SlideShare ist ein Scribd-Unternehmen logo

26.1.7 lab snort and firewall rules

Freddy Buenaño
Freddy Buenaño

REDES

Ingenieurwesen
1 von 14
Downloaden Sie, um offline zu lesen
© 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 14 www.netacad.com Lab - Snort and Firewall Rules LABORATORIO 26.1.7 Nombre: Rafael Buenaño Semestre: 9no B Topology Objectives Part 1: Preparing the Virtual Environment Part 2: Firewall and IDS Logs Part 3: Terminate and Clear Mininet Process Background / Scenario In a secure production network, network alerts are generated by various types of devices such as security appliances, firewalls, IPS devices, routers, switches, servers, and more. The problem is that not all alerts are created equally. For example, alerts generated by a server and alerts generated by a firewall will be different and vary in content and format. In this lab, to get familiar with firewall rules and IDS signatures.
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 14 www.netacad.com Required Resources • CyberOps Workstation virtual machine • Internet connection Note: In this lab, the CyberOps Workstation VM is a container for holding the Mininet environment shown in the Topology. If a memory error is received in an attempt to run any command, quit out of the step, go to the VM settings, and increase the memory. The default is 1 GB; try 2GB. Instructions Part 1: Preparing the Virtual Environment a. Launch Oracle VirtualBox and change the CyberOps Workstation for Bridged mode, if necessary. Select Machine > Settings > Network. Under Attached To, select Bridged Adapter (or if you are using WiFi with a proxy, you may need NAT adapter) and click OK. b. Launch the CyberOps Workstation VM, open a terminal and configure its network by executing the configure_as_dhcp.sh script. Because the script requires super-user privileges, provide the password for the user analyst. [analyst@secOps ~]$ sudo ./lab.support.files/scripts/configure_as_dhcp.sh [sudo] password for analyst: [analyst@secOps ~]$ c. Use the ifconfig command to verify CyberOps Workstation VM now has an IP address on your local network. You can also test connectivity to a public webserver by pinging www.cisco.com. Use Ctrl+C to stop the pings. [analyst@secOps ~]$ ping www.cisco.com PING e2867.dsca.akamaiedge.net (23.204.15.199) 56(84) bytes of data. 64 bytes from a23-204-15-199.deploy.static.akamaitechnologies.com (23.204.15.199): icmp_seq=1 ttl=54 time=28.4 ms 64 bytes from a23-204-15-199.deploy.static.akamaitechnologies.com (23.204.15.199): icmp_seq=2 ttl=54 time=35.5 ms ^C --- e2867.dsca.akamaiedge.net ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 28.446/32.020/35.595/3.578 ms
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 14 www.netacad.com Part 2: Firewall and IDS Logs Firewalls and Intrusion Detection Systems (IDS) are often deployed to partially automate the traffic monitoring task. Both firewalls and IDSs match incoming traffic against administrative rules. Firewalls usually compare the packet header against a rule set while IDSs often use the packet payload for rule set comparison. Because firewalls and IDSs apply the pre-defined rules to different portions of the IP packet, IDS and firewall rules have different structures. While there is a difference in rule structure, some similarities between the components of the rules remain. For example, both firewall and IDS rules contain matching components and action components. Actions are taken after a match is found. • Matching component - specifies the packet elements of interest, such as: packet source; the packet destination; transport layer protocols and ports; and data included in the packet payload. • Action component - specifies what should be done with that packet that matches a component, such as: accept and forward the packet; drop the packet; or send the packet to a secondary rule set for further inspection. A common firewall design is to drop packets by default while manually specifying what traffic should be allowed. Known as dropping-by-default, this design has the advantage protecting the network from unknown
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 14 www.netacad.com protocols and attacks. As part of this design, it is common to log the events of dropped packets since these are packets that were not explicitly allowed and therefore, infringe on the organization’s policies. Such events should be recordxeteed for future analysis. Step 1: Real-Time IDS Log Monitoring a. From the CyberOps Workstation VM, run the script to start mininet. [analyst@secOps ~]$ sudo ./lab.support.files/scripts/cyberops_extended_topo_no_fw.py [sudo] password for analyst: *** Adding controller *** Add switches *** Add hosts *** Add links *** Starting network *** Configuring hosts R1 R4 H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 H11 *** Starting controllers *** Starting switches *** Add routes *** Post configure switches and hosts *** Starting CLI: mininet> The mininet prompt should be displayed, indicating mininet is ready for commands. b. From the mininet prompt, open a shell on R1 using the command below: mininet> xterm R1 mininet>
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 14 www.netacad.com Question: The R1 shell opens in a terminal window with black text and white background. What user is logged into that shell? What is the indicator of this? El Usuario root. Esto se indica con el signo # después del mensaje c. From R1’s shell, start the Linux-based IDS, Snort. [root@secOps analyst]# ./lab.support.files/scripts/start_snort.sh Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" <output omitted>
