Intrusion Detection and Prevention

This document discusses packet capture and intrusion detection tools. It provides instructions for using TCPdump to capture packets on a network and analyze the output. It also explains how to install and configure the Snort intrusion detection system on a pfSense firewall, load updated rulesets, and view alerts generated by network scans. Users are advised not to directly edit Snort configuration files stored on the pfSense system.

Uploaded by joaqjs
Copyright: © Attribution Non-Commercial (BY-NC)

Intrusion Detection and Prevention

Packet Capture
The first step in understanding how an IDS works is to understand packet capture. The best way to do this is to grab some packets with TCPdump. TCPdump is built on BPF (the Berkeley Packet Filter), which takes a filter expression and compiles it into machine code that filters the packet stream, keeping only the packets you're interested in.

TCPdump
There are a lot of command line options for TCPdump. Here's a common way in which it is run:

    tcpdump -i le0 -n -c 10 -s0

    -i le0    capture packets from the le0 interface
    -n        do not resolve IP addresses to names
    -c 10     stop after capturing 10 packets
    -s0       capture packets with "full snap length" (the whole packet, not just its first bytes)

Other commonly used command line options include -X (print each packet in hex and ASCII), -w filename (write the raw packets to a file) and -r filename (read packets back from such a file instead of the network).

Exercise #1 - Capturing Packets

Use TCPdump to capture some packets on the victim network:
1. Make sure that all VMs are up and running.
2. Start up TCPdump on the Linux Victim host:
       sudo tcpdump -i le0 -n -c 100 -s0
3. Scan the internal network from the Linux Attacker:
       nmap -sP 172.16.10.0/24
4. Restart TCPdump on the Victim (if necessary).
5. Scan the Victim host from the Attacker:
       nmap -A 172.16.10.10

Exercise #1a - Capturing Packets

Use TCPdump to capture more packets on the victim network:
1. Restart TCPdump on the Victim with the -X flag:
       sudo tcpdump -i le0 -n -c 100 -s0 -X
2. Nmap the victim network from the Attacker:
       nmap -A 172.16.10.1-20

Snort
Snort is one of the most commonly used Intrusion Detection Systems today. It's so popular because it's free, it's very good at what it does, it's well supported and it's very well documented. You can even buy commercial versions from SourceFire.

Snort Rules
Let's look at an example rule and take it apart:
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)

Snort Rules
Let's make that a little more readable and examine it:

    alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (
        msg:"SHELLCODE Linux shellcode";
        content:"|90 90 90 E8 C0 FF FF FF|/bin/sh";
        reference:arachnids,343;
        classtype:shellcode-detect;
        sid:652;
        rev:9;
    )
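To see what the pieces of that rule mean, here is an added Python example (not Snort's code and not from the slides) that splits the rule into its header (action, protocol, source network and ports, direction, destination network and ports) and its options, decodes the content pattern's mixed |hex| and ASCII syntax into bytes, and checks it against two constructed payloads.

```python
from dataclasses import dataclass

# The example rule from the slide, exactly as written.
RULE = ('alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
        '(msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; '
        'reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)')

@dataclass
class Rule:
    action: str      # alert / log / pass ...
    proto: str       # ip / tcp / udp / icmp
    src: str         # source network variable or CIDR, e.g. $EXTERNAL_NET
    src_port: str    # source port variable, e.g. $SHELLCODE_PORTS
    direction: str   # -> (one way) or <> (either way)
    dst: str         # destination network, e.g. $HOME_NET
    dst_port: str    # destination port, "any" here
    options: dict    # everything inside the parentheses, keyed by option name

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and option map."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for item in body.rstrip(")").split(";"):
        key, _, val = item.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, opts)

def content_bytes(spec):
    """Decode Snort content syntax: text outside |...| is literal ASCII,
    text inside |...| is space-separated hex bytes (here x86 NOPs and a CALL)."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2:                       # odd-numbered chunks sit between pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)

def matches(rule, payload):
    """True when the rule's content pattern occurs anywhere in the payload."""
    return content_bytes(rule.options["content"]) in payload

# Constructed sample payloads (not captured traffic).
HIT = b"A" * 16 + b"\x90\x90\x90\xe8\xc0\xff\xff\xff/bin/sh\x00"
MISS = b"GET /bin/sh HTTP/1.0\r\n\r\n"
```

Note that the real engine also applies the header: the content check only runs on packets whose addresses and ports match $EXTERNAL_NET, $SHELLCODE_PORTS and $HOME_NET, which is why tuning those variables matters as much as the rules themselves.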

Exercise #2: Snort in pfSense

The first step to getting Snort into pfSense is to download and install the snort package for pfSense. This has already been done for you here, but here are the steps.
1. On the Linux Victim, open Firefox and go to http://172.16.10.254
2. Go to System -> Packages
3. Snort is already installed, but examine the other available packages

Exercise #3: Installing Snort Rules

Snort isn't much good until it has some rules to work with. By default, the snort package for pfSense comes with no rules at all. To install the standard rules, you have to register for an account at www.snort.org and then generate an oinkmaster code. Again, this has already been done for you, but here are the steps.

1. Point a browser at www.snort.org
2. Create a new snort.org account (click on Not Registered?)
3. Wait for the email to come back...
4. Log in using your snort.org account and generate an oinkmaster code
5. You'll get a really long hex string for your oinkmaster code
6. Go back to the Linux victim, point a browser at the pfSense console and log in
7. Go to Packages -> Snort and enter your code
8. Go to Packages -> Snort -> Update Rules and wait for snort to update itself
9. You are now running snort with (relatively) up to date rules

Exercise #4: Generate Some Alerts

Now that snort is installed and is running with updated rules, let's generate some alerts.
1. Start the nessus client on the Attacker:
       nessus
2. Log in to nessus and start a scan of 172.16.10.10
3. In the pfSense web console, go to Services -> Snort -> Alerts
4. Refresh a few times if there are no alerts

Exercise #5: Under The Hood

Snort and all of its documented configuration files are sitting on pfSense. If you are feeling adventurous and know what you're doing, you can edit them directly. This is not recommended.
1. On the pfSense VM, enter a command shell (option 8)
2. cd /usr/local/etc/snort
3. snort.conf contains the primary configuration for Snort

Questions?
