Snort and Wireshark
Snort and Wireshark
1. When running Snort IDS why might there be no alerts?
There are couple reasons when running Snort IDS there might be no alerts. The first one could be related to settings because the administrator has to set Snort IDS to its optimum settings in order to get any alerts. Since Snort works by ruleset, it can be mistakenly set up to a port other than what the network is using. The mistake can be done by either keeping the Snort default settings, or when users try to adjust them to their own network requirements. The point is when changing Snort default settings to rules other than what the website provided, the administrator might have disabled a packet sniffing on a specific port that needed to be enabled, therefore producing no alerts on that specific port. Also the ranges of ports that are set by the administrator to be scanned by Snort IDS for sniffing and incoming traffic may not be passing through any of those ports, therefore causing no alerts on the network.
2. If we only went to a few web sites, why are there so many alerts?
Typically, an Intrusion Detection System (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns using techniques such as packet sniffing. There would be a lot of alerts because Snort is public domain intrusion detection system which would monitors traffic by examining every packet on a network using a process called packet sniffing. Since Snort is a rule-based IDS, when a packet comes in, its source and destination IP addresses and ports are then compared to the rules in the ruleset. If any of them are applicable to the packet, then the options are compared to the packet. If all of these comparisons return a match, then the specified action is taken
3. What are the advantages of logging more information to the alerts file?
The advantage of logging more information in the alerts file is that it would lay out in details the attacks and the weaknesses of the network. Also having more information would help the network administrator prevent future attacks or apply necessary patches within the network. Finally, gathering all this information would enable the network administrator adjust the IDS to attacks specific to the network.
4. What are the disadvantages of logging more information to the alerts file?
The disadvantage of logging more information to the alerts file is that it would reveal all the weaknesses and defenses of the network to an attacker. Also having that information, the attacker can tailor his attack by using all other ports that are not being scanned by the IDS. Worst the system can be compromise without anyone noticing.
5. What are the advantages of using rule sets from the snort web site?
The advantages of using rule sets from the Snort website is that Snort has a very flexible rule sets configuration which can enable the administrator to write his own rule sets based on previously seen vulnerability. This flexibility therefore can help the administrator insert new rule sets into the rule base for a newly found attack. Also each rule is developed and tested using the same rigorous credentials and standards the VRT uses for Sourcefire customers. 6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security network and why? Couple of rules that can be added to a high level security network could be:
This Rule is to detect direct exploits and generally if we are looking for a windows exploit, such as Veritas, etc, they will be here. Attack-Response Rules:
These are designed to catch the results of a successful attack. Things like “id=root”, or error messages that indicate a compromise may have happened
This is a large ruleset that intends to catch specific attacks on specific applications. There are some general SQL injection rules that work pretty well to catch most of Web-SQL-Injection attacks. But these rules are much more specific to apps and web servers.
7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage? If a person with malicious intents gets a read/write access to an IDS log and/or rule set, would have the same right as an administrator, therefore having the right to modify, adjust and re-write rules, in order to be able to lunch new attacks on the network.
Also the person can adjust the ruleset to have his identity not being capture by the IDS. This can be done by altering for example ports that should be used for packet sniffing and intrusion detection, giving him a perfect map for future attacks on the network. Worst he can disable the IDS.
8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?
Stops trigger packets
Can use stream normalization techniques
Sensor issues might affect network traffic
Sensor overloading impacts the network
Must have a well-thought out security policy
Some impact on network (latency,jitter)
9. So, the “bad guy “decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen; the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision? If the IPS allows all the traffic through, it would then expose the whole network system to all sort of vulnerability which can be exploited later on. This would give for example an open door for an attacker to launch attacks, have access to sensitive data, inserting malware to the network and even leave a backdoors for future access when the system comes up.
On the other hand, denying all traffic would ensure that nothing bad can compromise the network security but at the same time would restrict the traffic to even genuine traffic coming through the network. Both decisions have inconvenient so therefore the final decision should be a consensus between the security team and the senior management because they have to take in consideration both consequences of denying communications to the network, and an attacker being able to compromise the network.
10. What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow?
What would you change to make it better? Snort’s flexibility, ease of configuration, raw packet analysis and the fact that we could create and insert new rules sets into the rule base make it a powerful intrusion detection device even though it is free. However I think the questions were not directly related to what I have experienced doing the lab, Even though the questions enabled me to do a lot of outside research. Meaning that performing the lab did not help me to answer the questions as much I thought it should.
CSEC 630 Lab2 -Intrusion Detection System and Protocol Analysis Lab (n.d.). University of Maryland University College. Retrieved from: https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NzkyMzkw/CSEC630_lab2_LEO.pdf?ou=33745
Caswell, Brian. “Snort-The Open Source Network IDS : More info about Snort” URL: http://www.snort.org/about.htm
Cisco Systems, Inc. Cisco IOS Intrusion Prevention System (IPS): Cisco IOS IPS Supported Signature List in 4.x Signature Format, http://www.cisco.com/en/US/partner/products/ps6634/products_white_paper0900aecd8039e2e4.shtml
The NSS Group “Snort 1.8.1. Questionnaire” 25 November 2001 URL:http://www.nss.co.uk/ids/snort/snort_questionnaire.htm
Andrew R. Baker “Deploying Snort” 17 April 2000. URL:http://www.dpo.uab.edu/~andrewb/snort/deploying.html