CST 620 Project 2
CST Lab Experience Report Template
Use this lab experience report template to document your findings from the lab and make sure to complete all
required tasks in each part of the lab and respond to all questions. The template is designed to be used as a guide for
your lab and not necessarily a project requirement.
ADDITIONAL LAB GUIDANCE
Below is a list of additional guidance and/or recommendations for your lab experience report:
Completing the labs: All sections or parts of the labs should be completed as required.
Answering the lab questions: You are required to answer all the lab questions (if any).
Taking screenshots: While taking screenshots is recommended in your lab, try to limit them, and only focus
on the applicable ones to support your lab report.
Writing your lab experience report: You are required to write a summary of the lab experience report based
on your findings and incorporate them into your final deliverables.
Using a file name convention: Please change the generic file name of this template to reflect part of your
name, the course ID, or the project/lab title.
o e.g. 1: CST620 Project 2 Lab-Exploring Intrusion Detection and Prevention Systems
o e.g. 2: CST620 Project 2 Lab-Exploring Intrusion Detection and Prevention Systems—John Doe
o e.g. 3: CST620-Project 2 Lab_Exploring Intrusion Detection and Prevention Systems(7/15/22)
In compiling your findings, think of how your experience performing the labs is related to the overall project goals.
You are required to collect information from the lab to understand potential security challenges, analyze, develop
your lab experience report, and incorporate key components in the final project report.
Please pay close attention to each item above and use it as a supplemental guide in addition to the project
requirements. Finally, note that successfully completing the lab is important for achieving the overall project goals.
THE REQUIRED LAB QUESTIONS
Acting as a cybersecurity technology analyst, you were delegated by your supervisor to lead a team charged with reviewing, evaluating, and making recommendations pertaining to the security of the organization’s internal network systems. Additionally, you were required to recommend the basic concepts and design objectives required to develop and implement IDS/IPS solutions that seek to mitigate different kinds of security attacks/breaches in the internal network systems. Furthermore, you were asked to prepare a preliminary report documenting identified security vulnerabilities and threats, including the likelihood of an exploit being injected into the network. Based on the knowledge and experience gained from the lab above, answer the following questions.
PART 2: STARTING THE LAB— Modifying and Testing Snort Configuration Files, Modifying and Testing Snort Rules,
Running Snort Rules Against the Captured PCAP Files Using TCPdump, etc.
1. Examine the alert and make sure to understand the content such as source and destination IP addresses, the
Alert (ICMP PING NMAP), Classification (Attempted Information Leak), SNMP request tcp, and SNMP
AgentX/tcp request messages. Afterward, interpret the triggered alert in the context of network security.
The triggered alert in the context of network security is relevant because it may indicate that there is a
possible security vulnerability. The sensitive information that may be accessible to a hacker might be sensitive
network or user information. The hacker was utilizing ICMP to possibly fingerprint the network’s IPs. Utilizing
Snort, it detected traffic that may be an indication of that possible attack and ultimately a potential security
flaw.
2. After using the ping command instead of the nmap command to ping the Kali VM, describe the changes you
observed. Did the ping utility produce any results? If not, why, and how do you fix it? If yes, how
different is this output from the nmap command in the context of security vulnerability?
Pinging the Kali VM was much quicker and simply output the ICMP success rate. Nmap takes
slightly longer but provides a substantially larger amount of information, such as open/closed ports, services
running, OS and service pack information, among other information valuable to a hacker. The Nmap
command, when viewed with Snort, shows that there are ICMP PING NMAP requests to the various ports and
displays an “Attempted Information Leak [Priority: 2]” alert, which is Snort behaving as an Intrusion Detection
System.
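As an added example (not part of the report or of Snort itself), the following Python parses Snort fast-alert lines of the kind examined in questions 1 and 2 and summarizes them per source host, so the ICMP PING NMAP and SNMP probes can be read as one reconnaissance pattern rather than isolated lines. The sample alert lines, timestamps, ports and SIDs are constructed for the example; the IP addresses are the lab's Windows and Kali VMs.

```python
import re
from collections import defaultdict

# Constructed sample of Snort "-A console" (fast alert) output, modelled on the
# alerts discussed in Part 2: the NMAP ping and SNMP probes from the Windows VM
# (10.138.1.36) to the Kali VM (10.138.25.205), plus a local "ICMP packet found"
# rule firing on the reply. Timestamps, ports and SIDs are sample values.
SAMPLE_ALERTS = """\
03/14-10:22:31.101010  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.138.1.36 -> 10.138.25.205
03/14-10:22:31.202020  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.138.1.36:50211 -> 10.138.25.205:161
03/14-10:22:31.303030  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.138.1.36:50212 -> 10.138.25.205:705
03/14-10:22:40.404040  [**] [1:1000001:1] ICMP packet found [**] [Priority: 0] {ICMP} 10.138.25.205 -> 10.138.1.36
"""

# One fast-alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alert = m.groupdict()
            alert["prio"] = int(alert["prio"])
            alerts.append(alert)
    return alerts


def summarize_by_source(alerts, local_prefix="10.138."):
    """Per source IP: alert count, distinct destination ports touched, the set of
    classifications seen, and whether the source is one of the lab's 10.138.x.x
    hosts (a simple prefix check, enough for the lab's addresses)."""
    summary = defaultdict(lambda: {"alerts": 0, "dports": set(), "classes": set(), "internal": None})
    for a in alerts:
        s = summary[a["src"]]
        s["alerts"] += 1
        s["internal"] = a["src"].startswith(local_prefix)
        if a["dport"]:
            s["dports"].add(int(a["dport"]))
        if a["cls"]:
            s["classes"].add(a["cls"])
    return dict(summary)
```

A single source touching several destination ports under one "Attempted Information Leak" classification within a second is the scan signature the triage should surface, whereas the reply-side "ICMP packet found" line is expected traffic.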
3. Examine the alert and understand the content such as source and destination IP addresses, the Alert (ICMP
packet found messages). Then interpret and analyze the triggered alert in the context of network security
with respect to inbound and outbound ICMP traffic to and from the Kali.
Looking at the source and destination IP addresses, you can see that they are both 10.x.x.x
Class A local addresses, which means they are on the same network. The source IP address (Windows) is
sending Internet Control Message Protocol (ICMP) traffic, which is typically used to troubleshoot or verify connectivity
of a device on the network. When it comes to network security, this could indicate that a hacker is attempting
to verify that a device is available on the network.
4. Considering the run time for ICMP packet processing (200.767911 seconds), packets processed by Snort
(2426), Snort run time of 3 minutes 20 seconds, Pkts/min (808), and Pkts/sec (12), how can that
support your interpretations and analysis above?
Based on the processing potential of both ICMP and Snort, it would be valid to say that Snort has a much
simpler and quicker processing potential than ICMP does. Snort accurately depicts its processing potential,
which indicates that it would be a valuable asset if there was an attempt to DDoS the network.
5. Examine the FTP alert and understand the content such as source and destination IP addresses, the Alert
(ICMP packet found messages). Then interpret the triggered alert in the context of network security with
respect to ftp login attempt to the Kali.
File Transfer Protocol (FTP) is a very dangerous protocol to use since it transfers data in plaintext, i.e. not
encrypted, and it can be captured and viewed by anyone. Snort provides alerts that show that there was an
attempt to access the network with FTP, along with source IP and destination IP information. FTP is extremely dangerous
and is often used by hackers to steal information or upload malicious content. A properly configured
Intrusion Detection System should notify if there is an attempt to FTP into a network. Ideally, FTP should be
turned off.
6. Examine the SSH alert and understand the content such as source and destination IP addresses, the Alert
(ICMP packet found messages), as well as the SSH command in the PowerShell command prompt.
Snort is alerting on a Secure Shell (SSH) remote connection attempt to the Kali VM, providing the notification,
source IP, and destination IP information. Luckily, SSH requires a password to establish a connection, unlike
FTP.
7. After using the ping command instead of the nmap command in the previous task to ping the Kali VM, determine
why you think no alert was triggered with the ping utility in the context of intrusion detection.
An IDS (Snort) will typically not trigger an alert on a ping request due to the nature of ping and its use of ICMP.
Ping is simply used to verify the status of an IP on the network.
8. Using the TCPdump command to read the PCAP file has a different output than using the Snort counterpart.
Run tcpdump -r cst620combo.pcap command and analyze both command outputs and then describe the
differences. In particular, what security benefits does either command bring to the table?
TCPdump provides a more detailed snapshot of the incident that occurred. It provides source and
destination IPs, ports, times, and packet information. With all this information, you can establish a timeline
and the type of attack that may have occurred. Snort simply provides the packet information and the protocols
that were used. Snort is better utilized to get an idea of the number of packets that came in and where
they were going.
9. Based on your analysis and interpretations of outputs from the TCPdump and Snort commands such as the
direction of traffic in terms of source and destination IP addresses and ports information, what do you think
is happening in your local network (10.38.0.0/16)? Determine if there are any external traffic into your
network.
Based on my analysis from both TCPdump and Snort, it appears there is general communication back and
forth over the network. The IP addresses indicate that the source and destination are internal IP addresses, and
there is no external traffic over the network.
10. What can you determine from the source and destination IP addresses, source, and destination ports, TCP
sequence numbers, flags, and options? What security threat do they indicate if any?
Based on the sequence numbers, the source and destination are communicating with each other. That is a
good sign and indicates that it is probably nothing malicious, since it is on the same network. The major cause
for concern is the open ports on the network, which can be utilized by a hacker. Any open ports not being
utilized should be closed.
PART 3: THE ROLE OF WIRESHARK IN RUNNING SNORT RULES— Locating PCAP files, Starting Wireshark, Filtering,
Inspecting, and Analyzing Network Packets, Analyzing Firewall Rules, etc.
1. If malicious actors got into your network to access your network security logs, how could they use the
packet details to their advantage? Specifically, what utilities within Wireshark can they count on?
If a malicious actor got into my network, they could utilize Wireshark to view security logs and packet
information to gather IP information over the network, view anything that is being sent in plain view,
monitor network traffic, and review firewall policies. With all this compiled information they could identify
security weaknesses to focus their attacks on the network.
2. Provide examples of IP addresses, hostnames, and mac addresses based on your analysis of the PCAP
files in Wireshark. What do you think is happening so far in your view?
Windows IP – 10.138.1.36
Kali IP – 10.138.25.205
Kali MAC - fe80::45:57ff:fecd:89e8
Kali Hostname – Kali
3. Do you think using any filter in the Apply a display filter box such as tcp, http, or icmp before retrieving
the firewall rules has any impact? Why or why not?
No, it does not have an impact on the firewall rule, but simply applies a filter to the firewall rule. For
example, you could take all of the traffic from the firewall that is displayed and only display TCP traffic,
which would filter out any traffic that used UDP, HTTP, or ICMP.
4. Assuming you have determined that specific network packets from a source IP address to interface
eth0 need to be blocked by inbound firewall/ACL rules, what changes can you make to the internal
firewall configuration to accomplish this? What are the deciding factors in your opinion?
To apply a security policy for the organization, you could configure the firewall/ACL rule to block
incoming traffic from the designated source IP address to the eth0 interface.
5. What is the command for running snort in NIDS mode?
“snort -A console -c /etc/snort/snortcst620.conf” is the command that was used in the lab to run
Snort in NIDS mode, display alerts in the console, and use the snortcst620.conf configuration file.
6. What is a zero-day attack? Can Snort catch zero-day network attacks? If not, why not? If yes, how?
A zero-day attack is an attack that has not been identified before. Snort can catch zero-day attacks
if the attack has a characteristic similar to a previously identified attack that is already configured in the
rule set, but it is highly unlikely that it would be successful.
7. Given a network that has 1 million connections daily, where 0.1% (not 10%) are attacks, if the IDS has a true
positive rate of 95%, what false alarm rate do you need to achieve to ensure that the probability of an attack,
given an alarm, is 95%?
You would need to have a 5% False Alarm Rate in order to achieve the 95% probability of an attack.
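As an added example (not part of the report), the calculation question 7 asks for, carried through in Python with the question's figures; it also converts the rates into the expected number of true and false alarms per day and evaluates the posterior at a 5% false alarm rate for comparison.

```python
# Figures from the question: 1,000,000 connections a day, 0.1% of them attacks,
# IDS true positive rate 95%, and a target of P(attack | alarm) = 95%.
CONNECTIONS_PER_DAY = 1_000_000
BASE_RATE = 0.001
TPR = 0.95
TARGET_PPV = 0.95


def p_attack_given_alarm(base_rate, tpr, far):
    """Bayes' theorem: P(attack | alarm) = TPR*p / (TPR*p + FAR*(1-p)),
    where p is the base rate of attacks and FAR = P(alarm | benign)."""
    p_alarm = tpr * base_rate + far * (1 - base_rate)
    return tpr * base_rate / p_alarm


def required_far(base_rate, tpr, target_ppv):
    """Solve P(attack | alarm) = target_ppv for the false alarm rate.
    Rearranging Bayes: FAR = TPR*p*(1 - target) / (target*(1 - p))."""
    return tpr * base_rate * (1 - target_ppv) / (target_ppv * (1 - base_rate))


def expected_daily_alarms(connections, base_rate, tpr, far):
    """Translate the rates into the alarm counts an analyst would see per day."""
    attacks = connections * base_rate
    benign = connections - attacks
    return {"true_alarms": attacks * tpr, "false_alarms": benign * far}


if __name__ == "__main__":
    far = required_far(BASE_RATE, TPR, TARGET_PPV)
    print(f"required false alarm rate: {far:.4%}")
    print(expected_daily_alarms(CONNECTIONS_PER_DAY, BASE_RATE, TPR, far))
    # For comparison, the posterior a 5% false alarm rate gives on the same base rate:
    print(f"P(attack|alarm) at FAR=5%: {p_attack_given_alarm(BASE_RATE, TPR, 0.05):.2%}")
```

Because benign connections outnumber attacks 999 to 1, even a small false alarm rate produces far more false alarms than true ones, which is why the base rate dominates this calculation.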
8. What are the advantages of using rule sets from the Snort website?
A few examples of the advantages of using rule sets from the Snort website: they are constantly being
updated with new rules generated from newly identified attacks; since the rule set is constantly being updated, it will
provide an increased detection rate, which will make your intrusion detection and prevention more efficient;
and it will reduce the number of false positives that your system flags as the rules are updated.
9. Describe at least one type of ruleset you would want to add to a high-level security network and why.
One type of ruleset that I would want to add to a high-level security network is denying any traffic from IPs
that have not been identified on my whitelist. This will drastically reduce network traffic that is unwanted or
malicious.
10. An intrusion prevention system can either wait until it has all the information it needs or can allow packets
through based on statistics (guessed or previously known facts). What are the advantages and disadvantages
of each approach?
An Intrusion Prevention System can be configured more like an Intrusion Detection System, which will allow
the traffic through but flag it in the log. This allows your network traffic to run quicker, but it is less secure. Often,
your cybersecurity personnel will have to go back after the fact and review the logs to identify what
happened for their reports. It can also be configured to allow the traffic through as long as it does not display
previously configured identifiers that may be malicious. This will cause the network to run slightly slower,
because each packet will still need to be reviewed prior to entering the network. With the implementation of
the IPS, your network will be much more secure as long as it is properly configured, but something that you
will need to be concerned about is false positives and false negatives. False positives are extremely
dangerous since it is not flagging actual malicious attacks. False negatives are not as dangerous, but more
frustrating, since it is flagging things as malicious when it is not. Both can be reduced with a semi-aggressive
configuration of your IPS.
NOTE: Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report.
SUMMARY OF THE LAB EXPERIENCE REPORT
Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate a key part of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.
The lab was extremely informative when it came to SNORT and TCPdump, as well as providing more practice with Wireshark. You begin the lab with navigating and reviewing the SNORT application in Kali. The rules that have already been created by default can be reviewed and edited, if need be, to meet your desired IPS
requirements. Then I was able to go into the SNORT configuration file to review it and modify it with VIM. The configuration file was modified and tested to ensure that it would function properly when the SNORT application was run. New configurations were then generated for use within the lab.
Once all of that was completed, the fun really began. We ran SNORT in IDS mode and began to ping, ftp, ssh, and Nmap the Kali VM from the Windows VM to demonstrate what SNORT would display in the console as traffic was coming into the network. Additional rules were then added to the local.rules of SNORT, and the above steps were conducted again in order to see the difference with the rules changes.
Next, we utilized both SNORT and TCPdump to review PCAP files and compare the differences of the information that is displayed within the PCAP file in both applications. New PCAP files were generated and captured with TCPdump. We also ran these newly generated PCAP files to have them filtered against the SNORT rule sets and reviewed the log files that were created.
Finally, we took the generated PCAP files and loaded them into Wireshark for review. This produced similar information as both TCPdump and SNORT but allowed for further filtering on the fly and configuring additional ACL rules. It was much easier to navigate through the GUI of Wireshark versus reviewing all the information on the CLI.