
CEH v8 labs module 17 evading IDS firewalls and honeypots (1)


CEH Lab Manual

Evading IDS, Firewalls,
and Honeypots
Module 17


Module 17 - Evading IDS, Firewalls and Honeypots

Intrusion Detection System
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Lab Scenario

Due to a growing number of intrusions, and since the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. Intrusion detection systems (IDSes) are those that have recently gained a considerable amount of interest. An IDS is a defense system that detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress, including reconnaissance/data collection phases that involve, for example, port scans. One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. According to Amoroso, intrusion detection is a "process of identifying and responding to malicious activity targeted at computing and networking resources." In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the threat posed by hackers) (Source: )
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network intrusion prevention systems (IPSes), IDSes, malicious network activity, and log information.

Lab Objectives

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

The objective of this lab is to help students learn to detect intrusions in a network, log them, and view all log files. In this lab, you will learn how to:
■ Install and configure Snort IDS
■ Run Snort as a service
■ Log Snort log files to Kiwi Syslog Server
■ Store Snort log files to two output sources simultaneously

Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as a host machine
■ A computer running Windows Server 2008, Windows 8, or Windows 7 as a virtual machine
■ WinPcap drivers installed on the host machine

CEH Lab Manual Page 847
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.





■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools
■ A web browser with Internet access

Lab Duration
Time: 40 Minutes

Overview of Intrusion Detection Systems
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. In addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment.
IDPSes are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in using IDSes:
■ Detecting Intrusions Using Snort
■ Logging Snort Alerts to Kiwi Syslog Server
■ Detecting Intruders and Worms using KFSensor Honeypot IDS
■ HTTP Tunneling Using HTTPort

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.





PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.



Detecting Intrusions using Snort
Snort is an open source network intrusion prevention and detection system (IDS/IPS).

Lab Scenario
The trade of the intrusion detection analyst is to find possible attacks against their network. The past few years have witnessed significant increases in DDoS attacks on the Internet, prompting network security to become a great concern. Analysts do this by reviewing IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet. Attacks are becoming more sophisticated; automatically reasoning about attack scenarios in real time and categorizing those scenarios becomes a critical challenge. These result in huge amounts of data, and from this data analysts must look for some kind of pattern. However, the overwhelming flows of events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans.
In order to become an expert penetration tester and security administrator, you must possess sound knowledge of network IPSes, IDSes, malicious network activity, and log information.

Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Objectives
The objective of this lab is to familiarize students with IPSes and IDSes. In this lab, you need to:
■ Install Snort and verify Snort alerts
■ Configure and validate the snort.conf file
■ Test the working of Snort by carrying out an attack test
■ Perform intrusion detection
■ Configure Oinkmaster

Lab Environment
To carry out this lab, you need:






■ A computer running Windows Server 2012 as a host machine
■ Windows 7 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Notepad++ installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Active Perl installed on the host machine to run Perl scripts
■ Administrative privileges to configure settings and run tools

Lab Duration
Time: 30 Minutes

You can also download Snort from http://www.snort.org.

Overview of Intrusion Prevention Systems and Intrusion Detection Systems
An IPS is a network security appliance that monitors network and system activities for malicious activity. The main functions of IPSes are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.
An IDS is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. It performs intrusion detection and attempts to stop detected possible incidents.

Lab Tasks

TASK 1
Install Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS).


1. Start Windows Server 2012 on the host machine. Install Snort.
2. To install Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
3. Double-click the Snort_2_9_3_1_Installer.exe file. The Snort installation wizard appears.
4. Accept the License Agreement and install Snort with the default options that appear step-by-step in the wizard.
5. A window appears after successful installation of Snort. Click the Close button.
6. Click OK to exit the Snort Installation window.




Figure 1.1: Snort Successful Installation Window (Snort 2.9.3.1 Setup dialog reading: "Snort has successfully been installed. Snort also requires WinPcap 4.1.1 to be installed on this machine. WinPcap can be downloaded from: http://www.winpcap.org/ It would also be wise to tighten the security on the Snort installation directory to prevent any malicious modification of the Snort executable. Next, you must manually edit the 'snort.conf' file to specify proper paths to allow Snort to find the rules files and classification files.")

WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets, bypassing the protocol stack.

7. Snort requires WinPcap to be installed on your machine.
8. Install WinPcap by navigating to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort, and double-clicking WinPcap_4_1_2.exe.
9. By default, Snort installs itself in C:\Snort (C:\ or D:\ depending upon the disk drive on which the OS is installed).
10. Register on the Snort website in order to download Snort Rules. After registration completes, it will automatically redirect to a download page.
11. Click the Get Rules button to download the latest rules. In this lab we have downloaded snortrules-snapshot-2931.tar.gz.
12. Extract the downloaded rules and copy the extracted folder to this path: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort.
13. Rename the extracted folder to snortrules.
14. Now go to the etc folder of the extracted Snort rules at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\etc, copy the snort.conf file, and paste this file in C:\Snort\etc.
15. A snort.conf file is already present in C:\Snort\etc; replace this file with the snort.conf file from the Snort rules.
16. Copy the so_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort.





17. Copy the preproc_rules folder from D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules and paste it in C:\Snort, replacing the existing folder.
18. Copy all the files from this location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\Intrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules.

TASK 2
Verify Snort Alert

19. Now navigate to C:\Snort, right-click the bin folder, and click CmdHere from the context menu to open it in a command prompt.
20. Type snort and press Enter.
Figure 1.2: Snort Basic Command (screenshot of snort run from C:\Snort\bin, showing "Running in packet dump mode", "Initializing Snort", "Initializing Output Plugins!", "pcap DAQ configured to passive.", "The DAQ version does not support reload.", "Acquiring network traffic from \Device\NPF_{...}", "Decoding Ethernet", "Initialization Complete", the banner "Snort! Version 2.9.3.1-WIN32 GRE (Build 40) By Martin Roesch & The Snort Team", "Using PCRE version: 8.10 2010-06-25", "Using ZLIB version: 1.2.3", and "Commencing packet processing")

To print out the TCP/IP packet headers to the screen (i.e., sniffer mode), type: snort -v.


21. The Initialization Complete message displays. Press Ctrl+C. Snort exits and comes back to C:\Snort\bin.
22. Now type snort -W. This command lists your machine's physical address, IP address, and Ethernet Drivers, but all are disabled by default.
Figure 1.3: Snort -W Command (screenshot of snort -W output: the Snort version banner followed by a table of interfaces with columns Index, Physical Address, IP Address, Device Name, and Description; every entry is listed as disabled)

23. Observe your Ethernet Driver index number and write it down; in this lab, the Ethernet Driver index number is 1.
24. To enable the Ethernet Driver, in the command prompt, type snort -dev -i 2 and press Enter.




To specify a logging directory, type snort -dev -l /logdirectorylocation and Snort automatically knows to go into packet logger mode.

25. You see rapidly scrolling text in the command prompt. It means the Ethernet Driver is enabled and working properly.
Figure 1.4: Snort -dev -i 4 Command (screenshot of snort -dev -i 4 running in packet dump mode on \Device\NPF_{...}, ending with "Commencing packet processing (pid=2852)" and a captured "ARP who-has 10.0.0.13 tell 10.0.0.10" packet)

26. Leave the Snort command prompt window open, and launch another command prompt window.
27. In the new command prompt, type ping google.com and press Enter.

Ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

Figure 1.5: Ping google.com Command

28. This ping command triggers a Snort alert in the Snort command prompt with rapidly scrolling text.
To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, type: snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf.

Figure 1.6: Snort Showing Captured Google Request (screenshot of the snort -dev -i 4 window showing decoded TCP packets between 10.0.0.10:51345 and 74.125.236.85:443 with their payload hex dumps, followed by "ARP who-has 10.0.0.13 tell 10.0.0.10" entries)




29. Close both command prompt windows. The verification of the Snort installation and the triggering of an alert is complete, and Snort is working correctly in verbose mode.

TASK 3
Configure snort.conf File

30. Configure the snort.conf file located at C:\Snort\etc.
31. Open the snort.conf file with Notepad++.
32. The snort.conf file opens in Notepad++ as shown in the following screenshot.

Make sure to grab the rules for the version of Snort you are installing.

To log packets in tcpdump format and produce minimal alerts, type: snort -b -A fast -c snort.conf.
Figure 1.7: Configuring snort.conf File in Notepad++

33. Scroll down to the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP address of the machine where Snort is running.
Figure 1.8: Configuring snort.conf File in Notepad++ (screenshot of snort.conf with Line 45 reading: ipvar HOME_NET 10.0.0.10)

Notepad++ is a free source code editor and Notepad replacement that supports several languages. It runs in the MS Windows environment.

34. Leave the EXTERNAL_NET any line as it is.





The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

35. If you have a DNS Server, then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address; otherwise, leave this line as it is.
36. The same applies to SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS.
37. Remember that if you don't have any servers running on your machine, leave the line as it is. DO NOT make any changes in that line.
38. Scroll down to RULE_PATH (Line 104). In Line 104 replace ../rules with C:\Snort\rules, in Line 105 replace ../so_rules with C:\Snort\so_rules, and in Line 106 replace ../preproc_rules with C:\Snort\preproc_rules.
Figure 1.9: Configuring snort.conf File in Notepad++ (screenshot of snort.conf Lines 103-106: "# such as: c:\snort\rules", "var RULE_PATH C:\Snort\rules", "var SO_RULE_PATH C:\Snort\so_rules", "var PREPROC_RULE_PATH C:\Snort\preproc_rules", followed by the WHITE_LIST_PATH and BLACK_LIST_PATH lines still set to ../rules and the comment noting that these are relative to where snort is run rather than to snort.conf)

Rule variable names can be modified in several ways. You can define metavariables using the $ operator. These can be used with the variable modifier operators ? and -.

39. In Lines 113 and 114 replace ../rules with C:\Snort\rules.
Figure 1.10: Configuring snort.conf File in Notepad++ (screenshot of snort.conf Lines 104-114 with the RULE_PATH, SO_RULE_PATH, and PREPROC_RULE_PATH variables set to their C:\Snort locations and WHITE_LIST_PATH set to c:\snort\rules)




The include keyword allows other rule files to be included within the rule file indicated on the Snort command line. It works much like an #include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file.

40. Navigate to C:\Snort\rules and create two files named white_list.rules and black_list.rules; make sure the two files' extensions are .rules.
41. Scroll down to the Step #4: Configure dynamic loaded libraries section (Line 242). Configure dynamic loaded libraries in this section.
42. At path to dynamic preprocessor libraries (Line 247), replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location.
43. In this lab, dynamic preprocessor libraries are located at C:\Snort\lib\snort_dynamicpreprocessor.
Figure 1.11: Configuring snort.conf File in Notepad++ (screenshot of the Step #4 section of snort.conf with Line 247 reading: dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor, while the dynamicengine and dynamicdetection lines still point at /usr/local/lib/...)

Preprocessors are loaded and configured using the 'preprocessor' keyword. The format of the preprocessor directive in the Snort rules file is: preprocessor <name>: <options>.

44. At path to base preprocessor (or dynamic) engine (Line 250), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll.

Preprocessors allow the functionality of Snort to be extended by allowing users and programmers to drop modular plug-ins into Snort fairly easily.

Figure 1.12: Configuring snort.conf File in Notepad++





45. Comment (#) the dynamic rules libraries line (Line 253), as you already configured the libraries in dynamic preprocessor libraries.
Figure 1.13: Configuring snort.conf File in Notepad++ (screenshot of Lines 249-253 with dynamicengine set to C:\Snort\lib\snort_dynamicengine\sf_engine.dll and the dynamicdetection directory line commented out)

Note: Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism.

46. Scroll down to the Step #5: Configure Preprocessors section (Line 256). The preprocessors listed there do nothing in IDS mode but generate errors at runtime.

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three.

47. Comment all the preprocessors listed in this section by adding # before each preprocessor.

Figure 1.14: Configuring snort.conf File in Notepad++ (screenshot of the Step #5 section with the normalize_ip4, normalize_tcp, normalize_icmp4, normalize_ip6, and normalize_icmp6 preprocessor lines, followed by the frag3 and stream5 preprocessor settings)

Many configuration and command line options of Snort can be specified in the configuration file. Format: config <directive> [: <value>]

48. Scroll down to Step #6: Configure output plugins (Line 514). In this step, provide the location of the classification.config and reference.config files.
49. These two files are in C:\Snort\etc. Provide this location of the files in configure output plugins (in Lines 540 and 541).


C E H L ab M an u al Page 858

E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Module 17 - Evading IDS, Firewalls and Honeypots

[Figure: snort.conf open in Notepad++ at Step #6 (Configure output plugins); the two metadata reference data include lines at the end of the section now read include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config]

Note: The frag3 preprocessor is a target-based IP defragmentation module for Snort.

Figure 1.15: Configuring Snort.conf File in Notepad++

50. In Step #6, add the line output alert_fast: alerts.ids for Snort to dump all
logs in the alerts.ids file.


[Figure: snort.conf open in Notepad++ at Step #6; the line output alert_fast: alerts.ids has been added just above the metadata reference data include lines]

Note: 'ipvar's are enabled only with IPv6 support. Without IPv6 support, use a regular 'var'.

Figure 1.16: Configuring Snort.conf File in Notepad++
51. By default, the C:\Snort\log folder is empty, without any files in it. Go to the
C:\Snort\log folder, and create a new text file with the name alerts.ids.
52. Ensure that the extension of that file is .ids.

Note: Frag3 is intended as a replacement for the frag2 defragmentation module and was designed with the following goals:
1. Faster execution than frag2 with less complex data management.
2. Target-based host modeling anti-evasion techniques.

[Figure: Explorer window showing the C:\Snort\log folder containing the single file alerts.ids]

Figure 1.17: Configuring Snort.conf File in Notepad++

53. In the snort.conf file, find and replace the ipvar string with var. By default
the string is ipvar, which is not recognized by this build of Snort (ipvar is only
enabled with IPv6 support), so replace it with the var string.
Note: Snort now supports multiple configurations based on VLAN ID or IP
subnet within a single instance of Snort. This allows administrators to specify
multiple Snort configuration files and bind each configuration to one or more
VLANs or subnets rather than running one Snort for each configuration
required.
[Figure: Notepad++ Find/Replace dialog with ipvar in the Find what field, var in the Replace with field, Match case unchecked and Wrap around checked, ready for Replace All]

Note: Three types of variables may be defined in Snort: var, portvar and ipvar.

Figure 1.18: Configuring Snort.conf File in Notepad++

54. Save the snort.conf file.
55. Before running Snort you need to enable detection rules in the Snort rules
files; for this lab we have enabled an ICMP rule so that Snort can detect any
host discovery ping probes to the system running Snort.
56. Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad++.

57. Uncomment Line number 47 (the rule with msg:"ICMP-INFO PING"), then save and close the file.
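The edits in steps 47 through 57 can be applied without hand-editing in Notepad++. The following Python script is an added example, not part of the lab manual or of Snort: it applies the same changes to a snort.conf and an icmp-info.rules file. It comments out every preprocessor stanza in Step #5 (including backslash-continued lines, which a line-by-line edit easily misses), rewrites ipvar to var, points the two metadata include lines at C:\Snort\etc, adds the alert_fast output line, and uncomments the ICMP-INFO PING rule by its msg text rather than by line number. The snort.conf and rules text it runs on here are constructed miniatures of the real files, and the sid values in the sample rules are illustrative.

```python
import re

# Constructed miniature of the sections of snort.conf that the lab edits
# (sample input only, not the real file that ships with Snort 2.9).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]

###################################################
# Step #5: Configure preprocessors
###################################################
preprocessor normalize_ip4
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_tcp 262144

###################################################
# Step #6: Configure output plugins
###################################################
# output unified2: filename merged.log, limit 128

# metadata reference data.  do not modify these lines
include classification.config
include reference.config

###################################################
# Step #7: Customize your rule set
###################################################
include $RULE_PATH/icmp-info.rules
"""

# Constructed sample of icmp-info.rules; the sids are illustrative only.
SAMPLE_RULES = """\
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Windows"; itype:8; content:"abcdefghijklmnop"; sid:1000001; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:1000002; rev:1;)
"""

SNORT_ETC = r"C:\Snort\etc"  # install location assumed by the lab


def apply_lab_edits(conf: str, etc_dir: str = SNORT_ETC,
                    alert_file: str = "alerts.ids") -> str:
    """Return conf with the lab's Step #5/#6 edits applied (steps 47-53)."""
    out = []
    in_step5 = False
    continued = False  # inside a backslash-continued preprocessor stanza
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("# Step #"):
            in_step5 = stripped.startswith("# Step #5")
        # Step 47: comment every preprocessor line, including continuation lines,
        # otherwise Snort would choke on a dangling "track_udp yes, \" fragment.
        if in_step5 and (continued or stripped.startswith("preprocessor")):
            out.append("# " + line)
            continued = stripped.endswith("\\")
            continue
        continued = False
        # Step 53: ipvar -> var, anchored so that only the keyword changes.
        line = re.sub(r"^ipvar\b", "var", line)
        # Steps 48-50: absolute include paths and the alert_fast output line.
        if stripped == "include classification.config":
            out.append(f"output alert_fast: {alert_file}")
            line = f"include {etc_dir}\\classification.config"
        elif stripped == "include reference.config":
            line = f"include {etc_dir}\\reference.config"
        out.append(line)
    return "\n".join(out) + "\n"


def enable_rule(rules: str, msg: str) -> str:
    """Uncomment the rule whose msg option is exactly `msg` (step 57 by name,
    not by line number, so it survives a rules update that shifts lines)."""
    pattern = re.compile(r'^#\s*(alert\b.*\bmsg:"' + re.escape(msg) + r'";.*)$', re.M)
    return pattern.sub(r"\1", rules)


if __name__ == "__main__":
    print(apply_lab_edits(SAMPLE_CONF))
    print(enable_rule(SAMPLE_RULES, "ICMP-INFO PING"))
```

Run it against a copy of the real files first and diff the result against the original; the Step #7 rule includes and everything outside Step #5 must come back untouched.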


[Figure: icmp-info.rules open in Notepad++ with the cursor on line 47; the rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; icode:0; itype:8; classtype:misc-activity; ...) has been uncommented while the surrounding ICMP-INFO rules (PING Windows, PING Oracle Solaris, traceroute, Address Mask Request/Reply, Datagram Conversion Error and others) remain commented out]

Figure 1.19: Configuring Snort.conf File in Notepad++

58. Now navigate to C:\Snort and right-click the folder bin, then select CmdHere from
the context menu to open it in the command prompt.

Task: Validate Configurations

59. Type snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K
ascii and press Enter to start Snort (replace X with your device index
number; in this lab X is 1).
60. If you enter all the command information correctly, you receive a graceful
exit as shown in the following figure.

Note: To run Snort as a daemon, add the -D switch to any combination. Notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, specify the full path to the Snort binary when you start it, for example:
/usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D

61. If you receive a fatal error, you should first verify that you have typed all
modifications correctly into the snort.conf file and then search through the
file for entries matching your fatal error message.
62. If you receive an error stating "Could not create the registry key," then
run the command prompt as an Administrator.
[Figure: Administrator command prompt showing the command C:\Snort\bin>snort -i4 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii]

Figure 2.18: Snort Successfully Validated Configuration Window

Task: Start Snort

63. Start Snort in IDS mode: in the command prompt type snort -c
C:\Snort\etc\snort.conf -l C:\Snort\log -i 2 and then press Enter.


Figure 2.19: Start Snort in IDS Mode Command

64. Snort starts running in IDS mode. It first initializes output plug-ins,
preprocessors and plug-ins, loads the dynamic preprocessor libraries and the rule chains of
Snort, and then logs all signatures.

Note: C:\Snort\etc\snort.conf is the location of the configuration file.

65. After initializing the interface and logging the signatures, Snort starts and waits for
an attack and triggers an alert when attacks occur on the machine.
Note: Option -l logs the output to the C:\Snort\log folder. Option -i 2 specifies the interface.

Note: When Snort is run as a daemon, the daemon creates a PID file in the log directory.

[Figure: Snort console output after start: Version 2.9.3.1-WIN32 GRE (Build 40), By Martin Roesch & The Snort Team, Copyright (C) 1998-2012 Sourcefire, Inc., et al.; Using PCRE version 8.10 2010-06-25; Using ZLIB version 1.2.3; Rules Engine SF_SNORT_DETECTION_ENGINE Version 1.16 (Build 18); preprocessor objects SF_SSLPP, SF_SSH, SF_SMTP, SF_SIP, SF_SDF, SF_REPUTATION, SF_POP, SF_MODBUS, SF_IMAP, SF_GTP, SF_FTPTELNET, SF_DNS, SF_DNP3 and SF_DCERPC2 loaded; the last line reads "Commencing packet processing"]

Figure 1.20: Initializing Snort Rule Chains Window

66. After initializing the interface and logging the signatures, Snort starts and waits
for an attack and triggers an alert when attacks occur on the machine.
67. Leave the Snort command prompt running.
68. Attack your own machine and check whether Snort detects it or not.

TASK 6: Attack Host Machine

69. Launch your Windows 8 Virtual Machine (Attacker Machine).
70. Open the command prompt and type ping XXX.XXX.XXX.XXX -t from the
Attacker Machine (XXX.XXX.XXX.XXX is your Windows Server 2012 IP
address).

71. Go to Windows Server 2012, open the Snort command prompt, and press
Ctrl+C to stop Snort. Snort exits.
72. Now go to the C:\Snort\log\10.0.0.12 folder and open the ICMP_ECHO.ids
text file.

Note: To view the Snort log file, always stop Snort first and then open the
Snort log file.


[Figure: ICMP_ECHO.ids opened in Notepad, listing the following alerts]

[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:198 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:199 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:200 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:201 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:202 ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:203 ECHO

Figure 1.21: Snort alerts.ids Window Listing Snort Alerts

73. You see that all the log entries are saved in the ICMP_ECHO.ids file. This
means that your Snort is working correctly to trigger an alert when attacks
occur on your machine.
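Reading ICMP_ECHO.ids by eye is fine for six alerts; for a real run it is the kind of file you script over. The following Python module is an added example, not part of the lab manual or of Snort: it parses the full-format alert records Snort wrote above (the [**] msg [**] header, the timestamp src -> dst line, the IP header line and the ICMP header line) and then groups echo requests by source and destination to flag a sustained ping such as the attacker's ping -t, as opposed to a single probe. The records embedded below are constructed to match Figure 1.21; because this log format carries no year, the parser takes the year as a parameter (2012 assumed here), and the thresholds min_count and max_gap are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort's full alert format (values mirror Figure 1.21).
SAMPLE_LOG = """\
[**] ICMP-INFO PING [**]
11/14-12:24:17.131365 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31479 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:198  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:18.146991 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31480 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:199  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:19.162664 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31481 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:200  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:20.178236 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31482 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:201  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:21.193933 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31483 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:202  ECHO

[**] ICMP-INFO PING [**]
11/14-12:24:22.209548 10.0.0.12 -> 10.0.0.10
ICMP TTL:128 TOS:0x0 ID:31484 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:203  ECHO
"""

# One alert record: header line, timestamp line, IP line, optional ICMP line.
RECORD_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s*\n"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)"
    r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)\s*\n"
    r"(?:Type:(?P<itype>\d+)\s+Code:(?P<icode>\d+)\s+ID:(?P<echoid>\d+)\s+Seq:(?P<seq>\d+))?"
)


def parse_alerts(text: str, year: int = 2012) -> list:
    """Parse full-format Snort alerts into dicts; `year` is assumed because the
    timestamp only carries MM/DD-HH:MM:SS.usec."""
    alerts = []
    for m in RECORD_RE.finditer(text):
        d = m.groupdict()
        alerts.append({
            "msg": d["msg"],
            "time": datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
            "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "ttl": int(d["ttl"]), "ipid": int(d["ipid"]), "dgmlen": int(d["dgmlen"]),
            "itype": int(d["itype"]) if d["itype"] is not None else None,
            "seq": int(d["seq"]) if d["seq"] is not None else None,
        })
    return alerts


def echo_request_streams(alerts: list, min_count: int = 5, max_gap: float = 2.0) -> list:
    """Group ICMP echo requests (type 8) per (src, dst) and mark a stream as
    sustained when at least min_count requests arrive no more than max_gap
    seconds apart, the signature of `ping -t` rather than a single probe."""
    streams = defaultdict(list)
    for a in alerts:
        if a["proto"] == "ICMP" and a["itype"] == 8:
            streams[(a["src"], a["dst"])].append(a)
    findings = []
    for (src, dst), pkts in streams.items():
        pkts.sort(key=lambda a: a["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        seqs = [p["seq"] for p in pkts]
        findings.append({
            "src": src, "dst": dst, "count": len(pkts),
            "span_s": round((pkts[-1]["time"] - pkts[0]["time"]).total_seconds(), 3),
            "max_gap_s": round(max(gaps), 3) if gaps else 0.0,
            # Monotonic ICMP sequence numbers point at one long-running ping process.
            "seq_contiguous": all(b == a + 1 for a, b in zip(seqs, seqs[1:])),
            "sustained": len(pkts) >= min_count and all(g <= max_gap for g in gaps),
        })
    return findings


if __name__ == "__main__":
    for f in echo_request_streams(parse_alerts(SAMPLE_LOG)):
        print(f)
```

On the lab's six records the single stream 10.0.0.12 -> 10.0.0.10 comes out with contiguous sequence numbers 198 to 203 and roughly one-second gaps, which is exactly what a ping -t leaves behind; a one-off echo request would fall under min_count and not be flagged.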

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on
your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snort
Information Collected/Objectives Achieved: Output: victim machine logs are captured

Questions
1. Determine and analyze the process to identify and monitor network ports
after intrusion detection.
2. Evaluate how you process Snort logs to generate reports.

Internet Connection Required
☐ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs


Lab

Logging Snort Alerts to Kiwi Syslog Server
Snort is an open source network intrusion prevention and detection system
(IDS/IPS).

ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario
Increased connectivity and the use of the Internet have exposed organizations to
subversion, thereby necessitating the use of intrusion detection systems to protect
information systems and communication networks from malicious attacks and
unauthorized access. An intrusion detection system (IDS) is a security system that
monitors computer systems and network traffic, analyzes that traffic to identify
possible security breaches, and raises alerts. An IDS triggers thousands of alerts per
day, making it difficult for human users to analyze them and take appropriate
actions. It is important to reduce the redundancy of alerts, intelligently integrate and
correlate them, and present a high-level view of the detected security issues to the
administrator. An IDS is used to inspect data for malicious or anomalous activities
and detect attacks or unauthorized use of systems, networks, and related resources.
In order to become an expert penetration tester and security administrator, you
must possess sound knowledge of network intrusion prevention systems (IPSes) and
IDSes, identify malicious network activity, log information about it, and stop or block
malicious network activity.

Note: Tools demonstrated in this lab are located at D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots

Lab Objectives
The objective of this lab is to help students learn and understand IPSes and IDSes.

In this lab, you need to:

■ Install Snort and configure the snort.conf file
■ Validate configuration settings
■ Perform an attack on the Host Machine
■ Perform an intrusion detection
■ Attempt to stop detected possible incidents


Lab Environment
To carry out this lab, you need:

■ A computer running Windows Server 2012 as a host machine
■ Windows 8 running on a virtual machine as an attacker machine
■ WinPcap drivers installed on the host machine
■ Kiwi Syslog Server installed on the host machine
■ Administrative privileges to configure settings and run tools

Note: You can also download Kiwi Syslog Server from

Lab Duration
Time: 10 Minutes

Overview of IPSes and IDSes
An intrusion detection system (IDS) is a device or software application that
monitors network and/or system activities for malicious activities or policy
violations and produces reports to a management station.
Intrusion detection and prevention systems (IDPS) are primarily focused on
identifying possible incidents, logging information about them, attempting to stop
them, and reporting them to security administrators.
TASK 1: Log Snort Alerts to Syslog Server

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and
Honeypots\Intrusion Detection Tools\Kiwi Syslog Server, double-click
Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server
on the Windows Server 2012 host machine.
2. The License Agreement window appears. Click I Agree.

Figure 2.1: Kiwi Syslog Server installation


3. In the Choose Operating Mode wizard, check the Install Kiwi Syslog
Server as an Application check box and click Next >.

[Figure: Kiwi Syslog Server 9.3.4 Installer, Choose Operating Mode. The program can be run as a Service or Application. "Install Kiwi Syslog Server as a Service" installs it as a Windows service, allowing the program to run without the need for a user to log in to Windows, and also installs the Kiwi Syslog Server Manager, which is used to control the service. "Install Kiwi Syslog Server as an Application" (selected) installs it as a typical Windows application, requiring a user to log in to Windows before running the application.]

Figure 2.2: Kiwi Syslog Server installation

4. In the Install Kiwi Syslog Web Access wizard, uncheck the option
selected and click Next >.

[Figure: Kiwi Syslog Server 9.3.4 Installer, Install Kiwi Syslog Web Access (remote viewing, filtering and highlighting of Syslog events); the options "Install Kiwi Syslog Web Access" and "Create a new Web Access logging rule in Kiwi Syslog Server" are unchecked. Kiwi Syslog Web Access can be enabled in the licensed or evaluation versions of Kiwi Syslog Server.]

Figure 2.3: Kiwi Syslog Server
5. Leave the settings at their defaults in the Choose Components wizard and
click Next >.

[Figure: Kiwi Syslog Server 9.3.4 Installer, Choose Components; type of install: Normal; optional components listed are Program files (required), Shortcuts apply to all users, Add Start menu shortcut, Add Desktop shortcut, Add QuickLaunch shortcut and Add Start-up shortcut; Space required: 89.5MB]

Figure 2.4: Adding components

6. In the Choose Install Location wizard, leave the settings at their defaults
and click Install to continue.

[Figure: Kiwi Syslog Server 9.3.4 Installer, Choose Install Location; Setup will install Kiwi Syslog Server 9.3.4 in the default Destination Folder; Space required: 89.5MB, Space available: 50.1GB]

Figure 2.5: Give destination folder
7. Click Finish to complete the installation.

Note: You should see a test message appear, which indicates Kiwi is working.

[Figure: Kiwi Syslog Server 9.3.4 Installer, Completing the Kiwi Syslog Server 9.3.4 Setup Wizard; "Run Kiwi Syslog Server 9.3.4" is checked; Finish button]

Figure 2.6: Kiwi Syslog Server finish window

8. Click OK in the Kiwi Syslog Server - Default Settings Applied dialog box.

[Figure: Kiwi Syslog Server - Default settings applied dialog: "Thank you for choosing Kiwi Syslog Server. This is the first time the program has been run on this machine. The following default 'Action' settings have been applied... * Display all messages * Log all messages to file: SyslogCatchAll.txt. These settings can be changed from the File | Setup menu. Happy Syslogging..."]

Figure 2.7: Default settings applied window
9. To launch the Kiwi Syslog Server Console, move your mouse cursor to the
lower-left corner of your desktop and click Start.

Note: Kiwi Syslog Server is a free syslog server for Windows. It receives, logs,
displays and forwards syslog messages from hosts such as routers, switches,
UNIX hosts and other syslog-enabled devices.

Figure 2.8: Start menu in Windows Server 2012

10. In the Start menu apps, click Kiwi Syslog Server Console to launch the app.


[Figure: Windows Server 2012 Start screen showing the Kiwi Syslog Server Console tile among the installed apps]

Figure 2.9: Click Kiwi Syslog Server application
11. Configure Syslog alerts in the snort.conf file.
12. To configure Syslog alerts, first exit from the Snort command prompt
(press Ctrl+C).
13. Go to C:\Snort\etc and open the snort.conf file with Notepad++.
14. Scroll down to Step #6: Configure output plugins. In the syslog section
(Line 527), remove # and modify the line to output alert_syslog:
host=127.0.0.1:514, LOG_AUTH LOG_ALERT.
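Two things are easy to get wrong once Snort is wired to Kiwi: what the PRI value at the front of each datagram means (LOG_AUTH LOG_ALERT encodes to <33>, which Kiwi displays as facility Auth and level Alert), and how to get the rule ID, classification and endpoints back out of the one-line alert. The following Python module is an added example, not part of the lab manual, of Snort or of Kiwi Syslog Server. It builds a line in the shape Snort's alert_syslog output plugin sends ([gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst, behind an RFC 3164 <PRI> header, which is an assumption about the plugin's format), decodes the PRI back into facility and severity, parses the line into fields, and can forward it over UDP to 127.0.0.1:514 as configured in step 14. The sample messages, their sid values and the send_to_kiwi helper name are constructed for the example.

```python
import re
import socket

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def syslog_pri(facility: str, severity: str) -> int:
    """LOG_AUTH LOG_ALERT from the lab's snort.conf line -> 4*8 + 1 = 33."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple:
    """Inverse of syslog_pri: what Kiwi shows in its Facility and Level columns."""
    by_code = {code: name for name, code in FACILITIES.items()}
    return by_code[pri // 8], SEVERITIES[pri % 8]


def build_snort_syslog(gid, sid, rev, msg, proto, src, dst, classification=None,
                       priority=3, facility="auth", severity="alert", ident="snort") -> str:
    """Compose a line in the shape Snort's alert_syslog output plugin emits."""
    body = f"[{gid}:{sid}:{rev}] {msg} "
    if classification:
        body += f"[Classification: {classification}] "
    body += f"[Priority: {priority}] {{{proto}}} {src} -> {dst}"
    return f"<{syslog_pri(facility, severity)}>{ident}: {body}"


ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ident>[^:\s]+):\s*"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.+?)\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*\{(?P<proto>[^}]+)\}\s*"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_snort_syslog(line: str) -> dict:
    """Split one Snort syslog alert into fields; raises ValueError if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort alert_syslog line: {line!r}")
    d = m.groupdict()
    facility, severity = decode_pri(int(d["pri"]))
    return {
        "facility": facility, "severity": severity, "ident": d["ident"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def send_to_kiwi(line: str, host: str = "127.0.0.1", port: int = 514) -> int:
    """Forward one line over UDP the way Snort does (Kiwi listens on UDP/514 by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


# Constructed sample messages (sids are illustrative, not Snort's real rule IDs).
SAMPLE_ICMP = build_snort_syslog(1, 1000002, 1, "ICMP-INFO PING", "ICMP",
                                 "10.0.0.12", "10.0.0.10", "Misc activity")
SAMPLE_TCP = "<33>snort: [1:1000003:1] Constructed TCP test [Priority: 3] {TCP} 10.0.0.12:49152 -> 10.0.0.10:80"

if __name__ == "__main__":
    print(SAMPLE_ICMP)
    print(parse_snort_syslog(SAMPLE_ICMP))
    print(parse_snort_syslog(SAMPLE_TCP))
```

With Kiwi running, calling send_to_kiwi(SAMPLE_ICMP) from the host makes the line appear in the console with the same Auth/Alert facility and level that the real Snort alerts will carry, which is a quick way to confirm the listener and any display filters before generating traffic from the attacker machine.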


Snort.conf before modification (Syslog)

[Figure: snort.conf open in Notepad++ at Step #6 (Configure output plugins); the syslog line still reads # output alert_syslog: LOG_AUTH LOG_ALERT, followed by the commented output log_tcpdump and output database lines]

Note: The reason why you have to run the snortstart.bat batch file as an administrator is that, in your current configuration, you need to maintain rights to not only output your alerts to Kiwi, but to write them to a log file.

Figure 2.10: Snort config before modification

Snort.conf after modification (Syslog)
