This exercise demonstrates how Snort (version 2) and similar inline intrusion detection / prevention systems can be used to help secure legacy software, by walking students through an environment that includes an extremely insecure application.
Depending on their skill level, students will be asked to analyze the network traffic produced by this program, to write Snort rules that protect against known attacks on it, and to create a sample attack against the program which they will then be asked to guard against.
The following information may be useful in completing this exercise.
When working in the field of network security it is not always possible to ensure the security of legacy applications. Many businesses and organizations use systems that are known to be highly insecure and will continue to do so for the foreseeable future, because replacing or modifying these programs would not be cost effective. In such cases the best we can do to improve the security of these systems is to place them behind filters whose behaviour we do control.
In this exercise you will be using Snort (version 2) to help secure a highly insecure application without modifying the application itself. This application functions as a simple password protected file server for plain text documents, and it is up to you to use Snort to help protect this information.
This network is broken into three segments. The first segment is the work environment, which houses the legacy server along with a single client machine. This segment is protected by the Snort router, which is configured not to permit any traffic through at all at the start of this exercise. The second segment contains a single outsider machine. The third contains two client computers. All of these segments are connected to each other through a single router.
Note: In this exercise you will use Snort version 2. Snort version 3 now exists and has a very different architecture and rule format, so its documentation does not apply here.
sudo snort --daq nfq -Q -v
On the client node, connect to the server over FTP:
ftp server
Enter "anonymous" as the username and any string as the password, then download a file:
get ducky.xml
You should see a large number of packets being reported by Snort. On the router node run:
tcpdump -i ethX -nn -s 0 -X
replacing ethX with the interface that has the IP address 10.1.1.3.
Questions:
reject tcp 100.1.0.0/16 any -> 100.1.10.10 [Port from Question 3] (msg:"XML Read Attempt Detected"; flow:to_server,established; content:".xml"; nocase; sid:1; rev:1;)
Note: the reject action only takes effect when Snort runs inline (-Q with the nfq DAQ, as above); it drops the matching packet, logs it, and sends a TCP reset for TCP traffic (an ICMP port unreachable for UDP). In passive mode the rule would only alert. The flow option restricts the match to client-to-server traffic on an established connection, and nocase catches ".XML" as well as ".xml".
sudo snort --daq nfq -Q -c /etc/snort/snort.conf -A console
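A fuller local.rules for the rule and run command above, written for this edit as an added example; it is not part of the original exercise. It assumes the server's FTP control channel is TCP port 21 on 100.1.10.10 (substitute the port you found in Question 3), that the stock snort.conf already has an "include $RULE_PATH/local.rules" line, and it uses sids in the 1000000+ range that Snort reserves for local rules. Matching the RETR command rather than a bare ".xml" anywhere in the payload avoids firing on, for example, a password that happens to contain ".xml":

```snort
# local.rules -- added example, not from the original exercise.
# Assumptions: FTP control channel on TCP/21 at 100.1.10.10 (use the port from Question 3);
# snort.conf already contains "include $RULE_PATH/local.rules".

# Log anonymous logins but let them through: "USER anonymous" is the first
# command a client sends, so depth:4 anchors the match to the start of the payload.
alert tcp 100.1.0.0/16 any -> 100.1.10.10 21 (msg:"FTP anonymous login"; flow:to_server,established; content:"USER"; nocase; depth:4; content:"anonymous"; nocase; distance:0; sid:1000001; rev:1;)

# Block the download. "RETR <name>.xml" is matched on the control channel only
# (flow:to_server,established), so the rule fires on the client's request and
# Snort resets the connection before the server opens the data channel.
reject tcp 100.1.0.0/16 any -> 100.1.10.10 21 (msg:"FTP RETR of .xml file blocked"; flow:to_server,established; content:"RETR"; nocase; depth:4; content:".xml"; nocase; distance:0; sid:1000002; rev:1;)
```

Check the syntax with snort -T -c /etc/snort/snort.conf before starting Snort inline with the command above; a typo in local.rules otherwise stops Snort at startup, and with the router set to pass nothing, no traffic flows at all.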
Questions:
apt update -y
apt install nmap -y
Then run:
nmap 100.1.10.0/24
to scan the server network, and check your Snort output.
Next run:
ping -f server
to generate a flood of ICMP traffic to the server node (flood ping requires root). Create a new Snort rule that detects any ICMP packets sent from the outside into the network.
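Rules for the scan and flood steps above, added here as an example rather than taken from the exercise. They assume snort.conf defines HOME_NET as the server network 100.1.10.0/24 (the network scanned above), so !$HOME_NET means any address outside it; the 100-per-second threshold is an assumption to be tuned against what ping -f actually produces on your links:

```snort
# local.rules additions -- added example. Assumes "ipvar HOME_NET 100.1.10.0/24" in snort.conf.

# Any ICMP echo request (type 8) entering the server network from outside.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"ICMP echo request from outside"; itype:8; sid:1000003; rev:1;)

# Same traffic, but only once a single source exceeds 100 echo requests in one second,
# which separates ping -f from an ordinary connectivity check. Threshold is an assumption.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"ICMP flood from outside"; itype:8; detection_filter:track by_src, count 100, seconds 1; sid:1000004; rev:1;)

# A per-packet SYN rule cannot tell the nmap scan from normal connections; the sfportscan
# preprocessor correlates attempts across ports. Enable it in snort.conf, not in local.rules:
#   preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
```

Once both rules are loaded, a single ping produces only the first alert, while ping -f produces the second as well; comparing the two in the -A console output is the quickest way to confirm the threshold is in the right range.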
Questions: