich IPS technology that has become the
de facto standard in intrusion detection and prevention. With nearly 4 million downloads and
approximately 300,000 registered users, Snort is the most widely deployed intrusion prevention
technology in the world.
Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety
of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it
should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort
has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user
specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary
uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc),
or a full-blown network intrusion
DOS CHEAT SHEET

COMMAND LINE                               EXPLANATION
.                                          current directory
..                                         parent directory (up one directory)
../                                        parent directory (up one directory), used as a path prefix
*                                          zero or more of any characters
?                                          any one character

dir directory_to_view                      list directory_to_view
cd directory_to_go_to                      change to directory_to_go_to
copy source_file dest_file                 copy source_file to dest_file
ren old_name new_name                      rename file from old_name to new_name
move dir1\file1 dir2\file2                 move dir1\file1 to dir2\file2

edit /R file1                              view file1 (read only)
edit file1                                 edit file1

Examples:
dir                                        list current directory
dir .                                      list current directory
dir ..                                     list parent directory
dir *rules                                 list entries in the current directory whose names end with "rules"
dir log                                    list the contents of the directory named log
cd                                         print the current drive and directory (cd with no argument does not change directory)
cd ..                                      change to parent directory
cd c:\snort\bin                            change to the bin directory in c:\snort

copy csec630.rules csec630.rules.original  make backup copy in current directory
ren alert alert1                           rename "alert" file to "alert1" in same directory
move log\alert log2\alert1                 move "alert" file in "log" directory to "alert1" in "log2" directory

edit /R csec630.rules                      view the file "csec630.rules" from the current directory read-only
edit csec630.rules                         open the file "csec630.rules" from the current directory for editing
edit /R log\alert*                         view the file(s) starting with "alert" in the log directory

SNORT OPTIONS
-c config_filename                         use supplied filename as the configuration/rule file
-l log_directory                           use supplied directory to log alerts
-r pcap_filename                           read packets from the supplied pcap file (instead of a live interface) and run them through the ruleset
-T                                         test the configuration and rule files, then exit; no packets are processed and no alerts are written

GETTING ORIENTED
First of all, connect via VPN and start your remote desktop client.
/*** PANIC***/
Notice the SNORT PANIC icon on the desktop of the virtual machine. You will be editing the snort
rules file during this lab. Clicking this icon will run a script that will refresh certain configuration and
rules files, in case they have been corrupted. It's a good idea to click this icon before and after you
work on your lab, or in case you make a mistake editing the snort rules file for the lab.
/*** END PANIC***/
The Command Prompt
In the virtual machines we will work from the command prompt. To get to the command prompt, press
the Start button within the virtual machine's window, click Run..., type cmd.exe in the
entry box and click OK.

Our Working Directory
Let's go to the directory where we have loaded the Snort files. Type the following commands in the
command console (for clarity, we will use monospaced type for code that is typed into the command
prompt):

cd c:\snort\bin

Now that we are in the c:\snort\bin directory, let's take a look. Type dir and press enter.

dir
Note that there are a lot of files. Let's take a look at a list of some of the configuration files that are here.
They end in .conf. These files configure Snort's operation.

dir *.conf

Your output may be slightly different, but you should see snort630.conf in the list.
Let's take a look at what rules files are here in the c:\Snort\bin directory. Snort uses rules files to
define the type of network traffic that will generate an alert. We happen to have the rules files in this
directory. They end in .rules, so enter the following command to view files that end with .rules

dir *.rules
This command-line will make dir look in the directory we are in for anything that has "rules" at the end
of its name. (csec630.rules is the file we will be examining; it contains our own rules for this lab.)
Now let's see what pcap files are here (.pcap files are packet capture files)

dir *.pcap
For this lab, we will open CSEC630.pcap in Wireshark and then we will run it through Snort to see if
any of Snort's IDS rules are triggered.
Finally, there is a log directory within c:\Snort\bin; let's change to that directory and have a look. We
are already in c:\Snort\bin, so we only need to change to the log directory.

cd log
dir
RUNNING WIRESHARK
Introduction to Wireshark
Source: http://www.wireshark.org/faq.html#sec1
Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic
running on a computer network. It has a rich and powerful feature set and is the world's most popular tool
of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX.
Network professionals, security experts, developers, and educators around the world use it regularly. It
is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive
technology.
Packet capture files in .pcap format may be examined with tools like tcpdump and Wireshark. For this
lab we will use Wireshark to examine a packet capture session from previous network activity that has
been saved on our virtual machine.
Start Wireshark on your virtual machine from the start menu.

Next, click on the Open option under the Files header in the middle of the screen, and select
c:\snort\bin\CSEC630.pcap in the open dialog.

Wireshark displays the packets in the packet capture (.pcap) file as rows in three panes. The
top pane contains an overview of captured network traffic. The middle pane shows details for the
particular selected row. Notice the triangles at the left of Frame 1, Ethernet II, Internet Protocol,
and Transmission Control Protocol; each of these may be expanded so that you may examine the
contents. The pane at the bottom of the screen displays the raw data as a column of hexadecimal side-by-side
with a column of the same data in ASCII; this is useful in identifying suspicious packet contents, as
some content will be easily viewed in ordinary ASCII characters, but some suspicious content may not
be representable in ASCII characters at all and can only be identified in the corresponding
hexadecimal representation.

Scroll a bit through the capture file by using the scroll-bar in the top pane that has the colored rows of
network traffic. That's a lot of information! Thankfully, we can filter the results.
Click the Filter button. A dialog will pop up. Select TCP only, and then click OK.

Now we can see the filtered results. In the Protocol column we can see TCP as well as other
protocols which are encapsulated within TCP segments.

Again, note the triangle to the left of Transmission Control Protocol in the middle pane. Click it; it
will expand to show the contents of the TCP segment's header. The corresponding raw data (in
hexadecimal alongside an ASCII representation) will be highlighted in the bottom pane. Notice that in
the bottom pane to the right there are a lot of "." characters: Wireshark prints a "." for every byte that is
not a printable ASCII character, while on the left the hexadecimal column shows the actual value of each
of those bytes. A signature for potentially suspicious activity or for a known attack may compare the
header or payload contents of a TCP segment to a hexadecimal sequence, or a signature may look for a
specific ASCII sequence.
Feel free to look around. Scroll down in the top pane until you encounter an HTTP request. You can
click on the HTTP information in the middle pane and view the contents of the HTTP header in detail.

You can also click on the Filter button and select HTTP (or type http in the drop-down box and
click the Apply button) to see only packets with encapsulated HTTP content within the TCP payload.

Click the Clear button, to again see all the captured packets.

RUNNING SNORT
#1) Snort is run from the command line, so let's open up the command prompt. Before we run snort,
first let's make sure we are in the right directory. Let's change the directory to c:\snort\bin

cd c:\snort\bin
#2) Now let's test run snort on our pcap file
We will use several options when running snort:
-T                  test the configuration and rules, then exit without processing packets or writing alerts
-c snort630.conf    use snort630.conf as the configuration/rules file
-l log\             use log as the log directory for alerts
-r CSEC630.pcap     read/process the CSEC630.pcap file
Type the following at the command prompt, and then press the enter/return key:

snort -T -c snort630.conf -l log\ -r CSEC630.pcap

We get a lot of output. At the end we see:
"Snort successfully validated the configuration"
"Snort exiting"

3) Let's look in the log directory

cd log
dir
Snort will store alerts here. Since this was a test run (we used the -T option), Snort only validated the
configuration and exited without reading the pcap, so no new alerts were created on this run. To make
sure we are starting with a clean slate, let's clean up this directory if there are any alert files in it.

del alert*
4) Really run snort on the pcap file.
We are still in c:\snort\bin\log, so let's change back to the parent directory, which is c:\snort\bin.
We can type cd c:\snort\bin or we can simply type cd .. which is a shortcut to go up to the parent
directory.

cd c:\snort\bin
Now let's really run the .pcap file through our snort ruleset. We'll use the same command-line as
before, just without the -T option.

snort -c snort630.conf -l log\ -r CSEC630.pcap
We told snort to log any results to the log directory, and this was a real run, so there may be an alert.
Let's look in the log directory.

cd log
dir
If there is an alert file, look at it. For a file named alert.ids, we can look at the file by entering:

edit /R alert.ids

The command edit /R opens a file in read-only mode. The file is empty: Snort may create alert.ids as
soon as it starts, but nothing is written to it unless a rule fires, and (as we will see in step 5) every
rule in csec630.rules is still commented out. We can exit the editor by selecting File with the mouse,
or by pressing Alt-F, and then clicking Exit or typing x.

Let's go up a directory, that is, to the parent directory of "log", where we were before we typed "cd
log". To do this, we can use the shortcut "..", which represents the parent directory.

cd ..
We were previously in c:\snort\bin\log, so now we are in the parent directory c:\snort\bin. We are ready
to look at some rules.
5) INSPECT RULES FILE
Let's look at the rules file set up for this lab, but let's make sure we open the file read-only, so that we
don't accidentally mess up the file. We will use the /R option to edit so it is opened for reading only.

edit /R csec630.rules

Hmm, everything has a # character in front of it. Anything after a "#" character is a comment which
will be ignored by snort. That's ok for instructions, examples, notes, etc., but we want some rules to
fire.
6) BACKUP RULES FILE
Let's make a backup of the csec630.rules file so we can safely edit it and test out our changes and
still fall back on the original if need be.

copy csec630.rules csec630.rules.original
7) EDIT RULES FILE
Now let's open up csec630.rules for editing. We won't include the "/R" (read-only) option this time.

edit csec630.rules
Notice the lines that begin with two "#" characters. These are comment lines holding notes. Now find
the first line that starts with a single "#" followed by "alert tcp" and, further along, msg: and sid: ...
this is a snort rule, and that single leading "#" is all that is keeping Snort from loading it. Scroll through
and take a look at this line, then remove the "#" character at its beginning. Use cursor keys or mouse,
backspace or delete, etc.

Now let's save the file. You can use Alt-F or the mouse to select the File menu, and then you can
type s or click save to save the changes that we made.
To exit the file, again, press Alt-f and then x, or use the mouse to select File and exit.
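To see exactly what that leading "#" does, here is a small Python script, added for this page and not part of the lab handout or of Snort itself, that reads rule text laid out like csec630.rules, treats anything beginning with "#" as a comment the way Snort does, and pulls the header fields and the msg/sid/rev options out of each rule, reporting which rules are live and which are switched off. The three rules in it are constructed for the example: their SIDs, messages and content strings are made up and are not the rules in csec630.rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as csec630.rules: "##" lines are notes,
# "#alert ..." lines are rules that are switched off, and a line with no leading
# "#" is a live rule. SIDs, messages and content strings are made up for this example.
SAMPLE_RULES = """\
## Rule 1: flag any HTTP request for a CGI path (disabled here with a single '#')
#alert tcp any any -> any 80 (msg:"EXAMPLE cgi-bin request"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)
## Rule 2: enabled because the leading '#' has been removed
alert tcp any any -> any 80 (msg:"EXAMPLE User-Agent with curl"; content:"User-Agent|3a| curl"; sid:1000002; rev:2;)
## Rule 3: a rule in the other direction, still disabled
#alert tcp any 80 -> any any (msg:"EXAMPLE server banner"; content:"Server|3a| Apache"; sid:1000003; rev:1;)
"""

# action proto src sport dir dst dport (options)
RULE_HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_options(text):
    """Split 'key:value; key;' pairs on semicolons that are not inside quotes,
    so a msg such as "a; b" survives intact. Flags without a value map to ''."""
    opts = {}
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', text):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rules(text):
    """Return (active, disabled) rule lists. Anything after '#' is ignored by
    Snort, so a rule with a single leading '#' is parsed here but filed as disabled."""
    active, disabled = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        m = RULE_HEADER_RE.match(body)
        if not m:
            continue  # a note line such as "## Rule 1 ...", not a rule
        rule = Rule(m["action"], m["proto"], m["src"], m["sport"],
                    m["dir"], m["dst"], m["dport"], parse_options(m["opts"]))
        (disabled if commented else active).append(rule)
    return active, disabled


def summarize(text):
    """(sid, msg) pairs for the live and the commented-out rules."""
    active, disabled = parse_rules(text)
    return {
        "active": [(r.options["sid"], r.options["msg"]) for r in active],
        "disabled": [(r.options["sid"], r.options["msg"]) for r in disabled],
    }


if __name__ == "__main__":
    for state, rules in summarize(SAMPLE_RULES).items():
        print(state)
        for sid, msg in rules:
            print(f"  sid {sid}: {msg}")
```

Re-run it after moving the "#" from one rule to another and the "active" list changes accordingly, which is what steps 7 through 10 do by hand in the editor. The parser only understands the subset of the rule language used here (a header followed by key:value options separated by semicolons); Snort's real rule grammar is considerably larger.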
8) RERUN SNORT
Let's run Snort again on our .pcap file.

snort -c snort630.conf -l log\ -r CSEC630.pcap
Let's look at the log directory now.

dir log
(Notice this time we did not need to change to the log directory. We simply typed "log" after the
dir command, telling "dir" to report on the contents of "log" which is a directory.)
9) INSPECT ALERT FILE
There's an alert file! Let's look at it.

edit /R log\alert.ids
(Note that we are not in the log directory so we typed "log\alert.ids" to specify to edit that we wanted to
view the alert.ids file in the log directory.)
Now let's exit (Alt-f then x, or use the mouse to select File and exit.)
Since this is the alert on the first rule we are examining, let's rename the file "alert.ids" to "alert1"; we
will change to the log directory, and then we will rename alert.ids to alert1, and then we will
change back to the parent directory with cd ..

cd log
ren alert.ids alert1
cd ..
Let's look at the log directory to make sure we did it right.

dir log
There is a file named "alert1" in the log directory, but there is no more "alert.ids" file in the log\
directory. When snort runs it will make a new "alert.ids" file containing any alerts from rules which are
triggered when we run snort next.
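Snort's default alert output (the "full" format, which is what alert.ids contains unless snort630.conf selects a different output plugin) spends five lines on each alert: a [**] header carrying the generator ID, SID, revision and the rule's msg, a classification/priority line, a timestamp line with source and destination, and two lines of IP and TCP header fields. The alert_fast plugin puts the same information on a single line. Here is a Python parser, added for this page and not part of the lab or of Snort, that reads either layout, groups the alerts by SID and by source address, and names the rule responsible for most of them, which is the quickest way to see why a handful of web visits can produce a long alert file. The alert text in it is constructed for the example; the SIDs, messages, addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample alert.ids content: three alerts in Snort's "full" format and
# one in "fast" format. SIDs, messages, addresses and timestamps are made up.
SAMPLE_ALERTS = """\
[**] [1:1000002:2] EXAMPLE User-Agent with curl [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/12-09:15:01.104233 192.168.1.20:49152 -> 10.0.0.80:80
TCP TTL:128 TOS:0x0 ID:3101 IpLen:20 DgmLen:224 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 20

[**] [1:1000002:2] EXAMPLE User-Agent with curl [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/12-09:15:01.204233 192.168.1.20:49153 -> 10.0.0.80:80
TCP TTL:128 TOS:0x0 ID:3102 IpLen:20 DgmLen:224 DF
***AP*** Seq: 0x1A2B3C4E  Ack: 0x0  Win: 0xFFFF  TcpLen: 20

[**] [1:1000001:1] EXAMPLE cgi-bin request [**]
[Classification: Web Application Attack] [Priority: 1]
10/12-09:15:02.000000 192.168.1.21:51000 -> 10.0.0.80:80
TCP TTL:128 TOS:0x0 ID:3103 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x2A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 20

10/12-09:15:03.000000  [**] [1:1000002:2] EXAMPLE User-Agent with curl [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.22:51001 -> 10.0.0.80:80
"""

# "[**] [gid:sid:rev] message [**]" opens every alert in both formats.
HEADER_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]")
# "src[:port] -> dst[:port]"; the port is absent for ICMP alerts.
ADDR_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?")


def parse_alerts(text):
    """Return one dict per alert. In full format the header and the address line
    are separate lines; in fast format they share a line, so after a header match
    the remainder of that same line is searched for the addresses as well."""
    alerts, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            current = {"gid": int(h["gid"]), "sid": int(h["sid"]),
                       "rev": int(h["rev"]), "msg": h["msg"]}
            line = line[h.end():]
        a = ADDR_RE.search(line)
        if a and current is not None:
            current.update(src=a["src"], sport=a["sport"],
                           dst=a["dst"], dport=a["dport"])
            alerts.append(current)
            current = None  # a header with no address line is not a complete alert
    return alerts


def summarize(alerts):
    """Count alerts per (sid, msg) and per source address."""
    return {
        "total": len(alerts),
        "by_sid": Counter((al["sid"], al["msg"]) for al in alerts),
        "by_src": Counter(al["src"] for al in alerts),
    }


def noisiest_rule(alerts):
    """(sid, msg, count) of the rule that produced the most alerts."""
    (sid, msg), count = summarize(alerts)["by_sid"].most_common(1)[0]
    return sid, msg, count


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERTS)
    stats = summarize(found)
    print(f"{stats['total']} alerts")
    for (sid, msg), n in stats["by_sid"].most_common():
        print(f"  sid {sid} ({msg}): {n}")
    for src, n in stats["by_src"].most_common():
        print(f"  from {src}: {n}")
    print("noisiest rule:", noisiest_rule(found))
```

Renaming alert.ids to alert1, alert2 and so on as the lab does leaves one file per rule; feeding each file's contents to parse_alerts in turn gives a per-rule count, and a rule that fires on every packet rather than once per session stands out immediately as the noisy one.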
10) CONTINUE RUNNING SNORT WITH OTHER RULES
Before we run snort again, let's turn off the first rule and turn on the second rule. To accomplish this,
let's add a "#" (comment indicator) back to the beginning of the rule we just looked at and let's remove
the "#" character which precedes the second rule.

Now let's re-run snort.

snort -c snort630.conf -l log\ -r CSEC630.pcap
Again let's look at the alert file.

edit /R log\alert.ids
Again, let's rename it. We are in the c:\Snort\bin directory so let's change to the log directory and
rename the alert.ids file alert2.

cd log
ren alert.ids alert2
cd ..
11) Continue like this through the rest of the rules.
Now that we are done, let's move the original file back in place. Let's make sure we are in the
c:\Snort\bin directory, and then move the file. Because csec630.rules already exists, move will ask
whether to overwrite it; answer Yes so that the backup replaces your edited copy.

cd c:\snort\bin
move csec630.rules.original csec630.rules
12) Push the PANIC button!
Ok, now click PANIC
In case things are messed up, we can click on the SNORT PANIC icon on the desktop. This will put
back the original .conf file, .pcap file, and .rules file.
When you are done with your lab, click SNORT PANIC anyway, to clean up some things for next time.

You are to include your answers to each of the 10 questions (the same 10 questions quoted at the top
of this page) in a Word document and submit the file in your WebTycho Gradebook Lab 2 Assignment
folder. Each question is worth 10 points.

Dear Student Please find...

Computer Science.doc

1. When running Snort IDS why might there be no alerts?
Ans: As we know that Snort is an open source network-based intrusion detection
system (NIDS) which performs real time traffic analysis and does...
