CSEC630 Lab2- IDS Revised 20110614


Description: Lab on IDS and IPS from the master's program in cybersecurity at UMUC.


  • Page 1

    CSEC 630 Lab2 - Intrusion Detection System and Protocol Analysis Lab

    Your Faculty Advisor/ Teaching Assistant should have provided you with the following

    information before you started the lab exercise:

    Cisco VPN Username

    Cisco VPN Password

    Virtual Machine (VM) IP Address

    VM Username (works with the Remote Desktop Connection)

    VM Password

    A. DOWNLOADING THE VPN CLIENT

    1. In your browser, enter the following URL (do not forget the s in

    https): https://vpn.csvcl.net

    2. If needed, select Continue to this website (not recommended).

    3. Be sure that the GROUP is OOB-anyconnect. Enter the Logon name

    and VPN password given to you.

    4. Click on the Start AnyConnect link.

    5. For some operating systems, there may be a warning bar just below the

    menus asking whether you wish to install the VPN client. Click the bar and

    proceed to install the ActiveX Control.

    For other operating systems, you may instead see the warning "A website wants to open web content"; click Allow.

    6. You may see a window asking you to proceed because the website's certificate cannot be verified. Select Yes. (Note: If the system locks up, click another window, then click Yes.) Accepting a certificate your browser cannot verify is expected only for this lab's private VPN portal; outside the lab, treat such a warning as a possible man-in-the-middle and do not proceed.

    7. Install the AnyConnect VPN Client. This will take a few moments.

    If prompted, allow the program from an unknown publisher to make changes to the computer. Select Yes.

    Eventually, you should see Connection Established.

    Note: You just need to download this client just once.

    8. This step is for future sessions. You will access the Cisco VPN client

    this way: Select the Cisco AnyConnect VPN from your Start Menu, or

    choose:

    Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco

    AnyConnect VPN Client

    In response to the question on proceeding, click Yes.

    Click the Connections tab. If you are not connected, click the Connect

    button and enter your logon name and password. Once connected,

    minimize the window.

    B. ACCESSING THE REMOTE DESKTOP CONNECTION

    1. Enter https://10.0.4.50/cloud/org/csec630 in the browser and click on

    Continue to this website (not recommended)

    2. Type your logon name and password and click on Login.

    3. Click on Add Cloud Computer System.

    4. Select CSEC630 and click Next.

  • Page 2

    5. Type your username in the Name field to uniquely identify your virtual

    image.

    6. Next click Finish.

    7. Wait a few minutes for the system to create the virtual machine image.

    8. The word Stopped will appear.

    9. Click on the green Start button to power on the virtual machine.

    10. Wait a few moments for the virtual machine to completely start.

    11. Once its status changes to Running, double click on the virtual machine image icon (it has a miniature Windows image).

    If the pop-up is blocked, click the highlighted bar and select Always Allow Pop-ups from This Site. Confirm with a Yes. You may have to log in again.

    In response to a warning message A website wants to open web

    content, click on Allow to install the web application.

    If presented with an invalid certificate, check Always trust the host with

    this certificate. Click Ignore.

    If there is a problem with the certificate, select Continue to this website

    (not recommended)

    13. Run the VMware executable file. Allow the program to make changes to the computer, if prompted.

    If presented with an invalid certificate, check Always trust the host with

    this certificate. Click Ignore.

    14. Install the VMware Remote Console Plug-In. If necessary, close all Internet Explorer windows. When done, click Finish.

    Open the browser and re-enter https://10.0.4.50/cloud/org/csec630 and

    click on Continue to this website (not recommended).

    Again, type your logon name and password and click on Login.

    15. Double click the virtual machine icon. Allow the website to open web

    content. If presented with an invalid certificate, check Always trust the

    host with this certificate. Click Ignore.

    Click on VMWare Remote Console button on the top bar of the window

    and select Send Ctrl+Alt+Del from the dropdown menu.

    16. Click OK to the opening window warning.

    17. In the Log On to Windows box, type the username student1 and the password Csec630, then click OK to log in.

    C. EXITING THE APPLICATIONS

    1. Log off the cloud application window by closing the window (click the

    X on the upper right hand corner of the window). Click the Stop button to

    terminate the cloud application from running. Click Yes to the prompt.

    Click Logout on the upper right hand side of the window.

    2. Access the VPN client window via the Start Menu or use

    Start > All Programs > Cisco > Cisco AnyConnect VPN Client > Cisco

    AnyConnect VPN Client

    Under the Connection button, click the Disconnect button.

    3. Close all windows. This should return your computer to normal.

  • Page 3

    Note: There are 10 questions you are to answer after completing this lab found on pp. 17-18

    Please submit a Word document that contains your answers

    to all 10 questions to Web Tycho Gradebook Lab2 Assignment Week 6.

    Source: http://www.snort.org/snort

    Snort is a free, open source network intrusion detection and prevention system capable of performing

    real-time traffic analysis and packet logging on IP networks. Initially called a lightweight intrusion

    detection technology, Snort has evolved into a mature, feature-rich IPS technology that has become the

    de facto standard in intrusion detection and prevention. With nearly 4 million downloads and approximately 300,000 registered users, Snort is the most widely deployed intrusion prevention technology in the world.

    Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety

    of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS

    fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it

    should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort

    has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user

    specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary

    uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc),

    or a full-blown network intrusion

    DOS CHEAT SHEET

    COMMAND LINE                                 EXPLANATION
    .                                            current directory
    ..                                           parent directory (up one directory)
    ../                                          parent directory (up one directory)
    *                                            zero or more of any characters
    ?                                            any one character
    dir directory_to_view                        list directory_to_view
    cd directory_to_go_to                        change to directory_to_go_to
    copy source_file dest_file                   copy source_file to dest_file
    ren old_name new_name                        rename file from old_name to new_name
    move dir1\file1 dir2\file2                   move dir1\file1 to dir2\file2
    edit /R file1                                view file1 (read only)
    edit file1                                   edit file1

    Examples:

    dir                                          list current directory
    dir .                                        list current directory
    dir ..                                       list parent directory

  • Page 4

    dir *rules                                   list entries in the current directory whose name ends with "rules"
    dir log                                      list the contents of the "log" directory (if "log" were a file, it would list just that file)
    cd                                           with no argument, display the current drive and directory (it does not change directory)
    cd ..                                        change to parent directory
    cd c:\snort\bin                              change to the bin directory in c:\snort
    copy csec630.rules csec630.rules.original    make a backup copy in the current directory
    ren alert alert1                             rename the "alert" file to "alert1" in the same directory
    move log\alert log2\alert1                   move the "alert" file in the "log" directory to "alert1" in the "log2" directory
    edit /R csec630.rules                        view the file "csec630.rules" from the current directory read-only
    edit csec630.rules                           open the file "csec630.rules" from the current directory for editing
    edit /R log\alert*                           view the file whose name starts with "alert" in the log directory

    SNORT OPTIONS

    -c config_filename    use supplied filename as the configuration/rule file
    -l log_directory      use supplied directory to log alerts
    -r pcap_filename      read packets from the supplied pcap file instead of a live interface
    -T                    test mode: validate the configuration and rule files and exit; no packets are processed and nothing is written to the log directory

  • Page 5

    GETTING ORIENTED

    First of all, connect via VPN and start your remote desktop client.

    /*** PANIC***/

    Notice the SNORT PANIC icon on the desktop of the virtual machine. You will be editing the snort

    rules file during this lab. Clicking this icon will run a script that will refresh certain configuration and

    rules files, in case they have been corrupted. It's a good idea to click this icon before and after you

    work on your lab, or in case you make a mistake editing the snort rules file for the lab.

    /*** END PANIC***/

    The Command Prompt

    In the virtual machines we will work from the command prompt. To get to the command prompt, press the Start button within the virtual machine's window, click Run..., type cmd.exe in the entry box, and click OK.

    Our Working Directory

    Let's go to the directory where we have loaded the Snort files. Type the following commands in the

    command console (for clarity, we will use monospaced type for code that is typed into the command

    prompt):

    cd c:\snort\bin

  • Page 6

    Now that we are in the c:\snort\bin directory, let's take a look. Type dir and press enter.

    dir

    Note that there's a lot of files. Let's take a look at a list of some of the configuration files that are here. They end in .conf; these files configure Snort's operation.

    dir *.conf

    Your output may be slightly different, but you should see snort630.conf in the list.

    Let's take a look at what rules files are here in the c:\Snort\bin directory. Snort uses rules files to

    define the type of network traffic that will generate an alert. We happen to have the rules files in this

    directory. They end in .rules, so enter the following command to view files that end with .rules

    dir *.rules

    This command line makes dir look in the current directory for anything whose name ends in ".rules". (csec630.rules is the file we will be examining; it contains our own rules for this lab.)

    Now let's see what pcap files are here (.pcap files are packet capture files)

    dir *.pcap

    For this lab, we will open CSEC630.pcap in WireShark and then we will run it through Snort to see if

    any of Snort's IDS rules are triggered.

    Finally, there is a log directory within c:\Snort\bin; let's change to that directory and have a look. We are already in c:\Snort\bin, so we only need to change to the log directory, then list it:

    cd log

    dir

  • Page 7

    RUNNING WIRESHARK

    Introduction to Wireshark

    Source: http://www.wireshark.org/faq.html#sec1

    Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX.

    Network professionals, security experts, developers, and educators around the world use it regularly. It

    is freely available as open source, and is released under the GNU General Public License version 2.

    It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive

    technology.

    Packet capture files in .pcap format may be examined with tools like tcpdump and Wireshark. For this lab we will use Wireshark to examine a packet capture of previous network activity that has been saved on our virtual machine.

    Start Wireshark on your virtual machine from the start menu.

    Next, click on the Open option under the Files header in the middle of the screen, and select

    c:\snort\bin\CSEC630.pcap in the open dialog.

  • Page 8

    Wireshark displays the packets in the capture (.pcap) file in three panes. The top pane lists the captured frames, one per row. The middle pane shows the decoded details of the selected row. Notice the triangles at the left of Frame 1, Ethernet II, Internet Protocol, and Transmission Control Protocol; each of these may be expanded so that you can examine the contents of that layer. The bottom pane shows the raw bytes of the selected frame as a column of hexadecimal beside a column of the same bytes rendered as ASCII. This is useful for identifying suspicious packet contents: some content is easy to read as ordinary ASCII characters, while binary content that has no printable ASCII representation can still be identified from the corresponding hexadecimal.

    Scroll a bit through the capture file by using the scroll-bar in the top pane that has the colored rows of

    network traffic. That's a lot of information! Thankfully, we can filter the results.

    Click the Filter button. A dialog will pop up. Select TCP only, and then click OK.

  • Page 9

    Now we can see the filtered results. In the Protocol column we can see TCP as well as other

    protocols which are encapsulated within TCP segments.

    Again, note the triangle to the left of Transmission Control Protocol in the middle pane. Click it; it will expand to show the fields of the TCP segment's header. The corresponding raw bytes (hexadecimal alongside an ASCII representation) are highlighted in the bottom pane. Notice that the ASCII column on the right contains many . characters: each one stands for a byte that has no printable ASCII representation, while the hexadecimal column on the left shows the actual value of every byte. A signature for potentially suspicious activity or for a known attack may compare the header or payload contents of a TCP segment to a sequence of bytes written in hexadecimal, or it may look for a specific ASCII string.

    Feel free to look around. Scroll down in the top pane until you encounter an HTTP request. You can

    click on the HTTP information in the middle pane and view the contents of the HTTP header in detail.

  • Page 10

    You can also click on the Filter button and select HTTP (or type http in the drop-down box and

    click the Apply button) to see only packets with encapsulated HTTP content within the TCP payload.

    Click the Clear button, to again see all the captured packets.

  • Page 11

    RUNNING SNORT

    1) Snort is run from the command line, so let's open up the command prompt. Before we run Snort, first let's make sure we are in the right directory. Let's change the directory to c:\snort\bin

    cd c:\snort\bin

    2) Now let's test run Snort on our pcap file.

    We will use several options when running Snort:

    -T                  test mode: validate the configuration and rules and exit, without processing packets or writing alerts

    -c snort630.conf    use snort630.conf as the configuration/rules file

    -l log\             use log as the log directory for alerts

    -r CSEC630.pcap     read/process the CSEC630.pcap file

    Type the following at the command prompt, and then press the enter/return key:

    snort -T -c snort630.conf -l log\ -r CSEC630.pcap

    We get a lot of output. At the end we see:

    "Snort successfully validated the configuration"

    "Snort exiting"

    3) Let's look in the log directory.

    cd log

    dir

    Snort will store alerts here. Since this was a test run (we used the -T option), no new alerts were

  • Page 12

    created on this run. To make sure we are starting with a clean slate, let's clean up this directory if there are any alert files in it.

    del alert*

    4) Really run Snort on the pcap file.

    We are still in c:\snort\bin\log, so let's change back to the parent directory, which is c:\snort\bin. We can type cd c:\snort\bin or we can simply type cd .., which is a shortcut to go up to the parent directory.

    cd c:\snort\bin

    Now let's really run the .pcap file through our Snort ruleset. We'll use the same command line as before, just without the -T option.

    snort -c snort630.conf -l log\ -r CSEC630.pcap

    We told Snort to log any results to the log directory, and this was a real run, so there may be an alert. Let's look in the log directory.

    cd log

    dir

    If there is an alert file, look at it. For a file named alert.ids, we can look at the file by entering:

    edit /R alert.ids

    The command edit /R opens a file in read-only mode. The file is empty: nothing matched because, as we will see in step 5, every rule in csec630.rules is still commented out. We can exit the editor by selecting File with the mouse, or by pressing Alt-F, and then clicking Exit or typing x.

  • Page 13

    Let's go up a directory, that is, to the parent directory of "log", where we were before we typed "cd log". To do this, we can use the shortcut "..", which represents the parent directory.

    cd ..

    We were previously in c:\snort\bin\log, so now we are in the parent directory c:\snort\bin. We are ready to look at some rules.

    to look at some rules.

    5) INSPECT RULES FILE

    Let's look at the rules file set up for this lab, but let's make sure we open the file read-only, so that we

    don't accidentally mess up the file. We will use the /R option to edit so it is opened for reading only.

    edit /R csec630.rules

    Hmm, everything has a # character in front of it. A line beginning with "#" is a comment, which Snort ignores. That's OK for instructions, examples, notes, etc., but we want some rules to fire.

  • Page 14

    6) BACKUP RULES FILE

    Let's make a backup of the csec630.rules file so we can safely edit it and test out our changes and

    still fall back on the original if need be.

    copy csec630.rules csec630.rules.original

    7) EDIT RULES FILE

    Now let's open up csec630.rules for editing. We won't include the "/R" (read-only) option this time.

    edit csec630.rules

    Notice the lines that have two "#" characters at the beginning. These are comment lines. Now find the first line that starts with a single "#" followed by "alert tcp" and, further along, msg: and sid: ... this is a Snort rule, disabled by the leading "#". Scroll through and take a look at this line. Let's remove the "#" character at the beginning of that first Snort rule. Use the cursor keys or mouse, backspace or delete, etc.

    Now let's save the file. You can use Alt-F or the mouse to select the File menu, and then you can

    type s or click save to save the changes that we made.

    To exit the file, again, press Alt-f and then x, or use the mouse to select File and exit.
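    To make the mechanics above concrete (the "#" comment convention in csec630.rules, the "alert tcp ... (msg:...; sid:...;)" rule shape you just uncommented, and the earlier Wireshark point that a signature can match either a readable ASCII string or a run of bytes written in hex), here is a small added Python example. It is not Snort's code and is not part of the original lab: the rules file, the packets and the alert-line layout are constructed for the example, and it handles only the subset of rule syntax shown here (header fields, msg, content with |hex| escapes, sid, rev).

```python
"""Toy Snort-style rule matcher (added example; not Snort's code)."""
import re
from dataclasses import dataclass

# Constructed rules file in the shape of csec630.rules: "##" lines are comments,
# a single leading "#" disables a rule, and an uncommented line is live.
SAMPLE_RULES = """\
## csec630.rules (constructed sample for this example, not the lab file)
## Rule 1 is disabled by the leading "#", the way the lab file ships.
#alert tcp any any -> any 80 (msg:"CSEC630 HTTP GET"; content:"GET /"; sid:1000001; rev:1;)
## Rule 2 is live; its content is written in |hex| because the bytes are not printable ASCII.
alert tcp any any -> any any (msg:"CSEC630 NOP sled marker"; content:"|90 90 90 90|"; sid:1000002; rev:1;)
"""

@dataclass
class Rule:
    proto: str; src: str; sport: str; dst: str; dport: str
    msg: str; content: bytes; sid: int; rev: int

@dataclass
class Packet:  # constructed, not read from a pcap; only what the matcher needs
    proto: str; src: str; sport: int; dst: str; dport: int; payload: bytes

HEADER_RE = re.compile(r'^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def decode_content(text):
    """Snort content syntax: literal ASCII outside |...|, hex byte pairs inside."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

def parse_rules(text):
    """Return the live rules; lines starting with "#" (comments or disabled rules) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line}')
        proto, src, sport, dst, dport, options = m.groups()
        kv = {k: v.strip('"') for k, v in OPTION_RE.findall(options)}
        rules.append(Rule(proto, src, sport, dst, dport, kv['msg'],
                          decode_content(kv['content']), int(kv['sid']), int(kv.get('rev', '1'))))
    return rules

def _field_ok(rule_value, packet_value):
    return rule_value == 'any' or str(packet_value) == rule_value

def matches(rule, pkt):
    """Header fields must agree (or be 'any') and the content bytes must occur in the payload."""
    return (rule.proto == pkt.proto
            and _field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport)
            and rule.content in pkt.payload)

def run(rules_text, packets):
    """One alert line per (rule, packet) hit, in a constructed fast-alert-like layout."""
    alerts = []
    for rule in parse_rules(rules_text):
        for pkt in packets:
            if matches(rule, pkt):
                proto = '{' + rule.proto.upper() + '}'
                alerts.append(f'[1:{rule.sid}:{rule.rev}] {rule.msg} {proto} '
                              f'{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}')
    return alerts

def enable_rule(rules_text, sid):
    """Delete the leading "#" from the rule with this sid: what step 7 does by hand in edit."""
    out = []
    for line in rules_text.splitlines():
        if line.startswith('#alert') and f'sid:{sid};' in line:
            line = line[1:]
        out.append(line)
    return '\n'.join(out)

def hexdump(data, width=16):
    """Render bytes like Wireshark's bottom pane: hex column beside ASCII, "." for non-printable."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk)
        ascii_part = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        lines.append(f'{off:04x}  {hexpart:<{width * 3}} {ascii_part}')
    return '\n'.join(lines)

# Constructed packets (not from CSEC630.pcap): a plain HTTP request and a binary payload.
PACKETS = [
    Packet('tcp', '10.0.4.10', 49152, '203.0.113.5', 80, b'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n'),
    Packet('tcp', '10.0.4.10', 49153, '10.0.4.20', 4444, b'\x00\x01' + b'\x90' * 6 + b'\xcc'),
]

if __name__ == '__main__':
    print('\n'.join(run(enable_rule(SAMPLE_RULES, 1000001), PACKETS)))
    print(hexdump(PACKETS[1].payload))
```

    With the rules file as shipped, run() reports only the NOP-sled rule, because the HTTP rule is still commented out; after enable_rule() strips its "#", the same packets produce two alerts. hexdump() of the second payload shows why that signature had to be written in hex: the ASCII column renders every 0x90 as ".", but the hex column still identifies it. Real Snort content matching has many more modifiers (nocase, offset, depth, and so on) that this toy ignores.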

    8) RERUN SNORT

    Let's run Snort again on our .pcap file.

    snort -c snort630.conf -l log\ -r CSEC630.pcap

  • Page 15

    Let's look at the log directory now.

    dir log

    (Notice this time we did not need to change to the log directory. We simply typed "log" after the dir command, telling "dir" to report on the contents of "log", which is a directory.)

    9) INSPECT ALERT FILE

    There's an alert file! Let's look at it.

    edit /R log\alert.ids

    (Note that we are not in the log directory, so we typed "log\alert.ids" to tell edit that we wanted to view the alert.ids file in the log directory.)

    Now let's exit (Alt-f then x, or use the mouse to select File and exit.)

    Since this is the alert on the first rule we are examining, let's rename the file "alert.ids" to "alert1": we will change to the log directory, rename alert.ids to alert1, and then change back to the parent directory with cd ..

    cd log

    ren alert.ids alert1

    cd ..

    Let's look at the log directory to make sure we did it right.

    dir log

    There is now a file named "alert1" in the log directory, but no "alert.ids" file. When Snort runs next it will create a new "alert.ids" file containing any alerts from rules that are triggered.

    10) CONTINUE RUNNING SNORT WITH OTHER RULES

    Before we run snort again, let's turn off the first rule and turn on the second rule. To accomplish this,

    let's add a "#" (comment indicator) back to the beginning of the rule we just looked at and let's remove

    the "#" character which precedes the second rule.

  • Page 16

    Now let's re-run Snort.

    snort -c snort630.conf -l log\ -r CSEC630.pcap

    Again let's look at the alert file.

    edit /R log\alert.ids

    Again, let's rename it. We are in the c:\Snort\bin directory, so let's change to the log directory, rename the alert.ids file to alert2, and come back.

    cd log

    ren alert.ids alert2

    cd ..

    11) Continue like this through the rest of the rules.

    Now that we are done, let's move the original file back in place. Let's make sure we are in the c:\Snort\bin directory, and then move the file.

    cd c:\snort\bin

    move csec630.rules.original csec630.rules

    12) Push the PANIC button!

    OK, now click PANIC.

    In case things are messed up, we can click on the SNORT PANIC icon on the desktop. This will put back the original .conf file, .pcap file, and .rules file.

    When you are done with your lab, click SNORT PANIC anyhow, to clean up some things for next time.

  • Page 17

    You are to include your answers for each of the following 10 questions in a Word document and submit the file in your WebTycho Gradebook Lab 2 Assignment folder. Each question is worth 10 points.

    1. When running Snort IDS why might there be no alerts?

    2. If we only went to a few web sites, why are there so many alerts?

    3. What are the advantages of logging more information to the alerts file?

    4. What are the disadvantages of logging more information to the alerts file?

    5. What are the advantages of using rule sets from the snort web site?

    6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security

    network and why?

  • Page 18

    7. If a person with malicious intent were to get into your network and have read/write access to your

    IDS log or rule set how could they use that information to their advantage?

    8. An intrusion prevention system can either wait until it has all of the information it needs, or can

    allow packets through based on statistics (guessed or previously known facts). What are the

    advantages and disadvantages of each approach?

    9. So, the bad guy decides to do a Denial of Service on your Intrusion Prevention System. At least

    two things can happen, the system can allow all traffic through (without being checked) or can deny all

    traffic until the system comes back up. What are the factors that you must consider in making this

    design decision?

    10. What did you find particularly useful about this lab (please be specific)? What if anything was

    difficult to follow? What would you change to make it better?