>> Computer Network Security
Assignment - Enterprise Application Security
For the purposes of this assignment, you will have to download and install a well known security (software) tool -Snort - on your own computer. It is highly recommended that you create a directory C:\security\ on your hard drive and, subsequently, download and install this tool from that directory.
The material for this assignment is adapted from M. Gregg's "Build Your Own Security Lab: A field guide for network testing" book.
Snort is a freeware IDS. Although initially written for Linux/Unix, most of its functionality is now available in Windows. In this lab, we will use the Windows version.
Snort can operate in one of the following four modes:
• Basic Packet Sniffer;
• Packet Logger;
• Network Intrusion Detection Sensor;
• Network Intrusion Prevention Sensor.
To get Snort running on a Windows system, you need WinPcap and the Snort Executable.
The purpose of WinPcap is to allow programs, such as WinDump, Wireshark, Snort, and other IDS applications to capture low-level packets traveling over the network. It should be the first program installed before using any of the Windows-based IDS systems.
Snort for Windows can be downloaded. Under Latest Release -> Binaries, choose/download Snort_2_9_4_6_Installer.exe. Double-click on this program, and follow the installation procedure. Keep the values at ‘default'. At the end of the installation procedure, Snort will be installed in the following directory: C:\Snort.
To test-run Snort, in a command prompt, cd to c:\snort\bin folder, then type: C:\Snort\bin>snort
SNORT: BASIC CONFIGURATION
To properly configure Snort, you need to access the Snort.conf file. This file should be open with a basic text editor, such as Notepad or WordPad. Once opened, the file will appear as shown below.
The options you may want to configure in this file are:
• network settings;
• rules settings;
• output settings;
• include settings.
a) Network Settings
By default, Snort.conf has the network set at: var HOME_NET any.
Leaving this setting as is will configure Snort to monitor any network that your computer is attached to. To monitor a specific subnet (e.g., 192.168.123.0), the setting would be configured as: var HOME_NET 192.168.123.0/24. Or to monitor a specific device (e.g., 192.168.123.254), the setting should be configured as var HOME_NET 192.168.123.254/32.
b) Rules Settings
The default rule path is: var RULE_PATH ../rules. You must replace this line with the correct path for the rules; for example: var RULE_PATH C:\snort\rule.
SNORT: SNIFFER MODE
Sniffer mode works as the name implies. It configures Snort to sniff traffic. In order to verify this mode of operation, follow these steps:
a) At one of the command prompts, navigate to the C:\snort\bin folder, and type C:\Snort\bin>snort -W You should see a list of possible adapters on which you can install the sensor. The adapters are numbered 1, 2, 3, and so forth (see the figure below).
b) In order to properly configure Snort, at the C:\snort\bin> prompt enter C:\Snort\bin>snort -v -ix where x is the number of the NIC to place your Snort sensor on.
c) Switch to the second command prompt and ping www.conestogac.on.ca. When ping is complete, switch back to the command prompt window running Snort, and press Ctrl+C to stop Snort. Figure below shows a sample capture of ping to www.conestogac.on.ca
Take a screenshot of your own Snort ping capture and include it in your final report.
Now, notice that the given capture does not display data-link headers nor the (application-layer) packet content.
Find the flag that will also display data-link headers as well as the content of raw packets. What command/flag did you use?
SNORT: LOGGER MODE
Snort can handle packets in in one of two ways. It can alert you when something is happening in real-time (in the console) or it can log the information to a file for later review.
To verify the logger mode of operation, follow these steps:
a) At the command prompt, type C:\Snort\bin>snort -l c:\snort\log
b) To get some logs, open a browser and go to www.conestogac.on.ca.
c) Ctrl+C to stop Snort. Now look at the C:\snort\log directory, you should see some Snort.log files.
Take a screenshot of your Windows/File Explorer showing the captured Snort.log file(s), and include it in the report.
In the log file find the page request for www.conestogac.on.ca. Include the screenshot of this request in your report.
SNORT: BUILDING SNORT RULES
Snort comes with the option of matching the packets that it captures with a set of rules that the administrator provides. The rules reside in a simple ASCII text files and can be modified as needed. Snort rules are what set Snort apart from any other ordinary sniffer. They define the pattern and criteria Snort uses to look for suspicious packets.
Snort rules are made up of two basic parts: rule header and rule options.
The best way to master Snort rules is to create and test some simple rules. To do so, perform the following steps:
a) Open Notepad and enter the following:
Alert TCP any any -> any any (msg: "my TCP scan"; sid: 1;)
b) Save the file as c:\snort\rules\"myrules.conf" and close Notepad. Typing the name in quotes, as shown, will force Notepad to drop the normal .txt extension.
c) Clear the Snort log folder, and open a command prompt.
d) Run Snort from the command prompt by entering the following:
C:\snort\bin> snort -c \snort\rules\myrules.conf -l \snort\log
e) To get some logs, open a browser and go to www.conestogac.on.ca.
f) Ctrl+C to stop Snort. Now look at the C:\snort\log directory. You should see an alert.ids and (new) Snort.log files.
g) Right-click alert.ids file and open with WordPad.
Take a screenshot of alert.ids file and include it in your report.
h) Now, modify your myrules.conf file so that it contains the following rule: Alert UDP any any -> any any (msg: "my UDP scan"; sid: 1;)
(Make sure that you save the file after changing its content.)
i) In the command prompt again execute: C:\snort\bin> snort -c \snort\rules\myrules.conf -l \snort\log
j) To get some logs, open a browser and go to http://www.conesetogac.on.ca.
k) Ctrl+C to stop Snort and again look at the C:\snort\log directory. Open alert.ids with WordPad.
Take a screenshot of the new alert.ids file and include it in your report.
How may alerts have you find in the new alert.ids file? How and why is the content of this file different from the one captured in (5)? Explain!
Attachment:- Enterprise Application Security.rar