- Session 16
- ==========
- Introduction to IDS | IPS | HoneyPots
- Network Security With Snort
- Log Analysis
- Honey Pot and Attack Analysis
- IDS --> Intrusion Detection Services
- ====================================
- It is the service in which we, or the system itself, try to detect any kind of intrusion or the presence of an intruder.
- IPS --> Intrusion Prevention Services
- =====================================
- It is the service that, after detection, decides what precautions the owner of the system should take.
- IDS and IPS --> They work on the network level
- They work on the content of the packets transmitted over the network, looking at:
- Which port
- Service
- Data
- Signature
- Snort --> Corporate-level IDS and IPS --> Best IDS and IPS. These are known as critical systems for cybersecurity.
- www.snort.org
- Installing Snort
- ================
- #apt-get install snort
- #snort -V --> Version
- #snort --> For running
- Rule Files
- ==========
- /etc/snort/rules
- alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
- alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
- Format For Creating Snort Rules
- ===============================
- Basic Rule Syntax
- -----------------
- Syntax
- ------
- Action Protocol SourceIPAddress SourcePortNumber DirectionFlow DestinationIPAddress DestinationPortNumber (Body;)
- Example
- -------
- alert any any any -> any any (msg:"Hello user";)
- alert any 192.168.228.227 any -> any any (content:"www.facebook.com";msg:"Beta sudhar ja, facebook chalana bnd kr de";sid:10000001;)
- The Rule Header
- ---------------
- Action (log, alert)
- Protocol (TCP, UDP, IP, ICMP, any)
- Source IP Address
- Source Port Number
- Direction Operator ("->", "<>")
- Destination IP Address
- Destination Port Number
- Source and Destination IP Address can be a variable
- $EXTERNAL_NET --> Any External IP Address
- $HOME_NET --> Any IP Address from the intranet (internal network)
- alert any $HOME_NET any -> $HOME_NET any (msg:"Hello Friends";)
- alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Hello";)
- Source IP Address
- 1. If I want to make it IP-specific --> instead of any, I give the IP Address
- alert tcp 192.168.228.149 any -> any any (msg:"Sample alert";)
- alert tcp 192.168.228.149 any -> 192.168.228.187 any (msg:"Sample alert";)
- 2. If I want to make it for the intranet
- alert tcp $HOME_NET any -> any any (msg:"Sample alert";)
- alert tcp 192.168.228.1/24 any -> any any (msg:"Sample alert";)
- 3. If I want to make it for external IP Addresses only
- alert tcp $EXTERNAL_NET any -> any any (msg:"Sample alert";)
- The same goes for the Destination IP Address (note that every option, the last one included, must end with a semicolon)
- alert any $HOME_NET any -> any any (msg:"Accessing Facebook";content:"facebook";content:"fb";)
- Example
- =======
- Design a rule for Port Number 80
- --------------------------------
- Go to /etc/snort/rules
- #cd /etc/snort/rules
- #nano sidhhant.rule
- alert tcp $EXTERNAL_NET any -> 192.168.228.1/24 80 (msg:"Sidhhant's Message";)
- Implementing Snort Rules
- ========================
- After creating snort rules in /etc/snort/rules,
- we need to navigate to the parent folder
- #cd ..
- There you will find a file
- snort.conf
- Open this file and include the path of the rule file
- #nano snort.conf
- include /etc/snort/rules/sidhhant.rule
- Types Of Rule Options
- =====================
- There are five types of rule options
- 1. Metadata
- 2. Payload Data
- 3. Non-payload detection
- 4. Post-detection
- 5. Thresholding and suppression
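- The rule header and rule option material above can be checked mechanically. The following is an added example (not from the notes and not part of Snort itself): a small Python parser that splits a rule into the header fields taught above, splits the body into options while respecting quoted values, and warns about the defects a practitioner most often ships (a missing terminating semicolon, a missing msg or sid, a sid inside the range Snort reserves for official rules, or a protocol that the Snort 2.x header parser does not accept). The protocol set and the local-sid boundary are my assumptions from Snort 2.x behaviour; the sample rules are the ones from the notes above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Header layout taught in the notes:
#   Action Protocol SourceIP SourcePort Direction DestinationIP DestinationPort (Body;)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<body>.*)\)\s*$",
    re.DOTALL,
)

# Assumption: protocols the Snort 2.x header parser accepts; anything else is flagged.
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_START = 1000000   # sids below this are reserved for official rule sets

Option = Tuple[str, Optional[str]]

# Sample input: rules copied from the notes above (one is deliberately missing its last ';').
SAMPLE_RULES = r'''
# rules from the notes
alert tcp $EXTERNAL_NET any -> 192.168.228.1/24 80 (msg:"Sidhhant's Message";)
alert any $HOME_NET any -> any any (msg:"Accessing Facebook";content:"facebook";content:"fb")
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
'''


def _split_option(token: str) -> Option:
    """'msg:"x"' -> ('msg', '"x"'); a bare keyword like 'nocase' -> ('nocase', None)."""
    key, sep, value = token.partition(":")
    return key.strip(), (value.strip() if sep else None)


def split_options(body: str) -> Tuple[List[Option], List[str]]:
    """Split the rule body on ';' while ignoring ';' inside double-quoted values."""
    options: List[Option] = []
    warnings: List[str] = []
    current: List[str] = []
    in_quote, prev = False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(current).strip()
            if token:
                options.append(_split_option(token))
            current = []
        else:
            current.append(ch)
        prev = ch
    trailing = "".join(current).strip()
    if trailing:
        # Snort requires every option, the last one included, to end with ';'
        warnings.append(f"option {trailing!r} is missing its terminating ';'")
        options.append(_split_option(trailing))
    if in_quote:
        warnings.append("unbalanced double quote in rule body")
    return options, warnings


def parse_rule(rule: str) -> Dict:
    """Parse one rule into header fields, options and a list of warnings."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a valid rule header: {rule[:40]!r}")
    fields: Dict = m.groupdict()
    options, warnings = split_options(fields.pop("body"))
    keys = [k for k, _ in options]
    if fields["proto"].lower() not in KNOWN_PROTOCOLS:
        warnings.append(f"protocol {fields['proto']!r} is not one of {sorted(KNOWN_PROTOCOLS)}")
    if "msg" not in keys:
        warnings.append("no msg option: the alert would carry no description")
    if "sid" not in keys:
        warnings.append("no sid option: Snort needs a unique sid per rule")
    for key, value in options:
        if key == "sid" and value and value.isdigit() and int(value) < LOCAL_SID_START:
            warnings.append(f"sid {value} is in the range reserved for official rules")
    fields["options"] = options
    fields["warnings"] = warnings
    return fields


def lint_rules(text: str) -> List[Tuple[str, List[str]]]:
    """Lint every non-comment line of a .rules file; returns (rule, warnings) pairs."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        results.append((line, parse_rule(line)["warnings"]))
    return results


if __name__ == "__main__":
    for rule, warns in lint_rules(SAMPLE_RULES):
        print(rule[:60], "...")
        for w in warns:
            print("   WARNING:", w)
```

- Run it against your own file (for example `lint_rules(open("/etc/snort/rules/sidhhant.rule").read())`) before adding the include line to snort.conf; the warnings point at the rule text, so a rule that Snort would refuse to load is found before the daemon restarts.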
- https://ufile.io/otsur --> PoC Configuration
- https://ufile.io/d9sfa --> Snort Installation
- HoneyPots
- =========
- It is a system designed to appear vulnerable to attackers. The goal of a honeypot is to log all the attacker's activity to study their behaviour, log their IP Addresses, track their locations and collect zero-day attacks.
- The idea of a honeypot is simply a server that offers any kind of service to the attackers, from SSH to telnet, showing various well-known exploitable ports.
- Pentbox --> Honeypot for Linux/Unix based systems.
- Download .tar.gz file for honeypot
- #cd Downloads
- #tar vzxf filename.tar.gz
- #cd pentbox-1.8
- #./pentbox.rb
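- To show what a honeypot such as Pentbox does underneath, here is an added example in Python (it is not from the notes and not Pentbox's own code): a minimal TCP listener that presents a constructed service banner, records the source IP, source port and first bytes of every connection, and summarises attempts per source address. The banner text, the port 2121 and the size limits are my choices.

```python
import socket
import threading
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed banner: what a connecting client sees, so the port looks like a real service.
BANNER = b"220 ftp.example.test FTP server ready\r\n"
MAX_BYTES = 256        # keep only the start of what the client sends
READ_TIMEOUT = 5.0     # seconds; port scanners often connect and send nothing


def handle_client(conn, addr, log: List[Dict]) -> Dict:
    """Send the banner, capture the client's first bytes, append one log entry."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": addr[0],
        "src_port": addr[1],
        "data": b"",
    }
    try:
        conn.sendall(BANNER)
        conn.settimeout(READ_TIMEOUT)
        entry["data"] = conn.recv(MAX_BYTES)
    except OSError:
        pass               # timeout or reset: the connection itself is still worth logging
    finally:
        conn.close()
    log.append(entry)
    return entry


def attempts_per_source(log: List[Dict]) -> Dict[str, int]:
    """Connections per source IP, the first thing to look at in honeypot logs."""
    return dict(Counter(e["src_ip"] for e in log))


def serve(port: int, log: List[Dict], stop: threading.Event) -> None:
    """Accept loop for one listening port; each client is handled in its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        srv.settimeout(1.0)    # wake up periodically to check the stop flag
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, args=(conn, addr, log), daemon=True).start()


if __name__ == "__main__":
    entries: List[Dict] = []
    stop_flag = threading.Event()
    try:
        serve(2121, entries, stop_flag)   # unprivileged port; use 21 only when run as root
    except KeyboardInterrupt:
        stop_flag.set()
        for e in entries:
            print(e)
        print(attempts_per_source(entries))
```

- Stop it with Ctrl-C and it prints every connection followed by the per-source count; a real deployment would write the entries to a file and never expose the host's genuine services on the same machine.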
- Log Analysis
- ============
- Syntax for a server's log
- -------------------------
- IP Address | Remote Log Name | Authentication Type | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent
- 192.168.43.122 - - [17/Dec/2017:18:30:03 +0530] "GET /Priyal.apk HTTP/1.1" 200 68624 "" "Mozilla/5.0 (Linux; Android 4.4.4; Lenovo A6000 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36"
- 127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
- IP Address --> 127.0.0.1 --> IP Address of the visitor
- Remote Log Name --> Identity check for the browser; '-' when not available
- Authentication --> one of:
- 1. Basic Authentication
- 2. Integrated Authentication
- 3. Form Based Authentication
- 4. Digest Authentication
- Time Stamp --> [19/Jun/2018:11:32:13 +0530]
- Access Request --> "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" --> The request made.
- Response Code --> 5 types of response codes
- 1xx --> Informational resource
- 2xx --> Successful redirection
- 3xx --> Redirection
- 4xx --> Client Side error
- 5xx --> Server Side error
- Data Transfer (Bytes) --> 4851 bytes
- Referrer URL --> "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" --> the user was on this page before going to the current page
- User Agent --> "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
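- The field-by-field breakdown above is what a log parser implements. This added example (not from the notes) is a Python parser for the combined log format that pulls out every field listed, decodes the query string, maps the status code onto the five classes, and runs a few constructed injection indicators over the decoded request and referrer so that the DVWA line from the notes is flagged and the APK download is not. The two sample lines are the ones from the notes; the indicator patterns are my own and are meant for triage, not as a complete signature set.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format, field by field as in the notes:
# IP | remote logname | auth user | [timestamp] | "request" | status | bytes | "referrer" | "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

STATUS_CLASSES = {
    "1": "Informational",
    "2": "Successful",
    "3": "Redirection",
    "4": "Client side error",
    "5": "Server side error",
}

# Constructed indicators of SQL injection probing, applied to the URL-decoded text.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bunion\s+select\b", r"\border\s+by\s+\d+", r"'\s*(and|or)\s+\d+\s*=\s*\d+")
]

# Sample input: the two log lines from the notes above.
SAMPLE_LINES = [
    '192.168.43.122 - - [17/Dec/2017:18:30:03 +0530] "GET /Priyal.apk HTTP/1.1" 200 68624 "" '
    '"Mozilla/5.0 (Linux; Android 4.4.4; Lenovo A6000 Build/KTU84P) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36"',
    '127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/'
    '?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 '
    '"http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"',
]


def status_class(code: int) -> str:
    """Map a three-digit status code onto its class by the first digit."""
    return STATUS_CLASSES.get(str(code)[0], "Unknown")


def parse_log_line(line: str) -> Dict:
    """Turn one combined-format line into a dict with decoded request fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"line does not match combined log format: {line[:60]!r}")
    e: Dict = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status_class"] = status_class(e["status"])
    # "GET /path?query HTTP/1.1" -> method, target, version; then split and decode the target
    parts = e["request"].split(" ")
    e["method"], target, e["version"] = (parts + ["", ""])[:3]
    split = urlsplit(target)
    e["path"] = split.path
    e["query"] = dict(parse_qsl(split.query, keep_blank_values=True))
    return e


def sqli_indicators(e: Dict) -> List[str]:
    """Return the indicator patterns that match the decoded request or referrer."""
    decoded = [unquote_plus(e["request"]), unquote_plus(e["referrer"])]
    return sorted({p.pattern for p in SQLI_PATTERNS for text in decoded if p.search(text)})


def triage(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """(ip, path, status class, indicators) for each line; indicators non-empty means look closer."""
    out = []
    for line in lines:
        e = parse_log_line(line)
        out.append((e["ip"], e["path"], e["status_class"], sqli_indicators(e)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

- Feed it a real access log with `triage(open("/var/log/apache2/access.log").read().splitlines())`; lines whose last element is non-empty are the ones to investigate, and the decoded `query` dict shows exactly what the client asked for.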