viprajput

g2s16

Jul 29th, 2018
Session 16
===========
Introduction to IDS | IPS | Honeypots
Network Security With Snort
Log Analysis
Honeypots and Attack Analysis

UTM - https://utm.trysophos.com/

IDS --> Intrusion Detection System|Services
===========================================
It is the service which helps in detecting any kind of intrusion and malicious activity of the attacker in the network.
e.g. NIDS (Network IDS), HIDS (Host IDS), WIDS (Wireless IDS) etc.
IPS --> Intrusion Prevention System|Services
============================================
Once the intrusion is detected, there comes the prevention phase. In this phase, the application or the software will tell you the ways in which you can prevent your system from being intruded or compromised.

IDS and IPS are known as the anti virus of the network --> They work on the network level.

They work on the content of the packets which are transmitted in the network:
Destination Port
Source Port
Services
Data
Signature
Source IP Address
Destination IP Address

SNORT --> It is considered to be the world's best IDS and IPS used by the corporates.
It works on a rule basis over the data and the packets.

For Installing SNORT
====================
#apt-get install snort
For Checking the SNORT Version
==============================
#snort -V
For Starting SNORT
==================
#snort

Rule Files
==========
/etc/snort/rules --> where all the rules of snort are located.

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)

Format For Creating Snort Rules
===============================
Basic Rule Syntax
-----------------
Action Protocol SourceIPAddress SourcePortNumber DirectionOfFlow DestinationIPAddress DestinationPortNumber (Body;)

alert tcp any any -> any any (msg:"Sample Alert";)

Direction operators:
->
<-
<>

The Rule Header
---------------
Action (log, alert)
Protocol (TCP, UDP, IP, ICMP, any)
Source IP Address --> From where the data is originated
Source Port Number --> Port number of the source device
Direction Operator --> ("->" - unidirectional, "<>" - bidirectional)
Destination IP Address --> To which IP address the data is going
Destination Port Number --> On which port the session is being created

Source and Destination IP Address can be variables
==================================================
1. $EXTERNAL_NET --> Any IP address which is an external IP address, outside the organisation.
2. $HOME_NET --> Any IP address from the internal organisation or the intranet.

Source IP Address
=================
1. If I want to make it specific --> instead of any, I want to give an IP address
alert any 192.168.0.10 any -> $HOME_NET any (msg:"Arvind Sharma and Prabhankar Tripathi the BLACKHATS Is Again Attacking";)

2. If I want the source IP address for the intranet
alert any $HOME_NET any -> any any (msg;)

3. If I want the source IP address for the Internet
alert any $EXTERNAL_NET any -> any any (;)

The same thing goes for the destination IP address.

alert any any any <> any any (content:"www.facebook.com"; msg:"Someone is accessing facebook.";)

We will create these rules and save them in /etc/snort/rules.
vallari.rules ---> rule file
But we have not implemented those rules yet.
For implementing them we need to edit the configuration file of snort.
/etc/snort/
/etc/snort/snort.conf

  98.  
  99. Types Of Rule Options
  100. =====================
  101. There are 5 types of rule Options
  102. 1. Metadata
  103. 2. Payload Data
  104. 3. Non Payload Data
  105. 4. Post Detection
  106. 5. Thresholding and suppression
  107.  
  108. Honeypots
  109. =========
  110. It is a system designed to appear vulnerable to attackers. The goal of a Honeypot is to log all the attacker's activity to study their behavious, log their IP Addresses, Track their locations and collect the data about 0-day exploits. The idea of Honeypot is nothing but a server that offers any kind of services to the attackers, from ssh to telnet, showing various well known exploitable ports.
  111.  
  112. Pentbox --> HoneyPot for Linux/unix based OS.
  113. Download .tar.gz file from sourceforge.net
  114. Open the terminal
  115. #cd Downloads
  116. #tar vzxf Filename.tar.gz
  117. #cd pentbox-1.0
  118. #./pentbox.rb
  119.  
  120. Yesman Scanner - https://samsclass.info/124/proj11/p17N-123-yesman.html
  121.  
  122.  
Log Analysis
============
Syntax of Log Of A Server
-------------------------

IP Address | Remote Log Name | Authentication Type | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent

192.168.195.162 - - [24/Apr/2018:17:47:27 +0530] "GET /dashboard/javascripts/modernizr.js HTTP/1.1" 200 51365 "http://192.168.195.162/dashboard/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"

127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"

IP Address --> 127.0.0.1 --> IP address of the visitor
Remote Log Name --> Identity check for the browser, '-' when not available

Authentication --> 1. Basic Authentication
2. Integrated Authentication
3. Form Based Authentication
4. Digest Authentication

Time Stamp --> [19/Jun/2018:11:32:13 +0530]
Access Request --> "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" --> The request made.
Response Code --> 5 types of response codes
1xx --> Informational
2xx --> Successful
3xx --> Redirection
4xx --> Client side error
5xx --> Server side error
Data Transfer (Bytes) --> 4851 bytes
Referrer URL --> "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" --> the user was on this page before going to the current page
User Agent --> "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
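As an added example (not from these notes), the field breakdown above turned into a small Python parser for combined-format access log lines: it runs over the two entries quoted above, classifies the response code, URL-decodes the query string and flags parameters that carry the kind of SQL injection probe the DVWA entry shows. The marker list and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two access-log entries quoted above, as Apache combined log lines.
SAMPLE_LOG = [
    '192.168.195.162 - - [24/Apr/2018:17:47:27 +0530] "GET /dashboard/javascripts/modernizr.js HTTP/1.1" 200 51365 "http://192.168.195.162/dashboard/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    '127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"',
]

# ip, remote logname, auth user, [timestamp], "request", status, bytes, "referrer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')

STATUS_CLASS = {'1': 'informational', '2': 'success', '3': 'redirection',
                '4': 'client error', '5': 'server error'}
# Fragments that show up in the decoded query strings of SQLi probes like the DVWA request above.
SQLI_MARKERS = ("union select", "order by", "' and ", "' or ")

def parse_line(line):
    """Split one combined-format line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['status_class'] = STATUS_CLASS.get(e['status'][0], 'unknown')
    e['bytes'] = 0 if e['bytes'] == '-' else int(e['bytes'])
    # parse_qs URL-decodes the values, so %27 becomes ' and + becomes a space.
    e['params'] = parse_qs(urlsplit(e['path']).query)
    return e

def suspicious_params(entry):
    """Names of query parameters whose decoded value contains an SQLi marker."""
    return [name for name, values in entry['params'].items()
            if any(mk in v.lower() for v in values for mk in SQLI_MARKERS)]

def scan(lines):
    """(ip, timestamp, flagged parameter names) for each request that trips a marker."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        flagged = suspicious_params(e)
        if flagged:
            findings.append((e['ip'], e['ts'], flagged))
    return findings
```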