Find the flag that will also display data-link headers
Course:- Computer Network Security
Reference No.:- EM132283993


Assignment - Enterprise Application Security

For the purposes of this assignment, you will have to download and install a well known security (software) tool -Snort - on your own computer. It is highly recommended that you create a directory C:\security\ on your hard drive and, subsequently, download and install this tool from that directory.

The material for this assignment is adapted from M. Gregg's "Build Your Own Security Lab: A field guide for network testing" book.

Snort is a free, open-source IDS. Although it was originally written for Linux/Unix, most of its functionality is now available on Windows. In this lab we will use the Windows version.

Snort can operate in one of the following four modes:
• Basic Packet Sniffer;
• Packet Logger;
• Network Intrusion Detection Sensor;
• Network Intrusion Prevention Sensor.

To get Snort running on a Windows system, you need WinPcap and the Snort Executable.
a) WinPcap
The purpose of WinPcap is to allow programs, such as WinDump, Wireshark, Snort, and other IDS applications to capture low-level packets traveling over the network. It should be the first program installed before using any of the Windows-based IDS systems.

b) Snort
Snort for Windows can be downloaded. Under Latest Release -> Binaries, choose and download Snort_2_9_4_6_Installer.exe. Double-click the installer and follow the installation procedure, keeping the default values. At the end of the installation, Snort will be installed in the directory C:\Snort.

To test-run Snort, in a command prompt, cd to c:\snort\bin folder, then type: C:\Snort\bin>snort

To properly configure Snort, you need to edit the snort.conf file (installed under C:\Snort\etc). Open this file with a basic text editor, such as Notepad or WordPad. Once opened, the file will appear as shown below.
The options you may want to configure in this file are:
• network settings;
• rules settings;
• output settings;
• include settings.

a) Network Settings
By default, Snort.conf has the network set at: var HOME_NET any.
Leaving this setting as is configures Snort to treat every network your computer is attached to as the home network. To monitor a specific subnet, set HOME_NET to that subnet in CIDR notation; to monitor a single device, set HOME_NET to that device's IP address.
b) Rules Settings
The default rule path is: var RULE_PATH ../rules. On Windows you must replace this line with the actual path to the rules directory; for example: var RULE_PATH C:\snort\rules.
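The following snort.conf fragment is added here as an illustration and is not part of the assignment or of the file Snort ships; it places the weak default beside the corrected setting. The subnet 192.168.1.0/24 and the file name local.rules are assumptions chosen for the example.

```conf
# Weak (shipped default): with HOME_NET set to "any", every address counts as
# "home", so a rule written as $HOME_NET -> $EXTERNAL_NET cannot tell inside
# from outside and fires on traffic in both directions.
#var HOME_NET any
#var EXTERNAL_NET any

# Corrected: name the subnet you actually defend (assumed value for this example)
# and define everything that is not in it as external.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Rules settings: the Unix-style default "../rules" does not resolve on the
# Windows install, so point RULE_PATH at the real directory.
#var RULE_PATH ../rules
var RULE_PATH c:\snort\rules

# Include settings: pull in a local rule file from that directory
# (local.rules is an assumed file name).
include $RULE_PATH/local.rules
```

Snort expands $HOME_NET and $EXTERNAL_NET wherever they appear in a rule header, so narrowing HOME_NET here is what makes direction-aware rules meaningful later on.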

Sniffer mode works as the name implies. It configures Snort to sniff traffic. In order to verify this mode of operation, follow these steps:

a) At one of the command prompts, navigate to the C:\snort\bin folder and type C:\Snort\bin>snort -W. You should see a list of the network adapters on which you can place the sensor. The adapters are numbered 1, 2, 3, and so forth (see the figure below).

b) To start Snort in sniffer mode, at the C:\snort\bin> prompt enter C:\Snort\bin>snort -v -ix, where x is the number of the adapter on which to place your Snort sensor.

c) Switch to the second command prompt and ping www.conestogac.on.ca. When the ping completes, switch back to the command prompt window running Snort and press Ctrl+C to stop Snort. The figure below shows a sample capture of a ping to www.conestogac.on.ca.

Take a screenshot of your own Snort ping capture and include it in your final report.
Now, notice that the given capture displays neither data-link headers nor the (application-layer) packet content.

Find the flag that will also display data-link headers as well as the content of raw packets. What command/flag did you use?

Snort can handle packets in one of two ways: it can alert you in real time (in the console) when something is happening, or it can log the information to a file for later review.
To verify the logger mode of operation, follow these steps:
a) At the command prompt, type C:\Snort\bin>snort -l c:\snort\log (add -ix, as in the sniffer step, if Snort does not pick the right adapter by default).
b) To get some logs, open a browser and go to www.conestogac.on.ca.
c) Press Ctrl+C to stop Snort. Now look at the C:\snort\log directory; you should see one or more snort.log.<timestamp> files.

Take a screenshot of your Windows/File Explorer showing the captured Snort.log file(s), and include it in the report.

In the log file find the page request for www.conestogac.on.ca. Include the screenshot of this request in your report.
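The snort.log.<timestamp> files that Snort 2.9 writes in logger mode are libpcap captures, so the page request can be located programmatically instead of by scrolling through WordPad. The script below is an added example, not code from the lab or from Snort: it reads a libpcap file with only the Python standard library, decodes Ethernet/IPv4/TCP, and reports every HTTP request whose Host header matches. The capture it runs on is constructed inside build_sample_pcap(); the addresses in it (192.168.1.x, 203.0.113.x) are made up for the example.

```python
"""Locate the HTTP request for a given Host in a Snort logger-mode capture.
Added example (not part of the lab): Snort 2.9's snort.log.<timestamp> files
are libpcap captures, readable with nothing but the standard library.
The sample capture is constructed in build_sample_pcap(); its addresses are
made up (RFC 1918 and TEST-NET ranges)."""
import socket
import struct

DLT_EN10MB = 1  # Ethernet link type in the pcap global header


def pcap_records(data):
    """Yield (timestamp, frame) for every record of a libpcap (not pcapng) file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"          # big-endian writer: same bytes read the other way round
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4                      # TCP header length in bytes
    return src, sport, dst, dport, tcp[data_offset:]


def find_http_requests(pcap_bytes, host):
    """Return [(client, server, request_line)] for HTTP requests whose Host header is `host`."""
    hits = []
    for _ts, frame in pcap_records(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, sport, dst, dport, payload = decoded
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        headers = {k.lower(): v for k, v in (ln.split(": ", 1) for ln in lines[1:] if ": " in ln)}
        if headers.get("host", "").lower() == host.lower():
            hits.append((f"{src}:{sport}", f"{dst}:{dport}", lines[0]))
    return hits


# --- constructed sample capture ---------------------------------------------

def _frame(src, dst, proto, l4):
    """Ethernet + IPv4 header (checksum left zero; the parsers above do not verify it)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_sample_pcap():
    """Three frames: a DNS query (UDP, must be skipped), the GET the lab asks for,
    and a GET to an unrelated host that must not be reported."""
    wanted = b"GET / HTTP/1.1\r\nHost: www.conestogac.on.ca\r\nUser-Agent: lab\r\n\r\n"
    other = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    frames = [
        _frame("192.168.1.10", "192.168.1.1", 17, _udp(53001, 53, b"\x00" * 12)),
        _frame("192.168.1.10", "203.0.113.10", 6, _tcp(49152, 80, wanted)),
        _frame("192.168.1.10", "203.0.113.20", 6, _tcp(49153, 80, other)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # With a real capture: open(r"c:\snort\log\snort.log.1700000000", "rb").read()
    for client, server, line in find_http_requests(build_sample_pcap(), "www.conestogac.on.ca"):
        print(client, "->", server, line)
```

On a real capture, replace build_sample_pcap() with the bytes of the snort.log file; the request line and Host header will only be visible if the site was fetched over plain HTTP, since an HTTPS fetch leaves only the TLS handshake in the payload. If Snort was started with -K ascii instead, the log directory holds per-host text files rather than pcap and this reader does not apply.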

Snort comes with the option of matching the packets that it captures against a set of rules that the administrator provides. The rules reside in simple ASCII text files and can be modified as needed. Snort rules are what set Snort apart from an ordinary sniffer: they define the patterns and criteria Snort uses to look for suspicious packets.
Snort rules are made up of two basic parts: rule header and rule options.

The best way to master Snort rules is to create and test some simple rules. To do so, perform the following steps:
a) Open Notepad and enter the following:
Alert TCP any any -> any any (msg: "my TCP scan"; sid: 1;)
b) Save the file as c:\snort\rules\"myrules.conf" and close Notepad. Typing the name in quotes, as shown, forces Notepad to drop its default .txt extension.
c) Clear the Snort log folder, and open a command prompt.
d) Run Snort from the command prompt by entering the following:
C:\snort\bin> snort -c \snort\rules\myrules.conf -l \snort\log
e) To get some logs, open a browser and go to www.conestogac.on.ca.
f) Press Ctrl+C to stop Snort. Now look at the C:\snort\log directory. You should see an alert.ids file and (new) snort.log files.

g) Right-click alert.ids file and open with WordPad.

Take a screenshot of alert.ids file and include it in your report.
h) Now, modify your myrules.conf file so that it contains the following rule: Alert UDP any any -> any any (msg: "my UDP scan"; sid: 1;)
(Make sure that you save the file after changing its content.)
i) In the command prompt again execute: C:\snort\bin> snort -c \snort\rules\myrules.conf -l \snort\log
j) To get some logs, open a browser and go to http://www.conestogac.on.ca.
k) Press Ctrl+C to stop Snort and again look at the C:\snort\log directory. Open alert.ids with WordPad.

Take a screenshot of the new alert.ids file and include it in your report.

How many alerts did you find in the new alert.ids file? How and why does the content of this file differ from the one captured in (5)? Explain!
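To make the header/options structure introduced above concrete, and to see why the TCP rule and the UDP rule produce such different alert.ids files, the script below parses rules in the lab's syntax and replays them over a small constructed traffic sample. It is an added example and not code from the lab or from Snort itself: it implements only header matching (action, protocol, addresses, ports, direction), not payload options or $HOME_NET-style variables. The traffic list stands in for one browser visit (a DNS lookup over UDP followed by a TCP handshake and HTTP exchange); its addresses are made up.

```python
"""Parse Snort rules (header + options) and replay them over constructed traffic.
Added example, not code from the lab or from Snort: header matching only
(action, protocol, addresses, ports, direction), no payload options or variables."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_rule(text):
    """Return the rule as a dict; raise ValueError on a bad header or a missing sid."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    action, proto = action.lower(), proto.lower()        # canonical spelling is lowercase
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action/protocol: {action} {proto}")
    options = []
    for piece in re.findall(r'(?:[^;"]|"[^"]*")+', body):  # split on ';' outside quotes
        piece = piece.strip()
        if not piece:
            continue
        key, _, value = piece.partition(":")
        options.append((key.strip(), value.strip().strip('"') if value else None))
    opts = dict(options)
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    warnings = []
    if int(opts["sid"]) < 1000000:   # sids below 1,000,000 are reserved for distributed rules
        warnings.append("sid below 1000000: use 1000000+ for locally written rules")
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "options": options, "warnings": warnings}


def _addr_ok(spec, ip):
    """Address syntax: any, host, CIDR, [a,b,...] list (no spaces), optional leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        ok = True
    elif spec.startswith("["):
        ok = any(_addr_ok(s, ip) for s in spec[1:-1].split(","))
    else:
        ok = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return ok != negate


def _port_ok(spec, port):
    """Port syntax: any, single port, lo:hi range (either end may be open), optional '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        ok = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        ok = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        ok = port == int(spec)
    return ok != negate


def matches(rule, pkt):
    """True if the rule header matches a packet dict with proto/src/sport/dst/dport."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    forward = (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
               and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    if forward or rule["dir"] == "->":
        return forward
    return (_addr_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])
            and _addr_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))


def count_alerts(rule_text, traffic):
    """Number of packets in `traffic` for which the rule would raise an alert."""
    rule = parse_rule(rule_text)
    return sum(1 for p in traffic if rule["action"] == "alert" and matches(rule, p))


LAB_RULES = [
    'Alert TCP any any -> any any (msg: "my TCP scan"; sid: 1;)',
    'Alert UDP any any -> any any (msg: "my UDP scan"; sid: 1;)',
]


def _pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed traffic for one browser visit (addresses are made up): DNS query and
# reply over UDP, then the TCP three-way handshake, the HTTP request and the response.
SAMPLE_TRAFFIC = [
    _pkt("udp", "192.168.1.10", 53001, "192.168.1.1", 53),
    _pkt("udp", "192.168.1.1", 53, "192.168.1.10", 53001),
    _pkt("tcp", "192.168.1.10", 49152, "203.0.113.10", 80),   # SYN
    _pkt("tcp", "203.0.113.10", 80, "192.168.1.10", 49152),   # SYN/ACK
    _pkt("tcp", "192.168.1.10", 49152, "203.0.113.10", 80),   # ACK
    _pkt("tcp", "192.168.1.10", 49152, "203.0.113.10", 80),   # GET /
    _pkt("tcp", "203.0.113.10", 80, "192.168.1.10", 49152),   # 200 OK
]

if __name__ == "__main__":
    for text in LAB_RULES:
        rule = parse_rule(text)
        print(rule["options"][0][1], "->", count_alerts(text, SAMPLE_TRAFFIC), "alerts", rule["warnings"])
```

Because both lab rules use any/any on both sides, each one alerts on every packet of its protocol: the TCP rule fires on each segment of the connection, handshake included, while the UDP rule fires only on the datagrams (here, the DNS lookup), which is why the two alert.ids files differ in size as well as content. Narrowing the header, for example to "192.168.1.0/24 any -> any 80", is what turns the rule from a packet counter into something that describes a specific behaviour.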

Attachment:- Enterprise Application Security.rar
