This assignment is worth 125 points. Partial credit will be given for all questions — it is in your best interest to not leave any blank. Some of these questions may require you to conduct research beyond what we learned in class. You are free to leverage any public resources you'd like to complete this assignment, but make sure to cite your sources in your answers. Refer to this course's honor code policy for more information on what is appropriate reuse.
For this assignment, record your responses to the following activities in the
README.md file in the
homework07 folder of your assignments GitLab
repository and push your work by 11:59 PM Tuesday, April 28.
First, follow these instructions to setup your git environment.
To create a
homework07 branch in your local repository, follow the
$ cd path/to/cse-40567-sp20-assignments # Go to assignments repository $ git checkout master # Make sure we are in master branch $ git pull --rebase # Make sure we are up-to-date with GitLab $ git checkout -b homework07 # Create homework07 branch and check it out $ cd homework07 # Go into homework07 folder
The following network intrusion detection assignment will guide you through the setup and testing of the open source snort package in the Linux environment. You will learn about the strengths and weaknesses of signature-based intrusion detection, and have a chance to craft a rule for a new type of suspicious traffic. The assignment will require root privilege to sniff a network interface and replay traffic on it, as well as an isolated environment for testing. Thus, the assignment must be completed on your own machine in an Ubuntu VirtualBox VM.
Installing the snort package is a straightforward process. What follows below has been tested on Ubuntu 18.04. The process and paths for other versions of Ubuntu should be similar, if not exactly the same.
sudo apt-get install snort. You will be prompted for some configuration info related to your network setup.
ls /etc/snort/rules. If that directory doesn't exist or is empty, try running this command:
sudo apt-get install snort-rules-default
sudo apt-get install tcpreplay
Tip 1: Start early in case you run into trouble installing and configuring snort. Don't hesitate to reach out to the TA or Prof. Scheirer for assistance. snort is one of the most popular open source packages of all time — there is plenty of good material online for troubleshooting as well.
First, create a local directory to store the snort logs in:
Next, if snort has been installed correctly in your VM, you should be able to invoke the IDS via the following command:
sudo snort -dv -k none -l logs -c /etc/snort/snort.conf -A fast
Download the packet trace file for this question. These packets were recorded during the execution of a known attack behavior on a network. Your challenge in this problem is to use snort to determine what that attack is. You can replay these packets on your own network interface by issuing the following command:
sudo tcpreplay -i eth0 q1.cap
If you receive an error message related to the network interface, use the
ifconfig -a command to verify your network setup — depending on how your local networking is configured, you may need to change eth0 to a different interface.
If the tcpreplay command executes properly, you should also see a bit of snort activity in the terminal you launched the IDS from. Now examine the contents of the logfile "alert" in logs/. What type of attack is present in the packet trace file? Copy the exact alert as your answer to this question.
Here is another example of a known attack behavior on a network. Replay these packets using tcpreplay and again examine the logfile "alert". What type of attack is present in the packet trace file? Copy the exact alert as your answer to this question.
Signature-based IDS can work well under many circumstances, but it is far from perfect. In this question, we will look at one particular failure mode. To begin, add the following rule to your /etc/snort/rules/local.rules file:
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC";
classtype:shellcode-detect; sid:1390; rev:5;)
This rule is designed to detect a NOP sled composed of repeated inc ebx instuctions (inc ebx is equivalent to 0x43 in hex, which maps to ASCII character 'C') in a buffer overflow exploit. Note that by default, this rule is commented out of many existing rulesets.
If snort is already running, you will have to restart it to pick up the new rule. Replay the following trace and note that it generates an alert warning of detected shellcode. Is this correct? Take a look at the raw packet data, either by examining the output from snort, which may have printed the packets to the terminal, or via the tcpdump tool, which will also let you inspect the packets stored in the trace file. Identify the type of mistake snort made with this trace, and explain why this happened based on the evidence in the packets as part of your answer to this question. Also: why was this rule commented out by default?
Imagine the following scenario: a new (and very cheap) IoT device has hit the market and it has a publically accessible web server. After performing a security audit that involved fuzzing, you have discovered that the following HTTP GET request causes the device to crash:
GET /%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s HTTP/1.1
Design a new snort rule that is able to detect this denial of service attack. Add it to your /etc/snort/rules/local.rules file and once again restart snort. To test out your new rule, use this packet trace, which contains the above attack.
For your answer to this question, provide a copy of your rule, as well as verification that snort was able to detect the example attack in this question's packet trace (include a plaintext version of the offending packet, which snort can provide to you, as well as the alert that snort generated for it).
If you have any questions, comments, or concerns regarding the course, please
provide your feedback at the end of your
Remember to put your name in the
README.md file. To submit your assignment, please commit your work to the
homework07 branch in your assignment's GitLab repository:
$ cd path/to/cse-40567-sp20-assignments # Go to assignments repository $ git checkout master # Make sure we are in master branch $ git pull --rebase # Make sure we are up-to-date with GitLab $ git checkout -b homework07 # Create homework07 branch and check it out $ cd homework07 # Go to homework07 directory ... $ $EDITOR README.md # Edit appropriate README.md $ git add README.md # Mark changes for commit $ git commit -m "homework07: complete" # Record changes ... $ git push -u origin homework07 # Push branch to GitLab
Procedure for submitting your work: create a merge request by the process that is described here, but make sure to change the target branch from wscheirer/cse-40567-sp20-assignments to your personal fork's master branch so that your code is not visible to other students. Additionally, assign this merge request to our TA (sabraha2) and add wscheirer as an approver (so all class staff can track your submission).