首页 > 其他分享 >Network security using SNORT

Network security using SNORT

时间:2024-10-23 17:31:19浏览次数:6  
标签:log rules Kali snort ff using security any Network

Lab 3 : Network security using SNORT

Introduction This Lab is a specialized virtual environment designed for the purpose of cybersecuritytraining and education. In today’s digital landscape, the importance of understanding anddefending against cyber threats is paramount. This lab provides a practical, hands-onapproach to learning various aspects of cybersecurity, including but not limited topenetration testing, network security, intrusion detection, and response strategies.

Purpose

The primary purpose of this Lab is to facilitate a comprehensive understanding andapplication of cybersecurity concepts and practices.This lab environment allows users to:

  1. Provide a hands-on approach to learning offensive and defensive cybersecuritytechniques using tools like Metasploitable, Kali Linux, and Ubuntu.
  1. Serve as an educational platform for aspiring cybersecurity professionals.
  2. Create a safe, controlled environment for experimentation.
  3. Enhance technical skills in network security and ethical hacking.

Scope

The scope of the Lab encompasses:

  1. Virtualization and Network Setup: Utilizing 代 写Network security using SNORT  VMware for the creation and managementof virtual machines, each hosting different operating systems (Metasploitable, Kali Linux,and Ubuntu) and configured in a host-only network to ensure isolation and safety.
  1. Tool Implementation and Configuration: Including Snort for intrusion detection.
  2. Learning Objectives: Focusing on providing hands-on experience in identifyingvulnerabilities, conducting penetration tests, monitoring network traffic, andimplementing defensive strategies.
  1. Resource Constraints: Designed to be efficient and functional within the constraints of8GB RAM, ensuring accessibility for users with limited hardware resources. Lab Requirements

Hardware Requirements RAM: 8 GB of RAMStorage: 30GB+Operating Systems

  1. Metasploitable: This will act as the victim machine. Metasploitable is intentionallyvulnerable to provide a training environment for security testing.https://sourceforge.net/projects/metasploitable/files/latest/download
  1. Kali Linux: This will be used as the attacker machine. Kali Linux comes with numerouspre-installed penetration testing tools.https://www.kali.org/get-kali/
  1. Ubuntu: This will serve as the defense machine, where you’ll monitor the network andimplement security measures.https://ubuntu.com/download/desktop

Software Requirements

  1. Virtualization Software: VMWare.
  2. NIDS&NIPS: Snort https://www.snort.org/downloads#snort3-downloads

Network In my environment I have this network:

Kali — 192.168.152.128/24

Metasploitable — 192.168.152.129/24Ubuntu — 192.168.152.130/24 Network IllustrationNote: My Kali did not receive its IP from virtual DHCP. If you have such problem too,then:

> ip addr show eth0

2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen

1000

link/ether 00:0c:29:14:1d:0c brd ff:ff:ff:ff:ff:ff

> sudo ip link set eth0 up

> sudo dhclient eth0

> ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group

default qlen 1000

link/ether 00:0c:29:14:1d:0c brd ff:ff:ff:ff:ff:ff

inet 192.168.152.128/24 brd 192.168.152.255 scope global dynamic eth0 valid_lft 1659sec preferred_lft 1659sec

inet6 fe80::20c:29ff:fe14:1d0c/64 scope link proto kernel_ll

valid_lft forever preferred_lft foreverb

Setting Up Virtual Machines

Setting Up Attacker Machine — Kali

  1. Download VMWare version for Kali. https://www.kali.org/get-kali/
  2. Unpack
  3. Open file with `.wmx` extension

Setting Up Victim Machine — Metasploitable

  1. Download https://sourceforge.net/projects/metasploitable/files/latest/download
  2. Unzip
  3. Open file with `.wmx` extension

Setting Up Monitoring and Detection Machine — Ubuntu

  1. Download iso https://ubuntu.com/download/desktop
  2. Create a new Virtual Machine on VMWare
  3. 4. 5. choose ubuntu’s iso 6. 7. 8. 9. 10. (then click next again 2 times)
  4. (then again)
  5. Finish
  6. Power On. Installation will be opened.
  7. Choose keyboard. (US)
  8. 16. 17.
  9. Choose Location20.

