CSEC640 Lab Assignment 2
Transcript of CSEC640 Lab Assignment 2
Disclaimer/Caveat/Disclosure/Whateveryouwouldliketocallthis:
You are more than welcome to use my lab work below as a reference. But, please be smart and do not simply copy and paste because your Prof. or TA will know. Just like you, they have access to this website as well. So be nice and smart and don't set yourself up for failure; at the very least you should rephrase/paraphrase/reword/Whateveryouprefertocallthis. Just a suggestion, but at the end of the day, it will be your decision. :)
Also, I have gotten at the very least 90% in each of my lab works, but that DOES NOT guarantee that you will get the same. It depends almost exclusively on how your professor looks at your response and how s/he grades. The ones that I got were awesome professors and my work and my points went across to them, hence the higher grade. So, basically what I am trying to say here is that if you score less than 90% while using my lab work as reference or as a whole, don't curse me out, you just got a stricter professor. :)
Question 1:
What does each of the flags in this snort command line do?
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
Response:
-r snort.out = read and process packets from the capture file snort.out instead of sniffing a live interface.
-P 5000 = set an explicit snaplen of 5000 bytes per packet (the default is 1514).
-c csec640.rules = use csec640.rules as the rules/configuration file.
-e = display the layer 2 (link layer) header information.
-X = dump the raw packet data, in hex and ASCII, starting at the link layer.
-v = be verbose (print packet headers to the console).
-k none = checksum mode "none": skip checksum verification for IP, TCP, UDP and ICMP, so packets with bad checksums (common in crafted test captures) are still inspected instead of being discarded. This is not the logging mode; logging mode is the capital -K option.
-l log = log to the directory named "log".
edit log\alert.ids
The edit log\alert.ids command opens alert.ids, the alert file Snort wrote into the sub folder named "log", in a text editor so the alerts can be read.
Question 2:
Rule #1:
alert tcp 192.168.1.0 any -> 192.168.1.1/24 80 (msg:"Non Secure Protocol!"; sid:001;)
The rule header matches TCP packets from the single host 192.168.1.0 (any source port) to port 80 on any host in 192.168.1.0/24. The /24 mask applies to the first 24 bits of 192.168.1.1, so it covers the whole network, not a range that starts at 192.168.1.1. Snort does not send anything to an address: for each match it writes an alert with the message "Non Secure Protocol!" to its alert file, flagging the use of plain HTTP instead of HTTPS. There is no content option, so every TCP packet to port 80, including the handshake, matches. The Snort ID is 1 (sid:001 is parsed as 1; local rules should use sids of 1000000 and above, since lower values are reserved for rules shipped with Snort).
Snort Alert Output:
I ran rule #1 in Snort and Snort was able to get the alert.ids
file, but with no data in it. The file is renamed as
alertRule1.ids in the screenshot below to separate it from the
other results.
Rule #2:
log udp any :800 -> 192.168.1.2 1:1600
The header matches UDP packets from any source address with a source port of 800 or below (":800" is the range 0 through 800 inclusive) to 192.168.1.2 on destination ports 1 through 1600. The action is log rather than alert, so matching packets are written to the directory given with -l and no entry is made in alert.ids.
Snort Alert Output:
I ran rule #2 in Snort and Snort was able to get the alert.ids
file, but with no data in it, although a log file was created. The file
is renamed as alertRule2.ids in the screenshot below to separate
it from the other results.
Rule #3:
log udp any any -> 192.168.1.2 !1024:2048
The header matches UDP packets from any source to 192.168.1.2 on any destination port except 1024 through 2048 (the ! negates the port range). As with rule #2, matching packets are logged, not alerted on.
Snort Alert Output:
I ran rule #3 in Snort and Snort was able to get the alert.ids
file, but with no data in it, although a log file was created. The file
is renamed as alertRule3.ids in the screenshot below to separate
it from the other results.
Rule #4:
alert tcp 192.168.1.0 any -> 192.168.1.2 any (flags: P; msg: "PSH Scan Detected"; sid:002;)
The header matches TCP packets from 192.168.1.0 to 192.168.1.2 on any port. The flags option then requires that PSH is set and no other flag is set: flags: without a modifier is an exact match (flags: P+ would also accept PSH together with other flags). Legitimate data segments carry PSH together with ACK, so a segment with only PSH set is anomalous and is the signature of a PSH scan. Each match raises the alert "PSH Scan Detected" with Snort ID 2; nothing is raised on either host, the alert goes to Snort's alert file.
Snort Alert Output:
I ran rule #4 in Snort and Snort was able to get the alert.ids
file, but with no data in it. The file is renamed as
alertRule4.ids in the screenshot below to separate it from the
other results.
Rule #5:
alert tcp 192.168.1.0 any -> 192.168.1.1/24 80 (content: "adults"; msg: "Adult Oriented Material!"; react: block, msg; sid:003;)
The header is the same as in rule #1: TCP from host 192.168.1.0 to port 80 on any host in 192.168.1.0/24. The content option additionally requires the bytes "adults" somewhere in the packet payload; the match is case-sensitive unless nocase is added, so "Adults" would not match. On a match Snort raises the alert "Adult Oriented Material!" (Snort ID 3) and, because of react: block, msg, attempts an active response: it closes the connection and sends the client a visible notice that includes the rule's msg text. react is a flexible-response feature that only works on live traffic; when Snort replays snort.out with -r there is no connection to reset, so only the alert is recorded.
Snort Alert Output:
I ran rule #5 in Snort and Snort was able to get the alert.ids
file, but with no data in it. The file is renamed as
alertRule5.ids in the screenshot below to separate it from the
other results.
Rule #6:
alert tcp 192.168.1.0 any -> $EXTERNAL_NET 443 (msg:"Chase Financial Web Request"; sid:004; content:"chase";)
The header matches TCP packets from 192.168.1.0 to port 443 (HTTPS) on any address in $EXTERNAL_NET, a variable that must be defined in snort.conf (typically var EXTERNAL_NET !$HOME_NET; Snort refuses to load the rule if it is undefined). The content option requires the lowercase bytes "chase" in the payload. HTTPS payloads are encrypted, so the URL and page content are never visible to Snort; the only place the string can appear in cleartext is the TLS handshake, where the client sends the server name (for example www.chase.com) in the ClientHello's SNI extension. The rule can therefore flag a connection to a Chase host at handshake time, but not what was requested. The Snort ID is 4.
Snort Alert Output:
I ran rule # 6 in snort and snort was able to get the alert.ids
file, but with no data in it. The file is renamed as
Question 3:
A network-aware worm is malware that uses the attacked network's own resources to spread to every device reachable on that network. Gimmiv.a behaves like other network-aware worms (NAWs): it attacks hosts across the network and gains remote code execution on them through Microsoft RPC, exploiting the MS08-067 vulnerability in the Windows Server service (McKitrick, 2008).
Remote Procedure Call (RPC) is a protocol used by the Windows operating system to provide seamless inter-process communication between programs running on a local machine and on a remote machine. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly across multiple network transports, including Internet protocols such as HTTP. (Farrington, 2004)
According to Shevchenko in the blog, the Gimmiv.a worm:
"...it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network."
In other words, Gimmiv.a is strictly a Trojan rather than a worm, but it has the spreading behaviour of a NAW. As described above, it propagates across the network and executes code remotely on the hosts it reaches. It then collects system information and personal information stored on those hosts and sends it to a remote host. That information can include the network password, system login credentials and e-mail server login credentials.
Detecting a Trojan like this is a multi-step process, and no single control is enough: up-to-date antivirus definitions on the hosts, a firewall and an IDS on the network each catch a different part of the activity. Because Gimmiv.a encrypts the stolen information before sending it to its controlling host, an IDS cannot match on the stolen content itself; it has to key on what remains observable, such as the exploit traffic against the Server service, the fixed-content ICMP beacon used by the rule below, and outbound connections from internal hosts to destinations they do not normally contact. On the firewall side, the network administrator can deny outbound traffic by default and release it only once the destination has been approved, for example by having the requesting server present a token that the firewall verifies before the packets are forwarded. That extra approval step is what keeps the firewall from blocking legitimate encrypted traffic while still stopping unexpected encrypted uploads.
After the vulnerability was discovered, the Emerging Threats site posted a Snort rule that detects the Gimmiv.a Trojan's outbound ICMP beacon: an echo request (itype 8, icode 0) with a 20-byte payload containing a fixed string. The Snort rule is:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726; rev:1;)
(McKitrick, 2008)
Question 4:
You learned a covert channel in Week 6. Do you think IDS like
Snort can easily detect a covert channel? For example, can you
write an effective set of Snort rules to prevent any information
leak through a covert channel? Explain your answer in detail.
The short answer is yes: an IDS like Snort can detect a covert channel, but only a channel whose encoding is known and can be expressed as a rule, and there is no single rule that detects every covert channel. Because there are different types of covert channel, Snort rules have to be customized for each one. A covert channel can use different protocols, and different parts of them, to leak data: header fields at the lower OSI layers, the application layer, and the TCP header. Lower-layer header fields are attractive to an attacker because most filters, firewalls and sniffers pass them through without checking their contents. At the application layer, an attacker can use the carriage return and line feed (CRLF) sequences in HTTP headers to create a covert channel. In the TCP header, the attacker can use the sequence number, acknowledgment number, source port, flags and the TCP timestamp option to establish a covert channel. (UMUC, 2013)
A specific Snort rule has to be written for each of these layers and header fields, and a single Snort rule cannot cover all of them. Even a complete rule set only catches the encodings it describes: a channel that hides data in values indistinguishable from normal ones, or in packet timing, does not match a fixed signature, so Snort rules raise the cost of leaking data through a covert channel but cannot prevent every leak.
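The beacon rule quoted in Question 3 and the point in Question 4 that each covert channel needs its own detection logic, as one added example that is not part of the lab write-up, of the Emerging Threats rule set or of Snort: a Python script that parses raw ICMP echo messages, applies the quoted rule's conditions (itype, icode, dsize, content) and adds a heuristic that flags echo payloads which are not an OS-default ping pattern, which is where ping-tunnel covert channels carry their data. All packets are constructed; the 20-byte Gimmiv-like payload pads the quoted 19-byte string with a NUL because the page does not give the real beacon's last byte, and the "ping tunnel" payload is an invented leak.

```python
"""ICMP echo inspection: the quoted ET Gimmiv rule and a covert-channel check.

Added example, not from the original lab write-up, Emerging Threats or Snort.
It parses raw ICMP echo messages and applies (a) the header/size/content
conditions of the quoted ET rule and (b) a heuristic that flags echo payloads
that are not an OS-default ping pattern.  All packets below are constructed.
"""
import struct

# Default 32-byte payload of Windows ping.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
# Constructed 20-byte payload that satisfies the quoted rule; the page does not
# give the real beacon's 20th byte, so a NUL is assumed here.
GIMMIV_LIKE = b"abcde12345fghij6789\x00"


def checksum(data):
    """RFC 1071 one's-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo(payload, ident=0x1234, seq=1):
    """Build a raw ICMP echo request (type 8, code 0) with a valid checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", 8, 0, checksum(body), ident, seq) + payload


def parse_icmp(raw):
    """Split the 8-byte ICMP header from the payload (Snort's dsize is the payload length)."""
    if len(raw) < 8:
        raise ValueError("short ICMP message")
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"itype": itype, "icode": icode, "csum_ok": checksum(raw) == 0,
            "id": ident, "seq": seq, "payload": raw[8:]}


def linux_ping_like(p):
    """iputils ping fills payload byte k with the value k, then overwrites the
    first 8 or 16 bytes with a timestamp, so only the tail is checked."""
    return len(p) >= 16 and all(p[k] == (k & 0xFF) for k in range(16, len(p)))


def et_gimiv_ping(pkt):
    """Conditions of 'ET TROJAN Gimiv Infection Ping Outbound' as quoted on the
    page: itype:8; icode:0; dsize:20; content:"abcde12345fghij6789"."""
    return (pkt["itype"] == 8 and pkt["icode"] == 0 and len(pkt["payload"]) == 20
            and b"abcde12345fghij6789" in pkt["payload"])


def odd_echo_payload(pkt):
    """Covert-channel heuristic: an echo request carrying anything other than an
    OS-default (or empty) payload deserves a closer look; ping tunnels hide data here."""
    p = pkt["payload"]
    if pkt["itype"] != 8 or not p or p == WINDOWS_PING or linux_ping_like(p):
        return False
    return True


def classify(raw):
    """Labels raised for one raw ICMP message (empty list means clean)."""
    pkt = parse_icmp(raw)
    labels = []
    if et_gimiv_ping(pkt):
        labels.append("ET TROJAN Gimiv Infection Ping Outbound")
    if odd_echo_payload(pkt):
        labels.append("non-standard echo payload (%d bytes)" % len(pkt["payload"]))
    return labels


# Constructed Linux-style ping payload: 16-byte timestamp area, then bytes 16..55.
LINUX_PING = struct.pack("!QQ", 1700000000, 654321) + bytes(range(16, 56))

if __name__ == "__main__":
    samples = {  # all constructed
        "windows ping": build_echo(WINDOWS_PING),
        "linux ping": build_echo(LINUX_PING),
        "gimmiv-like beacon": build_echo(GIMMIV_LIKE),
        "ping tunnel": build_echo(b"user=bob;pass=hunter2"),
    }
    for name, raw in samples.items():
        print("%-20s %s" % (name, classify(raw) or "clean"))
```

The ET rule fires only on the one fixed string, which is what Question 4 is getting at: the same payload with one byte changed would pass it, whereas the second check keys on the general property (an echo payload that no standard ping client would send) and so also catches an unrelated ping tunnel, at the cost of flagging any unusual but legitimate ping tool.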
References:
Farrington, D. (2004). Microsoft RPC-DCOM Buffer Overflow Attack using Dcom.c. Retrieved from http://www.giac.org/paper/gcih/548/microsoft-rpc-dcom-buffer-overflow-attack-dcomc/100671
McKitrick, P. (2008). UPDATE - CCIP ALERT: Exploitation of MS08-067. Retrieved from http://list.waikato.ac.nz/pipermail/nznog/2008-October/014630.html
UMUC (2013). Covert Channel and Data Leakage. Retrieved from http://tychousa5.umuc.edu/CSEC640/1206/csec640_06/assets/csec640_06.pdf