Laboratory #7: Intrusion Detection Systems
Goal: to make the student able to configure an Enterprise Intrusion Detection System based on the previously developed knowledge of Enterprise System Vulnerabilities and Security Policy.
Nature: Hands-on
Duration: 2 Weeks.
Deliverables: Five double-spaced page observation paper. The paper must include samples of observed data.
The purpose of learning and configuring an IDS is to be able to use it to detect unauthorized intrusions in the system and network. To achieve this, set up Snort on one of the student servers. You have a choice between:
Installing Snort for Linux
Go to the Snort source, print the Snort documentation, and follow it.
Installing Snort for Windows
Get the documents:
- "Installing Snort and MySQL for Windows" – follow the guidelines in it.
- "Writing Snort Rules" – from http://packetstormsecurity.nl/papers/IDS/snort_rules.htm
- "Snort.conf.txt" – from Snort DOCS – this is the Snort configuration and rule set that you are going to work with.
- "Snort-manual.txt" – from Snort DOCS – this is big, so you do not have to print it, but use it to find what you need.
Configuring Snort
Snort is configured in four areas:
- set the network variables for your network
- configure preprocessors
- configure output plugins
- customize the rule set.
You are going to do this to make Snort work for you. Your first exercise will be to configure the network variables. You will need to justify every step of what you do.
Test Snort
Test your Snort as follows:
- Set it to monitor the network cluster behind your server.
- Set it to monitor one IP address outside your cluster. Later, use this machine to access any of the clients behind your server. Write what you see.
- Set rules for Snort to alert to a text file, which you will print.
- Monitor and alert on all port numbers above 114.
- Monitor and alert on all UDP packets incoming into the cluster.
- Alert on the following ports (and test on them): 13, 22, 63, 74, 114, 1001, 1248 and 5000.
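As an added example (not part of the lab handout), a minimal snort.conf in Snort 2.x syntax that covers the four configuration areas above and the rules the test exercises ask for. The HOME_NET range, the outside test host address, and the preprocessor lines are assumptions; replace the addresses with the ones used in your lab.

```snort
# Added example, not from the lab handout: minimal Snort 2.x configuration.
# Assumed values: 192.168.10.0/24 is the cluster behind your server and
# 203.0.113.5 is the one outside test machine. Adjust to your lab network.

# 1. Network variables
var HOME_NET 192.168.10.0/24
var EXTERNAL_NET !$HOME_NET
var TEST_HOST 203.0.113.5

# 2. Preprocessors: IP defragmentation and TCP/UDP stream tracking (Snort 2.9 syntax)
preprocessor frag3_global
preprocessor frag3_engine
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first
preprocessor stream5_udp

# 3. Output plugin: one-line alerts written to a text file in the log directory
output alert_fast: alert.txt

# 4. Rule set for the test exercises (local sids start at 1000000)
# Anything the outside test host sends into the cluster
alert ip $TEST_HOST any -> $HOME_NET any (msg:"Lab7 test host to cluster"; sid:1000001; rev:1;)

# All traffic to port numbers above 114 ("115:" means 115 and higher)
alert tcp any any -> $HOME_NET 115: (msg:"Lab7 TCP port above 114"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 115: (msg:"Lab7 UDP port above 114"; sid:1000003; rev:1;)

# All UDP packets incoming into the cluster
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Lab7 inbound UDP"; sid:1000004; rev:1;)

# The specific ports listed in the exercise
alert tcp any any -> $HOME_NET [13,22,63,74,114,1001,1248,5000] (msg:"Lab7 watched TCP port"; sid:1000005; rev:1;)
alert udp any any -> $HOME_NET [13,22,63,74,114,1001,1248,5000] (msg:"Lab7 watched UDP port"; sid:1000006; rev:1;)
```

Start Snort with `snort -c snort.conf -l ./log -i <interface>` and the alerts appear in `./log/alert.txt`, which you can print for the observation paper.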
Note: You are free to find and use other tools to accomplish your exercise as long as those tools are downloaded, NOT brought into the lab.
Some of the suggested activities and tools you can use to test Snort include (but are not limited to):
- Port scans (find the port numbers in the Port Database on the NetScan Pro utility)
- TCP
- TCP SYN half open
- UDP
- MAC address
- Whois
- Subnet calculator
- TTCP test
- SMTP
- Realtime Black List
- Ping – to detect IP addresses (i.e. in case of masquerading)
- NetScan
- Net topology
- Connections
- RPC scan
- Denial of service vulnerability detection
- SNMP detection
- Identifying unknown open ports and their associated applications
- Report all open TCP and UDP ports and map them
- Security log analyzer to identify and track who has gained access to your system, and document details
- File analyzer to examine files on disk drives for unauthorized activities
- Test the server for stress
- And many more