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 14 www.netacad.com Note: You will not see a prompt as Snort is now running in this window. If for any reason, Snort stops running and the [root@secOps analysts]# prompt is displayed, rerun the script to launch Snort. Snort must be running to capture alerts later in the lab. d. From the CyberOps Workstation VM mininet prompt, open shells for hosts H5 and H10. mininet> xterm H5 mininet> xterm H10 mininet> e. H10 will simulate a server on the Internet that is hosting malware. On H10, run the mal_server_start.sh script to start the server. [root@secOps analyst]# ./lab.support.files/scripts/mal_server_start.sh [root@secOps analyst]# f. On H10, use netstat with the -tunpa options to verify that the web server is running. When used as shown below, netstat lists all ports currently assigned to services:
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 14 www.netacad.com [root@secOps analyst]# netstat -tunpa Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 1839/nginx: master [root@secOps analyst]# As seen by the output above, the lightweight webserver nginx is running and listening to connections on port TCP 6666. g. In the R1 terminal window, an instance of Snort is running. To enter more commands on R1, open another R1 terminal by entering the xterm R1 again in the CyberOps Workstation VM terminal window. You may also want to arrange the terminal windows so that you can see and interact with each device. h. In the new R1 terminal tab, run the tail command with the -f option to monitor the /var/log/snort/alert file in real-time. This file is where snort is configured to record alerts. [root@sec0ps analyst]# tail -f /var/log/snort/alert Because no alerts were yet recorded, the log should be empty. However, if you have run this lab before, old alert entries may be shown. In either case, you will not receive a prompt after typing this command. This window will display alerts as they happen. i. From H5, use the wget command to download a file named W32.Nimda.Amm.exe. Designed to download content via HTTP, wget is a great tool for downloading files from web servers directly from the command line. [root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe --2017-04-28 17:00:04-- http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... connected. HTTP request sent, awaiting response... 200 OK Length: 345088 (337K) [application/octet-stream] Saving to: 'W32.Nimda.Amm.exe' W32.Nimda.Amm.exe 100%[==========================================>] 337.00K --.-KB/s in 0.02s 2017-04-28 17:00:04 (16.4 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088] [root@secOps analyst]# Question: What port is used when communicating with the malware web server? What is the indicator? TPuerto 6666, el Puerto se epecificó en la URL despues del separador : Was the file completely downloaded? Si Did the IDS generate any alerts related to the file download? Si j. As the malicious file was transiting R1, the IDS, Snort, was able to inspect its payload. The payload matched at least one of the signatures configured in Snort and triggered an alert on the second R1 terminal window (the tab where tail -f is running). The alert entry is show below. Your timestamp will be different:
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 14 www.netacad.com 04/28-17:00:04.092153 [**] [1:1000003:0] Malicious Server Hit! [**] [Priority: 0] {TCP} 209.165.200.235:34484 -> 209.165.202.133:6666 Questions: Based on the alert shown above, what was the source and destination IPv4 addresses used in the transaction? IP de la Fuente 209.165.200.235:58250 IP DESTINO 209.165.202.133:6666 Based on the alert shown above, what was the source and destination ports used in the transaction? Puerto de origen 58250 puerto destino 6666 Based on the alert shown above, when did the download take place? 2020-12-20 Aproximadamente 23:09:20 Based on the alert shown above, what was the message recorded by the IDS signature?
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 14 www.netacad.com Servidor malicioso Hit On H5, use the tcpdump command to capture the event and download the malware file again so you can capture the transaction. Issue the following command below start the packet capture: [root@secOps analyst]# tcpdump –i H5-eth0 –w nimda.download.pcap & [1] 5633 [root@secOps analyst]# tcpdump: listening on H5-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes The command above instructs tcpdump to capture packets on interface H5-eth0 and save the capture to a file named nimda.download.pcap. The & symbol at the end tells the shell to execute tcpdump in the background. Without this symbol, tcpdump would make the terminal unusable while it was running. Notice the [1] 5633; it indicates one process was sent to background and its process ID (PID) is 5366. Your PID will most likely be different. k. Press ENTER a few times to regain control of the shell while tcpdump runs in background. l. Now that tcpdump is capturing packets, download the malware again. On H5, re-run the command or use the up arrow to recall it from the command history facility. [root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe --2017-05-02 10:26:50-- http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... connected. HTTP request sent, awaiting response... 200 OK Length: 345088 (337K) [application/octet-stream] Saving to: 'W32.Nimda.Amm.exe' W32.Nimda.Amm.exe 100%[===================>] 337.00K --.-KB/s in 0.003s 2017-05-02 10:26:50 (105 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088]
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 14 www.netacad.com m. Stop the capture by bringing tcpdump to foreground with the fg command. Because tcpdump was the only process sent to background, there is no need to specify the PID. Stop the tcpdump process with Ctrl+C. The tcpdump process stops and displays a summary of the capture. The number of packets may be different for your capture. [root@secOps analyst]# fg tcpdump -i h5-eth0 -w nimda.download.pcap ^C316 packets captured 316 packets received by filter 0 packets dropped by kernel [root@secOps analyst]# n. On H5, Use the ls command to verify the pcap fls -lile was in fact saved to disk and has size greater than zero: [root@secOps analyst]# ls -l total 1400 drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files -rw-r--r-- 1 root root 371784 Aug 17 14:48 nimda.download.pcap drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive -rw-r--r-- 1 root root 345088 Apr 14 15:17 W32.Nimda.Amm.exe -rw-r--r-- 1 root root 345088 Apr 14 15:17 W32.Nimda.Amm.exe.1 [root@secOps analyst]#
