
IDS Laboratory

Date: November 21, 2023 12:32 PM

Reviewed

PDF IDS_laboratory.pdf

For this laboratory, we will employ the OpenWRT, METASPLOITABLE, IDS and the
Auditing machine, as shown in Figure 1. Start running the OpenWRT and
METASPLOITABLE VMs. We will now assume that the attacker has been able to
bypass the firewall and take control of a machine in the DMZ.

Thus, set all Firewall policies to ACCEPT.

Finally, test that the network configuration is working properly by pinging the METASPLOITABLE server (192.168.1.20) from the Auditing machine. Since the “IDS-Snort” VM is connected to the “DMZ” subnet in promiscuous mode, it should nevertheless be able to monitor all traffic exchanged between them (recall the Mini-Lab).

To restart Snort:

sudo snort -T -c /etc/snort/snort.conf

sudo service snort restart

Milestone 1. Checking Snort alerts and configuration
In order to test that Snort is properly configured to monitor the DMZ, run the nikto scanner in the Auditing machine against the METASPLOITABLE server ( nikto -h 192.168.1.20 ) and check the Snort alerts. From these alerts:

1. Would you be able to identify what kind of tests nikto is performing?

a. nikto performs → Web Application Attacks

2. How are these actions being identified/labelled by Snort?

3. How many alerts are generated due to the nikto scan?

a. 8728 are generated

b. Looking at /var/log/snort.log, if we delete it so that it is generated from scratch, approx. 2400 alerts are generated.

c. I will add the image later

Configure Snort so that the local4 alerts are sent to a specific file. This was a challenge from the logs lab.

Modify the Snort conf → sudo snort -T -c /etc/snort/snort.conf

local4 log created at /var/log/snort.log
/etc/rsyslog.d/50-default.conf

I don't know why I have /var/log/syslog.log in the second log → it has to be /var/log/syslog

tail /var/log/snort.log

Milestone 2. Configure the alert thresholds
As you remember from the mini-lab, Snort has a default configuration, and even sending a ping to the METASPLOITABLE server raises an alert. Check it by sending 10 pings to the METASPLOITABLE server ( ping -c 10 192.168.1.20 ) from the Auditing machine host, and write down the Signature IDs (SIDs) of the “ICMP PING” and “ICMP Echo Reply” alerts.

As you may have noticed, each ICMP message in each direction generates a separate alert (and all packets are logged in case the log_tcpdump output is enabled). In order to reduce the number of duplicated alerts, we are going to configure the threshold mechanism to limit the ICMP PING alerts to one every 10 seconds.

To get the sig_id → the number between square brackets

New rules in threshold.conf:

Without a threshold, 24 alerts are created

5 pings create 3 alerts:

10 pings create only 3 alerts:

20 pings create 6 alerts:

Modify the /etc/snort/threshold.conf file to limit the number of alerts of the “ICMP PING” and “ICMP Echo Reply” alerts to one per 10 seconds when pinging the METASPLOITABLE server from a different source.
Send different numbers of pings (e.g. 5, 10, 20) from the OpenWRT router and the Auditing machine host, and watch the alert log to identify the Snort behavior.

Explore different values of the filter type (limit|threshold|both) and track (by_src|by_dst) options to understand what they do.
Explain such behavior in the report, and justify which filter type and track option combination is the best for each rule to minimize the number of duplicated alerts while preventing evasion.

Change the filter type values → limit, threshold and both

limit: This threshold type refers to a maximum limit on the number of events allowed in a given time period. If this limit is exceeded, the associated rule is triggered.

threshold: This threshold type refers to a specific threshold that must be exceeded to trigger the rule. It creates one alert every count events; for example, if you set count 1, 10 alerts are created. Setting count 10 creates 3 alerts.

With count 5:

both: Indicates that both a limit and a threshold are being configured. Limit alerts on the first event every X s; threshold alerts every X times the event is seen within Y seconds. Both alerts once per time interval in which X alerts of the event are seen.

With count 2

With count 5

Since 11 alerts have not been received within 10 seconds, no ping alert is created.

Change the track type values → by_src, by_dst → the same, but it changes who you receive the logs from

When you use by_src, you are tracking and counting events based on the source address of the network packets. This is useful when you want to limit or set thresholds for specific activity coming from a particular source address.

Lazy ones, look at the images above

When you use by_dst, you are tracking and counting events based on the destination address of the network packets. This is useful when you want to limit or set thresholds for specific activity directed at a particular destination address.

With limit

With threshold

With both
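To predict the alert counts before testing, here is an added Python simulation (written for this write-up, not taken from the lab handout or from Snort) of how the threshold.conf event_filter types limit, threshold and both, together with by_src/by_dst tracking, decide which ICMP alerts survive. The threshold.conf lines, the pinging host 192.168.1.10 and the SIDs 384 (“ICMP PING”) / 408 (“ICMP Echo Reply”) are constructed assumptions: substitute the SIDs you wrote down from your alert log.

```python
import re
from collections import defaultdict
# Constructed threshold.conf. SIDs 384 / 408 are assumed to be the community-rule IDs of
# "ICMP PING" / "ICMP Echo Reply": replace them with the SIDs you wrote down from the log.
THRESHOLD_CONF = """
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 10
event_filter gen_id 1, sig_id 408, type limit, track by_dst, count 1, seconds 10
"""

def parse_threshold_conf(text):
    """{sid: (type, track, count, seconds)} from event_filter/threshold lines; '#' comments skipped."""
    filters = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(("event_filter", "threshold")):
            o = dict(re.findall(r"(\w+)\s+(\S+)", line.split(None, 1)[1].replace(",", " ")))
            filters[int(o["sig_id"])] = (o["type"], o["track"], int(o["count"]), int(o["seconds"]))
    return filters

def apply_filters(events, filters):
    """events: (time_s, sid, src, dst) in time order; returns the ones that still alert."""
    state = defaultdict(lambda: [None, 0])   # (sid, tracked ip) -> [window start, events seen]
    alerts = []
    for ev in events:
        t, sid, src, dst = ev
        if sid not in filters:               # no filter for this sid: every event alerts
            alerts.append(ev)
            continue
        ftype, track, count, seconds = filters[sid]
        st = state[(sid, src if track == "by_src" else dst)]
        if st[0] is None or t - st[0] >= seconds:   # window expired: open a new one
            st[0], st[1] = t, 0
        st[1] += 1
        if ftype == "limit":                 # limit: only the first `count` events per window
            fire = st[1] <= count
        elif ftype == "threshold":           # threshold: every `count`-th event in the window
            fire = st[1] % count == 0
        else:                                # both: once per window, when `count` is reached
            fire = st[1] == count
        if fire:
            alerts.append(ev)
    return alerts

def ping_events(n_pings, src="192.168.1.10", dst="192.168.1.20"):
    """Constructed `ping -c n_pings`: one request (sid 384) and one reply (sid 408) per second."""
    return [e for i in range(n_pings) for e in ((float(i), 384, src, dst), (float(i), 408, dst, src))]

def alert_count(n_pings, conf=THRESHOLD_CONF):
    """Number of alerts Snort would raise for n_pings pings under the given threshold.conf text."""
    return len(apply_filters(ping_events(n_pings), parse_threshold_conf(conf)))
```

With the constructed filters, alert_count(5), alert_count(10) and alert_count(20) return 2, 2 and 4, against 10, 20 and 40 raw ICMP alerts without any filter.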

Milestone 3. Writing custom Snort rules

Although the Snort ruleset is quite comprehensive, in many cases it is necessary to write custom rules adapted to the protected environment, e.g. monitoring custom applications.
For instance, let us assume that the web application has an administrative interface in the /private/ directory. Therefore, we want to raise an alert if anyone other than the administrators from the 10.0.4.0/24 subnet accesses that part of the website.

Add an alert rule to the /etc/snort/rules/local.rules file to generate an alert when somebody tries to access the /private/ directory in the web application running at the METASPLOITABLE server, while avoiding false positives (e.g. “/public/private/”) and common evasion techniques (e.g. “///private/”, “/PrIvAtE/”).

Test the rule by connecting to the METASPLOITABLE server and sending various malicious payloads. For example, you can use the wget command from the Kali machine:
wget 192.168.1.20/private

Rule

alert tcp !10.0.4.0/24 any -> 192.168.1.20 80 (msg:"Acceso no autorizado a /private"; uricontent:"/private"; nocase; depth:8; sid:2000000;)

depth:8 discards every request that has anything other than just /private

nocase → doesn't care whether upper or lower case is used

uricontent to avoid multiple '/'

Pastrana's email:

Do

sudo snort -T -c /etc/snort/snort.conf

sudo service snort restart

http_inspect

uricontent to avoid multiple '/', depth to check that it is exactly the indicated path, and nocase to not distinguish upper case from lower case
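As an added check of the rule above (example code written for this write-up, not part of the lab or of Snort), the following Python models the rule header restriction plus uricontent, depth:8 and nocase applied to the URI as http_inspect normalizes it. It assumes that http_inspect's default multi_slash and directory normalization turns “///private/” into “/private/” before the rule is evaluated; the outside source 192.168.1.10 and the test requests are constructed.

```python
import re
from ipaddress import ip_address, ip_network

ADMIN_NET = ip_network("10.0.4.0/24")    # administrators exempted by the rule header
SERVER = ip_address("192.168.1.20")       # METASPLOITABLE web server, port 80

def normalize_uri(uri):
    """Approximation of what http_inspect hands to the detection engine (assumed default
    multi_slash and directory normalization): repeated '/' collapse and '.' / '..'
    segments are resolved, so '///private/' becomes '/private/'."""
    out = []
    for seg in re.sub(r"/+", "/", uri).split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)

def uricontent_match(uri, pattern="/private", depth=8, nocase=True):
    """uricontent + depth: the pattern must fit inside the first `depth` bytes of the
    normalized URI; nocase makes the comparison case-insensitive."""
    window = normalize_uri(uri)[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def rule_fires(src_ip, dst_ip, dst_port, uri):
    """Header: tcp !10.0.4.0/24 any -> 192.168.1.20 80; options: uricontent, nocase, depth:8."""
    if ip_address(src_ip) in ADMIN_NET or ip_address(dst_ip) != SERVER or dst_port != 80:
        return False
    return uricontent_match(uri)

# Constructed requests (source 192.168.1.10 is a made-up non-admin host): (src, URI, expected)
CASES = [
    ("192.168.1.10", "/private", True),           # the wget test from the lab
    ("192.168.1.10", "///private/", True),        # evasion: extra slashes normalized away
    ("192.168.1.10", "/PrIvAtE/", True),          # evasion: mixed case, caught by nocase
    ("192.168.1.10", "/public/private/", False),  # false positive avoided by depth:8
    ("192.168.1.10", "/privateer", True),         # caveat: also fits in the 8-byte window
    ("10.0.4.7", "/private/", False),             # administrator subnet is excluded
]

def run_cases(cases=CASES):
    """Return the (src, uri) pairs whose outcome differs from the expected one."""
    return [(src, uri) for src, uri, want in cases
            if rule_fires(src, str(SERVER), 80, uri) != want]
```

run_cases() returns an empty list when every constructed request behaves as expected; note the /privateer case, which the 8-byte window also matches because depth:8 only fixes where the pattern must start.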
