CISC180 - Project 3

docx

School

Northampton County Area Community College *

*We aren’t endorsed by this school

Course

180

Subject

Computer Science

Date

Feb 20, 2024

Type

docx

Pages

Uploaded by HighnessMeerkat3580

CISC180 – Project 3 Part 1: using the Microsoft online Security Bulletins Time Microsoft has made its security bulletins available in a searchable online database. All security professionals need to be familiar with using this database. In this project, you will explore the online database. 1. Open your web browser and enter the URL https://portal.msrc.microsoft.com/en-us/ . (The location of content on the Internet may change without warning. If you are no longer able to access the program through this URL, use a search engine to search for “Microsoft Security Response Center.”) 2. Click read the Security update Guide FAQ. 3. Click expand all to read through the information. 4. Click the link https://www.icasi.org/cvrf/ (or enter it into another tab in your browser). What is the Common Vulnerability Reporting Framework (CVRF)? How is it used? The CVRF is a standardized format for conveying information regarding software vulnerabilities. The Forum of Incident Response and Security Teams (FIRST) created it to give a common vocabulary and structure for reporting vulnerabilities, allowing businesses to share and understand vulnerability information more easily. 5. Return to the Microsoft Security Update Guide and then the MSRC main page. 6. Click the Go to the Security update Guide button. 7. If no security updates appear, adjust the From date to the first day of the previous month. 8. Scroll through the list of security updates. 9. Click the first link under Article. 10. Read through this information. 11. Now return to the previous page and select another article to read. 12. How useful is this information? Is it presented in a format that is helpful? I feel like the information is useful because it covers what has been fixed in the new update. And the format is good because it is short and to the point. 13. Now click the CVE link under details and read this information. Note the detail of this information. 14. Read the information under exploitability Assessment (if the exploit you selected does not list an Exploitability Assessment, then select another that does include the assessment). What does this mean? Open another tab on your web browser, and search for Microsoft exploitability Index. Read through the description that you find and keep this tab open. 15. Return to the Microsoft Security Update Guide and view the exploitability Assessment. How serious is this security vulnerability? 16. How important is this information to a security professional? How easy is this online database to use? 17. Now compare the Microsoft database with Apple’s. Enter the URL https://support.apple.com/en-us/HT201222 . (The location of content on the Internet may change

CISC180 – Project 3 without warning. If you are no longer able to access the program through the above URL, use a search engine to search for “Apple Security Updates.”) 18. Scroll down through the list of Apple security updates. How does this list compare with the updates from Microsoft? 19. Select a recent event under Name and information link 20. Read the information about the update. How does this information compare with Microsoft’s information? Why is there such a difference? Which provides better information for security professions? 21. Close all windows. Part 2: Software to Locate a Missing Laptop If a mobile device is lost or stolen, there are several different security features that can be used to locate the device or limit the damage. Many of these can be used through an installed third-party app. If you have Windows 10, there is a built-in location tracker, although it might be turned off. 1. Open your web browser and enter the URL https://account.microsoft.com/devices 2. Log in with your Microsoft account (if you have one). What are the limitations for enabling device tracking? Next, go to https://preyproject.com/ What does this software do? Do you think this would be useful in an enterprise environment? Why or why not? Part 3: Installing and configuring Snort rules on Windows Snort is an open-source IDS. Snort rules can be defined on any operating system. Here, we will configure Snort rules on Windows. (You can use Splashtop and install on the classroom computer if necessary.) Step one The first step is to download Snort itself After you have downloaded Snort, download Snort rules Because these rules are community rules, you can download without having to sign up. If you go for subscription rules (which will cost you around $30 a year for an individual), you can expect the greatest Snort rules and updates for new sets of rules. There is not much difference between the community rules and the subscribers' rules—they have the same structure, but you will get updates for new Snort rules very quickly if you are a subscriber.

CISC180 – Project 3 When installing Snort in root directory, a popup will appear for installing Winpcap. Install it if it’s not already installed in your Windows. To check whether Snort has successfully installed, Open Command Prompt and go to Snort Directory. cd Snort Check if there is a bin directory created under directory folder. Now, go to Bin directory and check Snort version. cd bin Snort -V Extract all the Snort rules folders that you downloaded before, and from there, copy all the content from the folder to c:\Snort\rules . Similarly, copy all the content from the preproc_rules folder to c:/Snort/preproc_rules . If it asks to overwrite the files, say yes to all. It will replace all the old versions with new preproc rules. After you have copied all the contents, the main task starts here. Go to c:/Snort/etc and open Snort.conf with notepad. CONF stands for configure. Snort.conf has nine different sections. First, we will set the variables. The first variable we have is HOME_NET . You can leave this to any, but it is preferred to put your machine IP address. In my case, the IP is 172.16.234.3. EXTERNAL_NET leave any line as it is. If you have a DNS SERVER, make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS server IP address. Otherwise, leave it blank. Now, scroll down to RULE_PATH , and replace ../rules with c:\Snort\rules and replace ../so_rules with c:\Snort\so_rules . At last, replace ../preproc_rules with c:\Snort\ preproc_rules Also, change the WHITE_LIST_PATH and BLACK_LIST_PATH from ../rules to c:\Snort\rules Now, navigate to c:\Snort\rules and create two text files named whitelist and blacklist and change their file extension from .txt to .rules, . If a pop up appears, click yes. Step two

