-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathIntrusionDetectionSystemLabEasy.html
More file actions
206 lines (172 loc) · 16.7 KB
/
IntrusionDetectionSystemLabEasy.html
File metadata and controls
206 lines (172 loc) · 16.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
<!-- saved from url=(0080)http://mountrouidoux.people.cofc.edu/CyberPaths/intrusiondetectionsystem_v2.html -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Intrusion Detection System Lab</title>
<link rel="stylesheet" style="text/css" href="./css/skeleton.css" media="screen">
<link rel="stylesheet" style="text/css" href="./css/skeleton.css" media="print">
<script src="js/jquery.js"></script>
<script src="js/main.js"></script>
</head>
<body>
<div class="container">
<div id="header">
<div id="header_info">
<center><h1 id="logo_cyber">Cyberpaths</h1></center>
</div>
</div>
<div id="site_body">
<div id="actual_content">
<center><div id="main_title"><h5>- Intrusion Detection Systems Lab -</h5></div></center><br>
<br><div class="title_bg"><h3>Lab Goals</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
<li>To get you acquainted with different Intrusion Detection Systems (IDSs)</li>
<li>To install an IDS on a real machine on GENI</li>
<li>To use the IDS to detect Distributed Denial of Service Attacks</li>
<li>To create and study IDS rules</li>
<li>To study IDS logs and understand them</li>
</ol>
</div>
<br><div class="title_bg"><h3>Quick introduction to Software Defined Networks (SDN)</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
This lab is using a powerful network architecture, Software Defined Networking (SDN). SDN is a flexible, agile, and fully programmable network paradigm. Openflow is the framework that offers this standardization and programmability for the software swiches that are used in SDN architectures.
In the SDN architecture, the network and control plane are separated, offering a logically centralized Controller that can be easily programmable. This is pretty powerful, and, in more complicated topologies, can allow for the duplication of traffic through a switch to a monitor, a machine decentralized from the network and dedicated to monitoring for attacks. We call this a mirroring port. We will see its value when we install a Monitoring node where all traffic that goes through the switch is duplicated to it through the morriring port.
The following videos give good introductions to SDN and Openflow:
<ul>
<li><a href="https://www.youtube.com/watch?v=DiChnu_PAzA" target="_blank">Intro to SDN</a> </li>
<li><a href="https://www.youtube.com/watch?v=rYW7kQRyUvA" target="_blank">Intro to OpenvSwitch</a></li>
</ul>
</ol>
</div>
<br><div class='title_bg'><h3>Prerequisites</h3></div><hr>
<div class='subcontent'>
<ol class='instructions'>
<li>You will need basic command line knowledge to complete this lab. Codecademy has a great <a href='https://www.codecademy.com/learn/learn-the-command-line' target=_blank>tutorial</a> on this topic. </li>
<li>In this lab, you will implement a computer network attack, Denial of Service (DoS). This attack is designed to deprive services, such as web content, from legitimate users. From Wikipedia: "In computing, a denial-of-service attack is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet." You can watch a <a href='https://www.linkedin.com/learning/ethical-hacking-denial-of-service/understanding-denial-of-service' target=_blank> video</a> about this attack and <a href='https://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks' target=_blank> read more</a> about recent DDoS attacks using the Internet of Things interconnected devices. </li>
<li>To analyze the computer network traffic from this attack, we will use tool called <a href='https://www.wireshark.org/' target=_blank>Wireshark</a>. Here is a quick <a href='https://www.youtube.com/watch?v=TkCSr30UojM' target=_blank> video tutorial</a> for this tool.</li>
<li>Iperf is a tool that is used through command line to generate computer network traffic that resembles regular usage of a computer network. You can read more about this tool <a href='https://www.techrepublic.com/blog/linux-and-open-source/iperf-a-simple-but-powerful-tool-for-troubleshooting-networks/' target=_blank> here</a>.</li>
<li>Hping3 is another computer networking tool that you will use. This tool, with the proper command line options, can generate a flood of computer network traffic that can overwhelm and take over networking resources. You can read more about this tool <a href='https://en.wikipedia.org/wiki/Hping' target=_blank> here</a>.</li>
<li>Snort is an Intrusion Detection System that alerts about computer network attacks by crossckecking their characteristics against a database of attack signatures. You can learn more about Snort by reading the original <a href='https://www.usenix.org/legacy/event/lisa99/full_papers/roesch/roesch.pdf' target=_blank> publication</a> and the <a href='http://manual-snort-org.s3-website-us-east-1.amazonaws.com/' target=_blank> manual</a>.</li>
<ol>
</div>
<br><div class="title_bg"><h3>Part 1: Setting up the topology</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
<li>Create a new slice under the corresponding project.</li>
<li>Click the "Add Resources" button located on the page of your newly created slice.</li>
<li>Click the URL option.<br><center><img class="u-max-full-width" src="img/screenshots/Screenshot_1.png"></center></li>