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 14 www.netacad.com Note: Your directory list may have a different mix of files, but you should still see the nimda.download.pcap file. fgQuestion: How can be this PCAP file be useful to the security analyst? Los archivos PCAP contienen los paquetes relacionados con el tráfico visto por la NIC de captura. De esa manera, el PCAP es muy útil para volver a rastrear eventos de red como la comunicación a puntos finales maliciosos. Se pueden utilizar herramientas como Wireshark para facilitar el análisis PCAP. Note: The analysis of the PCAP file will be performed in another lab. Step 2: Tuning Firewall Rules Based on IDS Alerts In Step 1, you started an internet-based malicious server. To keep other users from reaching that server, it is recommended to block it in the edge firewall. In this lab’s topology, R1 is not only running an IDS but also a very popular Linux-based firewall called iptables. In this step, you will block traffic to the malicious server identified in Step 1 by editing the firewall rules currently present in R1. Note: While a comprehensive study of iptables is beyond the scope of this course, iptables basic logic and rule structure is fairly straight-forward. The firewall iptables uses the concepts of chains and rules to filter traffic. Traffic entering the firewall and destined to the firewall device itself is handled by the INPUT chain. Examples of this traffic are ping packets coming from any other device on any networks and sent to any one of the firewall’s interfaces. Traffic originated in the firewall device itself and destined to somewhere else, is handled by the OUTPUT chain. Examples of this traffic are ping responses generated by the firewall device itself. Traffic originated somewhere else and passing through the firewall device is handled by the FORWARD chain. Examples of this traffic are packets being routed by the firewall.
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 14 www.netacad.com Each chain can have its own set of independent rules specifying how traffic is to be filtered for that chain. A chain can have practically any number of rules, including no rule at all. Rules are created to check specific characteristics of packets, allowing administrators to create very comprehensive filters. If a packet doesn’t match a rule, the firewall moves on to the next rule and checks again. If a match is found, the firewall takes the action defined in the matching rule. If all rules in a chain have been checked and yet no match was found, the firewall takes the action specified in the chain’s policy, usually allow the packet to flow through or deny it. a. In the CyberOps Workstation VM, start a third R1 terminal window. mininet > xterm R1 b. In the new R1 terminal window, use the iptables command to list the chains and their rules currently in use: [root@secOps ~]# iptables -L -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 6 packets, 504 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination [root@secOps ~]# Question: What chains are currently in use by R1? Entrada, salida y avance c. Connections to the malicious server generate packets that must transverse the iptables firewall on R1. Packets traversing the firewall are handled by the FORWARD rule and therefore, that is the chain that will
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 13 of 14 www.netacad.com receive the blocking rule. To keep user computers from connecting to the malicious server identified in Step 1, add the following rule to the FORWARD chain on R1: [root@secOps ~]# iptables -I FORWARD -p tcp -d 209.165.202.133 --dport 6666 - j DROP [root@secOps ~]# Where: o -I FORWARD: inserts a new rule in the FORWARD chain. o -p tcp: specifies the TCP protocol. o -d 209.165.202.133: specifies the packet’s destination o --dport 6666: specifies the destination port o -j DROP: set the action to drop. d. Use the iptables command again to ensure the rule was added to the FORWARD chain. The CyberOps Workstation VM may take a few seconds to generate the output: [root@secOps analyst]# iptables -L -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- any any anywhere 209.165.202.133 tcp dpt:6666 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination [root@secOps analyst]# e. On H5, try to download the file again: [root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe --2017-05-01 14:42:37-- http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... failed: Connection timed out. Retrying. --2017-05-01 14:44:47-- (try: 2) http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... failed: Connection timed out. Retrying. Enter Ctrl+C to cancel the download, if necessary. Questions: Was the download successful this time? Explain. No. El cortafuegos bloquea las conexiones al servidor de alojamiento de malware What would be a more aggressive but also valid approach when blocking the offending server? En lugar de especificar IP, protocolo y puerto, una regla podría simplemente bloquear la dirección IP del servidor. Esto cortaría completamente el acceso a ese servidor desde la red interna.
Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 14 of 14 www.netacad.com Part 3: Terminate and Clear Mininet Process a. Navigate to the terminal used to start Mininet. Terminate the Mininet by entering quit in the main CyberOps VM terminal window. b. After quitting Mininet, clean up the processes started by Mininet. Enter the password cyberops when prompted. [analyst@secOps scripts]$ sudo mn –c [sudo] password for analyst: End of document

