CSEC640 Lab Assignment 2

Disclaimer/Caveat/Disclosure/Whateveryouwouldliketocallthis:

You are more than welcome to use my lab work below as a reference. But, please be smart and do not simply copy and paste because your Prof. or TA will know. Justlike you, they have access to this website as well. So be nice and smart and don't set yourself up for a failure, at the very least you should rephrase/paraphrase/reword/Whateveryouprefertocallthis.Just a suggestion, but at the end of the day, it will be your decision. :)

Also, I have got at the very least 90% in each of my lab work, but that DOES NOT guarantee that you will get the same. It depends almost exclusively on how yourprofessor looks at your response and how s/he grades. The ones that I got were awesome professors and my workand my points went across to them, hence the higher grade. So, basically what I am trying to say here is that if you score less than 90% while using my lab workas reference or as a whole, don't curse me out, you just got a stricter professor. :)

Question 1:

What does each of the flags in this snort command line do?

snort -r snort.out -P 5000 -c csec640.rules -e -X -v –k

none -l log

Response:

-r snort.out = read from snort.out file.

-P 5000 = Set explicit snaplen of packets to 5000.

-c csec640.rules = use rules file csec640.rules.

-e = Display the second layer header info.

-X = Dump the raw packet data starting at the link layer.

-v = Be verbose.

-k none = Logging mode is "none".

-l log = log to directory "log".

edit log\alert.ids

The edit log\alert.ids command lets the user edit the alert.ids

file in the sub folder named "log".

Question 2 :

Rule #1:

alert tcp 192.168.1.0 any -> 192.168.1.1/24 80 (msg:"Non Secure

Protocol!"; sid:001;)

The above rule will send a message to the IP address 192.168.1.0

when IP addresses from 192.168.1.2 to 192.168.1.255 uses an http

protocol on TCP protocol, warning that the users are not using a

secure protocol. Snort ID for this alert is 001.

Snort Alert Output:

I ran rule # 1 in snort and snort was able to get the alert.ids

file, but with no data in it. The file is renamed as

alertRule1.ids in the screenshot below to separate it from the

other results.

Rule #2:

log udp any :800 -> 192.168.1.2 1:1600

The above rule will log udp traffic coming from ports less than

800 and going to ports ranging from 1 to 1600 for IP address

192.168.1.2.

Snort Alert Output:

I ran rule # 2 in snort and snort was able to get the alert.ids

file, but with no data in it, but log file was created. The file

is renamed as alertRule2.ids in the screenshot below to separate

it from the other results.

Rule #3:

log udp any any -> 192.168.1.2 !1024:2048

The above rule will log all of the traffic going through all of

the ports of IP address 192.168.1.2, except ports ranging from

1024 to 2048.

Snort Alert Output:

I ran rule # 3 in snort and snort was able to get the alert.ids

file, but with no data in it, but log file was created. The file

is renamed as alertRule3.ids in the screenshot below to separate

it from the other results.

Rule #4:

alert tcp 192.168.1.0 any -> 192.168.1.2 any (flags: P; msg: "PSH

Scan Detected"; sid:002;)

The above rule will alert IP Address 192.168.1.1 by raising a

flag on IP address 192.168.1.2 if it detects a PSH Scan on any of

its ports. The Snort ID number for the message is 002.

Snort Alert Output:

I ran rule # 4 in snort and snort was able to get the alert.ids

file, but with no data in it. The file is renamed as

alertRule4.ids in the screenshot below to separate it from the

other results.

Rule #5:

alert tcp 192.168.1.0 any -> 192.168.1.1/24 80 (content:

"adults"; msg: "Adult Oriented Material!"; react: block, msg;

sid:003;)

The above rule will alert IP address 192.168.1.0 if any of the IP

addresses from 192.168.1.2 to 192.168.1.255 tries to access a

website containing adult content using http. The rule will also

block access to the website and will send a message informing

that the website contains Adult material. The Snort ID number for

the message is 003.

Snort Alert Output:

I ran rule # 5 in snort and snort was able to get the alert.ids

file, but with no data in it. The file is renamed as

alertRule5.ids in the screenshot below to separate it from the

other results.

Rule #6:

alert tcp 192.168.1.0 any -> $EXTERNAL_NET 443 (msg:"Chase

Financial Web Request"; sid:004; content:"chase";)

The above rule will set an alert message when Chase website is

accessed using https protocol. The Snort ID number for the

message is 004.