<li>Paste the following link into the input box: <b style="color:red;">http://mountrouidoux.people.cofc.edu/CyberPaths/files/IDSLabEasyRSpec.txt <!-- CHANGE THE LINK FOR THE RSPEC HERE --></b>. Alternatively you may access our <a href='https://github.com/mundruid/CyberPaths/tree/master/RSpecs' target=_blank> github repository</a> with RSpecs and other scripts.</li>
<li>Then, click on the "Select" button.<br><center><img class="u-max-full-width" src="img/screenshots/Screenshot_25.png"></center></li>
<li>Your topology should now be loaded and look similar to the picture below.<br><center><img class="u-max-full-width" src="img/screenshots/Screenshot_97.png"></center></li>
<li>Now, click on "Site 1", select one of the available aggregates from the dropdown menu on the left, and reserve the resources.<br><center><img class="u-max-full-width" src="img/screenshots/Screenshot_27.png"></center></li>
<li>Then, wait some time until all your resources are ready. You can check the status of these by going to the page of your slice. If the background color of a given node is gray, then that node is not yet available; if it is green, then it is ready.</li>
</ol></div>
<br><div class="title_bg"><h3>Part 2: Setting up your nodes; Node: Monitor</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
<li>Now that your topology resources are reserved and available for you to log into (for help on how to log into the nodes, please refer to one of the previous guides: <a href='http://mountrouidoux.people.cofc.edu/CyberPaths/GettingStartedWindowsHelloGENI.html' target=_blank>Windows users</a> or <a href='http://mountrouidoux.people.cofc.edu/CyberPaths/gettingstartedmac.html' target=_blank>Mac users</a>), we need to set up different things on each node. Let's get started with the Monitor.</li>
<li>We must set up the intrusion detection software (<a href="https://www.snort.org/" target="_blank">Snort</a>, in our case) so the Monitor node can act like an Intrusion Detection System (IDS) and monitor our topology.</li>
<li>On the Monitor, execute the following command to install snort:
<pre><code>sudo apt-get install snort -y</code></pre>
<li>At some point during the installation of snort, you will be asked for a home network range. Enter: <b style="color:red;">10.10.0.0/16</b>. This is the subnet mask applied to the machines in the network of the topology. For more information about subnets, please watch this <a href='https://youtu.be/EkNq4TrHP_U' target=_blank> video</a>.</li>
</li>
</ul>
</li>
<!--li>The final change to be applied to the Contrller to finish the IDS setup is commenting out lines 19 and 20 of the community-virus rules of the IDS. We do this by adding pound signs (#) in front of the lines. In order to do so, execute the following command:<br><br>
<ul>
<li><span style="font-family:Code;">sudo nano -c /etc/snort/rules/community-virus.rules</span></li>
<li>On the editor, go down until you reach line 19. Comment it out along with line 20. It should look like this:<br><img src="img/screenshots/Screenshot_29.png"></li>
<li>Press "Ctrl + X" to finish editing.</li>
<li>Enter "Y" when prompted.</li>
<li>Press "Enter;" to leave the same name for the file.</li>
<li>Now, we are done setting up the Monitor!</li>
</ul></li !-->
<li><b>Think about what you just did, and answer the following question:</b>
<ol>
<li>What is the purpose of the Snort IDS?
</li>
</ol>
</li>
</ol>
</div>
<br><div class="title_bg"><h3>Part 3: Setting up your nodes; Node: Openflow Virtual Switch (OVS)</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
<li>Now, we need to set up the last node, the OVS. This switch relays packets like a regular switch, but it is also highly programmable since it uses the OpenFlow framework! Log in to your OVS node.</li>
<li>Only one command needs to be executed in order to set up the traffic mirroring for the Monitor. However, we need to look at the interfaces first.<br><br>
<li>After you run <code>ifconfig</code>, you should see several interfaces listed, like eth0, eth1, eth2...</li>
<li>Now, run <code>ifconfig</code> on the Monitor, and find which interface on the OVS has an IP that matches up with the Monitor's eth1 IP (for example: if the Monitor's eth1 IP is 10.10.3.1, find which interface on the OVS has the IP 10.10.3.2).</li>
<li>Now, go back to the OVS node. There, execute the following command. Here, ethC represents the interface that matches with the Monitor's IP, and ethX, ethY, and ethZ are the three remaining interfaces besides eth0 and lo:
<pre><code>sudo ovs-vsctl -- set Bridge br0 mirrors=@m -- --id=@ethX get Port ethX -- --id=@ethY get Port ethY
-- --id=@ethZ get Port ethZ -- --id=@ethC get Port ethC -- --id=@m create Mirror name=mymirror
select-dst-port=@ethX,@ethY,@ethZ select-src-port=@ethX,@ethY,@ethZ output-port=@ethC</code></pre></li>
<li>This command creates a mirror port for the switch, i.e., all the traffic that goes through the switch is copied to this port and as a consequence it is sent to the monitor. Thus, if the user is sending traffic to the victim, this traffic will be seen both by the victim and the monitor.</li>
<li><b>Verify that everything works:</b><br>
<ol>
<li> Run ping between the attacker and the victim. Does it go through?</li>
<li> While running ping between the attacker and the victim, run tcpdump on the proper monitor interface (how will you find this?). Verify that the ping is mirrored to the monitor machine.</li>
</ol>
</li>
<li><b>Think about what you just did, and answer the following questions:</b><br>
<ol>
<li>What is the OVS (Openflow Virtual Switch)? What does a switch do?
