In this test we will do the following:
Run Ethereal to capture packets on all three hosts: Attacker, NIDS and Target.
Run Snort on the NIDS host to detect the attacks.
Run the packet script called “project rule 1” from Target.
Run the packet script called “project rules 2-10” from Attacker.
Gather the results and evaluate the test attack.
Host NIDS
This is the Snort server; we want to start Snort to test whether it detects the attacks as it is supposed to.
We have two options to start Snort:
1) Click the “Start Snort” button on the top toolbar of IDScenter.
2) From a command prompt, type the following commands:
cd c:\snort\bin
C:\Snort\bin\snort.exe -c "C:\Snort\etc\snort.conf" -l "c:\snort\log" -A full -h 172.16.1.1/32 -I -k all -z -i 3
You can also run Ethereal here, but it is not essential, since the Snort log alone will show whether the 10 attacks are detected.
Host Attacker
We want to launch the script “project rules 2-10” from this machine, but only after starting the sniffer Ethereal.
These attacks are: 1 ICMP attack, 1 Telnet attack, 1 RPC attack, 1 SMTP attack and 5 HTTP attack packets. In total there are 9 packets.
Follow this procedure:
Run Ethereal.
From the menu bar select Capture, Interface.
Click the Prepare button to tune the capture by setting filters (see Fig. 7.1).
In the filter field type: not broadcast and not multicast, then click Start.
Go to Packet Excalibur and load the script called “project rules 2-10”.
From the Action menu, click Run Script.
In the Packet Destination IP address field enter 172.16.1.2 (the Target IP address) 9 times, once for each of the 9 rules in the script.
Press OK to launch the attack.
Fig. 7.1 Ethereal Capture Options
Host Target
We want to launch the script “project rule 1” from this machine, but only after starting the sniffer Ethereal. This script has one attack, called danger, which runs with a specific source and destination address; this packet should be a response message to the attacker.
Follow this procedure:
Run Ethereal.
From the menu bar select Capture, Interface.
Click the Prepare button to tune the capture by setting filters (see Fig. 6.2.1).
In the filter field type: not broadcast and not multicast, then click Start.
Go to Packet Excalibur and load the script called “project rules 1”.
From the Action menu, click Run Script.
In the Packet Destination IP address field enter 137.207.234.252 (the Attacker IP address).
Press OK to launch the attack.
Note: To reduce the number of undesired packets in Ethereal, try to launch the scripts simultaneously. This makes the Ethereal output much clearer and avoids capturing unrelated traffic on the network, which otherwise takes a lot of time to sift through to find the packets you are looking for. Also use the broadcast and multicast filter, since that traffic is not wanted in our case.
Ending the Test
You can tell when the script ends by monitoring the result pane in the Packet Excalibur window. When it is done, do the following:
On Target, stop the Ethereal capture by clicking the Stop button.
On Attacker, stop the Ethereal capture by clicking the Stop button.
On the NIDS host, stop Snort by pressing Ctrl+X.
Results on snort NIDS
You should get a screen like Fig. 7.2.
Fig. 7.2 Result on NIDS
You can see from the previous window that Snort detected 11 attacks while we sent only 10 packets. That is because one specific attack is caught by 2 separate Snort preprocessors.
Double-click the output log file snort.ids in c:\snort\log and check it; it is shown in Fig. 7.3.
Fig. 7.3 Output Log File
You can see in the log file that we really caught the 10 attacks plus one extra alert. The extra alert relates to the web CGI attack, which is caught both by the rule file and by the http_inspect preprocessor: http_inspect detects that this packet contains a directory traversal, which is itself considered an attack.
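To make the “11 alerts for 10 packets” effect easy to check in any snort.ids file, here is an added example (not code from the lab or from Snort) that parses the -A full alert layout and groups alerts by timestamp and endpoints, so a packet that fired both a rule and a preprocessor alert shows up as one packet with two signatures. The sample log is constructed; the sids are placeholders, and gid 119 is used because that is http_inspect's generator id in Snort 2.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Snort's "-A full" alert file (snort.ids).
# Generator/signature ids, times and ports are placeholders, not the lab's log.
SAMPLE_ALERTS = """\
[**] [1:9000001:1] LAB ICMP test packet [**]
[Priority: 3]
05/02-10:15:01.100000 137.207.234.252 -> 172.16.1.2
ICMP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:9000005:1] LAB WEB-CGI traversal test [**]
[Priority: 2]
05/02-10:15:01.500000 137.207.234.252:1040 -> 172.16.1.2:80
TCP TTL:128 TOS:0x0 ID:5 IpLen:20 DgmLen:120 DF

[**] [119:9000005:1] (http_inspect) LAB directory traversal [**]
[Priority: 2]
05/02-10:15:01.500000 137.207.234.252:1040 -> 172.16.1.2:80
TCP TTL:128 TOS:0x0 ID:5 IpLen:20 DgmLen:120 DF
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$", re.M)

def parse_alerts(text):
    """One dict per alert block: gid, sid, msg, time, src, dst."""
    alerts = []
    for block in text.strip().split("\n\n"):
        h, p = HEADER.search(block), PACKET.search(block)
        if not h or not p:
            continue  # tolerate a truncated or malformed block
        alerts.append({"gid": int(h.group(1)), "sid": int(h.group(2)),
                       "msg": h.group(4), "time": p.group(1),
                       "src": p.group(2), "dst": p.group(3)})
    return alerts

def summarize(text):
    """Count alerts vs. distinct packets; list packets that fired >1 alert."""
    alerts = parse_alerts(text)
    by_packet = defaultdict(list)
    for a in alerts:  # same timestamp + endpoints => same captured packet
        by_packet[(a["time"], a["src"], a["dst"])].append(f"{a['gid']}:{a['sid']}")
    multi = {k: v for k, v in by_packet.items() if len(v) > 1}
    return {"alerts": len(alerts), "packets": len(by_packet), "multi": multi}
```

Run summarize() on the real snort.ids and the "multi" entry points at the web CGI packet that both the rule and http_inspect flagged.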
Results on Host Target
You should get something like the screen dump in Fig. 7.4.
Fig. 7.4 Ethereal Result on Host Target
As you can see, we received 32 packets. To refine this output, type the following in the filter field:
ip.src==137.207.234.252
Then press the Apply button to filter the captured packets.
Fig. 7.5 Refined Ethereal Result on Host Target
That worked: we now see only the packets sent from source address 137.207.234.252 (the Attacker IP address, which is what we are interested in), as shown in Fig. 7.5.
We can see that we received 11 packets; of these, the first 2 are actually responses to the packet we sent from this machine in script rule 1. So we can ignore the first 2 packets and look at the remaining 9: they are the 9 packets generated by the attacker script.
Results on Host Attacker
You should get something like the screen dump in Fig. 7.6.
Fig. 7.6 Ethereal Result on Host Attacker
As you can see, we also received 32 packets. To refine this output, type the following in the filter field:
ip.src==172.16.1.2
Then press the Apply button to filter the captured packets.
Fig. 7.7 Refined Ethereal Result on Host Attacker
You can see that the first packet is our desired packet from rule 1, which originated from Target. All the other packets are responses to the 9 attack packets launched from this host, which also confirms that our packets were sent and received correctly. The captured results can be viewed by importing the attached Ethereal capture.
Test Result
The proposed scenario worked fine. All the output and deliverables are attached to this project. They include:
Ethereal output on all hosts
Snort.ids alert log file
Snort log file