Empfohlen

SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture shortAvirot Mitamura
 
Hping Kullanarak TCP/IP Paketleriyle Oynama
Hping Kullanarak TCP/IP Paketleriyle OynamaHping Kullanarak TCP/IP Paketleriyle Oynama
Hping Kullanarak TCP/IP Paketleriyle OynamaBGA Cyber Security
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle AttackDeepak Upadhyay
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
Asp.net control
Asp.net controlAsp.net control
Asp.net controlPaneliya Prince
 
Nessus Basics
Nessus BasicsNessus Basics
Nessus Basicsamiable_indian
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Server configuration
Server configurationServer configuration
Server configurationAisha Talat
 

Empfohlen

SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture shortAvirot Mitamura
 
Hping Kullanarak TCP/IP Paketleriyle Oynama
Hping Kullanarak TCP/IP Paketleriyle OynamaHping Kullanarak TCP/IP Paketleriyle Oynama
Hping Kullanarak TCP/IP Paketleriyle OynamaBGA Cyber Security
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle AttackDeepak Upadhyay
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
Asp.net control
Asp.net controlAsp.net control
Asp.net controlPaneliya Prince
 
Nessus Basics
Nessus BasicsNessus Basics
Nessus Basicsamiable_indian
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Server configuration
Server configurationServer configuration
Server configurationAisha Talat
 
Windows Security
Windows Security Windows Security
Windows Security Pooja Talreja
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Hping, TCP/IP Paket Üretici
Hping, TCP/IP Paket ÜreticiHping, TCP/IP Paket Üretici
Hping, TCP/IP Paket ÜreticiBGA Cyber Security
 
Open Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIOpen Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIBGA Cyber Security
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Apache web service
Apache web serviceApache web service
Apache web serviceManash Kumar Mondal
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
SIEM - Varolan Verilerin Anlamı
SIEM - Varolan Verilerin AnlamıSIEM - Varolan Verilerin Anlamı
SIEM - Varolan Verilerin AnlamıBGA Cyber Security
 
Ch06 Wireless Network Security
Ch06 Wireless Network SecurityCh06 Wireless Network Security
Ch06 Wireless Network SecurityInformation Technology
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Nagios
NagiosNagios
Nagiosguest7e7e305
 
Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Kelson Silva
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Intruders
IntrudersIntruders
IntrudersALOK KUMAR
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Adli Bilişim Açısından E-posta Sistemi
Adli Bilişim Açısından E-posta SistemiAdli Bilişim Açısından E-posta Sistemi
Adli Bilişim Açısından E-posta SistemiBGA Cyber Security
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by stepDewa Ketut Setiawan
 
Final ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxFinal ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxAKHIL969626
 

Weitere ähnliche Inhalte

Was ist angesagt?

BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Open Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIOpen Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIBGA Cyber Security
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
SIEM - Varolan Verilerin Anlamı
SIEM - Varolan Verilerin AnlamıSIEM - Varolan Verilerin Anlamı
SIEM - Varolan Verilerin AnlamıBGA Cyber Security
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Kelson Silva
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Adli Bilişim Açısından E-posta Sistemi
Adli Bilişim Açısından E-posta SistemiAdli Bilişim Açısından E-posta Sistemi
Adli Bilişim Açısından E-posta SistemiBGA Cyber Security
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 

Was ist angesagt? (20)

Windows Security
Windows Security Windows Security
Windows Security
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
Hping, TCP/IP Paket Üretici
Hping, TCP/IP Paket ÜreticiHping, TCP/IP Paket Üretici
Hping, TCP/IP Paket Üretici
 
Open Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-IIOpen Source Soc Araçları Eğitimi 2020-II
Open Source Soc Araçları Eğitimi 2020-II
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Apache web service
Apache web serviceApache web service
Apache web service
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
SIEM - Varolan Verilerin Anlamı
SIEM - Varolan Verilerin AnlamıSIEM - Varolan Verilerin Anlamı
SIEM - Varolan Verilerin Anlamı
 