</li>
<li>Why did we add a Monitor to the topology and have all the network traffic mirrored to this machine?
</li>
</ol>
</li>
</ol>
</div>
<br><div class="title_bg"><h3>Part 4: Experimenting - Running an Internal Attack</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
This means that a local node in the network has been compromised, either because it was vulnerable, i.e., without latest patches, with weak passwords, etc., or because a social engineering attack took place. We will be running such an attack and then write a custom rule to detect it with Snort IDS.<br><br>
<li>To start Snort, you need to open another terminal for the Monitor and enter the following command:
<pre><code>sudo snort -c /etc/snort/snort.conf -A fast -i eth1</code></pre></li>
<li>Now, we need to simulate normal traffic on our network to have something to which we can compare the DDoS attack. In a real network, regular traffic such as email exchange, web browsing, etc. take place at the same time as an attack. This makes it more difficult to distinguish the attack traffic from network traffic, and thus good monitoring with accurate, robust, signature or behavior based rules is important.
To simulate traffic on the network we will use <a href="https://www.iperf.fr/">iPerf</a>. iPerf requires a Sever and a Client to generate traffic, so we will use the Victim as the Server and the User as the Client to simulate traffic.
To start the server on the <b style="color:red;">Victim</b>, execute the following command:
<pre><code>iperf -s</code></pre></li>
To start the traffic simulation, we need to make the iperf client start communicating with the Server. We will start a communication that will last two minutes (120 seconds) with the following command on the <b style="color:red;">User</b>:<br><br>
<pre><code>iperf -c victim -t 120</code></pre>
</li>
<li>
Finally, it is time to run the attack! To run the attack, go to the terminal of the Attacker, and execute the following command:<br><br>
<pre><code>sudo timeout -sHUP 20s hping3 -i ul -S --flood --rand-source -p 80 victim</code></pre>
</li>
<li><b>Trust but verify!</b><br>
<ul>
<li>You will need to verify that the traffic is duplicated to the monitor. How can you do this? Hint: a tool that records network traffic may be useful. Describe your methodology and commands that you have used. Include screenshots. </li>
</ul>
</li>
<li><b>If your nodes cannot ping each other, verify that you have done the following:</b>
<ol>
<li>Do all the nodes belong to the same subnet? To verify this, log in to all the nodes (attacker, victim, user, monitor). Run ifconfig. Do all your nodes belong to the same subnet? If you do not understand subnets, watch the following <a href='https://youtu.be/EkNq4TrHP_U' target=_blank> video</a>.
</li>
<li>If the hosts do not belong to the same subnet, you will need to use the ifconfig command to fix the problem. The command "sudo ifconfig eth(num) (node_IP) netmask (node_netmask)" will change a specific port's IP address and netmask to node_IP and node_netmask, respectively.
</li>
</ol>
</li>
</ol>
</div>
<br><div class="title_bg"><h3>Part 5: Create your own rule!</h3></div><hr>
<div class="subcontent">
<ol class="instructions">
<li>Now that you understand what an IDS is and what Snort is used for, it is your turn to create a Snort alert and test it.</li>
<li>The rule you create should be based on what you did in Part 5 of the tutorial.</li>
<li>Add your rule at the end of the following file: <code>/etc/snort/rules/dos.rules</code>.</li>
<li>Your alert should have a characteristic message, such as "Dr. X snort alert", and a sequence number that is higher than 10,000 (Numbers lower than 10,000 are reserved and used by Snort).</li>
<li>Test your alert by running the same DDoS attack you ran earlier. Check the snort alert file to see if your rule worked!</li>
<li>Things to consider: did you configure the HOME_NET properly? Go to <code>/etc/snort/snort.conf</code>, and look for the word "HOME". Then, modify this address to apply to your home network.</li>
<li>Things to consider: Where are the snort log files? Usually log files in the linux operating system are in the folder: <code>/var/log</code>.</li>
</ol>
</div>
<!--div class='title_bg'><h3>Survey</h3></div>
<div class='subcontent'>
<ol class='instructions'>
</ol>
</div-->
</div>
</div>
</div>
</body></html>