CSEC630 Lab Assignment 2
Submitted By tinietempah
1. When running Snort IDS why might there be no alerts?
It is possible that a user will get no alerts while running Snort IDS. One reason could be that the user did not set Snort up with settings appropriate for the network, for example configuring it on a port that is not being used by the network. Snort works from a set of rules. The user can download these rules from the Snort website and use them with their default settings, or modify them to the requirements and needs of his/her own network. By changing the default settings of the rules provided on the Snort website, the user might disable packet sniffing on a port that needs to be enabled, so that no alerts are raised for that port. It is also possible that the user set a range of ports for Snort IDS to sniff, and the traffic coming into the network is not arriving on any of those ports, which mutes the alerts.

2. If we only went to a few web sites, why are there so many alerts?
An Intrusion Detection System (IDS) provides a wide range of monitoring techniques, including packet sniffing, file integrity monitoring, and even artificial intelligence algorithms that detect anomalies in network traffic. Snort, a public domain intrusion detection system, monitors traffic by analyzing every packet on a network, looking for malevolent content. It does this by putting the network adapter into promiscuous mode so that it can see all network traffic on the wire, a process referred to as packet sniffing. Snort is a rule-based IDS, which means that it applies a set of rules, based on known attack signatures, to each packet. When it detects an attack signature, it performs the action designated in the rule.

3. What are the advantages of logging more information to the alerts file?
The advantage of logging more information to the alerts file is that it gives the network administrator details of the attacks or vulnerabilities. The more information the alerts file gathers, the better a network administrator can understand how to prevent and deal with future attacks. Using the information gathered in the alerts file, the network administrator can fine-tune his/her IDS and IPS to deal with the network attacks specific to his/her network.

4. What are the disadvantages of logging more information to the alerts file?
The disadvantage of logging more information to the alerts file is that, if the file is compromised, it gives away all of the network's defense secrets. An attacker can use that information to avoid the ports that Snort is sniffing on, customize his/her attack to use alternate ports that are not being watched by any IDS or IPS, and cause maximum damage to the attacked network without raising any red flags for the network administrator.

5. What are the advantages of using rule sets from the Snort web site?
Rules are a different methodology for performing detection, which brings the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Developing a rule requires an acute understanding of how the vulnerability actually works (Snort.org). One of the advantages of Snort is its ease of configuration. Rules are very flexible, easily written, and easily inserted into the rule base. If a new exploit or attack is found, a rule for the attack can be added to the rule base in a matter of seconds (Brennan, 2002). Another advantage of using rule sets from the Snort website is that each rule is developed and tested using the same rigorous standards the VRT uses for Sourcefire customers (Snort.org).

6. Describe (in plain English) at least one type of rule set you would want to add to a high level security network and why?
I would want to add the following three rule sets to a high-level security network.
Backdoor.rules:
This rule set detects traffic generated by backdoor network connections, including those created by attackers using rootkits and stealthy remote control applications such as SubSeven, NetBus and DeepThroat. By adding this rule set, the network administrator will be able to keep track of such traffic. (Cox & Gerg, 2004)
Chat.rules:
This rule set watches for people using Instant Messengers (IM) and other internet chat protocols. Some of the files transferred over IM via file sharing can introduce malware into the network. (Cox & Gerg, 2004)
Exploit.rules:
This rule set includes signatures of many known exploits; an alert from it indicates that an exploit attempt has occurred. When the network administrator sees one of these alerts, s/he can verify whether the target system is, in fact, vulnerable to the attack, which can lead to a system patch and update to address the vulnerability the exploit attempted to use. (Cox & Gerg, 2004)
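As an added illustration of how the rules discussed in questions 1, 5 and 6 are matched against traffic, here is a small Python rule matcher written for this page (it is example code, not Snort's own implementation). The three rules, the port numbers and the payload marker are constructed for the example; the port-spec parsing covers only the any / N / N:M / N: / :M / !spec forms, not Snort's full syntax or variables.

```python
# Tiny Snort-style rule matcher (added illustration, not Snort's own code). It parses the
# header/options syntax the answers refer to and applies rules to constructed packets.
# Rules, ports and the payload marker below are constructed, not taken from a real rule set.
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action proto sport dport msg content sid")
RULE_RE = re.compile(r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)"
                     r"\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Parse one rule; options are 'key:value;' pairs (values may not contain ';')."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    opts = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["sport"], m["dport"], opts.get("msg", ""),
                opts.get("content", "").encode(), int(opts.get("sid", 0)))

def port_matches(spec, port):
    """Evaluate a Snort-like port spec (any | N | N:M | N: | :M | !spec) against one port."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def match_packet(rules, proto, sport, dport, payload=b""):
    """Return [(sid, msg)] for every rule whose header and content option match the packet."""
    hits = []
    for r in rules:
        if (r.proto in ("ip", proto) and port_matches(r.sport, sport)
                and port_matches(r.dport, dport) and (not r.content or r.content in payload)):
            hits.append((r.sid, r.msg))
    return hits

# Constructed rule set: a rule scoped to ports 1-1024 (question 1: traffic on other ports never
# alerts), a backdoor.rules-style single-port rule and an exploit.rules-style content rule (question 6).
RULES = [parse_rule(t) for t in (
    'alert tcp any any -> any 1:1024 (msg:"Constructed low-port rule"; sid:1000001;)',
    'alert tcp any any -> any 27374 (msg:"Constructed backdoor port rule"; sid:1000002;)',
    'alert tcp any any -> any any (msg:"Constructed exploit content rule"; '
    'content:"CONSTRUCTED_SIGNATURE"; sid:1000003;)')]
```

A packet to TCP port 8080 with no payload marker matches none of these rules, which is the "no alerts" situation from question 1; the same packet to port 27374 trips the backdoor-style rule.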

7. If a person with malicious intent were to get into your network and have read/write access to your IDS log or rule set how could they use that information to their advantage?
If a person with malicious intent gets read/write access to an IDS log and/or rule set, s/he can use it to his/her advantage in many ways. The biggest advantage is that the whole network becomes the person's playground. S/he can rewrite all of the rules, allowing any future attacks on the network. The person can also delete all of the logs that point to his/her presence on the network, set up a rule so that the log will not record any intrusion from his/her IP address, or disable the IDS altogether. The person can also see and modify the ports that are being used for packet sniffing and intrusion detection, which gives him/her a clear idea of which ports to avoid in future attacks on the network.

8. An intrusion prevention system can either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?
Advantages:
- The user can configure an IPS sensor to perform a packet drop that can stop the trigger packet, the packets in a connection, or packets from a source IP address.
- Being inline, an IPS sensor can use stream normalization techniques to reduce or eliminate many of the network evasion capabilities that exist.
Disadvantages:
- An IPS sensor must be inline and, therefore, IPS sensor errors or failures can have a negative effect on network traffic.
- Overrunning IPS sensor capabilities with too much traffic negatively affects the performance of the network.
- Users deploying IPS sensor response actions must have a well thought-out security policy combined with a good operational understanding of their IPS deployments.
- An IPS sensor will affect network timing because of latency, jitter, and so on. An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not negatively affected.
- Packets that are dropped based on false alarms can result in network disruption if the dropped packets are required for mission-critical applications downstream of the IPS sensor.

9. So, the “bad guy” decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen: the system can allow all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you must consider in making this design decision?
By allowing all the traffic through, the IPS can compromise the stability and security of the network. This can result in partial or complete inaccessibility of resources to both internal and external individuals if the Denial of Service (DoS) is launched on a new target internal to the network. Even worse, the attacker can have an unfiltered route to launch exploits on the network, such as stealing information or planting malware and backdoors for future access. Alternatively, denying all traffic removes the ability for remote hosts to send legitimate traffic into the network, but it also ensures that the attacker won't get anything through the compromised security device. When making this design decision, the network administrator must weigh the consequences of denying communications to the network against the consequences of an attacker compromising his/her network.

10. What did you find particularly useful about this lab (please be specific)? What if anything was difficult to follow? What would you change to make it better?
The ability to create rules and then run them to monitor the activities performed on the personal network was very useful to me. It gave me personal hands-on experience performing these activities. To me, switching back to the command prompt to run Snort was a bit challenging, not because the instructions were unclear, but more because I have been out of the DOS environment for a little while. It took me a few moments, but I was able to get a hold of it after a few attempts. I personally think that this exercise would be easier to use if not done in a VM. I was having a bit of a problem with the mouse lag in the Windows 98 running in the VM. Other than that, overall, I think that this lab is a good way to expose a novice user to the Snort IDS.

References:
Brennan, M. P. (2002). Using Snort for a Distributed Intrusion Detection System. Retrieved from http://www.sans.org/reading_room/whitepapers/detection/snort-distributed-intrusion-detection-system_352

Cox, K. & Gerg, C. (2004). Deploying Snort, Snorts and IDS Tools (pp. 114-115). Sebastopol, CA: O'Reilly Media Inc.

Snort.org (2013). Snort FAQ. Retrieved from http://www.snort.org/snort/faq/#2.1