Snort

Snort is an open-source network intrusion prevention system (NIPS) and network intrusiondetection system (NIDS) that is used for detecting and preventing network intrusions. It analyzes network traffic to identify malicious activity, logs packets, and can perform realtime traffic analysis and packet logging.

Setting Up Snort

sudo apt-get install snort -y

  1. Write their interface (you can learn it simply by running `ip a`.
  2. Network
  3. sudo ip link set ens33 promisc on
  4. vim /etc/snort/snort.conf
  1. change any to your ip range (mine is 192.168.152.0/24 )
  2. Check the rules and other configurationssnort -T -i ens33 -c /etc/snort/snort.conf

You can see that snort is using prewritten rules: You can disable them by commenting these lines out:

All rules besides $RULE_PATH/local.rules Now Snort is setup. Next thing to do is to write rules and detect them. Writing the First rule You can write them manually into `/etc/snort/rules/local.rules`. Or, in thiswebsite http://snorpy.cyb3rs3c.net/. Or, ChatGPT.

Some notations here:

  1. choose action type
  2. choose protocol
  3. source ip/port
  4. destination ip/port
  5. id (every snort rule should have different id)
  6. revision number. Normally after each update of the rule this number increases byne
  1. Message you want to leave there
  2. Resulting rule. Copy it.

alert icmp any any -> any any ( msg:"Someone is pinging"; sid:10000; rev:1; )

alert icmp any any -> $HOME_NET any ( msg:"Someone is pinging"; sid:10001; rev:1; )

Write the rules into /etc/snort/rules/local.rules file: This command will show alerts in real time:snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.confPing to somewhere and get the alert. You also can try to ping from Kali toMetasploitable.

Example of its application in unauthorized ssh connections

alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH Brute Force Attack"; flags:S;

threshold:type both, track by_src, count 5,

seconds 60; sid:10002; rev:1;)Explanation of the rule components:  alert tcp any any -> $HOME_NET 22: This part specifies that the rule is looking forTCP traffic from any source IP and port, going to any IP within your defined`HOME_NET` on port 22 (the default SSH port).

msg:”Possible SSH Brute Force Attack”: The message that will be logged when thisrule is triggered.

flags:S: This looks for packets with the SYN flag set, which are used to initiate TCPconnections.

threshold:type both, track by_src, count 5, seconds 60: This is a threshold condition.It tracks by source IP, and the rule triggers if there are 5 connection attempts (SYNpackets) within 60 seconds.

sid:10002; rev:1: Every Snort rule needs a unique SID (Snort ID), and a revisionnumber.Moreover, add this rule too. This is for checking single TCP connection:

alert tcp any any -> $HOME_NET any (msg:"TCP Connection Attempt Detected"; flags:S;sid:10003; rev:1;)Write it to the file and run the command.Then, run Metasploitable and Kali.

Check the rule TCP Connection Attempt Detected: You can see that we tried to connect to Metasploitable from Kali.Now let’s check Possible SSH Brute Force Attack.

Drop Let’s now write a drop rule for getting rid of unwanted FTP connection.

drop tcp any any -> $HOME_NET 21 (msg:"Possible FTP Brute Force Attack"; flags:S;

threshold:type both, track by_src, count 5, seconds 20; sid:10004; rev:1;)

Run ftp brute force with hydra in Kali: hydra -l "root" -P /usr/share/wordlists/rockyou.txt ftp://192.168.152.129Extract IPs that get detected:

snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf | grep "Possible FTPBrute Force Attack" | awk '{print $13}' | awk -F ":"'{print $1}' >> drops.txt

Example of Snort’s Application in Detecting XSS

lert tcp any any -> [Metasploitable_IP] 80 (msg:"XSS is Detected";

low:to_server,established; content:"<script>"; http_uri; sid:10005; rev:1;)