Ch06 Wireless Network Security
Ch06 Wireless Network SecurityCh06 Wireless Network Security
Ch06 Wireless Network Security
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Nagios
NagiosNagios
Nagios
 
Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations Configure Cisco Routers for Syslog, NTP, and SSH Operations
Configure Cisco Routers for Syslog, NTP, and SSH Operations
 
S/MIME
S/MIMES/MIME
S/MIME
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and Sessions
 
Intruders
IntrudersIntruders
Intruders
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Adli Bilişim Açısından E-posta Sistemi
Adli Bilişim Açısından E-posta SistemiAdli Bilişim Açısından E-posta Sistemi
Adli Bilişim Açısından E-posta Sistemi
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 

Ähnlich wie 26.1.7 lab snort and firewall rules

Final ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxFinal ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxAKHIL969626
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu theviper0308
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsToradex
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
 
7 hands on
7 hands on7 hands on
7 hands onvideos
 
Laporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdfLaporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdfIGedeArieYogantaraSu
 
Com 135 final project user manual
Com 135 final project user manualCom 135 final project user manual
Com 135 final project user manualbiasimistfur1984
 
2232016 Sample Implementation Plan1.htmlfileCUsers.docx
2232016 Sample Implementation Plan1.htmlfileCUsers.docx2232016 Sample Implementation Plan1.htmlfileCUsers.docx
2232016 Sample Implementation Plan1.htmlfileCUsers.docxeugeniadean34240
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdfLaporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdfIGedeArieYogantaraSu
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkRiyaj Shamsudeen
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxcarliotwaycave
 
Security Gateway CP R70
Security Gateway CP R70Security Gateway CP R70
Security Gateway CP R70dzihiro
 

Ähnlich wie 26.1.7 lab snort and firewall rules (20)

Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Final ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxFinal ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docx
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux Systems
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
7 hands on
7 hands on7 hands on
7 hands on
 
Laporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdfLaporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 4 -Kelas C - Kelompok 3.pdf
 
Com 135 final project user manual
Com 135 final project user manualCom 135 final project user manual
Com 135 final project user manual
 
2232016 Sample Implementation Plan1.htmlfileCUsers.docx
2232016 Sample Implementation Plan1.htmlfileCUsers.docx2232016 Sample Implementation Plan1.htmlfileCUsers.docx
2232016 Sample Implementation Plan1.htmlfileCUsers.docx
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdfLaporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Security Gateway CP R70
Security Gateway CP R70Security Gateway CP R70
Security Gateway CP R70
 

Mehr von Freddy Buenaño

27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tupleFreddy Buenaño
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actorFreddy Buenaño
 
27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcap27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcapFreddy Buenaño
 
27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorial27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorialFreddy Buenaño
 
27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal format27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal formatFreddy Buenaño
 
25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sources25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sourcesFreddy Buenaño
 
25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementation25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementationFreddy Buenaño
 

Mehr von Freddy Buenaño (8)

27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor
 
27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcap27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcap
 
27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorial27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorial
 
27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal format27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal format
 
25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sources25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sources
 
25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementation25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementation
 

Kürzlich hochgeladen

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARKOUSTAV SARKAR
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesMayuraD1
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxSCMS School of Architecture
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityMorshed Ahmed Rahath
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxSCMS School of Architecture
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"mphochane1998
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilVinayVitekari
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxchumtiyababu
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdfAldoGarca30
 
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptxOrlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptxMuhammadAsimMuhammad6
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiessarkmank1
 

Kürzlich hochgeladen (20)

HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech Civil
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptxOrlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 

