Ex. No.

: 9 INTRUSION DETECTION SYSTEM (IDS)

Date:

AIM:
To demonstrate Intrusion Detection System (IDS) using Snort software tool.

STEPS ON CONFIGURING AND INTRUSION DETECTION:

1. Download Snort from the Snort.org website. (http://www.snort.org/snort-downloads)

2. Download Rules(https://www.snort.org/snort-rules). You must register to get the rules.
(You should download these often)
3. Double click on the .exe to install snort. This will install snort in the “C:\Snort” folder.It is
important to have WinPcap (https://www.winpcap.org/install/) installed
4. Extract the Rules file. You will need WinRAR for the .gz file.
5. Copy all files from the “rules” folder of the extracted folder. Now paste the rules into
“C:\Snort\rules” folder.
6. Copy “snort.conf” file from the “etc” folder of the extracted folder. You must paste it into
“C:\Snort\etc” folder. Overwrite any existing file. Remember if you modify your
snort.conf file and download a new file, you must modify it for Snort to work.
7. Open a command prompt (cmd.exe) and navigate to folder “C:\Snort\bin” folder. ( at the
Prompt, type cd\snort\bin)
8. To start (execute) snort in sniffer mode use following command:
snort -dev -i 3
-i indicates the interface number. You must pick the correct interface number. In my case, it
is 3.
-dev is used to run snort to capture packets on your network.

To check the interface list, use following command:

snort -W
Finding an interface

You can tell which interface to use by looking at the Index number and finding Microsoft.
As you can see in the above example, the other interfaces are for VMWare. My interface is
3.

9. To run snort in IDS mode, you will need to configure the file “snort.conf” according to
your network environment.
10. To specify the network address that you want to protect in snort.conf file, look for the
following line.
var HOME_NET 192.168.1.0/24 (You will normally see any here)
11. You may also want to set the addresses of DNS_SERVERS, if you have some on your
network.

Example:

example snort
12. Change the RULE_PATH variable to the path of rules folder.
var RULE_PATH c:\snort\rules

path to rules
13. Change the path of all library files with the name and path on your system. and you must
change the path of snort_dynamicpreprocessorvariable.
C:\Snort\lib\snort_dynamiccpreprocessor
You need to do this to all library files in the “C:\Snort\lib” folder. The old path might be:
“/usr/local/lib/…”. you will need to replace that path with your system path. Using
C:\Snort\lib
14. Change the path of the “dynamicengine” variable value in the “snort.conf” file..
Example:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

15 Add the paths for “include classification.config” and “include reference.config” files.
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
16. Remove the comment (#) on the line to allow ICMP rules, if it is commented with a #.
include $RULE_PATH/icmp.rules
17. You can also remove the comment of ICMP-info rules comment, if it is commented.
include $RULE_PATH/icmp- info.rules
18. To add log files to store alerts generated by snort, search for the “output log” test in
snort.conf and add the following line:
output alert_fast: snort-alerts.ids
19. Comment (add a #) the whitelist $WHITE_LIST_PATH/white_list.rules and the
blacklist

Change the nested_ip inner , \ to nested_ip inner #, \

20. Comment out (#) following lines:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

21. Save the “snort.conf” file.

22. To start snort in IDS mode, run the following command:

snort -c c:\snort\etc\snort.conf - l c:\snort\log - i 3

(Note: 3 is used for my interface card)

If a log is created, select the appropriate program to open it. You can use WordPard or
NotePad++ to read the file.

To generate Log files in ASCII mode, you can use following command while running snort in
IDS mode:
snort -A console - i3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

23. Scan the computer that is running snort from another computer by using PING or NMap
(ZenMap).

After scanning or during the scan you can check the snort-alerts.ids file in the log folder to
insure it is logging properly. You will see IP address folders appear.

Snort monitoring traffic –

RESULT:
Thus the Intrusion Detection System(IDS) has been demonstrated using the Open
Source Intrusion Detection Tool Snort.
Ex.No. : 10 EXPLORING N-STALKER
Date :

AIM:
To download the N-Stalker Vulnerability Assessment Tool and exploring the features.

EXPLORING N-STALKER:
 N-Stalker Web Application Security Scanner is a Web security assessment tool.
 It incorporates with a well-known N-Stealth HTTP Security Scanner and 35,000 Web
attack signature database.
 This tool also comes in both free and paid version.
 Before scanning the target, go to “License Manager” tab, perform the update.
 Once update, you will note the status as up to date.
 You need to download and install N-Stalker from www.nstalker.com.

