Handed out: October 31, 2005
Due back: November 10, 11:59pm, 2005 (by submission timestamp).
Submission: Electronic upload submission (see instruction online at the course webpage)
Notes: 1. To be done individually.
2. Please do not give a simple yes/no as results to some of the questions. Briefly explain why and how you obtain that result.
Introduction
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It is a classical signature-based IDS: it performs protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
In many small businesses and medium-size enterprises, Snort is the favorite of many system administrators. So, in the first part of this project, you will be asked to learn how to use Snort.
Specification
1. Detection
We will supply you with 3 test datasets in tcpdump format. The 3 test datasets contain ICMP, TCP, and UDP traffic respectively. Please use Snort to detect the attacks in them, and name the three alert files alert.tcp, alert.udp and alert.icmp respectively. You can find the tarball of this part at /home/yga751/cs395-hw3.tar.gz
Note: please use the Snort full log format, and hand in only the alert files for these three datasets. You can find Snort documents in the reference section.
2. Answer the following questions about your detection results
1) In the three datasets, how many alerts did Snort find in total, and how many of them are TCP, how many UDP, and how many ICMP?
2) Which one is the most common alert in the TCP traffic?
3) How many kinds of DoS attack does Snort find? What are they?
Put the answers to these questions into a question_answer.txt, and include it in your hand-in tarball.
3. Add rules for Snort to detect a new worm
Now suppose a new worm breaks out. The features of the worm are:
1) It targets TCP port 8008 or UDP port 4004.
2) It contains the signature “03 0E FE CC A0” followed by “PASS : RECV” within 20 bytes of the first one.
The worm comes from outside our network (129.105.100.0/24). Do not alert if some machines inside our network send worm-like traffic out. Write rules for this worm that alert the network administrator with the message “Worm Ditty!”
Put the new rules into a Ditty_rules.txt and include it in your hand-in tarball.
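Before encoding the worm features as Snort rules, it helps to pin down exactly what the detection condition means. The following is an added example (not part of the assignment or of Snort) that writes the condition out as a plain matcher over constructed packets; it assumes “within 20 bytes” means the second string starts no more than 20 bytes after the end of the first, and that only traffic from outside 129.105.100.0/24 to a host inside it should alert.

```python
import ipaddress

# Values taken from the worm description in the assignment.
HOME_NET = ipaddress.ip_network("129.105.100.0/24")
WORM_PORTS = {"tcp": 8008, "udp": 4004}   # destination ports the worm targets
SIG1 = bytes.fromhex("030EFECCA0")        # "03 0E FE CC A0"
SIG2 = b"PASS : RECV"
WINDOW = 20  # assumption: SIG2 must begin within 20 bytes after SIG1 ends


def payload_matches(payload: bytes) -> bool:
    """True if SIG1 occurs and SIG2 starts within WINDOW bytes after it ends."""
    start = 0
    while True:
        i = payload.find(SIG1, start)
        if i < 0:
            return False
        end1 = i + len(SIG1)
        # find() requires the whole of SIG2 to lie inside [end1, limit).
        limit = end1 + WINDOW + len(SIG2)
        if payload.find(SIG2, end1, limit) >= 0:
            return True
        start = i + 1  # a later occurrence of SIG1 may still qualify


def is_worm_traffic(src_ip, dst_ip, proto, dst_port, payload) -> bool:
    """Direction, port and payload checks the Snort rule has to express."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in HOME_NET or dst not in HOME_NET:
        return False  # outbound or purely external traffic never alerts
    if WORM_PORTS.get(proto) != dst_port:
        return False  # wrong protocol/port combination
    return payload_matches(payload)


# Constructed sample packets: (src, dst, proto, dst_port, payload, expected).
SAMPLES = [
    ("10.0.0.5", "129.105.100.7", "tcp", 8008, SIG1 + b"\x00" * 10 + SIG2, True),
    ("10.0.0.5", "129.105.100.7", "udp", 4004, SIG1 + b"\x00" * 25 + SIG2, False),
    ("129.105.100.9", "10.0.0.5", "tcp", 8008, SIG1 + SIG2, False),  # outbound
    ("10.0.0.5", "129.105.100.7", "tcp", 80, SIG1 + SIG2, False),   # wrong port
]


def alerts(samples=SAMPLES):
    """Return the alert decision for each sample packet."""
    return [is_worm_traffic(*s[:5]) for s in samples]  # → [True, False, False, False]
```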
4. Add a firewall rule to block the new worm
Now you will be asked to add a firewall rule to block that worm. Suppose the firewall uses this rule format:
action      | src       | port                        | dest      | port                        | flags            | comment
allow/block | IP subnet | port number or * (means any) | IP subnet | port number or * (means any) | flag can be TCP, UDP | the description of this rule
Write firewall rules in the above format to block the Ditty worm traffic towards our computer science department (129.105.100.0/24).
Hint: assume that we do not have benign traffic on the services which the Ditty worm relies on to propagate.
Put the rules you add to the firewall into a Ditty_firewall_rules.txt in your hand-in tarball.
Deliverables and hand-in Instructions
The deliverables for this part are:
1) An ID.txt file which contains your name and your NU student ID.
2) The three alert files for the three datasets respectively
3) A question_answer.txt
4) A Ditty_rules.txt
5) A Ditty_firewall_rules.txt
To hand in this part, please run the handin1.sh provided by us. Submission will be done through the dedicated webpage (which you can reach from the course site). You can re-submit the project as many times as you want before the deadline; simply follow the same procedure.
Reference
[1] Snort Users Manual. http://www.snort.org/docs/snort_manual/
[2] Snort FAQ. http://www.snort.org/docs/FAQ.txt
[3] Jay Beale, Brian Caswell. Snort 2.1 Intrusion Detection, 2nd edition. O'Reilly Press, 2004. (No online version on the Internet; you may find it in the NU Library.)