CEH v8 Labs Module 17: Evading IDS, Firewalls and Honeypots
April 5, 2018 | Author: Anonymous |
Category: Technology
Description
CEH Lab Manual: Evading IDS, Firewalls, and Honeypots (Module 17)

Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Lab Scenario
Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are among those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection.
According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from its own employees or customers) and external ones (attacks and the threat posed by hackers). (Source: http://www.windowsecurity.com)

In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
The objective of this lab is to help students learn to detect intrusions in a network, log them, and view all log files. In this lab, you will learn how to:
■ Install and configure Snort IDS
■ Run Snort as a service
■ Log Snort log files to Kiwi Syslog Server
■ Store Snort log files to two output sources simultaneously

Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine
■ WinPcap drivers installed on the host machine

CEH Lab Manual Page 847. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools
■ A web browser with Internet access

Lab Duration
Time: 40 Minutes

Overview of Intrusion Detection Systems
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself or changing the security environment. IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Overview
Recommended labs to assist you in using IDSes:
■ Detecting Intrusions Using Snort
■ Logging Snort Alerts to Kiwi Syslog Server
■ Detecting Intruders and Worms using KFSensor Honeypot IDS
■ HTTP Tunneling Using HTTPort

Lab Analysis
Analyze and document the results related to this lab exercise.
Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Detecting Intrusions using Snort
Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario
The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by examining IDS logs and packet captures while corroborating them with firewall logs, known vulnerabilities, and general trending data from the Internet. As IDS attacks become more refined, automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Lab Objectives
Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots.
The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you need to:
■ Install Snort and verify Snort alerts
■ Configure and validate the snort.conf file
■ Test the working of Snort by carrying out an attack test
■ Perform intrusion detection
■ Configure Oinkmaster

Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ Windows 7 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools

Lab Duration
Time: 30 Minutes

Overview of Intrusion Prevention Systems and Intrusion Detection Systems
Note: You can also download Snort from http://www.snort.org.
An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity. An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks
TASK 1: Install Snort
1. Start Windows Server 2012 on the host machine. Install Snort.
2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
Note: Snort is an open source network intrusion prevention and detection system (IDS/IPS).
5. A window appears after successful installation of Snort. Click the Close button.
6. Click OK to exit the Snort Installation window.
Figure 1.1: Snort Successful Installation Window (the Snort 2.9.3.1 Setup dialog reads: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine, WinPcap can be downloaded from: http://www.winpcap.org/ It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files.")
7. Snort requires WinPcap to be installed on your machine.
8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort and double-clicking WinPcap_4_1_2.exe.
Note: WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.
9. By default, Snort installs itself in C:\Snort (C: or D: depending upon the disk drive on which the OS is installed).
10. Register on the Snort website https://www.snort.org/signup in order to download Snort rules. After registration completes, it will automatically redirect to a download page.
11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.
12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
13. Rename the extracted folder to snortrules.
14. Now go to the etc folder of the extracted Snort rules at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy the snort.conf file, and paste this file in C:\Snort\etc.
15. A snort.conf file is already present in C:\Snort\etc; replace this file with the snort.conf file from the Snort rules.
16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.
17. Replace the preproc_rules folder: copy it from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.
18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

TASK 2: Verify Snort Alert
19. Now navigate to C:\Snort, right-click the bin folder, and click Cmd Here from the context menu to open it in a command prompt.
20. Type snort and press Enter.
Figure 1.2: Snort Basic Command (the output shows "Running in packet dump mode", "Initializing Snort", "Initializing Output Plugins!", "pcap DAQ configured to passive", "Acquiring network traffic from \Device\NPF_...", "Decoding Ethernet", "Initialization Complete", the Snort Version 2.9.3.1-WIN32 GRE banner, and "Commencing packet processing")
Note: To print out the TCP/IP packet headers to the screen (i.e. sniffer mode), type: snort -v
21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.
22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet drivers, but all are disabled by default.
Screenshot: snort -W output (a table with the columns Index, Physical Address, IP Address, Device Name, and Description; each entry shows 00:00:00:00:00:00, disabled, and a \Device\NPF_... device name)
Figure 1.4: snort -dev -i 4 Command (the output shows lines such as "11/14-09:55:49.352079 ARP who-has 10.0.0.13 tell 10.0.0.10")
26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In a new command prompt, type ping google.com and press Enter.
Figure 1.5: Ping google.com Command (the screenshot shows the ping usage line: Ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list)
28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.
Note: To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Figure 1.6: Snort Showing Captured Google Request (the screenshot shows decoded TCP packets between 10.0.0.10:51345 and 74.125.236.85:443, e.g. "10.0.0.10:51345 -> 74.125.236.85:443 TCP TTL:128 TOS:0x0 ID:20990 IpLen:20 DgmLen:40 DF", followed by "ARP who-has 10.0.0.13 tell 10.0.0.10" lines)
29. Close both command prompt windows. The verification of the Snort installation and the triggering of an alert is complete, and Snort is working correctly in verbose mode.

TASK 3: Configure snort.conf File
30. Configure the snort.conf file located at C:\Snort\etc.
31. Open the snort.conf file with Notepad++.
32. The snort.conf file opens in Notepad++ as shown in the following screenshot.
Note: Make sure to grab the rules for the version of Snort you are installing.
Note: To log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf
Figure 1.7: Configuring Snort.conf File in Notepad++
33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.
Figure 1.8: Configuring Snort.conf File in Notepad++ (the screenshot shows the edited line: ipvar HOME_NET [10.0.0.10])
Note: Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.
34. Leave the EXTERNAL_NET any line as it is.
Note: The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.
35. If you have a DNS server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
Figure 1.9: Configuring Snort.conf File in Notepad++ (the screenshot shows the edited lines var RULE_PATH C:\Snort\rules, var SO_RULE_PATH C:\Snort\so_rules and var PREPROC_RULE_PATH C:\Snort\preproc_rules, followed by the file's own comment that the reputation preprocessor's WHITE_LIST_PATH and BLACK_LIST_PATH (Lines 113 and 114) are relative to where Snort is run, not to snort.conf, so an absolute path should be set)
Note: Rule variable names can be modified in several ways. You can define metavariables using the $ operator. These can be used with the variable modifier operators ? and -.
39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.
Figure 1.10: Configuring Snort.conf File in Notepad++ (the screenshot shows var WHITE_LIST_PATH C:\Snort\rules after the edit)
40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure the two files' extensions are .rules.
Note: The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.
41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure the dynamic loaded libraries in this section.
42. At "path to dynamic preprocessor libraries" (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
43. In this lab, the dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
Screenshot: Step #4 of snort.conf in Notepad++ (the dynamicpreprocessor directory line now reads C:\Snort\lib\snort_dynamicpreprocessor, while the dynamicengine line still points to /usr/local/lib/snort_dynamicengine/libsf_engine.so and the dynamicdetection directory to /usr/local/lib/snort_dynamicrules)
Note: Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>
Screenshot: Step #5: Configure preprocessors (the section shows the GTP control channel preprocessor on ports 2123, 3386 and 2152; the inline packet normalization preprocessors normalize_ip4, normalize_tcp, normalize_icmp4 and normalize_ip6, which do nothing in IDS mode; and the target-based IP defragmentation preprocessor frag3, see README.frag3)
Note: Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]
Figure 1.14: Configuring Snort.conf File in Notepad++ (the screenshot shows the frag3_global and frag3_engine lines and the stream5_global settings for target-based stateful inspection and stream reassembly; see README.stream5)
48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location of the files in the configure output plugins section (in Lines 540 and 541).
Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.
Figure 1.15: Configuring Snort.conf File in Notepad++ (the screenshot shows the output plugins section with the edited lines include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config)
50. In this Step #6, add the line output alert_fast: alerts.ids for Snort to dump all logs in the alerts.ids file.
Screenshot: Step #6 of snort.conf in Notepad++ (the unified2 output examples remain commented out and the new output alert_fast: alerts.ids line is added)
Note: 'ipvar's are enabled only with IPv6 support. Without IPv6 support, use a regular 'var'.
Screenshot: the Notepad++ Replace dialog (Search Mode options Normal, Extended, and Regular expression)
Figure 1.18: Configuring Snort.conf File in Notepad++
54. Save the snort.conf file.
55. Before running Snort you need to enable detection rules in the Snort rules file; for this lab we have enabled an ICMP rule so that Snort can detect any host discovery ping probes to the system running Snort.
56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.
57. Uncomment Line number 47 and save and close the file.
Screenshot: the icmp-info.rules file in Notepad++ (every rule is commented out; the file lists the ICMP-INFO rules for IRDP router selection, the OS- and tool-specific PING signatures, traceroute, Address Mask Request/Reply, Alternate Host Address and Datagram Conversion Error; Line 47 holds the generic rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...))
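As an added example that is not part of the lab manual, the following Python script parses the alert_fast lines that the output alert_fast: alerts.ids plugin configured in step 50 writes, counts alerts per rule, and reports which sources sent ICMP echo requests matched by the ICMP-INFO PING rule enabled in step 57 to the Snort host. The sample alert lines, their sid/rev values and the addresses are constructed, with 10.0.0.10 standing in for the HOME_NET host shown in Figure 1.8 and 10.0.0.13 for the attacker VM.

```python
"""Parse Snort 2.9 alert_fast output (the alerts.ids file written by
`output alert_fast: alerts.ids`) and summarize ICMP ping probes per source."""
import re
from collections import Counter

# One alert per line. The timestamp carries no year unless Snort runs with -y,
# and the [Classification: ...] field is absent for rules without a classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample of an alerts.ids file (not a real capture): 10.0.0.10 is the
# Snort host set as HOME_NET in this lab, 10.0.0.13 the attacker VM pinging it.
# The sid/rev values are illustrative placeholders, not taken from a rule set.
SAMPLE_ALERTS = """\
11/14-09:58:17.496035  [**] [1:384:5] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.13 -> 10.0.0.10
11/14-09:58:18.352315  [**] [1:384:5] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.13 -> 10.0.0.10
11/14-09:58:19.352675  [**] [1:384:5] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.13 -> 10.0.0.10
11/14-09:58:20.101122  [**] [1:384:5] ICMP-INFO PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.10 -> 74.125.236.85
11/14-09:58:21.774001  [**] [1:1000001:1] LOCAL rule without classtype [**] [Priority: 0] {TCP} 10.0.0.10:51345 -> 74.125.236.85:443
this line is not an alert and must be counted as unparsed
"""


def parse_alert(line):
    """Return one alert as a dict, or None when the line is not an alert_fast record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        alert[key] = int(alert[key])
    # Ports exist only for TCP/UDP; ICMP records carry bare addresses.
    alert["sport"] = int(alert["sport"]) if alert["sport"] else None
    alert["dport"] = int(alert["dport"]) if alert["dport"] else None
    return alert


def parse_fast_log(text):
    """Parse a whole alerts.ids file. Returns (alerts, unparsed_line_count);
    unparsed lines are counted rather than silently dropped so a truncated or
    corrupted log does not look like a quiet network."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
        else:
            alerts.append(alert)
    return alerts, unparsed


def alerts_by_rule(alerts):
    """Alert volume per rule, keyed by (gid, sid, msg)."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def ping_probe_sources(alerts, home_host, min_hits=3):
    """Sources that sent at least min_hits ICMP echo requests (ICMP-INFO PING alerts)
    to the Snort host; the host's own outbound pings are excluded by the dst check."""
    hits = Counter(
        a["src"] for a in alerts
        if a["proto"] == "ICMP" and "PING" in a["msg"].upper() and a["dst"] == home_host
    )
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    parsed, bad = parse_fast_log(SAMPLE_ALERTS)
    print(f"{len(parsed)} alerts parsed, {bad} line(s) unparsed")
    for (gid, sid, msg), n in alerts_by_rule(parsed).most_common():
        print(f"  [{gid}:{sid}] {msg}: {n}")
    print("ping probe sources:", ping_probe_sources(parsed, "10.0.0.10"))
```

To run it against a real lab file, read C:\Snort\log\alerts.ids (or wherever Snort's -l directory points) into parse_fast_log instead of SAMPLE_ALERTS.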
Copyright © 2024 UPDOCS Inc.