Find the flag that will also display data-link headers

Assignment Help Computer Network Security
Reference no: EM132283993

Assignment - Enterprise Application Security

For this assignment you will download and install a well-known open-source security tool, Snort, on your own computer. It is recommended that you create a directory C:\security\ on your hard drive and download the installers into that directory before running them.

The material for this assignment is adapted from M. Gregg's "Build Your Own Security Lab: A field guide for network testing" book.

Snort is an open-source network intrusion detection system. Although initially written for Linux/Unix, most of its functionality is now available on Windows. In this lab, we will use the Windows version.

Snort can operate in one of the following four modes:
• Basic Packet Sniffer;
• Packet Logger;
• Network Intrusion Detection Sensor;
• Network Intrusion Prevention Sensor.

To get Snort running on a Windows system, you need two pieces of software: a packet-capture driver (WinPcap) and the Snort executable.
a) WinPcap
WinPcap lets programs such as WinDump, Wireshark, Snort and other IDS applications capture raw packets travelling over the network; without it, a user-mode program cannot see frames that are not addressed to it. It must be installed before any of the Windows-based IDS tools. Note that WinPcap is no longer maintained; on current Windows versions its successor, Npcap, installed in WinPcap API-compatible mode, fills the same role.

b) Snort
Snort for Windows can be downloaded from the Snort website. Under Latest Release -> Binaries, choose/download Snort_2_9_4_6_Installer.exe. Double-click the installer and follow the installation procedure, accepting the default values. At the end of the installation, Snort will be installed in the following directory: C:\Snort.

To test-run Snort, open a command prompt, change to the C:\snort\bin folder and run Snort with no arguments; it should print its version banner and usage text: C:\Snort\bin>snort

SNORT: BASIC CONFIGURATION
To properly configure Snort, you need to edit the snort.conf file (in C:\Snort\etc). Open it with a basic text editor, such as Notepad or WordPad. Once opened, the file will appear as shown in the figure below.
The options you may want to configure in this file are:
• network settings;
• rules settings;
• output settings;
• include settings.

a) Network Settings
By default, snort.conf declares the monitored network as: var HOME_NET any. (Newer snort.conf versions declare this variable with ipvar instead of var; the value syntax is the same.)
Leaving this setting as is configures Snort to treat every address as "home", i.e. it monitors whatever network your computer is attached to. To monitor a specific subnet (e.g., 192.168.123.0/24), set: var HOME_NET 192.168.123.0/24. To monitor a single device (e.g., 192.168.123.254), set: var HOME_NET 192.168.123.254/32. HOME_NET only matters for rules that reference $HOME_NET (or $EXTERNAL_NET, which is normally defined as !$HOME_NET); the rules written later in this lab use "any" and are not affected by it.
b) Rules Settings
The default rule path is: var RULE_PATH ../rules. This relative path is resolved against the directory you run Snort from (it happens to point at C:\Snort\rules when you run from C:\Snort\bin). To make the configuration independent of the working directory, replace it with the absolute path of the rules folder; for example: var RULE_PATH C:\snort\rules.

SNORT: SNIFFER MODE
Sniffer mode works as the name implies: Snort decodes each packet it captures and prints it to the console, without logging or rule matching. To verify this mode of operation, open two command prompts and follow these steps:

a) At one of the command prompts, navigate to the C:\snort\bin folder and type C:\Snort\bin>snort -W. You should see a list of the network adapters on which you can place the sensor. The adapters are numbered 1, 2, 3, and so forth (see the figure below).

b) To start sniffing on the chosen adapter, at the C:\snort\bin> prompt enter C:\Snort\bin>snort -v -i x, where x is the number of the adapter (from the -W list) on which to place your Snort sensor. The -v (verbose) switch prints the decoded IP and TCP/UDP/ICMP headers of each packet.

c) Switch to the second command prompt and ping www.conestogac.on.ca. When the ping completes, switch back to the command prompt window running Snort and press Ctrl+C to stop Snort. The figure below shows a sample capture of a ping to www.conestogac.on.ca.

TASK 1
Take a screenshot of your own Snort ping capture and include it in your final report.
Now, notice that the capture shows neither the data-link (Ethernet) headers nor the packet payload, i.e. the application-layer content.

TASK 2
Find the flag that will also display data-link headers as well as the content of raw packets. What command/flag did you use?

SNORT: LOGGER MODE
Snort can handle packets in one of two ways. It can alert you in real time (in the console) when something is happening, or it can log the packets to a file for later review.
To verify the logger mode of operation, follow these steps:
a) At the command prompt, type C:\Snort\bin>snort -l c:\snort\log (add -i x, as in sniffer mode, if the adapter you want is not the default one). The log directory must already exist.
b) To generate some traffic to log, open a browser and go to www.conestogac.on.ca.
c) Press Ctrl+C to stop Snort. Now look at the C:\snort\log directory; you should see one or more snort.log.<timestamp> files, where the timestamp is the Unix epoch time at which the file was created.

TASK 3
Take a screenshot of your Windows/File Explorer showing the captured Snort.log file(s), and include it in the report.

TASK 4
In the log file, find the page request for www.conestogac.on.ca and include a screenshot of this request in your report. The log file is binary (tcpdump/pcap format), so do not open it in a text editor: load it into Wireshark, or replay it through Snort with C:\Snort\bin>snort -r c:\snort\log\snort.log.<timestamp> -vd to print the decoded packets and their payload.

SNORT: BUILDING SNORT RULES
Snort can match the packets it captures against a set of rules provided by the administrator. The rules reside in plain-text files and can be modified as needed. Rules are what set Snort apart from an ordinary sniffer: they define the patterns and criteria Snort uses to identify suspicious packets.
A Snort rule is made up of two basic parts: the rule header (action, protocol, source address and port, direction operator, destination address and port), which selects which packets the rule applies to, and the rule options in parentheses (such as msg and sid), which say what to report and, optionally, what payload content to look for.

The best way to master Snort rules is to create and test some simple rules. To do so, perform the following steps:
a) Open Notepad and enter the following rule (Snort keywords are conventionally written in lower case):
alert tcp any any -> any any (msg:"my TCP scan"; sid:1;)
b) Save the file as "myrules.conf" (with the quotes) in the C:\snort\rules folder and close Notepad. Typing the name in quotes forces Notepad to drop its default .txt extension.
c) Clear the Snort log folder, and open a command prompt.
d) Run Snort from the command prompt by entering the following:
C:\snort\bin> snort -c C:\snort\rules\myrules.conf -l C:\snort\log
(Add -i x if the adapter you want is not the default one. Passing a rules file directly to -c is enough here because the rule does not depend on any snort.conf variables.)
e) To get some logs, open a browser and go to www.conestogac.on.ca.
f) Press Ctrl+C to stop Snort. Now look at the C:\snort\log directory. You should see an alert.ids file and (new) snort.log files.

g) Right-click the alert.ids file and open it with WordPad.

TASK 5
Take a screenshot of alert.ids file and include it in your report.
h) Now, modify your myrules.conf file so that it contains the following rule instead: alert udp any any -> any any (msg:"my UDP scan"; sid:1;)
(Make sure that you save the file after changing its content.)
i) In the command prompt, execute again: C:\snort\bin> snort -c C:\snort\rules\myrules.conf -l C:\snort\log
j) To generate some traffic, open a browser and go to https://www.conestogac.on.ca.
k) Press Ctrl+C to stop Snort and again look at the C:\snort\log directory. Open alert.ids with WordPad.

TASK 6
Take a screenshot of the new alert.ids file and include it in your report.

TASK 7
How many alerts did you find in the new alert.ids file? How and why does the content of this file differ from the one captured in Task 5? Explain.
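Both the logger-mode log (Task 4: finding the page request in a snort.log file) and the rule comparison in Tasks 5 to 7 can be worked through offline. The Python script below is an added example, not part of the lab sheet and not Snort's own code. It builds a two-packet capture in memory (a DNS query for www.conestogac.on.ca and the HTTP GET that follows it, constructed here rather than captured), reads it back with a minimal libpcap parser that walks the Ethernet, IPv4 and TCP/UDP headers, pulls out the HTTP Host header the way you would search the log for the page request, and then applies Snort rule headers (including $HOME_NET and $EXTERNAL_NET variables, port ranges and the <> direction operator) to see which packets each rule would alert on. It assumes the log is in libpcap (tcpdump) format with an Ethernet link type, which is what Snort writes when logging packets in binary mode; the HOME_NET value, IP addresses and MAC addresses are made up; only the rule header is evaluated (payload options such as content are ignored); and the summary lines it produces are not the layout of Snort's alert.ids file.

```python
import ipaddress
import struct

# Constructed lab traffic (not a real capture): one DNS query (UDP/53) and one
# HTTP request (TCP/80) from a host in the made-up 192.168.123.0/24 network.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.conestogac.on.ca\r\n\r\n"
DNS_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")        # id, flags, 1 question
             + b"\x03www\x0aconestogac\x02on\x02ca\x00\x00\x01\x00\x01")  # A record

def ipv4(src, dst, proto, payload):
    # 20-byte IPv4 header, no options; checksum left at 0 (not verified by read_pcap)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def tcp(sport, dport, data):
    # 20-byte TCP header: seq/ack 1, data offset 5, flags PSH|ACK, window 65535
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

FRAMES = [
    ETH_HDR + ipv4("192.168.123.10", "192.168.123.254", 17, udp(53001, 53, DNS_QUERY)),
    ETH_HDR + ipv4("192.168.123.10", "198.51.100.7", 6, tcp(49152, 80, HTTP_GET)),
]

def build_pcap(frames):
    # libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):   # per-packet header: ts_sec, ts_usec, caplen, origlen
        out += struct.pack("<IIII", 1_600_000_000 + n, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Decode every IPv4 TCP/UDP packet in an Ethernet pcap into a dict."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian microsecond pcap file")
    pkts, pos = [], 24
    while pos + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, pos)[2]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # data-link header: only IPv4 handled here
            continue
        ip = frame[14:]
        ip = ip[:struct.unpack_from("!H", ip, 2)[0]]   # drop any Ethernet padding
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:]
        if proto == 6:
            name, payload = "tcp", l4[(l4[12] >> 4) * 4:]
        elif proto == 17:
            name, payload = "udp", l4[8:]
        else:
            continue
        sport, dport = struct.unpack_from("!HH", l4)
        pkts.append({"proto": name, "src": str(ipaddress.ip_address(ip[12:16])), "sport": sport,
                     "dst": str(ipaddress.ip_address(ip[16:20])), "dport": dport, "payload": payload})
    return pkts

# Assumed snort.conf variables (the lab leaves HOME_NET at "any"; a subnet is used here).
VARS = {"HOME_NET": "192.168.123.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def addr_match(spec, addr):
    if spec.startswith("!"):
        return not addr_match(spec[1:], addr)
    if spec.startswith("$"):
        return addr_match(VARS[spec[1:]], addr)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                                  # Snort range syntax: lo:hi, :hi, lo:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def parse_rule(text):
    """Split one rule into its header fields and its key:value options."""
    head, _, body = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    opts = {}
    for item in body.rstrip(")").split(";"):
        key, _, val = item.partition(":")
        if key.strip():
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action.lower(), "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def header_match(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(s, sp, d, dp):
        return (addr_match(rule["src"], s) and port_match(rule["sport"], sp)
                and addr_match(rule["dst"], d) and port_match(rule["dport"], dp))
    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":                          # bidirectional: try the reverse too
        hit = hit or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return hit

def alerts(rule_text, pcap_bytes):
    """One summary line per packet whose header the rule selects."""
    rule = parse_rule(rule_text)
    return ["[sid {}] {} {} {}:{} -> {}:{}".format(rule["opts"].get("sid", "?"), rule["opts"].get("msg", ""),
            p["proto"].upper(), p["src"], p["sport"], p["dst"], p["dport"])
            for p in read_pcap(pcap_bytes) if header_match(rule, p)]

def http_hosts(pcap_bytes):
    """Host header of every HTTP request in the log (the Task 4 search, automated)."""
    hosts = []
    for p in read_pcap(pcap_bytes):
        if p["proto"] == "tcp" and p["payload"][:4] in (b"GET ", b"POST", b"HEAD"):
            for line in p["payload"].split(b"\r\n"):
                if line.lower().startswith(b"host:"):
                    hosts.append(line[5:].strip().decode())
    return hosts

if __name__ == "__main__":
    pcap = build_pcap(FRAMES)
    print("HTTP hosts in log:", http_hosts(pcap))
    for rule in ('alert tcp any any -> any any (msg:"my TCP scan"; sid:1;)',
                 'alert udp any any -> any any (msg:"my UDP scan"; sid:1;)',
                 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound HTTP"; sid:1000001;)'):
        print(rule, "=>", alerts(rule, pcap))
```

Run against the constructed capture, the TCP rule reports only the HTTP packet and the UDP rule reports only the DNS query: with a header of any any -> any any, the protocol field is the only thing that selects packets, so a browser visit produces TCP alerts for the web session under the first rule and, under the second, only the UDP name lookups (and whatever other UDP chatter the host emits) that precede it. The third rule shows why HOME_NET matters once you tighten the header: it fires only on traffic leaving the assumed home subnet towards port 80. For local rules, Snort's convention is to use sid values of 1000000 and above so they do not collide with the official rule set.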

Attachment: Enterprise Application Security.rar

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd