LuciferAviSonicX

Untitled

Dec 18th, 2018
Session 16
==========
Introduction to IDS | IPS | HoneyPots
Network Security With Snort
Log Analysis
Honey Pot and Attack Analysis


IDS --> Intrusion Detection Services
====================================
It is the service in which we, or the system, try to detect any kind of intrusion or the presence of an intrusion.
IPS --> Intrusion Prevention Services
=====================================
It is the service that, after detection, applies the precautions the owner of the system should take.

IDS and IPS --> They work on the network level

They work on the content of the packets which are transmitted over or in the network:
Which port
Service
Data
Signature

Snort --> Corporate-level IDS and IPS --> Best IDS and IPS. These are known as critical systems for cybersecurity.
  25.  
www.snort.org
Installing Snort
================
#apt-get install snort
#snort -V --> Version
#snort --> For running

Rule Files
==========
/etc/snort/rules

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
  40.  
  41.  
Format For Creating Snort Rules
===============================
Basic Rule Syntax
-----------------
Syntax
------
Action Protocol SourceIPAddress SourcePortNumber DirectionFlow DestinationIPAddress DestinationPortNumber (Body;)

Example
-------
alert any any any -> any any (msg:"Hello user";)

alert any 192.168.228.227 any -> any any (content:"www.facebook.com";msg:"Beta sudhar ja, facebook chalana bnd kr de";sid:10000001;)

The Rule Header
---------------
Action (log, alert)
Protocol (TCP, UDP, IP, ICMP, any)
Source IP Address
Source Port Number
Direction Operator ("->", "<>")
Destination IP Address
Destination Port Number

Source and Destination IP Address can be variables:
$EXTERNAL_NET --> Any external IP address
$HOME_NET --> Any IP address from the intranet|network

alert any $HOME_NET any -> $HOME_NET any (msg:"Hello Friends";)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Hello";)

Source IP Address
1. If I want to make it IP specific --> instead of any, I give the IP address
alert tcp 192.168.228.149 any -> any any (msg:"Sample alert";)
alert tcp 192.168.228.149 any -> 192.168.228.187 any (msg:"Sample alert";)
2. If I want to make it for the intranet
alert tcp $HOME_NET any -> any any (msg:"Sample alert";)
alert tcp 192.168.228.1/24 any -> any any (msg:"Sample alert";)
3. If I want to make it for external IPs only
alert tcp $EXTERNAL_NET any -> any any (msg:"Sample alert";)
The same goes for the Destination IP Address.

alert any $HOME_NET any -> any any (msg:"Accessing Facebook";content:"facebook";content:"fb";)
  85.  
Example
=======
Design a rule for Port Number 80
--------------------------------
Go to /etc/snort/rules
#cd /etc/snort/rules
#nano sidhhant.rule

alert tcp $EXTERNAL_NET any -> 192.168.228.1/24 80 (msg:"Sidhhant's Message";)
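As an added example (not part of these notes), a small Python matcher for the rule header syntax above: it splits a rule into its seven header fields plus the option body, resolves $HOME_NET / $EXTERNAL_NET (the values below are constructed for the demo), and tells whether a packet's 5-tuple would be selected, handling CIDR blocks, negation and the bidirectional "<>" operator. It checks the header only, so it can be run against the port-80 rule above without Snort installed.

```python
import ipaddress
import re

# Added example, not from the original notes: a matcher for the Snort rule
# HEADER only (Action Protocol Src SrcPort Dir Dst DstPort). The option body
# in (...) is kept as raw text; Snort itself is not required to run this.
# Values for $HOME_NET / $EXTERNAL_NET are constructed for the demo.
NET_VARS = {
    "HOME_NET": ["192.168.228.0/24"],
    "EXTERNAL_NET": ["!192.168.228.0/24"],   # everything that is not HOME_NET
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split a rule into its seven header fields plus the raw option body."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a valid rule header: " + rule)
    return m.groupdict()

def ip_matches(spec, ip):
    """spec is 'any', a $VAR, a single IP or a CIDR block, optionally negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("$"):
        return any(ip_matches(s, ip) for s in NET_VARS[spec[1:]])
    # strict=False lets 192.168.228.1/24 (host bits set, as in the notes) mean the /24
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(rule, proto, src, sport, dst, dport):
    """True if the packet 5-tuple is selected by the rule header; '<>' checks both ways."""
    h = parse_rule(rule)
    if h["proto"] not in ("any", "ip", proto):   # the notes use 'any'; 'ip' covers all
        return False
    fwd = (ip_matches(h["src"], src) and port_matches(h["sport"], sport)
           and ip_matches(h["dst"], dst) and port_matches(h["dport"], dport))
    if h["dir"] == "->":
        return fwd
    rev = (ip_matches(h["src"], dst) and port_matches(h["sport"], dport)
           and ip_matches(h["dst"], src) and port_matches(h["dport"], sport))
    return fwd or rev
```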
  95.  
Implementing Snort Rules
========================
After creating Snort rules in /etc/snort/rules,
we need to navigate to the parent folder:
#cd ..
There you will find a file:
snort.conf
Open this file and include the rule file by its path:
#nano snort.conf
include DestinationOfFileSidhhant.rules
(e.g. include $RULE_PATH/sidhhant.rule for the file created above; $RULE_PATH is the rules-directory variable already defined in snort.conf)

Types Of Rule Options
=====================
There are five types of rule options:
1. Metadata
2. Payload Data
3. Non-payload detection
4. Post-detection
5. Thresholding and suppression

https://ufile.io/otsur --> PoC Configuration
https://ufile.io/d9sfa --> Snort Installation
  118.  
  119.  
HoneyPots
=========
It is a system designed to appear vulnerable to attackers. The goal of a honeypot is to log all the attacker's activity to study their behaviour, log their IP addresses, track their locations and collect zero-day attacks.
The idea of a honeypot is nothing but a server that offers any kind of service to attackers, from SSH to telnet, showing various well-known exploitable ports.

Pentbox --> Honeypot for Linux/Unix-based systems.
Download the .tar.gz file for the honeypot
#cd Downloads
#tar vzxf filename.tar.gz
#cd pentbox-1.8
#./pentbox.rb
  131.  
Log Analysis
============

Syntax for a server's log
-------------------------
IP Address | Remote Log Name | Authentication Type | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent

192.168.43.122 - - [17/Dec/2017:18:30:03 +0530] "GET /Priyal.apk HTTP/1.1" 200 68624 "" "Mozilla/5.0 (Linux; Android 4.4.4; Lenovo A6000 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36"

127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"

IP Address --> 127.0.0.1 --> IP address of the visitor
Remote Log Name --> identity check for the client; '-' when it is not supplied

Authentication --> 1. Basic Authentication
2. Integrated Authentication
3. Form Based Authentication
4. Digest Authentication

Time Stamp --> [19/Jun/2018:11:32:13 +0530]
Access Request --> "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" --> The request made.
Response Code --> 5 types of response code
1xx --> Informational
2xx --> Successful
3xx --> Redirection
4xx --> Client-side error
5xx --> Server-side error
Data Transfer (Bytes) --> 4851 bytes
Referrer URL --> "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23&Submit=Submit" --> the user was on this page before going to the current page
User Agent --> "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
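As an added example (not part of these notes), a Python parser that splits a line of the log format above into the nine listed fields and then does the analysis step a defender would do on the second sample: URL-decode the request path and referrer and flag the SQL injection tokens they carry. The two sample lines from the notes are embedded so it runs stand-alone; the token list is an assumption built from that sample.

```python
import re
from urllib.parse import unquote_plus
# Added example, not from the original notes: split one combined-format log
# line into the nine fields listed above and flag requests whose decoded URL
# carries common SQL injection tokens (a detection, not an attack tool).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<remote_logname>\S+) (?P<auth_user>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
SQLI_TOKENS = ("union select", "order by", "' and 1=", "' or 1=")  # from the DVWA sample
# The two log lines quoted in the notes, embedded so the example runs stand-alone.
SAMPLE_LINES = [
    '192.168.43.122 - - [17/Dec/2017:18:30:03 +0530] "GET /Priyal.apk HTTP/1.1" 200 68624 '
    '"" "Mozilla/5.0 (Linux; Android 4.4.4; Lenovo A6000 Build/KTU84P) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36"',
    '127.0.0.1 - - [19/Jun/2018:11:32:13 +0530] "GET /dvwa/vulnerabilities/sqli_blind/'
    '?id=1%27+and+1%3D0+union+select+1%2C2+%23&Submit=Submit HTTP/1.1" 200 4851 '
    '"http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+order+by+3+%23'
    '&Submit=Submit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"',
]

def parse_log_line(line):
    """Return the nine fields as a dict; method and path are split out of the request."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the combined log format")
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])                      # 200 -> 2xx = success
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
    return rec

def sqli_indicators(rec):
    """URL-decode path and referrer (%27 -> ', + -> space) and list the tokens found."""
    text = unquote_plus(rec["path"] + " " + rec["referrer"]).lower()
    return [tok for tok in SQLI_TOKENS if tok in text]

def scan(lines):
    """(ip, path, indicators) for every line carrying at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        found = sqli_indicators(rec)
        if found:
            hits.append((rec["ip"], rec["path"], found))
    return hits
```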