Lab 8 Snort_Student22-1 (1)
Northern Kentucky University, Course 285 (Information Systems), Dec 6, 2023
CIT 285 - Lab #8: Snort and Nmap

1: Introduction

In this lab, we will learn about network intrusion detection with the open source tool Snort while it is running on your server (i.e. the Metasploit VM). We will also use tshark, the text interface to Wireshark, to examine captured packets, and the Nmap port scanner. Nmap is an industry standard tool because few port scanning tools match its capabilities, particularly considering that Nmap is open source. Both your Kali and Metasploitable VMs should be powered on to perform the necessary pings and scans. In this lab your Metasploit VM will act as a server running the IDS program (Snort), and your Kali VM will be the client (the device being pinged).

1.1: In Metasploit, change to root, then verify that the tshark version on Metasploit is up to date. The Metasploit login and password are both msfadmin.

    sudo su -
    apt-get install snort tshark

Configure the snort.conf file to use your Metasploit VM IP address. This ensures traffic is captured by snort when it is sent to and from your Metasploit VM.

    nano /etc/snort/snort.conf

Find the line highlighted in the image and change the IP listed to your Meta VM IP. Keep the /24 mask.

References:
    Nmap.org - Reference Guide
    Nmap.org - Port Scanning Techniques

2: Detecting Network Scans

In the questions below, if multiple alerts are generated of the same type, indicate the number of alerts of that type.

Note: you can view your VMs in their own window by holding down and dragging the tab of the VM outside the VMware window. This can help you view alert messages in real time without having to switch between your Kali and Metasploit VM in one window.

Updated 2022 p1
In your Linux server (the Metasploit VM) run the following commands to watch for alerts. The tail command lets you view new data as it is added to the snort alert log.

    snort -c /etc/snort/snort.conf -D
    tail -f /var/log/snort/alert

2.1: From the client (your Kali VM), ping a server hosted by Nmap for testing purposes using the command below. When the pings complete, view the alerts in the snort log running on your Linux server (your Metasploit VM). Does anything show up in the snort alert log?
o If there is an alert, list the snort alert name (found in the first line of the alert) and the classification (if included), found in the second line, in the table below.

    ping -c 3 scanme.nmap.org

    Alerts Seen [Y/N]:
    Snort Alert Name:
    Classification:

2.2: Next, ping your Linux server from your client (your Kali VM). Notice that alerts captured by Snort have a time stamp; new alerts are listed at the bottom of the log file. Then use nmap to scan your Linux server. What alerts show up in the snort alert log? List the snort alert name (found in the first line of the alert) and the classification, which is found in the second line, in the box below.

    ping -c 3 METASPLOIT_SERVER_IP
    nmap -sT METASPLOIT_SERVER_IP

    Alerts Seen for ping and nmap [Y/N]:
    Snort Alert Name:
    Classification/Priority:

2.3: Use a stealthy FIN scan to identify open ports on your Linux server. How many alerts show up in the snort alert log? Is the FIN (-sF) scan more or less stealthy than the TCP connect (-sT) scan? Include one of the alerts in the box below, along with answers to the questions. If there are no alerts, write "no alerts".

    nmap -sF METASPLOIT_SERVER_IP

    Number of Alerts:
    Snort Alert Name:
    Classification/Priority:
    More or Less Stealthy (?):
    Alert Example:
    What does the -sF scan do when packets are sent?

2.4: Use a stealthy XMAS scan to identify open ports on your Linux server. How many alerts appear in the snort alert log? Is the XMAS (-sX) scan more or less stealthy than the TCP connect (-sT) scan? Include one of the alerts in the box below, along with answers to the questions.

    nmap -sX METASPLOIT_SERVER_IP

    Total Number of Alerts:
    Snort Alert Name:
    Classification/Priority:
    More or Less Stealthy (?):
    Alert Example:
    What does the -sX scan do?

2.5: Attempt to make a scan stealthier by using IP fragmentation and the null scan. Does anything show up in the snort alert log? If there is an alert, list the snort alert name (found in the first line of the alert) and the classification, which is found in the second line, in the box below. If nothing, just write "no alert."

    nmap -f -sN METASPLOIT_SERVER_IP

    Alerts Seen [Y/N]:
    Snort Alert Name:
    Classification/Priority:
    Number of Alerts (0 - 9):
    More or Less Stealthy (?):
    Alert Example:
    What does the -sN scan do?
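Tallying the alerts the questions above ask for by hand gets error-prone once a scan produces dozens of them. The following Python script is an added example, not part of the lab handout: it parses the full-format records Snort writes to /var/log/snort/alert (first line: alert name; second line: classification and priority), counts alerts by name, and also pulls out the cve.mitre.org cross-references that the grep later in the lab looks for. The log text embedded in it is constructed; its SIDs, addresses and CVE id are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the shape of Snort's full alert log (/var/log/snort/alert).
# The SIDs, addresses and the CVE id are placeholders, not real rule data.
SAMPLE_ALERT_LOG = """\
[**] [1:100001:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/06-10:15:01.123456 192.0.2.10 -> 192.0.2.20

[**] [1:100001:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/06-10:15:02.123456 192.0.2.10 -> 192.0.2.20

[**] [1:100002:1] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/06-10:16:30.000001 192.0.2.10:40000 -> 192.0.2.20:22
TCP TTL:50 TOS:0x0 ID:1 IpLen:20 DgmLen:40
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-0000-0000]
"""

# First line of a record: [**] [gid:sid:rev] rule message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
XREF_RE = re.compile(r"\[Xref => (.+?)\]")  # a line may hold several xrefs

def parse_alerts(text):
    """Split a full-format Snort alert log into one dict per alert record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0]) if lines else None
        if not m:
            continue  # not an alert header (e.g. a startup banner); skip it
        alert = {"sid": int(m.group(2)), "name": m.group(4),
                 "classification": None, "priority": None, "xrefs": []}
        for line in lines[1:]:
            if c := CLASS_RE.match(line):
                alert["classification"], alert["priority"] = c.group(1), int(c.group(2))
            alert["xrefs"].extend(XREF_RE.findall(line))
        alerts.append(alert)
    return alerts

def count_by_name(alerts):
    return Counter(a["name"] for a in alerts)  # alerts of each type, as the tables ask

def cve_references(alerts):
    """The cve.mitre.org cross-references, like the lab's grep for 'cve.mitre.org'."""
    return sorted({x for a in alerts for x in a["xrefs"] if "cve.mitre.org" in x})
```

Run it against the real file with parse_alerts(open("/var/log/snort/alert").read()) on the Metasploit VM to get the counts for the tables.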
2.6: Nmap's -sT option performs a basic scan of a device. There is also another type of basic scan using the option -sS. Do some research about a scan using the -sS option, then answer the following questions.
    What information from this type of scan can be determined?
    Would information returned from the scan be important or useful? Why or why not?
    What does the -sT scan do?
    Is information returned from an -sT scan helpful or useful? Why or why not?

2.7: Perform a protocol scan on your Linux server to see what types of IP protocols it accepts. With this type of scan, IP packet headers are used but are typically empty. The scan being performed can take some time to complete.

    nmap -sO METASPLOIT_SERVER_IP

Once the scan completes, issue the following in Metasploit to see all alerts captured by snort and find specific alerts for the questions below.

    ctrl+c
    cd /var/log/snort
    cat alert
    cat alert | grep 'cve.mitre.org' | less

In the returned output from the grep command, find a line that contains the cve.mitre.org address and a CVE number. Search for this CVE online to see why it caused an alert. Provide a brief description of the alert below and the security vulnerability it references.

3: Testing snort with pcap files

Packet sniffers like Wireshark and snort can save sniffed packets in a pcap (packet capture) file. These files can then be used for a variety of purposes, including testing that your network intrusion detection system correctly alerts on malicious traffic. The slammer files will be transferred from your Kali VM to your Metasploit VM.
o These files are in the Downloads folder of Kali. Use sftp to transfer them to your Metasploit VM.
o When running snort against the files, provide the full path to the file.
o If you are not receiving alerts, restart snort using the command listed in the introduction of section 2.

Metasploit commands to retrieve the slammer files:

    cd ~
    sftp root@KALI_IP
    sftp> cd Downloads
    sftp> get lab12-files.tar.bz2
    sftp> exit

Change to the home directory of root if needed (cd ~), then decompress the lab12-files archive with the following command.

    tar xjvf lab12-files.tar.bz2

This creates a new directory called lab11-files. Change to this directory before proceeding with the rest of the lab.

    cd lab11-files

We will test snort with the following command:

    snort -A console -q -c /etc/snort/snort.conf -S HOME_NET=10.0.0.0/8 -r filename.pcap

where filename.pcap is replaced with the name of the file that contains the packets we plan to use with snort.

3.1: Run snort using the command line above on both slammer1.pcap and slammer2.pcap. What output is generated for each pcap file?

    Slammer1.pcap
    Alerts Seen [Y/N]:
    Snort Alert Name:
    Classification/Priority:

    Slammer2.pcap
    Alerts Seen [Y/N]:
    Snort Alert Name:
    Classification:

3.2: The bodies of both packets include the Slammer worm, but the headers differ. Examine the packet headers of both pcap files with tshark to find the answer.

    tshark -r slammer1.pcap
    tshark -r slammer2.pcap

While an error message about running as 'root' is produced for both files, one of the slammer files has an additional message. Do a little research on this error, then explain what this error indicates and why such an alert is helpful in detecting malicious traffic.

Submission

Upload a completed copy of this document to Canvas by the due date.