Your preview ends here

Eager to read complete document? Join bartleby learn and gain access to the full version

Access to all documents
Unlimited textbook solutions
24/7 expert homework help

CISC180 – Project 3 That’s all for step one, and there is nothing much to do in step two but set #config logdir: to config logdir:c:\Snort\log . This will help Snort write the output in a particular location. Step four Now, straightaway go to step four. In this, we have to configure dynamic loaded libraries. At path to dynamic preprocessor libraries, replace usr/local/lib/snort_dynamicpreprocessor with your dynamic preprocessor, which is C:\Snort\lib\snort_dynamicpreprocessor . Similarly, replace usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, which is C:\Snort\lib\snort_dynamicengine\sf_engine.dll . Comment (#) the dynamic rule libraries line, as we have already configured the libraries. Step five Now, we are on step five. Add a comment(#) before all the listed preprocessors under inline packet normalization. They do nothing but generate errors at the runtime. Step six In step six, configuring output plugins, provide the location of the classification.config and replace it with C:\Snort\etc\classification.config . Similarly, provide the location of the reference.config and replace it with C:\Snort\etc\reference.config . In the next line, add output alert_fast: alert.ids for snort to dump all logs in alert.ids In Snort.conf file, find and replace ipvar to var . By default, the string ipvar is not recognized by snort, so we replace it with var. To find and replace, press Ctrl + H . In the "find what" field, write "ipvar," and in the replace field, write "var." Then, click Replace all. Step seven The last step is to remove the backslash and add comment characters # on lines 501–507. These lines can be found above step six. Also, comment any line under this section that has a $Rule_Path for a rule that doesn’t exist in your rules folder Save the snort.conf file and close the window.

CISC180 – Project 3 Now it's time to set the Snort rule. Go to c:\Snort\rules and create an icmp-info.rules in wordpad. At the end, add a rule (required), such as: alert tcp any any -> any any(msg: "Testing Alert" ; sid:1000001) In my case, I don’t have any criteria, so it will load on any ICMP packet it receives. In the above rule, we have also provide a signature id (sid), which is highly required. By convention, when you write your own Snort rules, you have to start above 999999. To verify the snort is actually generating alerts, open the Command prompt and go to c:\Snort\ bin and write a command. snort -iX -A console -c C:\snort\etc\snort.conf -l C:\Snort\log -K ascii Here, X is your device index number. In my case, it's 1 . Hit Enter, and you are all set. You should see Snort start and go into monitoring mode. If not, you will have to troubleshoot your snort.conf file to see what went wrong. (You can also check the manual if you need extra help.) Performance considerations If Snort occupies high CPU usage without high amounts of traffic to analyze, it may be indicative of too high a volume of traffic, insufficient system resources, or some other process that is consuming most of the CPU. Sometimes, too many rules are added, which means the packet queue drops the packet because it fills before Snort has a chance to look at them. Best practice is to only enable rules you need so Snort can spend more time grabbing packets from the queue. Never enable all rules, or you will most likely experience performance issues. For example, if you are in a Windows-only environment, only enable Windows-related rules. In addition, use Berkeley Packet Filters (BPF) to limit traffic to machines or ports that need to be inspected. For example, if you have a network backup server, it’s best to tell Snort to ignore traffic from it,

CISC180 – Project 3 since it will generate a large amount of traffic. BPFs are added as the last command-line options to Snort: snort -iX -A console -c C:\snort\etc\snort.conf -l C:\Snort\log -K ascii 'not host 192.168.1.100' --== Initializing Snort ==-- Initializing Output Plugins! Snort BPF option: not host 192.168.1.100 Another performance consideration is to only log alerts in the unified2 binary format rather than ascii. This will speed up the process of writing out logs.

Your preview ends here

Eager to read complete document? Join bartleby learn and gain access to the full version

Access to all documents
Unlimited textbook solutions
24/7 expert homework help

CISC180 - Project 3

Related Documents