BAI611 – IDS Lab Assignment 1
Configure Snort – Basic IDS Rules




Prepared by: Thomas Rayner, Derek Rolheiser
For: John Zabiuk
March 15, 2011
Configuring Cisco ASA Security Appliance      Prepared By: Thomas Rayner, Derek Rolheiser



Table of Contents
Snort Rules (/etc/snort/rules/local.rules)
        Detect Anonymous Login/Password                                         Page 2
        Detect Root Login/Password                                              Page 2


Switch Configuration
        No Changes To Default Configuration                                     Page 3


Physical Network Diagram
        Visio Diagram                                                           Page 4


General Comments
        Syslog Server                                                           Page 5


Instructor Sign Off
        Copy of Original Document                                               Page 6




                                                                                 Page | 1



Snort Rules (/etc/snort/rules/local.rules)
Detect Anonymous Login/Password

log tcp any any -> 192.197.128.148 20:21 (flowbits:set,anon.ftp; \
    msg:"FTP USER Anonymous Login"; content:"USER anonymous"; nocase; \
    sid:88881; rev:1;)

This rule does not raise an alert; it writes a log entry when a TCP packet from any
source, destined for ftp.cst.nait.ca (192.197.128.148) on port 20 or 21, contains the
string "USER anonymous" in any mix of upper and lower case (nocase). On a match it
also sets the flowbit anon.ftp, a Boolean flag that Snort keeps per TCP flow (the
stream preprocessor must be tracking the session for flowbits to work), so that a
later packet in the same session can test it. The rule has SID 88881 and is at
revision 1; the message written with the log entry is "FTP USER Anonymous Login".
In practice only port 21 (the FTP control channel) ever carries USER and PASS
commands; port 20 is the data channel, so including it in the range does no harm
but also matches nothing.

alert tcp any any -> 192.197.128.148 20:21 (flowbits:isset,anon.ftp; \
    msg:"FTP USER Anonymous and PASS shorty@nait.ca"; \
    content:"PASS shorty@nait.ca"; nocase; sid:88882; rev:1;)

This rule raises an alert when a TCP packet from any source to ftp.cst.nait.ca
(192.197.128.148) on port 20 or 21 contains "PASS shorty@nait.ca" (case-insensitive)
and the anon.ftp flowbit is already set on that flow, i.e. a "USER anonymous" command
was seen earlier in the same session. The rule has SID 88882 and is at revision 1;
the alert message is "FTP USER Anonymous and PASS shorty@nait.ca". Neither rule
ever clears anon.ftp, so once set it stays set for the life of the session, and a
later USER command in the same session does not stop this rule from firing. Note
also that the password being watched for appears in clear text in local.rules, so
the rules file itself needs to be protected accordingly.

Detect Root Login/Password

log tcp any any -> 192.197.128.148 20:21 (flowbits:set,root.ftp; \
    msg:"FTP USER Root Login"; content:"USER root"; nocase; \
    sid:88883; rev:1;)

This rule does not raise an alert; it writes a log entry when a TCP packet from any
source, destined for ftp.cst.nait.ca (192.197.128.148) on port 20 or 21, contains
"USER root" in any mix of upper and lower case. On a match it also sets the flowbit
root.ftp on that flow. The rule has SID 88883 and is at revision 1; the message
written with the log entry is "FTP USER Root Login".

alert tcp any any -> 192.197.128.148 20:21 (flowbits:isset,root.ftp; \
    msg:"FTP USER Root and PASS spanning tree"; \
    content:"PASS spanning tree"; nocase; sid:88884; rev:1;)

This rule raises an alert when a TCP packet from any source to ftp.cst.nait.ca
(192.197.128.148) on port 20 or 21 contains "PASS spanning tree" (nocase, so the
match is case-insensitive like the other three rules) and the root.ftp flowbit is
already set on that flow. The rule has SID 88884 and is at revision 1; the alert
message is "FTP USER Root and PASS spanning tree".
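The following is an added example, not part of the assignment as submitted: a small Python model of how Snort evaluates the four local.rules entries above (SIDs 88881 to 88884) against constructed FTP control-channel sessions. It reproduces the two mechanisms the anonymous and root rule pairs depend on, case-insensitive content matching (nocase) and flowbits as per-flow Boolean state that the log rule sets and the alert rule later tests with isset, and it shows the edge cases a practitioner would want to check: a wrong password, a PASS with no earlier USER in the same flow, and the flowbit never being cleared. Client addresses, ports and session contents are made up; the rules are modelled with nocase on all four.

```python
"""
Added example: model of Snort flowbits evaluation for the four local.rules
entries (sids 88881-88884).  Not Snort's own code; constructed test sessions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FTP_SERVER = "192.197.128.148"      # ftp.cst.nait.ca, the target in the rules
FTP_PORTS = range(20, 22)           # the 20:21 port range from the rules


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    action: str                            # "log" or "alert"
    sid: int
    msg: str
    content: bytes
    nocase: bool = True
    flowbits_set: Optional[str] = None     # flowbits:set,<name>
    flowbits_isset: Optional[str] = None   # flowbits:isset,<name>


# The four rules from local.rules, header part "tcp any any -> FTP_SERVER 20:21".
RULES = [
    Rule("log",   88881, "FTP USER Anonymous Login",
         b"USER anonymous", flowbits_set="anon.ftp"),
    Rule("alert", 88882, "FTP USER Anonymous and PASS shorty@nait.ca",
         b"PASS shorty@nait.ca", flowbits_isset="anon.ftp"),
    Rule("log",   88883, "FTP USER Root Login",
         b"USER root", flowbits_set="root.ftp"),
    Rule("alert", 88884, "FTP USER Root and PASS spanning tree",
         b"PASS spanning tree", flowbits_isset="root.ftp"),
]


def flow_key(p: Packet) -> Tuple[str, int, str, int]:
    """Flowbits are scoped to the TCP flow; the client->server 4-tuple suffices here."""
    return (p.src, p.sport, p.dst, p.dport)


def content_matches(payload: bytes, rule: Rule) -> bool:
    """content:"..." with or without nocase."""
    if rule.nocase:
        return rule.content.lower() in payload.lower()
    return rule.content in payload


def run_rules(packets: List[Packet]) -> List[Tuple[str, int, str]]:
    """Return (action, sid, msg) for every rule that fires, in packet order."""
    flowbits: Dict[Tuple[str, int, str, int], Set[str]] = {}
    events: List[Tuple[str, int, str]] = []
    for p in packets:
        # Header test: destination IP and port range.
        if p.dst != FTP_SERVER or p.dport not in FTP_PORTS:
            continue
        bits = flowbits.setdefault(flow_key(p), set())
        # Snort's default rule order evaluates alert rules before log rules.
        for rule in sorted(RULES, key=lambda r: r.action != "alert"):
            if not content_matches(p.payload, rule):
                continue
            if rule.flowbits_isset and rule.flowbits_isset not in bits:
                continue        # isset fails: no matching USER earlier in this flow
            if rule.flowbits_set:
                bits.add(rule.flowbits_set)   # set is never cleared by these rules
            events.append((rule.action, rule.sid, rule.msg))
    return events


def fired_sids(packets: List[Packet]) -> List[int]:
    return [sid for _, sid, _ in run_rules(packets)]


def ftp_session(client: str, sport: int, lines: List[bytes]) -> List[Packet]:
    """Constructed client->server control-channel packets, one FTP command each."""
    return [Packet(client, sport, FTP_SERVER, 21, line) for line in lines]


# Constructed sessions; client addresses and ports are made up.
ANON_OK = ftp_session("10.0.0.5", 40001,
                      [b"USER Anonymous\r\n", b"PASS shorty@nait.ca\r\n"])
ROOT_OK = ftp_session("10.0.0.6", 40002,
                      [b"USER root\r\n", b"PASS Spanning Tree\r\n"])
ROOT_WRONG_PASS = ftp_session("10.0.0.7", 40003,
                              [b"USER root\r\n", b"PASS letmein\r\n"])
PASS_WITHOUT_USER = ftp_session("10.0.0.8", 40004,
                                [b"PASS spanning tree\r\n"])
# A later USER in the same session does not clear anon.ftp, so PASS still alerts.
STALE_BIT = ftp_session("10.0.0.9", 40005,
                        [b"USER anonymous\r\n", b"USER bob\r\n",
                         b"PASS shorty@nait.ca\r\n"])

if __name__ == "__main__":
    for name, sess in [("ANON_OK", ANON_OK), ("ROOT_OK", ROOT_OK),
                       ("ROOT_WRONG_PASS", ROOT_WRONG_PASS),
                       ("PASS_WITHOUT_USER", PASS_WITHOUT_USER),
                       ("STALE_BIT", STALE_BIT)]:
        print(name, fired_sids(sess))
```

Running it shows the anonymous and root sessions producing a log event followed by an alert, the wrong-password session producing only the log event, and the PASS-only session producing nothing, since the isset test fails on a flow that never set the bit. The STALE_BIT session is the one to keep in mind when tuning: because the rules never use flowbits:unset, the alert fires on the correct password even though a different username was sent in between.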






Switch Configuration

No changes to the default configuration were made.







Physical Network Diagram

Visio Diagram








General Comments

Syslog Server

The students, in completing this assignment, felt that a means of actually alerting a concerned
third party to the alerts generated by Snort could be a valuable addition to this assignment. The
students feel that the addition of a syslog server could create a more realistic atmosphere and
thus make for a more valuable learning experience.

The students do, however, understand that this topic may still be upcoming in this section of
the course and continue to look forward to it.
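For reference, the Snort 2.x output directive that would forward the alerts from SIDs 88882 and 88884 to a syslog server. This is an added example, not part of the assignment as submitted; the collector address 10.10.10.50 and the LOG_AUTH/LOG_ALERT facility and priority are assumptions. Only alert rules reach alert output plugins, so the two log rules (88881 and 88883) go to Snort's log outputs and would not be forwarded by this line.

```conf
# /etc/snort/snort.conf (added example, not from the original assignment)
#
# Send alerts to the local syslog daemon:
output alert_syslog: LOG_AUTH LOG_ALERT
#
# Or send them to a remote collector over UDP/514 instead
# (10.10.10.50 is an assumed address; enable one form, not both):
# output alert_syslog: host=10.10.10.50:514, LOG_AUTH LOG_ALERT
```

Plain UDP syslog is unauthenticated and unencrypted, so the collector should sit on the management network rather than on the segment being monitored, and the alert messages (which include the rule msg text) should be treated as sensitive in transit.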







Instructor Sign Off

Copy of Original Document



