Project Report on
Running the 10 Packets attack
Download 2.35 Mb.
|
- Navigate this page:
- Host Attacker
- Ending the Test
- Results on snort NIDS
- Results on Host Target
- Results on Host Attacker
Running the 10 Packets attackIn this test we will do the following:- Run the Ethereal to capture packets on all the Hosts: Attacker, NIDS, Target. Run the SnortIDS to detect the attacks on NIDS Run the packet script called “project rule 1” from Target Run the packet script called “project rules 2-10” from Attacker Gather the result and evaluate the test attack. Host NIDS This is the snort server, we want to start snort to test is it going to detect the attacks as it suppose to be or not. We have two options to start Snort: 1) Click on “Start Snort” button on the top tool bar of IDScenter. 2) From command line prompt, type the following commands
C:\Snort\bin\snort.exe -c C:\Snort\etc\snort.conf" –l "c:\snort\log" -A full -h 172.16.1.1/32 -I -k all -z -i 3 You can also run ethereal, but it is not important since the result of the snort log will identify if we are going to detect the 10 attacks or not. Host Attacker We want to lunch the script “project rule 2-10” from this machine but after starting the sniffer “Ethereal”. These attacks include: 1 icmp attack, 1 telnet attack, 1 rpc attack, 1 smtp attack, 5 http attack packets. In total, there are 9 packets. Follow the following procedure: Run Ethereal From menu bar select capture, interface. Click on prepare button to further tune our capture process by setting filters (see Fig. 7.1) In the filter field type: not broadcast and not multicast then click start Go to Packet Excalibur and load the script called “ project rules 2-10” From action menu, click on run script In the Packet Destination IP address field enter 172.16.1.2 (target ip address) 9 times for all the 9 rules we have in the script Press on to lunch the attack 
Fig. 7.1 Ethereal Capture Options Host Target We want to lunch the script “project rule 1” from this machine but after starting the sniffer “Ethereal”. This script has one attack called danger which runs on specific source and destination address and this packet should be a response message to the attacker. Follow the following procedure: Run Ethereal From menu bar select capture, interface. Click on prepare button to further tune our capture process by setting filters (see Fig. 6.2.1) In the filter field type : not broadcast and not multicast then click start Go to Packet Excalibur and load the script called “ project rules 1” From action menu, click on run script In the Packet Destination IP address field enter 137.207.234.252 (attacker ip address) Press OK to lunch the attack Note: To get a fewer number of undesired packets in ethereal try to lunch the scripts simultaneously. This will make your ethereal output much clearer and will not gather undesired packets on the network which will take a lot of your time to identify the packets you are looking for. Also try to use filter broadcast and multicast which is not desired in our case. Ending the Test You can check when the script ends by monitoring the result pane in the packet Excalibur window. When it is done, do the following procedure. For Target, stop ethereal capture by clicking Stop button. For Attacker, stop ethereal capture by clicking Stop button. For NDIS snort, stop snort by pressing (Ctr X) Results on snort NIDS You should get a screen as Fig. 7.2. 
Fig. 7.2 Result on NIDS You can see from the previous window that snort was able to detect 11 attacks while we have sent only 10 packages. That is because one specific attack is catcher by 2 separate snort preprocessors. Duple click the output log file called snort.ids on c:\snort\log and check it, which is shown in Fig. 7.3. 
Fig. 7.3 Output Log File You can see in the log file that we really have caught the 10 attacks plus one other attack. The last specific attack is related to web cgi attack and it is caught by rule file and by the (http_inspect) preprocessor. Http_inspect detects that this packet has a directory traverse which is considered an attack. Results on Host Target You should get something like this screen dump (Fig. 7.4). 
Fig. 7.4 Ethereal Result on Host Target As you see we have received 32 packets, to refine this output, do the following: Type in the filter field the following content: ip.src==137.207.234.252 Then press on Apply button to filter the captured packets. 
Fig. 7.5 Refined Ethereal Result on Host Target Wow, that really worked and made us see only the packets which have been sent from source address 137.207.234.252 (attacker IP address which we are interested to see), which is shown in Fig. 7.5. We can see that we have received 11 packets among those the first 2 packets are actually a response to the packet we have sent from this machine in script rule 1. So we can also ignore the first 2 packets and look at the remaining 9 packets. Yeah, they are the 9 packets generated from the attacker script. Results on Host Attacker You should get something like this screen dump (Fig.7.6). 
Fig. 7.6 Ethereal Result on Host Attacker As you see we have also received 32 packets. To refine this output, type in the filter field the following content: ip.src==172.16.1.2 Then press on Apply button to filter the captured packets. 
Fig. 7.7 Refined Ethereal Result on Host Attacker You can see the first packet is our desired packet rule 1 which was originated from Target. All the other packets are response to the 9 packets attack lunched from this server and that also guarantee that our packets has been sent and received correctly. The captured results can be viewed by importing the attached ethereal.
Ethereal output on all servers Snort.ids alert log file Snort log file Directory: courses courses -> Algorithms for Register Allocation Andrew Pardoe courses -> Ieor 4600 Mixed-Integer Rounding Inequalities courses -> San José State University Social Science/Psychology Psych 175, Management Psychology, Section 1, Spring 2014 courses -> Kennan's Telegram (Excerpt) courses -> The university of british columbia courses -> A hurricane track density function and empirical orthogonal function approach to predicting seasonal hurricane activity in the Atlantic Basin Elinor Keith April 17, 2007 Abstract courses -> Cover page need figure & title by Proposed Table of Contents courses -> Objectives courses -> Dr. Jeff Masters' WunderBlog Download 2.35 Mb. Share with your friends:
|