Snort Alert Output:

I ran rule # 6 in snort and snort was able to get the alert.ids

file, but with no data in it. The file is renamed as

alertRule6.ids in the screenshot below to separate it from the

other results.

Question 3:

A network-aware warm is a virus that exploits the attacked

network's resources to spread over all of the devices connected

to that network. Like other Network-Aware Warms (NAW), Gimmiv.a

attacks a network and affects the system by enabling them to

remotely execute codes using the RPC DCOM protocols.

The Remote Procedure Call (RPC) is a protocol used by the

Windows operating system to provide seamless inter-process

communication between programs running on a local machine and a

remote machine. The Distributed Component Object Model (DCOM) is

a protocol that enables software components to communicate

directly across multiple network transports, including Internet

protocols such as HTTP. (Farrington, 2004)

According to Shevchenko in the blog, the Gimmiv.a worm:

“….it could technically be classified as a network-aware trojan that employs

functionality of a typical RPC DCOM network-aware worm to attack other hosts in

the network.”

Meaning that, even though, it is not a NAW, it still has all

the qualities of a NAW. As mentioned above, the Gimmiv.a spreads

over the network and starts remotely executing codes on clients

linked to the network. It collects the system information and

other personal information stored on the clients and then send

them over to a remote host. That personal information can include

the network password, system login credentials as well as email

server login credentials.

Detecting a Trojan requires multi-step process. An up-to-

date Antivirus definition, firewall and IDS on the network is one

way to protect a network from a Trojan like Gimmiv.a. Because

Gimmiv.a used encrypted strings to send the stolen information

over the network to its host, a network administrator can set up

a firewall and IDS that will detect any outgoing traffic

consisting of encrypted strings not authorized by the sender. The

Network Administrator can configure its firewall that will only

send the traffic over to the requesting server once it receives a

approval from the receiving server. That can be achieved by

sending a "token" from the requesting server to the source server

and once verified, the source server will send the packets. This

additional step will make sure that the firewall is not blocking

the legitimate encryption requests.

After the vulnerability was discovered, Emerging Threats

site posted a Snort Rule that was able to detect the Gimmiv.a

Trojan on a system. The Snort Rule is:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimiv

Infection Ping Outbound"; icode:0; itype:8; dsize:20;

content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726;

rev:1;) (McKitrick, 2008)

Question 4:

You learned a covert channel in Week 6. Do you think IDS like

Snort can easily detect a covert channel? For example, can you

write an effective set of Snort rules to prevent any information

leak through a covert channel? Explain your answer in detail.

Simple answer, yes, an IDS like Snort can detect a covert

channel. Though there isn't one rule that can detect every covert

channel. Because there are different types covert channels, Snort

rules have to be customized for each covert channel intrusion

detection. Covert Channel can use different communication

protocols to leak data. A Covert Channel can be created using OSI

Layer, Application Layer and TCP Headers. The Open Systems

Interconnection (OSI) layer, Covert Channel can exploit OSI

Layers to intrude an organizational network because most of the

filters, firewalls and sniffers do not check OSI layer for

intrusions. In Application Layers an attacker can use the

Carriage Return and Line Feed (CRLF) in the HTTP header to create

a covert channel. In TCP headers, the attacker can use sequence

number, acknowledgment number, source port, flags and the TCP

timestamp option to establish a covert channel. (UMUC, 2013)

A specific Snort rule will have to be created to check each

one of these layers and headers to detect a Covert Channel. A

single Snort rule will not be sufficient to check the Covert

Channel on all of these layers and headers.

References:

Farrington, D. (2004). Microsoft RPC-DCOM Buffer Overflow Attack

using Dcom.c. Retrieved from,

http://www.giac.org/paper/gcih/548/microsoft-rpc-dcom-buffer-

overflow-attack-dcomc/100671

McKitrick, P. (2008). UPDATE - CCIP ALERT: Exploitation of MS08-

067. Retrieved from,

http://list.waikato.ac.nz/pipermail/nznog/2008-October/014630.htm

l

UMUC (2013). Covert Channel and Data Leakage. Retrieved from,

http://tychousa5.umuc.edu/CSEC640/1206/csec640_06/assets/csec640_

06.pdf