CST 620 Project 2

CST620_Project_2_Lab_Experience_Report.docx.pdf

CST Lab Experience Report Template

Use this lab experience report template to document your findings from the lab and make sure to complete all required tasks in each part of the lab and respond to all questions. The template is designed to be used as a guide for your lab and not necessarily a project requirement.

ADDITIONAL LAB GUIDANCE

Below is a list of additional guidance and/or recommendations for your lab experience report:

- Completing the labs: All sections or parts of the labs should be completed as required.
- Answering the lab questions: You are required to answer all the lab questions (if any).
- Taking screenshots: While taking screenshots is recommended in your lab, try to limit them, and only focus on the applicable ones to support your lab report.
- Writing your lab experience report: You are required to write a summary of the lab experience report based on your findings and incorporate them into your final deliverables.
- Using a file name convention: Please change the generic file name of this template to reflect part of your name, the course ID, or the project/lab title.
  - e.g. 1: CST620 Project 2 Lab-Exploring Intrusion Detection and Prevention Systems
  - e.g. 2: CST620 Project 2 Lab-Exploring Intrusion Detection and Prevention Systems—John Doe
  - e.g. 3: CST620-Project 2 Lab_Exploring Intrusion Detection and Prevention Systems(7/15/22)

In compiling your findings, think of how your experience performing the labs is related to the overall project goals. You are required to collect information from the lab to understand potential security challenges, analyze it, develop your lab experience report, and incorporate key components in the final project report.

Please pay attention to each item above and use it as a supplemental guide in addition to the project requirements. Finally, note that successfully completing the lab is important for achieving the overall project goals.

THE REQUIRED LAB QUESTIONS

Acting as a cybersecurity technology analyst, you were delegated by your supervisor to lead a team charged with reviewing, evaluating, and making recommendations pertaining to the security of the organization's internal network systems. Additionally, you were required to recommend the basic concepts and design objectives required to develop and implement IDS/IPS solutions that seek to mitigate different kinds of security attacks/breaches in the internal network systems. Furthermore, you were asked to prepare a preliminary report documenting identified security vulnerabilities and threats, including the likelihood of an exploit being injected into the network. Based on the knowledge and experience gained from the lab above, answer the following questions.

PART 2: STARTING THE LAB— Modifying and Testing Snort Configuration Files, Modifying and Testing Snort Rules, Running Snort Rules Against the Captured PCAP Files Using TCPdump, etc.

1. Examine the alert and make sure to understand the content such as source and destination IP addresses, the Alert (ICMP PING NMAP), Classification (Attempted Information Leak), SNMP request tcp, and SNMP AgentX/tcp request messages. Afterward, interpret the triggered alert in the context of network security.

The triggered alert is relevant in the context of network security because it may indicate that there is a possible security vulnerability. The sensitive information that may be accessible to a hacker might be sensitive network or user information. The hacker was utilizing ICMP to possibly fingerprint the network's IPs. Snort detected traffic that may be an indication of that possible attack and ultimately a potential security flaw.

2. After using the ping command instead of the nmap command to ping the Kali VM, describe the changes you observed. Did the ping utility produce any results? If not, why, and how do you fix it? If yes, how different is this output from the nmap command in the context of security vulnerability?

Pinging the Kali VM was much quicker and simply output the ICMP success rate. Nmap takes slightly longer but provides a substantially larger amount of information such as open/closed ports, running services, OS and service pack information, among other information valuable to a hacker. The Nmap command, when viewed with Snort, shows that there are ICMP PING NMAP requests to the various ports and displays an "Attempted Information Leak [Priority: 2]" alert, which is Snort behaving as an Intrusion Detection System.

3. Examine the alert and understand the content such as source and destination IP addresses and the Alert (ICMP packet found messages). Then interpret and analyze the triggered alert in the context of network security with respect to inbound and outbound ICMP traffic to and from the Kali VM.

Looking at the source and destination IP addresses, you can see that they are both from a 10.x.x.x Class A local address, which means they are on the same network. The source IP address (Windows) is sending Internet Control Message Protocol (ICMP) traffic, which is typically used to troubleshoot or verify connectivity of a device on the network. When it comes to network security, this could indicate that a hacker is attempting to verify that a device is available on the network.

4. Considering the run time for ICMP packet processing (200.767911 seconds), packets processed by Snort (2426), Snort run time of 3 minutes 20 seconds, Pkts/min (808), and Pkts/sec (12), how can that support your interpretations and analysis above?

Based on the processing potential of both ICMP and Snort, it would be valid to say that Snort has a much simpler and quicker processing potential than ICMP does. Snort accurately depicts its processing potential, which indicates that it would be a valuable asset if there was an attempt to DDoS the network.


5. Examine the FTP alert and understand the content such as source and destination IP addresses and the Alert (ICMP packet found messages). Then interpret the triggered alert in the context of network security with respect to the FTP login attempt to the Kali VM.

File Transfer Protocol is a very dangerous protocol to use since it transfers data in plaintext, not encrypted, and it can be captured and viewed by anyone. Snort provides alerts that show that there was an attempt to access the network with FTP, along with source IP and destination IP information. FTP is extremely dangerous and is often used by hackers to steal information or upload malicious content. A properly configured Intrusion Detection System should notify if there is an attempt to FTP into a network. Ideally, FTP should be turned off.

6. Examine the SSH alert and understand the content such as source and destination IP addresses, the Alert (ICMP packet found messages), as well as the SSH command in the PowerShell command prompt.

Snort is alerting to a Secure Shell (SSH) remote connection attempt to the Kali VM, providing notification, source IP, and destination IP information. Luckily, SSH requires a password to establish a connection, unlike FTP.

7. After using the ping command instead of the nmap command in the previous task to ping the Kali VM, why do you think no alert was triggered with the ping utility in the context of intrusion detection?

An IDS (Snort) will typically not trigger an alert on a ping request due to the nature of ping and its use of ICMP. Ping is simply used to verify the status of an IP on the network.

8. Using the TCPdump command to read the PCAP file has a different output than using the Snort counterpart. Run the tcpdump -r cst620combo.pcap command, analyze both command outputs, and then describe the differences. In particular, what security benefits does either command bring to the table?

TCPdump provides a more detailed snapshot of the incident that occurred. It provides source and destination IPs, ports, times, and packet information. With all this information, you can establish a timeline and the type of attack that may have occurred. Snort simply provides the packet information and the protocols that were used. Snort is better utilized to get an idea of the number of packets that came in and where they were going.

9. Based on your analysis and interpretations of outputs from the TCPdump and Snort commands, such as the direction of traffic in terms of source and destination IP addresses and port information, what do you think is happening in your local network (10.38.0.0/16)? Determine if there is any external traffic into your network.

Based on my analysis from both TCPdump and Snort, it appears there is general communication back and forth over the network. The IP addresses indicate that the source and destination are internal IP addresses, and there is no external traffic over the network.
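The checks behind questions 1, 8 and 9 (read each alert's source, destination, ports and classification, then decide whether any source lies outside the local 10.38.0.0/16 prefix) can be done over Snort's console output in a few lines. The following is an added example written for this page, not lab output or code from the Snort project: it parses alert lines in the `-A console` (fast alert) format and summarises them. The sample lines are constructed to resemble the ICMP PING NMAP, SNMP, FTP and SSH alerts the report discusses; their addresses, timestamps and gid:sid:rev values are illustrative, and 198.51.100.7 is a documentation-range address standing in for an external host.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Snort "-A console" alert lines, modelled on the alerts the
# report discusses. Not captured lab output; addresses and rule ids are illustrative.
SAMPLE_ALERTS = """\
03/15-14:22:01.101010  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.38.1.36 -> 10.38.25.205
03/15-14:22:01.202020  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.38.1.36:52114 -> 10.38.25.205:161
03/15-14:22:01.303030  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.38.1.36:52115 -> 10.38.25.205:705
03/15-14:23:10.404040  [**] [1:1000001:1] FTP login attempt to Kali [**] [Priority: 0] {TCP} 10.38.1.36:52200 -> 10.38.25.205:21
03/15-14:24:30.505050  [**] [1:1000002:1] SSH connection attempt to Kali [**] [Priority: 0] {TCP} 10.38.1.36:52201 -> 10.38.25.205:22
03/15-14:25:00.606060  [**] [1:1000003:1] ICMP packet found [**] [Priority: 0] {ICMP} 198.51.100.7 -> 10.38.25.205
"""

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {PROTO} src[:port] -> dst[:port]. The Classification block is absent
# for local rules that carry no classtype, and ICMP lines carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one console alert line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "classification": d["cls"] or "",
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_alerts(text):
    """Parse every line of console output, skipping anything that is not an alert."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def summarize(alerts, local_net="10.38.0.0/16"):
    """Aggregate alerts the way questions 8 and 9 ask: which hosts talk to which,
    which destination ports were touched, and whether any source lies outside the
    local prefix given in the lab question (10.38.0.0/16 by default)."""
    net = ipaddress.ip_network(local_net)
    return {
        "by_msg": Counter(a["msg"] for a in alerts),
        "by_pair": Counter((a["src"], a["dst"]) for a in alerts),
        "dest_ports": sorted({a["dport"] for a in alerts if a["dport"] is not None}),
        "external_sources": sorted(
            {a["src"] for a in alerts if ipaddress.ip_address(a["src"]) not in net}
        ),
    }


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for msg, count in summary["by_msg"].items():
        print(f"{count:3d}  {msg}")
    print("destination ports touched:", summary["dest_ports"])
    print("sources outside 10.38.0.0/16:", summary["external_sources"] or "none")
```

To run it on real output, replace SAMPLE_ALERTS with the text of the alert file (or pipe `snort -A console ...` output into a file first) and pass the lab's actual prefix to summarize. The external_sources list is the direct answer to the second half of question 9.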

10. What can you determine from the source and destination IP addresses, source and destination ports, TCP sequence numbers, flags, and options? What security threat do they indicate, if any?

Based on the sequence numbers, the source and destination are communicating with each other. That is a good sign and indicates that it is probably nothing malicious since it is on the same network. The major cause of concern is the open ports on the network, which can be utilized by a hacker. Any open ports not being utilized should be closed.

PART 3: THE ROLE OF WIRESHARK IN RUNNING SNORT RULES— Locating PCAP files, Starting Wireshark, Filtering, Inspecting, and Analyzing Network Packets, Analyzing Firewall Rules, etc.

1. If malicious actors got into your network to access your network security logs, how could they use the packet details to their advantage? Specifically, what utilities within Wireshark can they count on?

If a malicious actor got into my network, they could utilize Wireshark to view security logs and packet information to gather IP information over the network, view anything that is being sent in plain view, monitor network traffic, and review firewall policies. With all this compiled information they could identify security weaknesses to focus their attacks on the network.

2. Provide examples of IP addresses, hostnames, and MAC addresses based on your analysis of the PCAP files in Wireshark. What do you think is happening so far in your view?

Windows IP – 10.138.1.36
Kali IP – 10.138.25.205
Kali MAC - fe80::45:57ff:fecd:89e8
Kali Hostname – Kali

3. Do you think using any filter in the Apply a display filter box, such as tcp, http, or icmp, before retrieving the firewall rules has any impact? Why or why not?

No, it does not have an impact on the firewall rule; it simply applies a filter to the firewall rule. For example, you could take all of the traffic from the firewall that is displayed and only display TCP traffic, which would filter out any traffic that used the UDP, HTTP, or ICMP protocol.

4. Assuming you have determined that specific network packets from a source IP address to interface eth0 need to be blocked by inbound firewall/ACL rules, what changes can you make to the internal firewall configurations to accomplish this? What are the deciding factors in your opinion?

To apply a security policy for the organization, you could configure the firewall/ACL rule to block incoming traffic from the designated source IP address to the eth0 interface.

5. What is the command for running Snort in NIDS mode?

"snort -A console -c /etc/snort/snortcst620.conf" is the command that was used in the lab in order to run Snort in NIDS mode, display alerts in the console, and use the snortcst620.conf configuration file.

6. What is a zero-day attack? Can Snort catch zero-day network attacks? If not, why not? If yes, how?

A zero-day attack is an attack that has not previously been identified. Snort can catch zero-day attacks if the attack has a similar characteristic to a previously identified attack that is already configured into the rule set, but it is highly unlikely that it would be successful.

7. Given a network that has 1 million connections daily where 0.1% (not 10%) are attacks. If the IDS has a true positive rate of 95%, what false alarm rate do you need to achieve to ensure the probability of an attack, given an alarm, is 95%?

You would need to have a 5% False Alarm Rate in order to achieve the 95% probability of an attack.
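The relation behind question 7 is Bayes' rule: the attack base rate, the IDS true positive rate and the false alarm rate together fix P(attack | alarm), so the target probability can be solved for the false alarm rate directly. The block below is an added worked computation written for this page, not part of the report; it uses the figures stated in the question (1,000,000 connections a day, 0.1% attacks, 95% true positive rate, 95% target), and the constant and function names are my own.

```python
# Figures stated in lab question 7.
CONNECTIONS_PER_DAY = 1_000_000
BASE_RATE = 0.001                   # 0.1% of connections are attacks
TRUE_POSITIVE_RATE = 0.95           # P(alarm | attack)
TARGET_P_ATTACK_GIVEN_ALARM = 0.95  # desired P(attack | alarm)


def p_attack_given_alarm(base_rate, tpr, fpr):
    """Bayes' rule:
    P(attack | alarm) = P(alarm | attack) P(attack)
                        / (P(alarm | attack) P(attack) + P(alarm | benign) P(benign))."""
    true_alarms = base_rate * tpr
    false_alarms = (1.0 - base_rate) * fpr
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate, tpr, target):
    """Solve p_attack_given_alarm(base_rate, tpr, f) == target for f.
    From target = b*t / (b*t + (1-b)*f) it follows that f = b*t*(1-target) / ((1-b)*target)."""
    return base_rate * tpr * (1.0 - target) / ((1.0 - base_rate) * target)


def daily_alarm_counts(connections, base_rate, tpr, fpr):
    """Expected attacks, true alarms and false alarms per day, to make the rates tangible."""
    attacks = connections * base_rate
    benign = connections - attacks
    return {
        "attacks": attacks,
        "true_alarms": attacks * tpr,
        "false_alarms": benign * fpr,
    }


if __name__ == "__main__":
    fpr = required_false_alarm_rate(BASE_RATE, TRUE_POSITIVE_RATE, TARGET_P_ATTACK_GIVEN_ALARM)
    print(f"required false alarm rate: {fpr:.6%}")
    print("expected daily counts at that rate:",
          daily_alarm_counts(CONNECTIONS_PER_DAY, BASE_RATE, TRUE_POSITIVE_RATE, fpr))
    # Show how quickly the posterior collapses when the base rate is low.
    for trial_fpr in (0.05, 0.01, 0.001, fpr):
        p = p_attack_given_alarm(BASE_RATE, TRUE_POSITIVE_RATE, trial_fpr)
        print(f"false alarm rate {trial_fpr:.6%} -> P(attack | alarm) = {p:.4f}")
```

The point the loop makes is the base-rate effect: with only 1,000 attacks among a million connections, even a small fraction of the 999,000 benign connections raising alarms swamps the 950 true alarms, which is why the required false alarm rate works out far below the true positive rate.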

8. What are the advantages of using rule sets from the Snort website?

A few examples of the advantages of using rule sets from the Snort website: they are constantly being updated with new rules generated from newly identified attacks; since they are constantly being updated, they will provide an increased detection rate, which will make your intrusion detection and prevention more efficient; and they will reduce the number of false positives that your system flags as the rules are updated.

9. Describe at least one type of ruleset you would want to add to a high-level security network and why.

One type of ruleset that I would want to add to a high-level security network is denying any traffic from IPs that have not been identified on my whitelist. This will drastically reduce network traffic that is unwanted or malicious.

10. An intrusion prevention system can either wait until it has all the information it needs or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?

An Intrusion Prevention System can be configured more like an Intrusion Detection System, which will allow the traffic through but flag it in the log. This allows your network traffic to run quicker, but less securely. Often, your cybersecurity personnel will have to go back after the fact and review the logs to identify what happened for their reports. It can also be configured to allow the traffic through as long as it does not display previously configured identifiers that may be malicious. This will cause the network to run slightly slower because each packet will still need to be reviewed prior to entering the network. With the implementation of the IPS, your network will be much more secure as long as it is properly configured, but something that you will need to be concerned about is false positives and false negatives. False positives are extremely dangerous since it is not flagging actual malicious attacks. False negatives are not as dangerous, but more frustrating since it is flagging things as malicious when it is not. Both can be reduced with a semi-aggressive configuration of your IPS.

NOTE: Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report.

SUMMARY OF THE LAB EXPERIENCE REPORT

Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate a key part of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.

The lab was extremely informative when it came to Snort and TCPdump, as well as providing more practice with Wireshark. You begin the lab by navigating and reviewing the Snort application in Kali. The rules that have already been created by default can be reviewed and edited, if need be, to meet your desired IPS requirements. Then I was able to go into the Snort configuration file to review it and modify it with Vim. The configuration file was modified and tested to ensure that it would function properly when the Snort application was run. New configurations were then generated for use within the lab.

Once all of that was completed, the fun really began. We ran Snort in IDS mode and began to ping, FTP, SSH, and Nmap the Kali VM from the Windows VM to demonstrate what Snort would display in the console as traffic was coming into the network. Additional rules were then added to Snort's local.rules, and the above steps were conducted again in order to see the difference with the rule changes.

Next, we utilized both Snort and TCPdump to review PCAP files and compare the differences in the information that is displayed from the PCAP file in both applications. New PCAP files were generated and captured with TCPdump. We also ran these newly generated PCAP files to have them filtered against the Snort rule sets and reviewed the log files that were created.

Finally, we took the generated PCAP files and loaded them into Wireshark for review. This produced similar information to both TCPdump and Snort but allowed for further filtering on the fly and configuring additional ACL rules. It was much easier to navigate through the GUI of Wireshark versus reviewing all the information on the CLI.