26.1.7 lab snort and firewall rules

  • 1. © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 14 www.netacad.com Lab - Snort and Firewall Rules LABORATORIO 26.1.7 Nombre: Rafael Buenaño Semestre: 9no B Topology Objectives Part 1: Preparing the Virtual Environment Part 2: Firewall and IDS Logs Part 3: Terminate and Clear Mininet Process Background / Scenario In a secure production network, network alerts are generated by various types of devices such as security appliances, firewalls, IPS devices, routers, switches, servers, and more. The problem is that not all alerts are created equally. For example, alerts generated by a server and alerts generated by a firewall will be different and vary in content and format. In this lab, to get familiar with firewall rules and IDS signatures.
  • 2. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 14 www.netacad.com Required Resources • CyberOps Workstation virtual machine • Internet connection Note: In this lab, the CyberOps Workstation VM is a container for holding the Mininet environment shown in the Topology. If a memory error is received in an attempt to run any command, quit out of the step, go to the VM settings, and increase the memory. The default is 1 GB; try 2GB. Instructions Part 1: Preparing the Virtual Environment a. Launch Oracle VirtualBox and change the CyberOps Workstation for Bridged mode, if necessary. Select Machine > Settings > Network. Under Attached To, select Bridged Adapter (or if you are using WiFi with a proxy, you may need NAT adapter) and click OK. b. Launch the CyberOps Workstation VM, open a terminal and configure its network by executing the configure_as_dhcp.sh script. Because the script requires super-user privileges, provide the password for the user analyst. [analyst@secOps ~]$ sudo ./lab.support.files/scripts/configure_as_dhcp.sh [sudo] password for analyst: [analyst@secOps ~]$ c. Use the ifconfig command to verify CyberOps Workstation VM now has an IP address on your local network. You can also test connectivity to a public webserver by pinging www.cisco.com. Use Ctrl+C to stop the pings. [analyst@secOps ~]$ ping www.cisco.com PING e2867.dsca.akamaiedge.net (23.204.15.199) 56(84) bytes of data. 64 bytes from a23-204-15-199.deploy.static.akamaitechnologies.com (23.204.15.199): icmp_seq=1 ttl=54 time=28.4 ms 64 bytes from a23-204-15-199.deploy.static.akamaitechnologies.com (23.204.15.199): icmp_seq=2 ttl=54 time=35.5 ms ^C --- e2867.dsca.akamaiedge.net ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 28.446/32.020/35.595/3.578 ms
  • 3. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 14 www.netacad.com Part 2: Firewall and IDS Logs Firewalls and Intrusion Detection Systems (IDS) are often deployed to partially automate the traffic monitoring task. Both firewalls and IDSs match incoming traffic against administrative rules. Firewalls usually compare the packet header against a rule set while IDSs often use the packet payload for rule set comparison. Because firewalls and IDSs apply the pre-defined rules to different portions of the IP packet, IDS and firewall rules have different structures. While there is a difference in rule structure, some similarities between the components of the rules remain. For example, both firewall and IDS rules contain matching components and action components. Actions are taken after a match is found. • Matching component - specifies the packet elements of interest, such as: packet source; the packet destination; transport layer protocols and ports; and data included in the packet payload. • Action component - specifies what should be done with that packet that matches a component, such as: accept and forward the packet; drop the packet; or send the packet to a secondary rule set for further inspection. A common firewall design is to drop packets by default while manually specifying what traffic should be allowed. Known as dropping-by-default, this design has the advantage protecting the network from unknown
  • 4. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 14 www.netacad.com protocols and attacks. As part of this design, it is common to log the events of dropped packets since these are packets that were not explicitly allowed and therefore, infringe on the organization’s policies. Such events should be recordxeteed for future analysis. Step 1: Real-Time IDS Log Monitoring a. From the CyberOps Workstation VM, run the script to start mininet. [analyst@secOps ~]$ sudo ./lab.support.files/scripts/cyberops_extended_topo_no_fw.py [sudo] password for analyst: *** Adding controller *** Add switches *** Add hosts *** Add links *** Starting network *** Configuring hosts R1 R4 H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 H11 *** Starting controllers *** Starting switches *** Add routes *** Post configure switches and hosts *** Starting CLI: mininet> The mininet prompt should be displayed, indicating mininet is ready for commands. b. From the mininet prompt, open a shell on R1 using the command below: mininet> xterm R1 mininet>
  • 5. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 14 www.netacad.com Question: The R1 shell opens in a terminal window with black text and white background. What user is logged into that shell? What is the indicator of this? El Usuario root. Esto se indica con el signo # después del mensaje c. From R1’s shell, start the Linux-based IDS, Snort. [root@secOps analyst]# ./lab.support.files/scripts/start_snort.sh Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" <output omitted>