Add the rule to /etc/snort/rules/local.rules.Open deliberately vulnerable webapplication: http://192.168.152.129/dvwa/vulnerabilities/xss_r/ in my case. Write therethe payload: <script>alert(1)</script>. Press Enter and get:You will get the alert:

Bonus: Visualizing logs with web interface Write the alerts into log file.

snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf >

/var/log/snort/alerts.txt

Change directory to the place where logs are stored and open python server here. cd /var/log/snort

python3 -m http.server

Write this simple nodeJS application into app.js.

// Import the Express module to create a web server

const express = require('express');

// Import the Axios module for making HTTP requests

const axios = require('axios');

// Create an instance of an Express application

const app = express();

// Define the port number on which the server will listen

const port = 3000;

// URL of the API from which log data will be fetched.

<blue_machine_ip>:<python_server_port>/log.file

const api = 'http://192.168.152.130:8000/alerts.txt'

// Define a function to convert log entries into HTML format

const getLogsHtml = (logs) => {

 

return logs.map(log =>

 

// Create an HTML structure for each log entry

 

`<div class="log-entry">

<span class="timestamp">${log.timestamp}</span>

<p>${log.alert}</p>

</div>`

).join('');

}; // Define a route for the root ('/') URL

app.get('/', async (req, res) => 

try 

 

// Fetch log data from the API using Axios

 

const response = await axios.get(api);

 

// Split the data by new line and create an array of log entries

 

const logEntries = response.data.split('\n');

// Prcess each log entry and split it into timestamp and alert parts

 

constformattedLogs = logEntries.map(entry => {

const parts = entry.split(' ');

return { timestamp: parts[0], alert: parts.slice(1).join(' ') };

});

 

// Convert the log entries into HTML format

 

const logsHtml = getLogsHtml(formattedLogs);

// HTML template for the pageconst htmlTemplate = '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-

8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>LogViewer</title><style>body { font-family: Arial, sans-serif; margin: 0; padding: 20px;background-color: #f4f4f4; } .log-entry { background-color: #fff; border: 1px solid #ddd;padding: 10px; margin-bottom: 10px; border-radius: 4px; } .timestamp { color:#888; }</style></head><body><h1>Log Entries</h1><div id="log-container"><!-- Log entries

will be inserted here --></div></body></html>';/ Insert the log entries HTML into the template

const finalHtml = htmlTemplate.replace('<!-- Log entries will be inserted here -->',

logsHtml);

// Send the final HTML as the response

res.send(finalHtml);

} catch (error) {

// Handle any errors by sending a 500 error response res.status(500).send('Error fetching logs');

 

});

// Start the server and listen on the specified port

app.listen(port, () => {console.log(`Server running on http://localhost:${port}`);});

Install required packages and run the web app:npm i express axios

node app.jsThis code demonstrates a comprehensive setup for logging, serving, and displaying logdata using a combination of Snort, Python, and Node.js. First, it configures Snort to writealerts to a log file and then starts a Python HTTP server in the directory where these logsare stored. Next, it outlines a Node.js application using Express and Axios to fetch anddisplay these logs in a web browser, with a focus on converting log entries into an HTMLformat for easy viewing. Finally, it provides commands to install the necessary Node.jspackages and run the web application, completing the end-to-end process of log

management and visualization.You will have simple real-time Dashboard to see alerts. You may customize it for getting itmore styled and add additional functionality to see other logs and actions. Submission: You need to submit a pdf report that show the implementation of the lab inyour computer with a set of screenshots. For your deliverables, you should submit a PDFfile with screen shots of your scans. Be sure to include the descriptions and analysis ofyour results. Also, include the reports from your scan. Your report should be wellorganized and clearly written.Include your full name and id

标签:log,rules,Kali,snort,ff,using,security,any,Network
From: https://www.cnblogs.com/goodlunn/p/18494334

