Csec 630 Lab 2

Submitted By duran805
[Screenshots from the lab: directory listing of C:\snort\bin\ showing the *.conf, *.rules and *.pcap files; the PCAP file opened in Wireshark with a TCP-only display filter; the Snort command run and the resulting alert file after modifying the Snort rules; the renamed alert file (Alert 2).]

1. When running Snort IDS why might there be no alerts?

There are several reasons Snort may produce no alerts. The most common is that Snort has not been configured correctly: it has to be listening on the right network interface (or reading the right capture file), and the configuration and rule files it is given have to load without error. Another reason, according to the Snort FAQ, is that the missing alerts can be "the result of a checksum offloading issue." (Snort FAQ, 2016) When the capturing host's network card offloads checksum computation, the packets Snort sees carry bad checksums, and Snort discards such packets before they ever reach rule matching. Adding -k none to the command line tells Snort to skip checksum verification and restores the alerts.

2. If you only went to a few web sites, why are there so many alerts?
Snort is an open-source intrusion detection system (IDS). An IDS analyzes many different types of network traffic to detect abnormalities and known-bad patterns. Snort inspects every packet that crosses the monitored interface, not only the page requests the user typed into the browser. A single visit to a web site also produces DNS lookups, TCP handshakes, and usually a number of additional requests to other hosts for scripts, images and advertisements. Each of these flows, whether TCP, UDP, ICMP or HTTP, is checked against every loaded rule, so depending on which protocols were used when going to the web site, many different alerts can be produced by Snort from just a few visits.
3. What are the advantages of logging more information to the alerts file?
The advantage of logging more information to the alert file is that it is more useful to a system administrator trying to figure out what type of malware or attack is being carried out. A fuller alert records the packet headers and the rule that fired alongside the message, rather than the message alone. The more information the administrator has, the better the decision they can make about what traffic to look for and how to protect the network.
4. What are the disadvantages of logging more information to the alerts file?
The biggest disadvantage of logging more information is that the system administrator has more work going through the alerts: there is more data to sift through before reaching the information that actually matters. This delay leaves the network exposed longer, until the alerts can be interpreted. Verbose output also costs disk space and processing time on the sensor, and an IDS that spends its time writing alerts can start dropping packets under load. Another disadvantage is that if an attacker were able to read the information gathered, he or she would know which specific ports and protocols are being monitored, and could use different ports and protocols that are not.
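As an added illustration for questions 2 to 4 (not part of the original lab or the Snort project), the Python script below parses Snort's fast alert format, the one-line-per-alert layout written by -A fast, and summarises the alerts by protocol, by signature and by priority. The alert lines it runs on are constructed for the example, using local-rule SIDs (1000001 and up) and documentation IP ranges; they are not taken from the lab's alert file. Grouping this way shows why a few web visits produce many alerts (one visit touches DNS, TCP, HTTP and ICMP) and is the kind of triage that gets slower as the alert file grows.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Snort "fast" alert line layout (alert_fast output, i.e. -A fast):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
# Classification and Priority are optional; ICMP lines carry addresses without ports.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert file: local SIDs, RFC 5737 documentation addresses.
SAMPLE_ALERTS = """\
06/27-10:15:02.103311  [**] [1:1000001:1] LOCAL DNS query to external resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {UDP} 192.168.1.10:51234 -> 192.0.2.53:53
06/27-10:15:02.118940  [**] [1:1000001:1] LOCAL DNS query to external resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {UDP} 192.168.1.10:51235 -> 192.0.2.53:53
06/27-10:15:02.402778  [**] [1:1000002:1] LOCAL HTTP GET to external host [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:49152 -> 198.51.100.20:80
06/27-10:15:02.655120  [**] [1:1000003:2] LOCAL HTTP response carries executable content [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.20:80 -> 192.168.1.10:49152
06/27-10:15:03.001009  [**] [1:1000004:1] LOCAL ICMP echo request to external host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 198.51.100.20
06/27-10:15:03.210443  [**] [1:1000002:1] LOCAL HTTP GET to external host [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:49153 -> 198.51.100.21:80
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int      # 0 means the line carried no [Priority: n] field
    proto: str
    src: str
    dst: str


def parse_fast_alerts(text):
    """Parse every well-formed fast-format alert line; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"] or "",
            priority=int(m["prio"]) if m["prio"] else 0,
            proto=m["proto"].upper(), src=m["src"], dst=m["dst"],
        ))
    return alerts


def count_by_protocol(alerts):
    """How many alerts each transport/network protocol produced."""
    return Counter(a.proto for a in alerts)


def count_by_signature(alerts):
    """How many times each (gid, sid, msg) fired; the usual first cut when triaging."""
    return Counter((a.gid, a.sid, a.msg) for a in alerts)


def high_priority(alerts, max_priority=1):
    """Alerts at or above a severity threshold; in Snort's scheme priority 1 is the most severe."""
    return [a for a in alerts if 0 < a.priority <= max_priority]


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    print("alerts:", len(parsed))
    print("by protocol:", dict(count_by_protocol(parsed)))
    for (gid, sid, msg), n in count_by_signature(parsed).most_common():
        print(f"  {n:3d}  [{gid}:{sid}] {msg}")
    for a in high_priority(parsed):
        print("HIGH:", a.ts, a.msg, a.src, "->", a.dst)
```

Running it on a real alert file is a matter of replacing SAMPLE_ALERTS with the file's contents; the grouping by signature is what tells you whether hundreds of alerts are one noisy rule or many distinct events.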
5. What are the advantages of using rule sets from the snort web site?

According to the Snort FAQ, Snort "Rules are a different methodology for performing detection, which bring the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data." (Snort FAQ, 2016) The advantage of using the rule sets from the Snort web site is that they have been written specifically for Snort: they are maintained by the Snort team, use the rule syntax and preprocessors Snort supports, and have been tested against it, so they cause fewer problems than a third-party or home-grown rule set.

6. Describe (in plain English) at least one type of ruleset you would want to add to a high level security network and why?
The following rule set from the Snort web site is one I would want in a high-security network.
• blacklist.rules – This category contains URI, USER-AGENT, DNS, and IP address rules that have been determined to be indicators of malicious activity. These rules are based on activity from the Talos virus sandboxes, public lists of malicious URLs, and other data sources. (Snort.org, 2016) This rule set flags traffic to and from known malicious hosts and domains, which you would not want on your network under any circumstances.
7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?
A person with malicious intent who gained read/write access to the IDS could do a number of things. The biggest advantage is that the IDS log and rule set together give the attacker intimate knowledge of the network: the logs show which hosts, ports and protocols are watched and what traffic has already been noticed, and the rules show exactly which patterns trigger an alert and, by omission, which do not. With write access the attacker can go further and rewrite or comment out rules so that specific traffic is no longer monitored, letting him or her come and go on the network undetected, and can edit or delete log entries to erase the evidence of the intrusion.
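An added example, not from the lab or the Snort distribution, of the check a defender would run to catch the tampering described above: a keyed fingerprint of every .conf and .rules file is recorded while the rule set is known-good, and later compared with the live files to flag anything added, removed or edited (for instance a rule that has been commented out). The script builds a throwaway directory with constructed rule files to demonstrate this; the directory layout, file names and key are assumptions for the example. The key and the baseline have to be kept off the sensor, because an attacker with write access to the IDS host could otherwise update the baseline to match the modified rules.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# File types that make up the Snort rule set and its configuration.
RULE_SUFFIXES = (".rules", ".conf")


def fingerprint_tree(root, key):
    """Map each rule/config file (relative path) to an HMAC-SHA256 of its bytes.

    A keyed MAC rather than a plain hash, so that someone who can edit the
    rules but does not hold the key cannot compute a matching fingerprint."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in RULE_SUFFIXES:
            mac = hmac.new(key, p.read_bytes(), hashlib.sha256).hexdigest()
            out[p.relative_to(root).as_posix()] = mac
    return out


def compare(baseline, current):
    """Report files added, removed or changed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            name for name in baseline.keys() & current.keys()
            if not hmac.compare_digest(baseline[name], current[name])
        ),
    }


def demo():
    """Build a constructed rule directory, baseline it, tamper with it, and diff."""
    key = b"example-key-kept-off-the-sensor"   # constructed; a real key lives off-box
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "snort.conf").write_text("include local.rules\ninclude blacklist.rules\n")
        (root / "local.rules").write_text(
            'alert tcp any any -> any 80 (msg:"LOCAL HTTP GET to external host"; '
            'content:"GET"; sid:1000002; rev:1;)\n')
        (root / "blacklist.rules").write_text(
            'alert ip any any -> 192.0.2.0/24 any (msg:"LOCAL known-bad host"; '
            'sid:1000005; rev:1;)\n')
        baseline = fingerprint_tree(root, key)

        # Simulated attacker with write access: silence one rule by commenting it
        # out, delete the blacklist entirely, and drop in a file of their own.
        rules = root / "local.rules"
        rules.write_text("# " + rules.read_text())
        (root / "blacklist.rules").unlink()
        (root / "attacker.rules").write_text("# nothing to see here\n")

        return compare(baseline, fingerprint_tree(root, key))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {names}")
```

In practice the baseline is produced once after a verified rule update and re-checked from a separate host (or a cron job whose key is not readable by the Snort service account); any non-empty result is itself an alert worth paging on, since a legitimate rule change should already be known.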
8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?

Waiting for all the information means buffering and reassembling a whole stream before deciding; allowing packets through on statistics means classifying each packet as it arrives from what has already been seen. The advantages and disadvantages below, from the Ubiquity article, fall on either side of that line.
Advantages
• Can detect malicious signatures and stop them before they enter the network. A verdict made on the complete data, rather than on a fragment, is the more reliable of the two.
• An IPS can help prevent exposure of software flaws that would allow attackers to damage data.
• Allows the use of stream normalization techniques, which require the full stream to be available. ("Ubiquity: Intrusion prevention systems", 2005)
Disadvantages
• False positives and false negatives: legitimate activity being blocked and malicious activity being let through. A decision made early, on statistics, is more prone to both.
• Having multiple IPS appliances on the network to protect it better drives up the cost; it can be expensive.
• If the IPS is overwhelmed with too much traffic, it slows the network down. Waiting for complete streams adds latency and buffering, which makes this worse under load. ("Ubiquity: Intrusion prevention systems", 2005)

9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen, the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?
If the administrator lets all traffic through unchecked while the IPS is down (fail open), the attacker who caused the outage gets into the network and can launch further attacks. If the administrator denies all traffic until the system comes back (fail closed), the attacker is blocked, but so is all legitimate traffic in and out of the network, so the denial of service against the IPS becomes a denial of service against the whole network. The decision turns on which costs more for the segment the IPS protects, an outage or an undetected intrusion, and on whether other controls still stand behind the IPS while it is down. It is a catch-22 for the administrator either way.

10. What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow? What would you change to make it better?
What I found useful about this lab was the use of Snort. I have not used Snort much, and having the ability to use and modify rule sets was very enlightening. The instructions were pretty well written and I found them easy to follow. The only thing I could think of expanding in this lab would be the rule set portion: give more instruction on what you are actually modifying, or why a particular rule set is useful.
References
Explanation of Rules. (2016). Snort.org. Retrieved 27 June 2016, from https://www.snort.org/rules_explanation
Snort FAQ. (2016). Snort.org. Retrieved 26 June 2016, from https://www.snort.org/faq/i-m-not-receiving-alerts-in-snort
Ubiquity: Intrusion prevention systems. (2005). Ubiquity.acm.org. Retrieved 27 June 2016, from http://ubiquity.acm.org/article.cfm?id=1071927
