Intrusion detection is an important part of a good network defense. Intrusion detection can be performed on a network or host. Network-based intrusion detection systems monitor traffic passing across the network for evidence of hostile or unusual activity. Snort is one of the leading freeware network-based IDSs.
10.1. Setting Up Snort IDS
This exercise steps you through the process of installing and configuring Snort on a Windows PC, as well as introduces you to the analyzation of its output. Requirements include a Windows 2000, XP, or 2003 computer and Snort software.
Win32 Snort v2.1.1. is available from www.snort.org/dl/binaries/win32/.
Estimated Time: 30 minutes.
C:snortin C:snortcontrib C:snortdoc C:snortetc C:snortlog C:snort ules
include c:snortetc eference.config
11/01-23:09:51.398772 192.168.13.10 -> 192.168.13.254 ICMP TTL:64 TOS:0x0 ID:38 ID:1039 Seq:0 ECHO 9E 85 00 3B 84 15 06 00 08 09 0A 0B 0C 0D 0E 0F ...:............ 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................ 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./ 30 31 32 33 34 35 36 37 01234567
Although this demonstrates the basic capabilities of Snort, not everyone has the time or ability to constantly monitor the console. Therefore, what is needed is a way to log the activity for later review. To do this, continue with the following steps.
10.2. Install and Configure Snort IDS Center
In this exercise, you will install and configure the Snort IDS Center on a Windows computer using the components you prepared in Exercise 10.1.
Estimated Time: 30 minutes.
var HOME_NET (Your Subnet for example 192.168.12.0/24) var RULE_PATH c:snort ules include c:snortetcclassification.config include c:snortetc eference.config
Exam Prep Questions
Your IDS is actively matching incoming packets against known attacks. Which of the following technologies is being used?
You have decided to set up Snort. You have been asked by a co-worker what protocols it cannot check.
How would you describe an attack in which an attacker attempts to deliver the payload over multiple packets for long periods of time?
You have been asked to start up Snort on a Windows host. Which of the following is the correct syntax?
Your co-worker has set up a packet filter to filter traffic on the source port of a packet. He wants to prevent DoS attacks and would like you to help him to configure Snort. Which of the following would best accomplish the stated goal?
You have been running Snort on your network and captured the following traffic. Can you identify it?
11/12-01:52:14.979681 0:D0:9:7A:E5:E9 -> 0:D0:9:7A:C:9B type:0x800 len:0x3E 192.168.13.10.237:1674 -> 192.168.13.234:12345 TCP TTL:128 TOS:0x0 ID:5277 IpLen:20 DgmLen:48 ******S* Seq: 0x3F2FE2AA Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
You are about to install Snort on a Windows computer. Which of the following must first be installed?
Identify the purpose of the following trace.
11/14-9:01:12.412521 0:D0:9:7F:FA:DB -> 0:2:B3:2B:1:4A type:0x800 len:0x3A 192.168.13.236:40465 -> 192.168.13.235:1 TCP TTL:40 TOS:0x0 ID:5473 IpLen:20 DgmLen:40 **U*P**F Seq: 0x0 Ack: 0x0 Win: 0x400 TcpLen: 20 UrgPtr: 0x0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
After accessing a router configuration file, you found the following password "70832585B0D1C0B0343." What type of password is it?
Which of the following can maintain a state table?
While scanning, you have not been able to determine what is in front of 192.168.13.10, which you believe to be some type of firewall. Your Nmap scan of that address seems to hang without response. What should you do next?
What does an ICMP type 3 code 13 denote?
During a penetration test, you saw a contractor use the tool ACKCMD. Which of the following best describes the purpose of the tool?
You have been asked to enter the following rule into Snort: Alert tcp any any -> any 23(msg: "Telnet Connection Attempt"). What is its purpose?
Snort is a useful tool. Which of the following best describes Snort's capabilities?
Answers to Exam Questions
1. A. Pattern matching is the act of matching packets against known signatures. Answer B is incorrect because anomaly detection looks for patterns of behavior that are out of there ordinary. Answer C is incorrect because protocol analysis analyzes the packets to determine if they are following established rules. Answer D is incorrect, as stateful inspection is used firewalls.