相关文章

  • nerual network系列--3b1b视频记录
    3b1b部分视频汉化B站作品页:3Blue1Brown投稿视频-3Blue1Brown视频分享-哔哩哔哩视频neuralnetworksseries:https://www.youtube.com/watch?v=aircAruvnKk&list=PLZHQObOWTQDNU6R1_67000Dx_ZCJB-3pi内容+问题(只是部分思考,可能暂无答案),以视频记录和思考顺序记录,可能较乱,不做整......
  • STAR: A Simple Training-free Approach for Recommendations using Large Language M
    目录概符号说明STARRetrievalRanking最后的结果LeeD.,KraftA.,JinL.,MehtaN.,XuT.,HongL.,ChiE.H.andYiX.STAR:Asimpletraining-freeapproachforrecommendationsusinglargelanguagemodels.2024.概本文提出了一种融合语义/协同/时序信息的方法,......
  • modsecurity:规则例子:匹配url
    一,拦截包含一个字符串的访问:1,例子:如下:11.89.39.11--[23/Oct/2024:04:47:22+0800]"GET/.git/configHTTP/1.1"404548"-""Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/70.0.3538.102Safari/537.36&qu......
  • 使用 C++ 实现网络编程 NetWork(pro版)
    上一次小编分享了C++实现网络编程NetWork,这是链接:C++网络通信类Network的实现详解-CSDN博客这次小编带着改进之后的NetWork归来!在现代计算机网络中,网络通信是不可或缺的一部分。本文将介绍如何使用C语言实现一个简单的网络通信库,涵盖TCP和UDP协议的基本功能。我们将通过......
  • modsecurity: 规则的体系三
    一,modsecurity规则的级别:paranoialevelmodsecurity根据规则可能存在的误报情况,设置了规则的级别,称之为PL(paranoialevel),共有4个级别,分别为1/2/3/4,级别越高,漏报越少,误报越多。用户可以根据实际业务情况适当调整,默认设置PL=1,可以在crs-setup.conf中设置配置文件:crs-setup.con......
  • 【论文阅读】【IEEE TGARS】RRNet: Relational Reasoning Network WithParallel Multi
    引言任务:光学遥感显著目标检测-关系推理论文地址:RRNet:RelationalReasoningNetworkWithParallelMultiscaleAttentionforSalientObjectDetectioninOpticalRemoteSensingImages|IEEEJournals&Magazine|IEEEXplore代码地址:rmcong/RRNet_TGRS2021(g......
  • modsecurity: 规则的体系一
    一,每个事务的生命周期:如图:每个事务在modsecurity需要经历5个阶段,在每个阶段可能需要解析等操作,然后调用相应阶段的规则进行匹配,对应规则中的phase阶段一:requestheaders请求头,这是modsecurity最先接触到的数据,      需要验证请求头相关的规则,并根据请求头来判断......
  • SDCN:《Structural Deep Clustering Network》
    代码:https://github.com/461054993/SDCN摘要聚类是数据分析中的一项基本任务。最近,主要从深度学习方法中获得灵感的深度聚类实现了最先进的性能,并引起了相当大的关注。当前的深度聚类方法通常借助深度学习强大的表示能力(例如自动编码器)来提高聚类结果,这表明学习有效的聚类表示......
  • C语言实现 网络通信 Network
    在现代计算机网络中,网络通信是不可或缺的一部分。本文将介绍如何使用C语言实现一个简单的网络通信库,涵盖TCP和UDP协议的基本功能。我们将通过一个示例代码库进行详细讲解,以便更好地理解网络编程的核心概念。项目结构本项目包含两个文件:network.h:头文件,定义了数据结构和函数......
  • 集成Spring Security详解
    集成SpringSecurity详解一、SpringSecurity简介SpringSecurity是一个功能强大且高度可定制的身份验证和访问控制框架,它专注于为Java应用程序提供全面的安全解决方案。作为Spring项目的一部分,SpringSecurity继承了Spring框架的灵活性和可扩展性,能够轻松地集成到任何Spr......