- Session 16
- ===========
- Introduction to IDS | IPS | Honeypots
- Network Security With Snort
- Log Analysis
- Honeypots and Attack Analysis
- UTM - https://utm.trysophos.com/
- IDS --> Intrusion Detection System
- =================================
- A service that detects intrusions and other malicious activity by an attacker in the network and raises an alert when it does. An IDS only watches and reports; it does not stop the traffic.
- e.g. NIDS (Network IDS), HIDS (Host IDS), WIDS (Wireless IDS), etc.
- IPS --> Intrusion Prevention System
- ==================================
- Once an intrusion is detected comes the prevention phase. An IPS sits inline in the traffic path, so when a packet matches a rule it can drop the packet, reset the connection or block the source instead of only alerting. The price is that a false positive now blocks legitimate traffic, so IPS rules need more care and testing than IDS rules.
- IDS and IPS are often called the anti-virus of the network --> they work at the network level, inspecting the packets transmitted in the network rather than the files on a host.
- They match on the header fields and the content of those packets:
- Source IP Address
- Destination IP Address
- Source Port
- Destination Port
- Protocol / Service
- Payload data
- Signature (a known byte pattern of an attack)
- SNORT --> The most widely deployed open-source IDS/IPS, used by many corporates and the basis of several commercial products.
- It is rule based: each rule describes what to look for in the packets and their data, and what to do when a packet matches.
- For Installing SNORT
- ====================
- #apt-get install snort
- For Checking the SNORT Version
- ==============================
- #snort -V
- For Starting SNORT
- ==================
- #snort -c /etc/snort/snort.conf -i eth0 -A console
- (-c points at the configuration file, -i at the interface to monitor (eth0 here, change it to yours) and -A console prints the alerts to the terminal. Run with no arguments snort only prints its usage; #snort -v runs it as a plain packet sniffer without loading any rules.)
- Rule Files
- ==========
- /etc/snort/rules --> the directory where all of snort's rule files are located. Two rules from the stock rule set, as examples:
- alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
- alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
- Format For Creating Snort Rules
- ===============================
- Basic Rule Syntax
- -----------------
- Action Protocol SourceIPAddress SourcePortNumber DirectionOfFlow DestinationIPAddress DestinationPortNumber (Body;)
- alert tcp any any -> any any (msg:"Sample Alert"; sid:1000000; rev:1;)
- Direction operators:
- ->  traffic from the source side to the destination side only
- <>  traffic in either direction
- There is no "<-" operator in Snort; to match the other way round, swap the two sides and use "->".
- The Rule Header
- ---------------
- Action (alert, log, pass; in inline/IPS mode also drop, reject and sdrop)
- Protocol (tcp, udp, icmp, ip --> there is no "any" protocol; ip matches all of them)
- Source IP Address --> from where the data originates
- Source Port Number --> port number on the source device
- Direction Operator --> ("->" - unidirectional, "<>" - bidirectional)
- Destination IP Address --> the IP Address the data is going to
- Destination Port Number --> the port the session is being created to
- Source and Destination IP Address can be variables
- ==================================================
- 1. $EXTERNAL_NET --> Any IP Address which is external, outside the organisation.
- 2. $HOME_NET --> Any IP Address from the internal organisation or the intranet.
- Both are defined in /etc/snort/snort.conf with ipvar. The stock snort.conf sets both to any; set HOME_NET to your own address range (and EXTERNAL_NET to !$HOME_NET) so the two variables actually distinguish inside from outside.
- Source IP Address
- =================
- 1. If I want to make it specific --> instead of any, I give an IP Address
- alert ip 192.168.0.10 any -> $HOME_NET any (msg:"Arvind Sharma and Prabhankar Tripathi the BLACKHATS Is Again Attacking"; sid:1000001; rev:1;)
- 2. If I want the source IP Address for the Intranet
- alert ip $HOME_NET any -> any any (msg:"Traffic from the intranet"; sid:1000002; rev:1;)
- 3. If I want the source IP Address for the Internet
- alert ip $EXTERNAL_NET any -> any any (msg:"Traffic from the internet"; sid:1000003; rev:1;)
- (The protocol field must be tcp, udp, icmp or ip; "any" is not accepted there. Every rule also needs a unique sid; local rules use sid 1000000 and above so they never collide with the stock rule set.)
- The same thing goes for the Destination IP Address.
- alert tcp any any <> any any (msg:"Someone is accessing facebook."; content:"www.facebook.com"; nocase; sid:1000004; rev:1;)
- A content match like this only sees the hostname while the traffic is in cleartext (HTTP Host header, DNS). Over HTTPS the name appears only in the TLS ClientHello (SNI), and not at all if the client uses encrypted SNI.
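- The header and option constraints above are easy to get wrong by hand ("any" as a protocol, a "<-" operator, a rule without a sid), and snort only tells you at start-up. The script below is an added example, not part of these notes or of Snort itself: a small Python parser that checks a rule against those constraints before it is saved to the rules directory. It handles the two stock rules quoted earlier and the local-rule examples above; the accepted value syntax (negation, CIDR, port ranges, bracket lists) follows the Snort 2 manual.

```python
"""Sanity-check Snort 2 rule text before saving it under /etc/snort/rules.
Added example, not Snort's own parser: enforces the header layout
(action proto src src_port direction dst dst_port (options;)) and required options."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # drop/reject/sdrop need inline (IPS) mode
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}                        # no 'any' protocol exists; use ip
DIRECTIONS = {"->", "<>"}                                       # '<-' is not a Snort operator
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>|<-)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
PORT_RE = re.compile(r"^!?(\d+)?(:(\d+)?)?$")

class RuleError(ValueError):
    """The reason Snort would refuse the rule."""

def check_ip(tok):
    """Accept any, $VARIABLES, !negation, CIDR and [a,b] lists."""
    t = tok.lstrip("!")
    if t == "any" or t.startswith("$"):
        return
    if t.startswith("[") and t.endswith("]"):
        for part in t[1:-1].split(","):
            check_ip(part.strip())
        return
    try:
        ipaddress.ip_network(t, strict=False)
    except ValueError:
        raise RuleError(f"bad IP address or CIDR {tok!r}") from None

def check_port(tok):
    """Accept any, $VARIABLES, a number, a range like 1:1024, !negation and lists."""
    if tok == "any" or tok.startswith("$"):
        return
    if tok.startswith("[") and tok.endswith("]"):
        for part in tok[1:-1].split(","):
            check_port(part.strip())
        return
    m = PORT_RE.match(tok)
    if not m or tok.lstrip("!") in ("", ":"):
        raise RuleError(f"bad port {tok!r}")
    for num in (m.group(1), m.group(3)):
        if num is not None and int(num) > 65535:
            raise RuleError(f"port out of range in {tok!r}")

def split_options(body):
    """Split the option body on ';' characters outside quotes (pcre/content may contain ';')."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == "\\":          # keep backslash escapes verbatim inside values
            buf.append(ch)
            escaped = not escaped
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(buf).strip():
                items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        items.append("".join(buf).strip())  # Snort wants a trailing ';'; be lenient here
    return items

def parse_options(body):
    """Return {keyword: [values]}; value-less keywords such as nocase map to ['']."""
    opts = {}
    for item in split_options(body):
        key, _, val = item.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts.setdefault(key.strip(), []).append(val)
    return opts

def parse_rule(text):
    """Parse one rule into a dict, or raise RuleError with the reason it is invalid."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise RuleError("header must be: action proto src_ip src_port direction dst_ip dst_port (options;)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise RuleError(f"unknown action {action!r}; use one of {sorted(ACTIONS)}")
    if proto not in PROTOCOLS:
        raise RuleError(f"unknown protocol {proto!r}; Snort has no 'any' protocol, use 'ip'")
    if direction not in DIRECTIONS:
        raise RuleError(f"{direction!r} is not a direction operator; swap the sides and use '->'")
    for fn, value in ((check_ip, src), (check_ip, dst), (check_port, sport), (check_port, dport)):
        fn(value)
    opts = parse_options(body)
    if "sid" not in opts:
        raise RuleError("every rule needs a unique sid (local rules use sid >= 1000000)")
    if not opts.get("msg", [""])[0]:
        raise RuleError('msg must carry text, e.g. msg:"Sample Alert";')
    return {"action": action, "proto": proto, "src": src, "src_port": sport,
            "direction": direction, "dst": dst, "dst_port": dport, "options": opts}

def check_rule(text):
    """Return None if the rule is acceptable, otherwise the reason as a string."""
    try:
        parse_rule(text)
        return None
    except RuleError as exc:
        return str(exc)

if __name__ == "__main__":   # the two header mistakes made in the notes above
    for rule in ('alert any 192.168.0.10 any -> $HOME_NET any (msg:"Sample Alert";)',
                 'alert tcp any any <- any 80 (msg:"Sample Alert"; sid:1000001;)'):
        print(check_rule(rule) or "OK")
```

- Run check_rule over every line of a new rules file before the include is added to snort.conf; anything it returns is a reason snort -T would have rejected the file. It is a pre-flight check, not a replacement for snort's own parser, which also validates option arguments this script only tokenises.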
- We create these rules and save them in /etc/snort/rules.
- vallari.rules ---> rule file
- Saving the file is not enough: snort only loads the rule files its configuration names.
- To implement the rules we edit snort's configuration file.
- /etc/snort/
- /etc/snort/snort.conf --> add the line include $RULE_PATH/vallari.rules next to the other include lines (RULE_PATH is the variable snort.conf sets to /etc/snort/rules), then run snort -T -c /etc/snort/snort.conf to test the configuration; a syntax error in a rule is reported there instead of when the sensor starts.
- Types Of Rule Options
- =====================
- There are 5 types of rule options
- 1. Metadata (general) --> describe the rule and do not affect matching: msg, sid, rev, reference, classtype, priority
- 2. Payload --> look inside the packet data: content, nocase, depth, offset, isdataat, pcre
- 3. Non-Payload --> look at the headers and connection state: flow, flags, ttl, dsize, itype, icode
- 4. Post-Detection --> what to do after a match: logto, session, tag, react
- 5. Thresholding and suppression --> limit how often an alert fires (event_filter) or silence it for given hosts (suppress); both are configured in snort.conf, the old in-rule threshold keyword is deprecated
- Honeypots
- =========
- A honeypot is a system designed to look vulnerable to attackers. Its goal is to log all of the attacker's activity so that we can study their behaviour, record their IP Addresses, track their locations and collect data about 0-day exploits. A honeypot is nothing but a server that offers services to attackers, from ssh to telnet, exposing the well-known exploitable ports; since it has no legitimate users, every connection to it is suspicious by definition. Keep it isolated from production systems (its own network segment, outbound traffic restricted) so that a compromised honeypot cannot be used as a pivot.
- Pentbox --> honeypot for Linux/Unix based OS (a Ruby script).
- Download the .tar.gz file from sourceforge.net
- Open the terminal
- #cd Downloads
- #tar vzxf Filename.tar.gz
- #cd pentbox-1.0
- #./pentbox.rb
- Yesman Scanner - https://samsclass.info/124/proj11/p17N-123-yesman.html
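- To see what a honeypot actually records, here is an added example (not Pentbox and not from these notes): a minimal low-interaction TCP honeypot in Python that presents a fake service banner, captures the first bytes each client sends, and keeps a per-connection log that can be summarised by source IP. The banner strings and the port in the demo are made up; a real deployment copies the exact banner of the software it imitates and listens on the real service port.

```python
"""Tiny low-interaction TCP honeypot: pretend to be a service, record who connects and what they send.
Added example, not Pentbox code. Banners and the event format are constructed for this demo."""
import socket
import socketserver
import threading
import time

# Constructed banners; copy the real one of the software you imitate in a deployment.
BANNERS = {
    21: b"220 FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    23: b"login: ",
}

class ConnectionLogger(socketserver.BaseRequestHandler):
    """Send the fake banner, capture the client's first bytes, append one event to the log."""

    def handle(self):
        hp = self.server
        self.request.settimeout(hp.read_timeout)
        src_ip, src_port = self.client_address[:2]
        event = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "src_ip": src_ip, "src_port": src_port,
            "dst_port": hp.server_address[1],
            "payload": "", "error": None,
        }
        try:
            self.request.sendall(hp.banner)
            data = self.request.recv(hp.max_bytes)      # first thing the client sends: creds, probe, version...
            event["payload"] = data.decode("utf-8", "replace")
        except (socket.timeout, OSError) as exc:
            event["error"] = type(exc).__name__           # scanners often connect and leave without sending
        hp.events.append(event)

class Honeypot(socketserver.TCPServer):
    """One listener per emulated port; `events` is the in-memory attack log."""
    allow_reuse_address = True

    def __init__(self, bind, banner, read_timeout=5.0, max_bytes=1024):
        self.banner, self.read_timeout, self.max_bytes = banner, read_timeout, max_bytes
        self.events = []
        super().__init__(bind, ConnectionLogger)

def start_honeypot(host="127.0.0.1", port=0, banner=BANNERS[22]):
    """Start listening in a background thread; port 0 lets the OS pick a free port."""
    hp = Honeypot((host, port), banner)
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp

def stop_honeypot(hp):
    """Stop accepting and wait for the in-flight handler, so every event is recorded."""
    hp.shutdown()
    hp.server_close()
    return hp.events

def probe(host, port, payload, timeout=5.0):
    """Play the attacker: connect, read the banner, send one line. Returns the banner seen."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner

def summarize(events):
    """Attack-analysis view: connections per source IP and the payloads it tried."""
    by_ip = {}
    for ev in events:
        entry = by_ip.setdefault(ev["src_ip"], {"connections": 0, "payloads": []})
        entry["connections"] += 1
        if ev["payload"]:
            entry["payloads"].append(ev["payload"].strip())
    return by_ip

if __name__ == "__main__":
    hp = start_honeypot(port=2222)                             # unprivileged stand-in for port 22
    print("listening on", hp.server_address)
    probe("127.0.0.1", 2222, b"SSH-2.0-libssh_0.9.4\r\n")       # self-test connection
    for ev in stop_honeypot(hp):
        print(ev)
    print(summarize(hp.events))
```

- The handler never parses what it receives, it just records it; that is what keeps a low-interaction honeypot safe to expose. Everything the log contains (source address, timing, the first payload) is what Pentbox and similar tools show you, and summarize() is the first step of the attack analysis the section title refers to.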
- Log Analysis
- ============
- Syntax of the Log of a Server (Apache "combined" format)
- --------------------------------------------------------
- IP Address | Remote Log Name | Authenticated User | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent
- 192.168.195.162 - - [24/Apr/2018:17:47:27 +0530] "GET /dashboard/javascripts/modernizr.js HTTP/1.1" 200 51365 "http://192.168.195.162/dashboard/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
- 127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
- IP Address -> 127.0.0.1 --> IP Address of the visitor (the client, or the proxy in front of it)
- Remote Log Name --> identity of the client as reported by identd; almost always '-'
- Authenticated User --> '-' here; the username appears when the web server itself authenticated the request, i.e. with
- 1. Basic Authentication
- 2. Integrated Authentication
- 3. Form Based Authentication
- 4. Digest Authentication
- (With form based authentication the login happens inside the application, not in the web server, so this field usually stays '-'.)
- Time Stamp --> [19/Jun/2018:11:32:13 +0530]
- Access Request --> "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" --> The request made: method, URL-encoded path and query, protocol version. Decoding the query gives id=1' and 1=0 union select 1,2 #, a blind SQL injection probe in plain view.
- Response Code --> 5 classes of response codes
- 1xx --> Informational
- 2xx --> Success
- 3xx --> Redirection
- 4xx --> Client side error
- 5xx --> Server side error
- A 200 for an injected query (as above) tells the attacker the page accepted the input; a run of 4xx/5xx from one IP is the usual footprint of a scanner.
- Data Transfer (Bytes) --> 4851 bytes ('-' when nothing was sent back)
- Referrer URL --> "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" --> the user was on this page before going to the current page (the header is spelled Referer on the wire; it is client-supplied, so it can be faked or omitted)
- User Agent --> "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0" --> also client-supplied; scanners may identify themselves or copy a browser string
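- As an added example (not from these notes), the Python below parses lines in this combined format into their fields, decodes the query string, and flags the SQL-injection indicators visible in the second sample line (union select, a ' and 1=0 condition, order by probing, a trailing comment). The first two log lines are the ones quoted above; the third is constructed to exercise the '-' byte count and an authenticated user.

```python
"""Parse Apache/Nginx 'combined' access-log lines and flag SQL-injection probes.
Added example (not from the notes). Field order follows the combined LogFormat:
%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"."""
import re
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?\s*$'
)
STATUS_CLASS = {"1": "informational", "2": "success", "3": "redirection",
                "4": "client error", "5": "server error"}

# Injection indicators, applied to each decoded query-string value (not the raw URL).
INDICATORS = [
    ("union select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("boolean condition", re.compile(r"['\"]\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order by probing", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("sql comment", re.compile(r"(?:--|#|/\*)\s*$")),
]

def sqli_indicators(url):
    """Names of the indicators that match any decoded parameter value of `url`."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes %xx and '+'
    found = []
    for values in params.values():
        for value in values:
            for name, pattern in INDICATORS:
                if name not in found and pattern.search(value):
                    found.append(name)
    return found

def parse_line(line):
    """Turn one log line into a dict; return None for lines not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["request"].split(" ")              # "%r" is "METHOD path protocol"
    d["method"] = parts[0] if parts else ""
    d["path"] = parts[1] if len(parts) > 1 else ""
    d["protocol"] = parts[2] if len(parts) > 2 else ""
    d["status"] = int(d["status"])
    d["status_class"] = STATUS_CLASS.get(str(d["status"])[0], "unknown")
    d["bytes"] = None if d["bytes"] == "-" else int(d["bytes"])
    d["params"] = parse_qs(urlsplit(d["path"]).query, keep_blank_values=True)
    d["findings"] = sqli_indicators(d["path"])
    referer = d["referer"] or "-"
    d["referer_findings"] = sqli_indicators(referer) if referer != "-" else []
    return d

def analyze(lines):
    """Parse every line; unparseable lines are reported rather than silently dropped."""
    rows = []
    for n, line in enumerate(lines, 1):
        row = parse_line(line)
        rows.append(row if row else {"line_no": n, "error": "unparsed", "raw": line})
    return rows

# The two lines from the notes above plus one constructed benign line (POST, no body size, Basic-auth user).
SAMPLE_LOG = [
    '192.168.195.162 - - [24/Apr/2018:17:47:27 +0530] "GET /dashboard/javascripts/modernizr.js HTTP/1.1" 200 51365 "http://192.168.195.162/dashboard/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    '127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '10.0.0.7 - alice [19/Jun/2018:11:40:02 +0530] "POST /login HTTP/1.1" 302 - "http://127.0.0.1/login" "curl/7.58.0"',
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        if "error" in row:
            print(f"line {row['line_no']}: could not parse")
            continue
        flag = " SUSPICIOUS" if row["findings"] or row["referer_findings"] else ""
        print(f'{row["ip"]:16} {row["status"]} {row["status_class"]:13} {row["method"]} {row["path"][:48]}{flag}')
        for name in row["findings"]:
            print("   request:", name, "->", row["params"])
        for name in row["referer_findings"]:
            print("   referer:", name)
```

- The indicators run on the decoded parameter values, because the raw line only shows %27, %3D and %23; matching on the encoded URL would miss any attacker who double-encodes or mixes case. The referer is checked too since, as in the second line, it preserves the attacker's previous probe.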