Lab 8 Snort_Student22-1.docx
School: Northern Kentucky University
Course: 285
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 6
Uploaded by: JusticeStarGiraffe9

CIT 285 - Lab #8: Snort and Nmap

1: Introduction

In this lab, we will learn about network intrusion detection with the open source tool Snort while it is running on your server (i.e. the Metasploit VM). We will also use tshark, the text interface to Wireshark, to examine captured packets, and the Nmap port scanner. Nmap is an industry standard tool because few port scanning tools match its capabilities, particularly considering Nmap is open source. Both your Kali and Metasploitable VMs should be powered on to perform the necessary pings and scans. In this lab your Metasploit VM will act as a server running the IDS program (Snort), and your Kali VM will be the client (the device being pinged).

1.1: In Metasploit, change to root, then verify the tshark version on Metasploit is up to date. The Metasploit login and password are both msfadmin.

sudo su -
apt-get install snort tshark

Configure the snort.conf file to use your Metasploit VM IP address. This ensures traffic is captured by snort when sent to and from your Metasploit VM.

nano /etc/snort/snort.conf

Find the line highlighted in the image and change the IP listed to your Meta VM IP. Keep the /24 mask.

References:
Nmap.org – Reference Guide
Nmap.org – Port Scanning Techniques

2: Detecting Network Scans

In the questions below, if multiple alerts are generated of the same type, indicate the number of alerts of that type.

Note: you can view your VMs in their own window by holding down and dragging the tab of the VM outside the VMware window. This can help you view alert messages in real time without having to switch between your Kali and Metasploit VM in one window.

Updated 2022 p1

In your Linux server (the Metasploit VM), run the following commands to watch for alerts. The tail command allows you to view new data that is added to the snort alert log.

snort -c /etc/snort/snort.conf -D
tail -f /var/log/snort/alert

2.1: From the client (your Kali VM), ping a server hosted by Nmap for testing purposes using the command below. When the pings complete, view the alerts in the snort log running on your Linux server (your Metasploit VM). Does anything show up in the snort alert log? If there is an alert, list the snort alert name (found in the first line of the alert) and the classification (if included), found in the second line, in the table below.

ping -c 3 scanme.nmap.org

Alerts Seen [Y/N]: N
Snort Alert Name:
Classification:

2.2: Next, ping your Linux server from your client server. Notice that alerts captured by Snort have a time stamp; new alerts are listed at the bottom of the log file. Then use nmap to scan your Linux server. What alerts show up in the snort alert log? List the snort alert name (found in the first line of the alert) and the classification, which is found in the second line, in the box below.

ping -c 3 METASPLOIT_SERVER_IP
nmap -sT METASPLOIT_SERVER_IP

Alerts Seen for ping and nmap [Y/N]: Y
Snort Alert Name: TCP Portscan
Classification/Priority: 3

2.3: Use a stealthy FIN scan to identify open ports on your Linux server. How many alerts show up in the snort alert log? Is the FIN (-sF) scan more or less stealthy than the TCP connection (-sT) scan? Include one of the alerts in the box below, along with answers to the questions. If there are no alerts, write “no alerts”.

nmap -sF METASPLOIT_SERVER_IP

Number of Alerts: No alerts
Snort Alert Name:
Classification/Priority:
More or Less Stealthy (?):
Alert Example:
What does the -sF scan do when packets are sent?

2.4: Use a stealthy XMAS scan to identify open ports on your Linux server. How many alerts appear in the snort alert log? Is the XMAS (-sX) scan more or less stealthy than the TCP connection (-sT) scan? Include one of the alerts in the box below, along with answers to the questions.

nmap -sX METASPLOIT_SERVER_IP

Total Number of Alerts: No alerts
Snort Alert Name:
Classification/Priority:
More or Less Stealthy (?):
Alert Example:
What does the -sX scan do?

2.5: Attempt to make a scan stealthier by using IP fragmentation and the null scan. Does anything show up in the snort alert log? If there is an alert, list the snort alert name (found in the first line of the alert) and the classification, which is found in the second line, in the box below. If nothing, just write “no alert.”

nmap -f -sN METASPLOIT_SERVER_IP

Alerts Seen [Y/N]: Y
Snort Alert Name: Fragmentation Overlap
Classification/Priority: 3
Number of Alerts (0 – 9): 2
More or Less Stealthy (?): More
Alert Example:
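As an added example (not part of the lab handout and not Snort's or Nmap's own code), the Python script below automates the two bookkeeping chores of this lab: step 1.1's edit of the network variable in snort.conf, and the tallying of alert names, classifications and priorities from /var/log/snort/alert that questions 2.1 to 2.5 ask for. It assumes the highlighted snort.conf line is the HOME_NET variable (written `ipvar HOME_NET` or `var HOME_NET` depending on the Snort 2 release) and that Snort writes its default "full" alert format, in which the first line of a record carries the alert name and the second the classification and priority, exactly as the lab describes. The sample alert text inside it is constructed for illustration, not captured from the lab VMs, and the function names (set_home_net, parse_alerts, tally, lab_row) are the example's own.

```python
"""Helpers for the hands-on steps of the Snort lab (added example, not handout code).
Assumes the snort.conf line to edit is HOME_NET and that Snort writes its default
'full' alert format to /var/log/snort/alert."""
import re
from collections import Counter
from ipaddress import ip_address

# --- step 1.1: rewrite HOME_NET ---------------------------------------------
# Matches either spelling Snort 2 has used: "ipvar HOME_NET x" or "var HOME_NET x".
HOME_NET_RE = re.compile(r"^(\s*(?:ipvar|var)\s+HOME_NET\s+)(\S+)", re.MULTILINE)

def set_home_net(conf_text, server_ip, prefix_len=24):
    """Return (new_conf_text, lines_changed), keeping the /24 mask the lab asks for.
    lines_changed == 0 means no HOME_NET line was found, so traffic would not be
    matched as home-network traffic."""
    ip_address(server_ip)  # raises ValueError on a malformed address
    return HOME_NET_RE.subn(rf"\g<1>{server_ip}/{prefix_len}", conf_text)

# --- section 2: parse the alert file ----------------------------------------
# Constructed sample in Snort's full alert format (not captured from the lab VMs).
# Record layout: line 1 = [gid:sid:rev] name, line 2 = classification/priority,
# line 3 = timestamp src -> dst, then protocol details, blank line between records.
SAMPLE_ALERT_LOG = """\
[**] [122:1:1] (portscan) TCP Portscan [**]
[Classification: Attempted Information Leak] [Priority: 3]
11/20-10:15:32.104512 192.168.56.101 -> 192.168.56.102
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:162

[**] [122:1:1] (portscan) TCP Portscan [**]
[Classification: Attempted Information Leak] [Priority: 3]
11/20-10:15:40.991203 192.168.56.101 -> 192.168.56.102
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:162

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
11/20-10:22:03.557810 192.168.56.101 -> 192.168.56.102
TCP TTL:47 TOS:0x0 ID:12345 IpLen:20 DgmLen:44 MF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)")

def parse_alerts(text):
    """Return one dict per alert record. The classification is optional
    (preprocessor alerts often carry only a priority), so it may be None."""
    alerts, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        rec = {"gid": int(m[1]), "sid": int(m[2]), "name": m[4], "classification": None,
               "priority": None, "timestamp": None, "src": None, "dst": None}
        c = CLASS_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if c:
            rec["classification"], rec["priority"] = c[1], int(c[2])
            i += 1
        f = FLOW_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if f:
            rec["timestamp"], rec["src"], rec["dst"] = f[1], f[2], f[3]
            i += 1
        alerts.append(rec)
        i += 1
    return alerts

def tally(alerts):
    """Count alerts per (name, classification, priority): one lab table row each."""
    return Counter((a["name"], a["classification"], a["priority"]) for a in alerts)

def lab_row(text):
    """Produce the 'Alerts Seen [Y/N]' answer plus per-type rows with counts,
    from the alert text that arrived while one scan ran."""
    counts = tally(parse_alerts(text))
    if not counts:
        return {"seen": "N", "rows": []}
    return {"seen": "Y", "rows": [{"name": n, "classification": c, "priority": p, "count": k}
                                  for (n, c, p), k in counts.most_common()]}

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERT_LOG
    for row in lab_row(text)["rows"]:
        print(row)
```

The script needs Python 3, so if the server's Python is older, copy /var/log/snort/alert to a host that has it and pass the file path as the first argument. Because Snort appends to the same file across all scans, saving a copy of the file before each scan and diffing afterwards (or cutting at the timestamp on each record's third line) isolates the alerts belonging to one scan, which is what the per-question counts in section 2 require.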