  • 6. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 14 www.netacad.com Note: You will not see a prompt as Snort is now running in this window. If for any reason, Snort stops running and the [root@secOps analysts]# prompt is displayed, rerun the script to launch Snort. Snort must be running to capture alerts later in the lab. d. From the CyberOps Workstation VM mininet prompt, open shells for hosts H5 and H10. mininet> xterm H5 mininet> xterm H10 mininet> e. H10 will simulate a server on the Internet that is hosting malware. On H10, run the mal_server_start.sh script to start the server. [root@secOps analyst]# ./lab.support.files/scripts/mal_server_start.sh [root@secOps analyst]# f. On H10, use netstat with the -tunpa options to verify that the web server is running. When used as shown below, netstat lists all ports currently assigned to services:
  • 7. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 14 www.netacad.com [root@secOps analyst]# netstat -tunpa Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 1839/nginx: master [root@secOps analyst]# As seen by the output above, the lightweight webserver nginx is running and listening to connections on port TCP 6666. g. In the R1 terminal window, an instance of Snort is running. To enter more commands on R1, open another R1 terminal by entering the xterm R1 again in the CyberOps Workstation VM terminal window. You may also want to arrange the terminal windows so that you can see and interact with each device. h. In the new R1 terminal tab, run the tail command with the -f option to monitor the /var/log/snort/alert file in real-time. This file is where snort is configured to record alerts. [root@sec0ps analyst]# tail -f /var/log/snort/alert Because no alerts were yet recorded, the log should be empty. However, if you have run this lab before, old alert entries may be shown. In either case, you will not receive a prompt after typing this command. This window will display alerts as they happen. i. From H5, use the wget command to download a file named W32.Nimda.Amm.exe. Designed to download content via HTTP, wget is a great tool for downloading files from web servers directly from the command line. [root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe --2017-04-28 17:00:04-- http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... connected. HTTP request sent, awaiting response... 200 OK Length: 345088 (337K) [application/octet-stream] Saving to: 'W32.Nimda.Amm.exe' W32.Nimda.Amm.exe 100%[==========================================>] 337.00K --.-KB/s in 0.02s 2017-04-28 17:00:04 (16.4 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088] [root@secOps analyst]# Question: What port is used when communicating with the malware web server? What is the indicator? TPuerto 6666, el Puerto se epecificó en la URL despues del separador : Was the file completely downloaded? Si Did the IDS generate any alerts related to the file download? Si j. As the malicious file was transiting R1, the IDS, Snort, was able to inspect its payload. The payload matched at least one of the signatures configured in Snort and triggered an alert on the second R1 terminal window (the tab where tail -f is running). The alert entry is show below. Your timestamp will be different:
  • 8. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 14 www.netacad.com 04/28-17:00:04.092153 [**] [1:1000003:0] Malicious Server Hit! [**] [Priority: 0] {TCP} 209.165.200.235:34484 -> 209.165.202.133:6666 Questions: Based on the alert shown above, what was the source and destination IPv4 addresses used in the transaction? IP de la Fuente 209.165.200.235:58250 IP DESTINO 209.165.202.133:6666 Based on the alert shown above, what was the source and destination ports used in the transaction? Puerto de origen 58250 puerto destino 6666 Based on the alert shown above, when did the download take place? 2020-12-20 Aproximadamente 23:09:20 Based on the alert shown above, what was the message recorded by the IDS signature?
  • 9. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 14 www.netacad.com Servidor malicioso Hit On H5, use the tcpdump command to capture the event and download the malware file again so you can capture the transaction. Issue the following command below start the packet capture: [root@secOps analyst]# tcpdump –i H5-eth0 –w nimda.download.pcap & [1] 5633 [root@secOps analyst]# tcpdump: listening on H5-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes The command above instructs tcpdump to capture packets on interface H5-eth0 and save the capture to a file named nimda.download.pcap. The & symbol at the end tells the shell to execute tcpdump in the background. Without this symbol, tcpdump would make the terminal unusable while it was running. Notice the [1] 5633; it indicates one process was sent to background and its process ID (PID) is 5366. Your PID will most likely be different. k. Press ENTER a few times to regain control of the shell while tcpdump runs in background. l. Now that tcpdump is capturing packets, download the malware again. On H5, re-run the command or use the up arrow to recall it from the command history facility. [root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe --2017-05-02 10:26:50-- http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... connected. HTTP request sent, awaiting response... 200 OK Length: 345088 (337K) [application/octet-stream] Saving to: 'W32.Nimda.Amm.exe' W32.Nimda.Amm.exe 100%[===================>] 337.00K --.-KB/s in 0.003s 2017-05-02 10:26:50 (105 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088]
  • 10. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 14 www.netacad.com m. Stop the capture by bringing tcpdump to foreground with the fg command. Because tcpdump was the only process sent to background, there is no need to specify the PID. Stop the tcpdump process with Ctrl+C. The tcpdump process stops and displays a summary of the capture. The number of packets may be different for your capture. [root@secOps analyst]# fg tcpdump -i h5-eth0 -w nimda.download.pcap ^C316 packets captured 316 packets received by filter 0 packets dropped by kernel [root@secOps analyst]# n. On H5, Use the ls command to verify the pcap fls -lile was in fact saved to disk and has size greater than zero: [root@secOps analyst]# ls -l total 1400 drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files -rw-r--r-- 1 root root 371784 Aug 17 14:48 nimda.download.pcap drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive -rw-r--r-- 1 root root 345088 Apr 14 15:17 W32.Nimda.Amm.exe -rw-r--r-- 1 root root 345088 Apr 14 15:17 W32.Nimda.Amm.exe.1 [root@secOps analyst]#