1. Start N-Stalker from a Windows computer. The program is installed under Start ➪
Programs ➪ N-Stalker ➪ N-Stalker Free Edition.
2. Enter a host address or a range of addresses to scan.
3. Click Start Scan.
4. After the scan completes, the N-Stalker Report Manager will prompt
5. you to select a format for the resulting report as choose Generate HTML.
6. Review the HTML report for vulnerabilities.

Now goto “Scan Session”, enter the target URL.

In scan policy, you can select from the four options,

 Manual test which will crawl the website and will be waiting for manual attacks.
 full xss assessment
 owasp policy
  Web server infrastructure analysis.

Once, the option has been selected, next step is “Optimize settings” which will crawl the
whole website for further analysis.

In review option, you can get all the information like host information, technologies used,
policy name, etc.
Once done, start the session and start the scan.

The scanner will crawl the whole website and will show the scripts, broken pages, hidden
fields, information leakage, web forms related information which helps to analyze further.
Once the scan is completed, the NStalker scanner will show details like severity level,
vulnerability class, why is it an issue, the fix for the issue and the URL which is vulnerable to
the particular vulnerability?

RESULT:
Thus the N-Stalker Vulnerability Assessment tool has been downloaded, installed and
the features has been explored by using a vulnerable website.
Ex.No.: 11a DEFEATING MALWARE - BUILDING TROJANS
Date :

AIM:
To build a Trojan and know the harmness of the Trojan malwares in a computer
system.

PROCEDURE:
1. Create a simple Trojan by using Windows Batch File (.bat)
2. Type these below code in notepad and save it as Trojan.bat
3. Double click on Trojan.bat file.
4. When the Trojan code executes, it will open MS-Paint, Notepad, Command Prompt,
Explorer, etc., infinitely.
5. Restart the computer to stop the execution of this Trojan.

TROJAN:
 In computing, a Trojan horse,or Trojan, is any malware which misleads users of its
true intent.
 Trojans are generally spread by some form of social engineering, for example where a
user is duped into executing an email attachment disguised to appear not suspicious,
(e.g., a routine form to be filled in), or by clicking on some fake advertisement on
social media or anywhere else.
 Although their payload can be anything, many modern forms act as a backdoor,
contacting a controller which can then have unauthorized access to the affected
computer.
 Trojans may allow an attacker to access users' personal information such as banking
information, passwords, or personal identity.
 Example: Ransomware attacks are often carried out using a trojan.

CODE:
Trojan.bat
@echo off
:x
start mspaint
start notepad
start cmd
start explorer
start control
start calc
goto x
OUTPUT:
(MS-Paint, Notepad, Command Prompt, Explorer will open infinitely)

RESULT:
Thus a trojan has been built and the harmness of the trojan viruses has been explored.
Ex.No. : 11b DEFEATING MALWARE - ROOTKIT HUNTER
Date :

AIM:
To install a rootkit hunter and find the malwares in a computer.

ROOTKIT HUNTER:
 rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and
possible local exploits.
 It does this by comparing SHA-1 hashes of important files with known good ones in
online databases, searching for default directories (of rootkits), wrong permissions,
hidden files, suspicious strings in kernel modules, and special tests for Linux and
FreeBSD.
 rkhunter is notable due to its inclusion in popular operating systems (Fedora, Debian,
etc.)
 The tool has been written in Bourne shell, to allow for portability. It can run on almost
all UNIX-derived systems.

GMER ROOTKIT TOOL:

 GMER is a software tool written by a Polish researcher Przemysław Gmerek, for
detecting and removing rootkits.
 It runs on Microsoft Windows and has support for Windows NT, 2000, XP, Vista, 7, 8
and 10. With version 2.0.18327 full support for Windows x64 is added.
Step 1

Visit GMER's website (see Resources) and download the GMER executable.
Click the "Download EXE" button to download the program with a random file name, as
some rootkits will close “gmer.exe” before you can open it.
Step 2

Double-click the icon for the program.

Click the "Scan" button in the lower-right corner of the dialog box. Allow the program to
scan your entire hard drive.
Step 3

When the program completes its scan, select any program or file listed in red. Right-click it
and select "Delete."
If the red item is a service, it may be protected. Right-click the service and select "Disable."
Reboot your computer and run the scan again, this time selecting "Delete" when that service
is detected.
When your computer is free of Rootkits, close the program and restart your PC.

RESULT:
A rootkit hunter software tool gmer has been installed and the rootkits have been
detected.