Lab 8 Snort_Student22-1 (docx)
School: Northern Kentucky University
Course: 285
Subject: Information Systems
Date: Dec 6, 2023
Pages: 6
Uploaded by JusticeStarGiraffe9
CIT 285 - Lab #8: Snort and Nmap

1: Introduction

In this lab, we will learn about network intrusion detection with the open source tool Snort while it's running on your server (i.e. the Metasploit VM). We will also use tshark, the text interface to Wireshark, to examine captured packets, and the Nmap port scanner. Nmap is an industry standard tool because few port scanning tools match its capabilities, particularly considering Nmap is open source. Both your Kali and Metasploitable VMs should be powered on to perform the necessary pings and scans. In this lab your Metasploit VM will act as a server running the IDS program (Snort), and your Kali VM will be the client (the device being pinged).

1.1: In Metasploit, change to root, then verify the tshark version on Metasploit is up to date. The Metasploit login and password are both msfadmin.

sudo su -
apt-get install snort tshark

Configure the snort.conf file to use your Metasploit VM IP address. This ensures traffic is captured by snort when sent to and from your Metasploit VM.

nano /etc/snort/snort.conf

Find the line highlighted in the image and change the IP listed to your Meta VM IP. Keep the /24 mask.

References:
Nmap.org – Reference Guide
Nmap.org – Port Scanning Techniques

2: Detecting Network Scans

In the questions below, if multiple alerts are generated of the same type, indicate the number of alerts of that type.

Note: you can view your VMs in their own window by holding down and dragging the tab of the VM outside the VMware window. This can help you view alert messages in real time without having to switch between your Kali and Metasploit VM in one window.

Updated 2022 p1
In your Linux server (the Metasploit VM) run the following commands to watch for alerts. The tail command allows you to view new data that is added to the snort alert log.

snort -c /etc/snort/snort.conf -D
tail -f /var/log/snort/alert

2.1: From the client (your Kali VM), ping a server hosted by Nmap for testing purposes using the command below. When the pings complete, view the alerts in the snort log running on your Linux server (your Metasploit VM). Does anything show up in the snort alert log?
  o If there is an alert, list the snort alert name (found in the first line of the alert) and the classification (if included) found in the second line, in the table below.

ping -c 3 scanme.nmap.org

Alerts Seen [Y/N]: N
Snort Alert Name:
Classification:

2.2: Next, ping your Linux server from your client server. Notice that alerts captured by Snort have a time stamp; new alerts are listed at the bottom of the log file. Then use nmap to scan your Linux server. What alerts show up in the snort alert log? List the snort alert name (found in the first line of the alert) and the classification, which is found in the second line, in the box below.

ping -c 3 METASPLOIT_SERVER_IP
nmap -sT METASPLOIT_SERVER_IP

Alerts Seen for ping and nmap [Y/N]: Y
Snort Alert Name: TCP Portscan
Classification/Priority: 3

2.3: Use a stealthy FIN scan to identify open ports on your Linux server. How many alerts show up in the snort alert log? Is the FIN (-sF) scan more or less stealthy than the TCP connection (-sT) scan? Include one of the alerts in the box below, along with answers to the questions. If there are no alerts, write “no alerts”.

nmap -sF METASPLOIT_SERVER_IP

Number of Alerts: No alerts
Snort Alert Name:
Classification/Priority:
More or Less Stealthy (?):
Alert Example:

What does the –sF scan do when packets are sent?

2.4: Use a stealthy XMAS scan to identify open ports on your Linux server. How many alerts appear in the snort alert log? Is the XMAS (-sX) scan more or less stealthy than the TCP connection (-sT) scan? Include one of the alerts in the box below, along with answers to the questions.

nmap -sX METASPLOIT_SERVER_IP

Total Number of Alerts: No alerts
Snort Alert Name:
Classification/Priority:
More or Less Stealthy (?):
Alert Example:

What does the –sX scan do?

2.5: Attempt to make a scan stealthier by using IP fragmentation and the null scan. Does anything show up in the snort alert log? If there is an alert, list the snort alert name (found in the first line of the alert) and the classification, which is found in the second line, in the box below. If nothing, just write “no alert.”

nmap -f -sN METASPLOIT_SERVER_IP

Alerts Seen [Y/N]: Y
Snort Alert Name: Fragmentation Overlap
Classification/Priority: 3
Number of Alerts (0 – 9): 2
More or Less Stealthy (?): More
Alert Example:
What does the –sN scan do?

The -sX flag is an option that instructs Nmap to perform a TCP Xmas scan. This scan sends packets with the PSH, URG, and FIN flags set to a target system’s ports. If the target system responds with an RST packet, the port is considered closed. If the target system does not respond, the port is considered open.

2.6: Nmap’s -sT option performs a basic scan of a device. There is also another type of basic scan using the option -sS. Do some research about a scan using a -sS option, then answer the following questions. What information from this type of scan can be determined? Would information returned from the scan be important or useful? Why or why not?

What does the –sT scan do?

The -sT flag in an Nmap scan is used to perform a TCP connect scan. This scan type is the default when Nmap is run without root privileges. In this scan, Nmap attempts to establish a full TCP connection with the target host by sending a SYN packet and waiting for a SYN-ACK response. If the target responds with a SYN-ACK packet, Nmap sends an ACK packet to complete the three-way handshake.

Is information returned from an -sT scan helpful or useful? Why or why not?

The information returned from an -sT scan can be helpful in identifying open ports and services running on a target system. This information can be used to identify potential vulnerabilities and security weaknesses that can be exploited by attackers.

2.7: Perform a protocol scan on your Linux server to see what types of IP protocols it accepts. With this type of scan, IP packet headers are used but are typically empty. The scan being performed can take some time to complete.

nmap -sO METASPLOIT_SERVER_IP

Once the scan completes, issue the following in Metasploit to see all alerts captured by snort and find specific alerts for the questions below.

ctrl+c
cd /var/log/snort
cat alert
cat alert | grep 'cve.mitre.org' | less

In the returned output from the grep command, find a line that contains the cve.mitre.org
address and CVE number. Search for this CVE online to see why it caused an alert. Provide a brief description of the alert below and the security vulnerability it references.

CVE 2003-0567 is a vulnerability in Cisco IOS 11.x and 12.0 through 12.2 that allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full.

3: Testing snort with pcap files

Packet sniffers like Wireshark and snort can save sniffed packets in a pcap (packet capture) file. These files can then be used for a variety of purposes, including testing that your network intrusion detection system correctly alerts on malicious traffic. The slammer files will be transferred from your Kali VM to your Metasploit VM.
  o These files are in the Downloads folder of Kali. Use sftp to transfer them to your Metasploit VM.
  o When running snort against the files, provide the full path to the file.
  o If you are not receiving alerts, restart snort using the command listed in the introduction of section 2.

Metasploit commands to retrieve slammer files:

cd ~
sftp root@KALI_IP
sftp> cd Downloads
sftp> get lab12-files.tar.bz2
sftp> exit

Change to the home directory of root if needed (cd ~), then decompress the lab12-files with the following command.

tar xjvf lab12-files.tar.bz2

This creates a new directory called lab11-files. Change to this directory before proceeding with the rest of the lab.

cd lab11-files

We will test snort with the following command:

snort -A console -q -c /etc/snort/snort.conf -S HOME_NET=10.0.0.0/8 -r filename.pcap

Where filename.pcap is replaced with the name of the file that contains the packets we plan to use with snort.
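The alert file the section 2 questions are answered from, parsed as an added example that is not part of the lab handout: it reads the full-format alerts Snort writes to /var/log/snort/alert, takes the alert name from the first line and the classification and priority from the second, and counts alerts per type. The log text below is constructed for this example; its gid:sid:rev values, addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample in the full format Snort writes to /var/log/snort/alert
# (gid:sid:rev values, addresses and timestamps are made up for this example).
SAMPLE_ALERT_LOG = """\
[**] [122:1:1] (portscan) TCP Portscan [**]
[Classification: Attempted Information Leak] [Priority: 3]
12/06-10:15:23.123456 192.168.56.101 -> 192.168.56.102
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:164

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Classification: Attempted Information Leak] [Priority: 3]
12/06-10:18:41.555555 192.168.56.101 -> 192.168.56.102
TCP TTL:44 TOS:0x0 ID:1234 IpLen:20 DgmLen:28 MF

[**] [1:1000001:1] LOCAL constructed rule without classtype [**]
12/06-10:20:02.000001 192.168.56.101:40000 -> 192.168.56.102:1434
UDP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60
"""

# Line 1: "[**] [gid:sid:rev] name [**]"; optional line 2: "[Classification: ..]
# [Priority: N]"; then "timestamp src -> dst" (ports appended for TCP/UDP).
ALERT_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_LINE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
FLOW_LINE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def parse_snort_alerts(text):
    """Return one dict per alert. Rules without a classtype emit no
    Classification line, so classification/priority may stay None."""
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "name": m[4],
                       "classification": None, "priority": None,
                       "timestamp": None, "src": None, "dst": None}
            alerts.append(current)
            continue
        m = CLASS_LINE.match(line)
        if m and current:
            current["classification"], current["priority"] = m[1], int(m[2])
            continue
        m = FLOW_LINE.match(line)
        if m and current and current["timestamp"] is None:
            current["timestamp"], current["src"], current["dst"] = m.groups()
    return alerts


def count_by_name(alerts):
    """Number of alerts of each type, as the section 2 questions ask for."""
    return Counter(a["name"] for a in alerts)
```

Run it against the real file with `parse_snort_alerts(open("/var/log/snort/alert").read())`; the preprocessor prefix such as "(portscan)" stays part of the name, so strip it if you only want the text the lab tables ask for.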
3.1: Run snort using the command line above on both slammer1.pcap and slammer2.pcap. What output is generated for each pcap file?

Slammer1.pcap
Alerts Seen [Y/N]: Y
Snort Alert Name: MS-SQL Worm Propagation attempt
Classification/Priority: Classification: Misc Attack, Priority: 2

Slammer2.pcap
Alerts Seen [Y/N]: N
Snort Alert Name:
Classification:

3.2: The bodies of both packets include the Slammer worm, but the headers differ. Examine the packet headers of both pcap files with tshark to find the answer.

tshark -r slammer1.pcap
tshark -r slammer2.pcap

While an error message about running as ‘root’ for both files is produced, one of the slammer files has an additional message. Do a little research on this error, then explain what this error indicates and why such an alert is helpful in detecting malicious traffic.

The UDP checksum is a 16-bit value that is used to detect errors in the UDP datagram. It is calculated by the sender and verified by the receiver. If the checksum value calculated by the receiver does not match the value in the UDP datagram, the receiver discards the datagram and sends an error message to the sender. The UDP checksum is helpful in detecting malicious traffic because it can detect errors in the datagram that may have been introduced by an attacker. For example, an attacker may modify the contents of a datagram in transit, which could cause the checksum to fail. This would alert the receiver that the datagram has been tampered with and should not be trusted.

Submission

Upload a completed copy of this document to Canvas by the due date.
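The UDP checksum discussed in the 3.2 answer above, worked through as an added example that is not part of the lab or of Snort: it computes the RFC 768 checksum over the IPv4 pseudo-header, verifies a datagram the way a sniffer does, and shows that a payload altered after the checksum was written (or a checksum field a crafting tool filled in wrongly) fails verification. Addresses, ports and payload are constructed for the example.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header (src, dst, zero, proto 17, UDP length)
    followed by the UDP header with its checksum field zeroed, then the payload."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF                     # a computed 0 is sent as 0xFFFF


def udp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True when the carried checksum matches a recomputation. A carried 0 means
    'no checksum' over IPv4 and is accepted, so only non-zero mismatches are bad."""
    carried = struct.unpack("!H", segment[6:8])[0]
    return carried == 0 or udp_checksum(src_ip, dst_ip, segment) == carried


def build_udp(src_ip, dst_ip, sport, dport, payload, checksum=None) -> bytes:
    """Constructed UDP segment for testing. checksum=None writes a valid value;
    passing one explicitly reproduces a datagram whose checksum field is wrong."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    segment = header + payload
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip, segment)
    return segment[:6] + struct.pack("!H", checksum) + segment[8:]


def corrupt_byte(segment: bytes, offset: int) -> bytes:
    """Invert one byte, as in-transit tampering that leaves the checksum stale."""
    return segment[:offset] + bytes([segment[offset] ^ 0xFF]) + segment[offset + 1:]
```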