Laboratorio IDS
For this laboratory, we will employ the OpenWRT, METASPLOITABLE, IDS and the
Auditing machine, as shown in Figure 1. Start running the OpenWRT and
METASPLOITABLE VMs. We will now assume that the attacker has been able to
bypass the firewall and take control of a machine in the DMZ.
Finally, test that the network configuration is working properly by pinging the
METASPLOITABLE server (192.168.1.20) from the Auditing machine. Since the “IDS-
Snort” VM is connected to the “DMZ” subnet in promiscuous mode, it should
nevertheless be able to monitor all traffic exchanged between them (recall the Mini-
Lab).
To restart Snort:
2. How are these actions being identified/labelled by Snort?
a. 8728 are generated
c. I will add the image later
Configure Snort so that the local4 alerts are sent to a specific file.
This was a challenge from the logs lab.
local4 log created in /var/log/snort.log
/etc/rsyslog.d/50-default.conf
tail /var/log/snort.log
Milestone 2. Configure the alert thresholds
As you remember from the mini-lab, Snort has a default configuration, and even
sending a ping to the METASPLOITABLE server raises an alert. Check it, by sending 10
pings to the METASPLOITABLE server ( ping -c 10 192.168.1.20 ) from the Auditing
machine host, and write down the Signature IDs (SIDs) of the “ICMP PING” and “ICMP
Echo Reply” alerts.
As you may have noticed, each ICMP message in each direction generates a separate
alert (and all packets are logged in case the log_tcpdump output is enabled). In order to
reduce the number of duplicated alerts, we are going to configure the threshold
mechanism to limit the ICMP PING alerts to one every 10 seconds.
With 20 pings, 6 alerts are created:
Modify the /etc/snort/threshold.conf file to limit the number of alerts of the “ICMP PING”
and “ICMP Echo Reply” alerts to one per 10 seconds when pinging the
METASPLOITABLE server from a different source.
Send different number of pings (e.g. 5, 10, 20) from the OpenWRT router and the
Auditing machine host, and watch the alert log to identify the Snort behavior.
Explore different values of the filter type (limit|threshold|both) and track (by_src|by_dst)
options to understand what they do.
Explain such behavior in the report, and justify which filter type and track option
combination is the best for each rule to minimize the number of duplicated alerts while
preventing evasion.
threshold: this type refers to a specific threshold that must be reached to trigger the
rule. It raises an alert every `count` events; for example, with count 1, 10 alerts are
created, and with count 10, 3 alerts are created.
With count 5:
both: indicates that both a limit and a threshold are being configured. limit alerts on
the first event every X seconds; threshold alerts every X times the event is seen within
Y seconds; both alerts once per time interval in which X occurrences of the event are
seen.
With count 2
With count 5
Changing the track type (by_src, by_dst) gives the same behavior, but changes which
address (source or destination) the events are counted against.
With limit
With threshold
With both
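The three filter types and the two track options above, as an added Python model of Snort's documented event_filter semantics (this is not Snort's code nor part of the lab; the SID 1000001, the host addresses and the one-ping-per-second timing are constructed sample data):

```python
# Added example (not Snort code): a simplified model of threshold.conf
# event filters. SID 1000001, hosts and per-second timing are constructed.

def run_event_filter(events, count, seconds, kind="limit", track="by_src"):
    """Replay (time, sid, src, dst) events through one filter; return alerts.
    limit: first `count` events per `seconds` window.
    threshold: every `count` events within a window.
    both: once per window, after `count` events have been seen."""
    state = {}  # (sid, tracked address) -> (window_start, events_in_window)
    alerts = []
    for t, sid, src, dst in events:
        key = (sid, src if track == "by_src" else dst)
        win, n = state.get(key, (None, 0))
        if win is None or t - win >= seconds:  # interval expired: new window
            win, n = t, 0
        n += 1
        if kind == "limit":
            fire = n <= count
        elif kind == "threshold":
            fire = n >= count
            if fire:
                n = 0  # counter restarts after each alert
        elif kind == "both":
            fire = n == count
        else:
            raise ValueError(f"unknown filter type {kind!r}")
        state[key] = (win, n)
        if fire:
            alerts.append((t, sid, src, dst))
    return alerts


def pings(n, src, dst="192.168.1.20", sid=1000001, start=0):
    """Constructed ICMP PING events, one per second from `src`."""
    return [(start + i, sid, src, dst) for i in range(n)]


def compare_filters():
    """Alert counts for 20 pings from one host, and for two hosts pinging
    the same server, under each filter type and track option."""
    single = pings(20, "10.0.4.10")
    two = pings(1, "10.0.4.10") + pings(1, "192.168.1.1", start=1)
    return {
        "limit_1_per_10s": len(run_event_filter(single, 1, 10, "limit")),
        "threshold_5_per_10s": len(run_event_filter(single, 5, 10, "threshold")),
        "both_5_per_10s": len(run_event_filter(single, 5, 10, "both")),
        "two_hosts_by_src": len(run_event_filter(two, 1, 10, "limit", "by_src")),
        "two_hosts_by_dst": len(run_event_filter(two, 1, 10, "limit", "by_dst")),
    }
```

Compare the by_src and by_dst counts to see why a filter tracked by destination can hide a second scanning host behind the first one's alert.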
Therefore, we want to raise an alert if anyone other than the administrators from the
10.0.4.0/24 subnet accesses that part of the website.
Test the rule by connecting to the METASPLOITABLE server and sending various
malicious payloads. For example, you can use the wget command from the Kali machine:
wget 192.168.1.20/private
Rule
depth:8 excludes every request whose URI contains anything beyond just /private
Email (Pastrana):
To do
sudo service snort restart
http_inspect
uricontent so that repeated '/' characters do not bypass the match, depth so that it
matches exactly the indicated path, and nocase so that it does not distinguish upper
from lower case