  • 11. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 14 www.netacad.com Note: Your directory list may have a different mix of files, but you should still see the nimda.download.pcap file. fgQuestion: How can be this PCAP file be useful to the security analyst? Los archivos PCAP contienen los paquetes relacionados con el tráfico visto por la NIC de captura. De esa manera, el PCAP es muy útil para volver a rastrear eventos de red como la comunicación a puntos finales maliciosos. Se pueden utilizar herramientas como Wireshark para facilitar el análisis PCAP. Note: The analysis of the PCAP file will be performed in another lab. Step 2: Tuning Firewall Rules Based on IDS Alerts In Step 1, you started an internet-based malicious server. To keep other users from reaching that server, it is recommended to block it in the edge firewall. In this lab’s topology, R1 is not only running an IDS but also a very popular Linux-based firewall called iptables. In this step, you will block traffic to the malicious server identified in Step 1 by editing the firewall rules currently present in R1. Note: While a comprehensive study of iptables is beyond the scope of this course, iptables basic logic and rule structure is fairly straight-forward. The firewall iptables uses the concepts of chains and rules to filter traffic. Traffic entering the firewall and destined to the firewall device itself is handled by the INPUT chain. Examples of this traffic are ping packets coming from any other device on any networks and sent to any one of the firewall’s interfaces. Traffic originated in the firewall device itself and destined to somewhere else, is handled by the OUTPUT chain. Examples of this traffic are ping responses generated by the firewall device itself. Traffic originated somewhere else and passing through the firewall device is handled by the FORWARD chain. Examples of this traffic are packets being routed by the firewall.
  • 12. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 14 www.netacad.com Each chain can have its own set of independent rules specifying how traffic is to be filtered for that chain. A chain can have practically any number of rules, including no rule at all. Rules are created to check specific characteristics of packets, allowing administrators to create very comprehensive filters. If a packet doesn’t match a rule, the firewall moves on to the next rule and checks again. If a match is found, the firewall takes the action defined in the matching rule. If all rules in a chain have been checked and yet no match was found, the firewall takes the action specified in the chain’s policy, usually allow the packet to flow through or deny it. a. In the CyberOps Workstation VM, start a third R1 terminal window. mininet > xterm R1 b. In the new R1 terminal window, use the iptables command to list the chains and their rules currently in use: [root@secOps ~]# iptables -L -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 6 packets, 504 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination [root@secOps ~]# Question: What chains are currently in use by R1? Entrada, salida y avance c. Connections to the malicious server generate packets that must transverse the iptables firewall on R1. Packets traversing the firewall are handled by the FORWARD rule and therefore, that is the chain that will
  • 13. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 13 of 14 www.netacad.com receive the blocking rule. To keep user computers from connecting to the malicious server identified in Step 1, add the following rule to the FORWARD chain on R1: [root@secOps ~]# iptables -I FORWARD -p tcp -d 209.165.202.133 --dport 6666 - j DROP [root@secOps ~]# Where: o -I FORWARD: inserts a new rule in the FORWARD chain. o -p tcp: specifies the TCP protocol. o -d 209.165.202.133: specifies the packet’s destination o --dport 6666: specifies the destination port o -j DROP: set the action to drop. d. Use the iptables command again to ensure the rule was added to the FORWARD chain. The CyberOps Workstation VM may take a few seconds to generate the output: [root@secOps analyst]# iptables -L -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- any any anywhere 209.165.202.133 tcp dpt:6666 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination [root@secOps analyst]# e. On H5, try to download the file again: [root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe --2017-05-01 14:42:37-- http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... failed: Connection timed out. Retrying. --2017-05-01 14:44:47-- (try: 2) http://209.165.202.133:6666/W32.Nimda.Amm.exe Connecting to 209.165.202.133:6666... failed: Connection timed out. Retrying. Enter Ctrl+C to cancel the download, if necessary. Questions: Was the download successful this time? Explain. No. El cortafuegos bloquea las conexiones al servidor de alojamiento de malware What would be a more aggressive but also valid approach when blocking the offending server? En lugar de especificar IP, protocolo y puerto, una regla podría simplemente bloquear la dirección IP del servidor. Esto cortaría completamente el acceso a ese servidor desde la red interna.
  • 14. Lab - Snort and Firewall Rules © 2018 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 14 of 14 www.netacad.com Part 3: Terminate and Clear Mininet Process a. Navigate to the terminal used to start Mininet. Terminate the Mininet by entering quit in the main CyberOps VM terminal window. b. After quitting Mininet, clean up the processes started by Mininet. Enter the password cyberops when prompted. [analyst@secOps scripts]$ sudo mn –c [sudo] password for analyst: End of document