2. C. Snort cannot analyze IGMP, a routing protocol. Answers A, B, and D are incorrect because Snort can analyze IP, TCP, UDP, and ICMP.
3. C. Session splicing works by delivering the payload over multiple packets, which defeats simple pattern matching without session reconstruction. Answer A is incorrect, as evasion is a technique that might attempt to flood the IDS to evade it. Answer B is incorrect, as IP fragmentation is a general term that describes how IP handles traffic when faced with smaller MTUs. Answer D is incorrect because session hijacking describes the process of taking over an established session.
4. D. Snort -ix -dev -lsnortlog is the correct entry to run snort as an IDS on a Windows computer. The syntax in answers A B, and C are invalid, although it is the correct syntax to start up Snort on a Linux computer.
5. C. Filtering data on the source port of a packet isn't secure because a skilled hacker can easily change a source port on a packet, which could then pass through the filter. Therefore answers A, B, and D are incorrect.
6. D. In a Netbus scan, port 12345 is scanned as can be seen in the trace. Answers A, B, and C are incorrect because an ACK scan would show an ACK flag. A XMAS scan would show as Urgent, Push, and FIN flag.
7. B. WinPcap is a program that will allow the capture and sending of raw data from a network card. Answer A is incorrect because LibPcap is used by Linux, not Windows. Answer C is incorrect, as IDSCenter is a GUI for Snort, not a packet driver. Answer D is incorrect, as AdMutate is a tool for bypassing IDS.
8. B. A XMAS scans as the Urgent, Push, and FIN flags are set. Answer A is not correct, as an ACK scan would show an ACK flag. Answer C is incorrect, as 27444 would be displayed; answer D is incorrect because a Netbus scan port 12345 is scanned.
9. C. Cisco uses a proprietary Vigenere cipher to encrypt all passwords on the router except the enable secret password, which uses MD5. The Vigenere cipher is easy to break. Answers A, B, and D are incorrect because the password is not MD5, DES, or AES.
10. B. Proxy servers have the capability to maintain state. Answer A is incorrect, as packet filters do not maintain state. Answers C and D are incorrect because honeypots and bastion servers do not maintain a state table or answer the question.
11. C. Running a Null TCP hping should tell you whether packet filter is in use. Answer A is incorrect because running an Nmap stealth scan will not help. Answer B is incorrect, as an OS scan most likely will not provide any details to help you determine the packet filtering status of the device. Answer D is incorrect, as banner grabbing is not a valid option without knowing open ports.
12. C. An ICMP type 3 code 13 is an unreachable message that is generated because the communication is administratively prohibited. Answers A, B, and D are incorrect because they do not describe an ICMP 3-13.
13. B. ACKCMD is a covert channel tool that can be used to send and receive information and potentially bypass a firewall and IDS. Answer A is incorrect because it is not a Windows exploit. Answer C is incorrect, as it is not a honeypot. Answer D is incorrect because it is not used to exploit routers.
14. D. This is an alert rule designed to notify you of the use of Telnet in one direction. The rule means that any IP address on any port that attempts to connect to any IP address on port 23 will create an alert message. The arrow points one direction, so the alert will not apply to both directions. Answers A and B are incorrect because this is not a logging rule. Answer C is incorrect, as the rule applies to only one direction.
15. C. Snort can best be described as an IDS, packet logger, and sniffer. Answer A is incorrect, as Snort is not a proxy. Answer B is incorrect because Snort is not only an IDS and sniffer, but also a packet logger. Answer D is incorrect, as Snort is not a firewall.
Suggested Reading and Resources
www.hping.orgThe hping homepage.
www.snort.orgThe Snort homepage. A good site to explore to learn more about Snort.
www.networkworld.com/news/2005/072805-cisco-black-hat.htmlCisco vulnerabilities unveiled at Black Hat.
www.securiteam.com/tools/6V0011PEBY.htmlCisco password cracker.
www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.htmlUsing IPTables for packet filtering.
www.fwbuilder.orgMultipurpose firewall ruleset builder.
www.tldp.org/HOWTO/Firewall-HOWTO-2.htmlUnderstanding firewall types and configurations.
www.securitystats.com/tools/index.htmlSecurity stats and password cracking tools.
www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtmlCisco router.cfg vulnerability.
Buffer Overflows, Viruses, and Worms