Honeypots

Apply Your Knowledge

Intrusion detection is an important part of a good network defense. Intrusion detection can be performed on a network or host. Network-based intrusion detection systems monitor traffic passing across the network for evidence of hostile or unusual activity. Snort is one of the leading freeware network-based IDSs.

Exercises

10.1. Setting Up Snort IDS

This exercise steps you through installing and configuring Snort on a Windows PC and introduces you to analyzing its output. Requirements include a Windows 2000, XP, or 2003 computer and Snort software.

Win32 Snort v2.1.1. is available from www.snort.org/dl/binaries/win32/.

Estimated Time: 30 minutes.

  1. Go to www.winpcap.org/install/default.htm and download a copy of Winpcap.exe. This low-level packet driver is needed for Snort to work. After you install Winpcap, reboot if prompted.
  2. Download the latest version of Snort from www.snort.org/dl/binaries/win32/. As of the printing of this book, that version is 2.43. After starting the download, start the Snort install.
  3. Click I Agree to accept the license agreement.
  4. Check support for flexibility response and click Next.
  5. Verify that all components are checked and click Next to continue the installation.
  6. Accept the defaults for location and click Install. The folder C:\Snort will be used.
  7. Click Close to finish the Snort installation. During the actual installation, Snort creates a directory structure under C:\Snort that looks as follows:

    C:\snort\bin
    C:\snort\contrib
    C:\snort\doc
    C:\snort\etc
    C:\snort\log
    C:\snort\rules

  8. Click OK to close the Snort Setup information box if necessary. Use WordPad to open the Snort configuration file (snort.conf), which must be edited for Snort to function properly in your environment.
  9. In the snort.conf file, search for the variable statement that begins with var rule_path ./ and, if necessary, change the statement to refer to the path of your Snort rules folder, which is var RULE_PATH c:\snort\rules.
  10. Search for the variable statement var HOME_NET Any. Change it to the setting for your network, as an example: var HOME_NET 172.16.0.0/24.
  11. Search for the statement include classification.config and change it to

    include c:\snort\etc\classification.config

  12. Search for the statement include reference.config and change it to

    include c:\snort\etc\reference.config

  13. Save and close the file.
  14. Reboot your machine and log back on to Windows. To check that Snort was properly configured, open two command prompts.
  15. At one of the command prompts, navigate to the C:\snort\bin folder and enter snort -W. You should see a list of possible adapters on which you can install the sensor. The adapters are numbered 1, 2, 3, and so forth.
  16. At the c:\snort\bin> prompt, enter snort -v -ix, where x is the number of the NIC to place your Snort sensor on. Record the number of the adapter here: ________
  17. Switch to the second command prompt you opened and ping another computer such as the gateway. When ping is complete, switch back to the first command prompt window running Snort, and press Ctrl+C to stop Snort. A sample capture is shown here:

    11/01-23:09:51.398772 192.168.13.10 -> 192.168.13.254
    ICMP TTL:64 TOS:0x0 ID:38 ID:1039 Seq:0 ECHO
    9E 85 00 3B 84 15 06 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37                          01234567

    Although this demonstrates the basic capabilities of Snort, not everyone has the time or ability to constantly monitor the console. Therefore, what is needed is a way to log the activity for later review. To do this, continue with the following steps.

  18. If you are not already there, change to the directory where you installed Snort. Then from the command prompt, enter snort -ix -dev -l\snort\log. This command will start Snort and instruct it to record headers in the \snort\log folder.
  19. Now ping some other devices such as the gateway. If you have a second computer on the network, you can use it to ping the computer you have installed Snort on or even scan it with Nmap. The idea here is to generate some traffic to be logged in the \snort\log folder for review.
  20. After you have generated some ping traffic or run some scans against the local machine, press Ctrl+C to stop the packet capture.
  21. Use Windows Explorer to navigate to the \snort\log folder.
  22. You should see some files there. Open one of these files in Notepad to examine the contents of the capture.
  23. This is a great feature, as now you can go back and review activity. There are additional add-on tools to make log review easier. ACID is one such tool. If you would like to experiment with it, it can be downloaded from www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html.

10.2. Install and Configure Snort IDS Center

In this exercise, you will install and configure the Snort IDS Center on a Windows computer using the components you prepared in Exercise 10.1.

Estimated Time: 30 minutes.

  1. Download IDS Center from www.engagesecurity.com/downloads/#idscenter. After the download completes, install the application. Accept the default settings for the install.
  2. After the install is complete, use Explorer to go to the c:\snort\log directory, and then create a file called alert.ids. Open the snort.conf file, and verify that the following include statements point to the proper files:

    var HOME_NET (Your Subnet for example 192.168.12.0/24)
    var RULE_PATH c:\snort\rules
    include c:\snort\etc\classification.config
    include c:\snort\etc\reference.config

  3. In your system tray, you will notice the IDS Center icon; double-click it to open IDS Center's Settings window. The Main Configuration window should be displayed. You can select other windows by changing your selection on the left side tabs (General, IDS Rules, Log Settings, Alerts, and Explorer). Under each tab are a few more possible selections for configuration changes.
  4. Under the Main Configuration tab, verify that the correct Snort version is selected.
  5. Select the ... button next to Snort Executable File, and select the path to your snort.exe file (c:\snort\bin\snort.exe).
  6. Now click the button next to Log Folder and select the path to your alert.ids file (c:\snort\log\alert.ids).
  7. If the General tab contains an Activity Log icon, click it and check Enable Activity Logging. Activate the Alert Events tab and check both check boxes.
  8. On the left of the program screen, click the IDS Rules tab. Click the Snort Config icon, click the ... button, and navigate to your snort.conf file (c:\snort\etc\snort.conf). You should see a copy of the snort.conf file that you can edit in the window. This was the file you modified in Exercise 10.1.
  9. Click the Network Variables icon and make sure that your home network is correct. This is the subnet on which the computer resides; click Edit Variable and enter the correct value. This value should be the IP address of your network. As an example, HOME_NET 192.168.13.0/24
  10. On the left of the program screen, click the Preprocessors icon. Activate the Portscan Detection tab and check Portscan Detection. Set Monitored Hosts/Networks to EXTERNAL_NET.
  11. Click the icon for Rules/Signatures.
  12. Verify that the top line reads c:\snort\etc\classification.config. Highlight that line and click the Select button near the bottom of the window to tell IDScenter that this is the classification definitions file.
  13. Uncheck all the $RULE_PATH/ lines except for $RULE_PATH/scan.rules.
  14. Click the Log Settings tab and the Logging Parameters icon. Check Decode Link Layer Headers (-e) and Dump Application Layer (-d).
  15. Click the Alerts tab and the Alert Detection icon. Click the Add Alert Log File button.
  16. Click the Alert Notification icon. This is the icon that looks like a pig.
  17. In the right pane, click Start Alarm Beep When Alert Is Logged. This should use your computer's case speaker for those who don't have external speakers and sound cards. Click the Start Sound Test button to be sure that you get an alert sound.
  18. Check Start This Program When Receiving An Alert, click the ... button, and navigate to and then select c:\scan_alert.bat.
  19. When you are finished with this configuration, click the Apply button at the top of the window.
  20. Now it's time to test your settings. Click the Test Settings button at the top of the window. If all rules and chains are successful, press Enter to close the test window.
  21. Click the Start Snort button.
  22. Now, you can perform some pings or use another computer to ping this host or scan it. Once it is scanned, you should see your alert occur.
  23. Click the Stop Snort button and right-click the IDS Center icon. Choose View Alerts to see what alerts have been logged. You might be able to see at the top of the alert log whether the scan was generated by ping, Nmap, or another type of program. Navigate to your c:\snort\logs directory; you might be able to see the packets that have been logged along with the alerts.
  24. If you were configuring this system as an actual IDS system, it would not be unreasonable to plan on spending a week or so to get the system properly tuned and set up. While IDS systems are powerful devices, the setup and tuning are critical; otherwise, there can be a large number of false negatives and false positives.
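
The snort.conf edits from steps 9-12 of Exercise 10.1, which step 2 of Exercise 10.2 asks you to verify, can be checked mechanically. The following is an added example, not part of the original exercise: the function name and both sample files are constructed for illustration, and it checks only the settings these exercises touch.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a snort.conf before the edits in Exercise 10.1.
SAMPLE_BEFORE = """var HOME_NET any
var RULE_PATH ../rules
include classification.config
include reference.config
include $RULE_PATH/scan.rules
"""

# Constructed sample: the same file after steps 9-12.
SAMPLE_AFTER = r"""var HOME_NET 172.16.0.0/24
var RULE_PATH c:\snort\rules
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
include $RULE_PATH/scan.rules
"""


def check_snort_conf(text):
    """Return (line_number, message) findings for the exercise's settings."""
    findings = []
    variables = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            variables[name] = value
            if name == "HOME_NET" and value.lower() == "any":
                findings.append((no, "HOME_NET is 'any'; set it to your subnet"))
            if name == "RULE_PATH" and not PureWindowsPath(value).is_absolute():
                findings.append((no, "RULE_PATH is not an absolute path"))
            continue
        m = re.match(r"include\s+(.+)$", line)
        if m:
            # Expand $VAR references using the variables seen so far.
            path = re.sub(r"\$(\w+)",
                          lambda v: variables.get(v.group(1), v.group(0)),
                          m.group(1).strip())
            if not PureWindowsPath(path).is_absolute():
                findings.append((no, "include path is relative: " + path))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_snort_conf(conf))
```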

Exam Prep Questions

1.

Your IDS is actively matching incoming packets against known attacks. Which of the following technologies is being used?

A. Pattern matching

B. Anomaly detection

C. Protocol analysis

D. Stateful inspection

2.

You have decided to set up Snort. You have been asked by a co-worker what protocols it cannot check.

A. TCP

B. IP

C. IGMP

D. UDP

3.

How would you describe an attack in which an attacker attempts to deliver the payload over multiple packets for long periods of time?

A. Evasion

B. IP fragmentation

C. Session splicing

D. Session hijacking

4.

You have been asked to start up Snort on a Windows host. Which of the following is the correct syntax?

A. Snort -c snort.conf 192.168.13.0/24

B. Snort -dev -l ./log -a 192.168.13.0/8 -c snort.conf

C. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

D. Snort -ix -dev -l\snort\log

   
5.

Your co-worker has set up a packet filter to filter traffic on the source port of a packet. He wants to prevent DoS attacks and would like you to help him to configure Snort. Which of the following would best accomplish the stated goal?

A. Filtering on the source port will protect the network.

B. Filtering on the source port of the packet prevents spoofing.

C. Filtering on the source port of the packet will not prevent spoofing.

D. Filtering on the source port of the packet will prevent DoS attacks.

6.

You have been running Snort on your network and captured the following traffic. Can you identify it?

    11/12-01:52:14.979681 0:D0:9:7A:E5:E9 -> 0:D0:9:7A:C:9B type:0x800 len:0x3E
    192.168.13.10.237:1674 -> 192.168.13.234:12345 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48
    ******S* Seq: 0x3F2FE2AA Ack: 0x0 Win: 0x4000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

A. Nmap Ack scan

B. Nmap XMAS scan

C. Subseven scan

D. Netbus scan

7.

You are about to install Snort on a Windows computer. Which of the following must first be installed?

A. LibPcap

B. WinPcap

C. IDSCenter

D. AdMutate

   
8.

Identify the purpose of the following trace.

    11/14-9:01:12.412521 0:D0:9:7F:FA:DB -> 0:2:B3:2B:1:4A type:0x800 len:0x3A
    192.168.13.236:40465 -> 192.168.13.235:1 TCP TTL:40 TOS:0x0 ID:5473 IpLen:20 DgmLen:40
    **U*P**F Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20 UrgPtr: 0x0
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

A. Nmap Ack scan

B. Nmap XMAS scan

C. Subseven scan

D. Netbus scan

9.

After accessing a router configuration file, you found the following password "70832585B0D1C0B0343." What type of password is it?

A. MD5

B. DES

C. Vigenere

D. AES

10.

Which of the following can maintain a state table?

A. Packet filters

B. Proxy servers

C. Honeypots

D. Bastion hosts

11.

While scanning, you have not been able to determine what is in front of 192.168.13.10, which you believe to be some type of firewall. Your Nmap scan of that address seems to hang without response. What should you do next?

A. Perform an Nmap stealth scan.

B. Perform an Nmap OS scan.

C. Run hping with Null TCP settings.

D. Attempt to banner grab from the device.

   
12.

What does an ICMP type 3 code 13 denote?

A. Subnet mask request

B. TTL failure

C. Administratively prohibited

D. Redirect

13.

During a penetration test, you saw a contractor use the tool ACKCMD. Which of the following best describes the purpose of the tool?

A. It is being used as a Windows exploit.

B. It is being used as a covert channel.

C. It is being used as a honeypot.

D. It is being used to exploit routers.

14.

You have been asked to enter the following rule into Snort: Alert tcp any any -> any 23(msg: "Telnet Connection Attempt"). What is its purpose?

A. This is a logging rule designed to notify you of the use of Telnet in either direction.

B. This is a logging rule designed to notify you of the use of Telnet in one direction.

C. This is an alert rule designed to notify you of the use of Telnet in either direction.

D. This is an alert rule designed to notify you of the use of Telnet in one direction.

15.

Snort is a useful tool. Which of the following best describes Snort's capabilities?

A. Proxy, IDS, and sniffer

B. IDS and sniffer

C. IDS, packet logger, and sniffer

D. Firewall, IDS, and sniffer

Answers to Exam Questions

A1:

1. A. Pattern matching is the act of matching packets against known signatures. Answer B is incorrect because anomaly detection looks for patterns of behavior that are out of the ordinary. Answer C is incorrect because protocol analysis analyzes the packets to determine if they are following established rules. Answer D is incorrect, as stateful inspection is used by firewalls.

A2:

2. C. Snort cannot analyze IGMP, a routing protocol. Answers A, B, and D are incorrect because Snort can analyze IP, TCP, UDP, and ICMP.

   
A3:

3. C. Session splicing works by delivering the payload over multiple packets, which defeats simple pattern matching without session reconstruction. Answer A is incorrect, as evasion is a technique that might attempt to flood the IDS to evade it. Answer B is incorrect, as IP fragmentation is a general term that describes how IP handles traffic when faced with smaller MTUs. Answer D is incorrect because session hijacking describes the process of taking over an established session.

A4:

4. D. Snort -ix -dev -l\snort\log is the correct entry to run Snort as an IDS on a Windows computer. The syntax in answers A, B, and C is invalid, although it is the correct syntax to start up Snort on a Linux computer.

A5:

5. C. Filtering data on the source port of a packet isn't secure because a skilled hacker can easily change a source port on a packet, which could then pass through the filter. Therefore answers A, B, and D are incorrect.

A6:

6. D. In a Netbus scan, port 12345 is scanned, as can be seen in the trace. Answers A, B, and C are incorrect because an ACK scan would show an ACK flag. An XMAS scan would show the Urgent, Push, and FIN flags.

A7:

7. B. WinPcap is a program that will allow the capture and sending of raw data from a network card. Answer A is incorrect because LibPcap is used by Linux, not Windows. Answer C is incorrect, as IDSCenter is a GUI for Snort, not a packet driver. Answer D is incorrect, as AdMutate is a tool for bypassing IDS.

A8:

8. B. This is an XMAS scan, as the Urgent, Push, and FIN flags are set. Answer A is not correct, as an ACK scan would show an ACK flag. Answer C is incorrect, as 27444 would be displayed; answer D is incorrect because in a Netbus scan port 12345 is scanned.

A9:

9. C. Cisco uses a proprietary Vigenere cipher to encrypt all passwords on the router except the enable secret password, which uses MD5. The Vigenere cipher is easy to break. Answers A, B, and D are incorrect because the password is not MD5, DES, or AES.

A10:

10. B. Proxy servers have the capability to maintain state. Answer A is incorrect, as packet filters do not maintain state. Answers C and D are incorrect because honeypots and bastion servers do not maintain a state table or answer the question.

A11:

11. C. Running a Null TCP hping should tell you whether a packet filter is in use. Answer A is incorrect because running an Nmap stealth scan will not help. Answer B is incorrect, as an OS scan most likely will not provide any details to help you determine the packet filtering status of the device. Answer D is incorrect, as banner grabbing is not a valid option without knowing open ports.

A12:

12. C. An ICMP type 3 code 13 is an unreachable message that is generated because the communication is administratively prohibited. Answers A, B, and D are incorrect because they do not describe an ICMP 3-13.

A13:

13. B. ACKCMD is a covert channel tool that can be used to send and receive information and potentially bypass a firewall and IDS. Answer A is incorrect because it is not a Windows exploit. Answer C is incorrect, as it is not a honeypot. Answer D is incorrect because it is not used to exploit routers.

   
A14:

14. D. This is an alert rule designed to notify you of the use of Telnet in one direction. The rule means that any IP address on any port that attempts to connect to any IP address on port 23 will create an alert message. The arrow points one direction, so the alert will not apply to both directions. Answers A and B are incorrect because this is not a logging rule. Answer C is incorrect, as the rule applies to only one direction.

A15:

15. C. Snort can best be described as an IDS, packet logger, and sniffer. Answer A is incorrect, as Snort is not a proxy. Answer B is incorrect because Snort is not only an IDS and sniffer, but also a packet logger. Answer D is incorrect, as Snort is not a firewall.
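
Answers 6 and 8 turn on reading the TCP flag field and destination port in a Snort -dev trace. The following added example (not part of the original text) parses the two traces from those questions and labels them the way the answer key does; the function names and labels are constructed for illustration, and the port table holds only the port 12345 association.

```python
import re

# Snort prints TCP flags as an 8-character field in the order 1 2 U A P R S F,
# with '*' standing for each bit that is clear.
FLAG_FIELD = re.compile(r"^([*12UAPRSF]{8}) Seq:", re.M)
ENDPOINTS = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP ", re.M)
SEPARATOR = re.compile(r"^(?:=\+)+=?\s*$", re.M)

# Destination port that answer 6 associates with a tool.
KNOWN_PORTS = {12345: "NetBus"}

# The traces from questions 6 and 8, one header per line.
TRACES = """\
11/12-01:52:14.979681 0:D0:9:7A:E5:E9 -> 0:D0:9:7A:C:9B type:0x800 len:0x3E
192.168.13.10.237:1674 -> 192.168.13.234:12345 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48
******S* Seq: 0x3F2FE2AA Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/14-9:01:12.412521 0:D0:9:7F:FA:DB -> 0:2:B3:2B:1:4A type:0x800 len:0x3A
192.168.13.236:40465 -> 192.168.13.235:1 TCP TTL:40 TOS:0x0 ID:5473 IpLen:20 DgmLen:40
**U*P**F Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20 UrgPtr: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""


def classify(record):
    """Label one trace record by its flag set and destination port."""
    ep = ENDPOINTS.search(record)
    fl = FLAG_FIELD.search(record)
    if not ep or not fl:
        return None  # not a TCP record, or truncated
    flags = set(fl.group(1)) - {"*"}
    dport = int(ep.group(4))
    if flags == {"U", "P", "F"}:
        label = "XMAS scan"
    elif flags == {"A"}:
        label = "ACK scan"
    elif not flags:
        label = "NULL scan"
    elif flags == {"S"} and dport in KNOWN_PORTS:
        label = "SYN to %s port %d" % (KNOWN_PORTS[dport], dport)
    elif flags == {"S"}:
        label = "SYN"
    else:
        label = "other"
    return {"src": ep.group(1), "dst": ep.group(3), "dport": dport,
            "flags": "".join(sorted(flags)), "label": label}


def classify_log(text):
    """Split a log on the =+=+ separator lines and classify each record."""
    return [r for r in map(classify, SEPARATOR.split(text)) if r]


if __name__ == "__main__":
    for result in classify_log(TRACES):
        print(result)
```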

Suggested Reading and Resources

www.hping.org: The hping homepage.

www.snort.org: The Snort homepage. A good site to explore to learn more about Snort.

www.networkworld.com/news/2005/072805-cisco-black-hat.html: Cisco vulnerabilities unveiled at Black Hat.

www.securiteam.com/tools/6V0011PEBY.html: Cisco password cracker.

www.networkclue.com/routing/Cisco/access-lists/index.aspx: ACL basics.

www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html: Using IPTables for packet filtering.

www.fwbuilder.org: Multipurpose firewall ruleset builder.

www.packetfactory.net/projects/firewalk: Firewalk homepage.

www.honeynet.org/papers/individual/DefeatingHPs-IAW05.pdf: Detecting honeypots.

www.tldp.org/HOWTO/Firewall-HOWTO-2.html: Understanding firewall types and configurations.

www.securitystats.com/tools/index.html: Security stats and password cracking tools.

www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml: Cisco router.cfg vulnerability.

www.insecure.org/stf/secnet_ids/secnet_ids.html: Evading IDS.

http://packetstorm.widexs.nl/UNIX/IDS/nidsbench/nidsbench.html: NIDSbench.
