
© Michael Hamm, Service Informatique, CRP Henri Tudor page 1 of 52

Linuxdays 2003: Linux Security Tutorial

10. Firewall

10.1 What is a Firewall
10.2 NAT Network Address Translation
10.3 Packet Filter
10.4 Stateful Packet Filter
10.6 Firewall Architectures
10.7 how iptables work
10.8 using iptables
10.9 Exercise iptables


10.1 What is a Firewall

What is a Firewall?
- a network device for access control;
- it denies unauthorized access to an internal network;
- it works as a single point of access control;

What to protect?
- private data:
  - confidentiality;
  - integrity;
  - availability;
- resources;
- reputation;

What to protect against?
- break-ins;
- Denial of Service;
- loss (theft) of information;


10.1 What is a Firewall

What can a Firewall do?
- it is a very important security measure for rolling out the security policy;
- it logs important internet activities;
- it minimizes the points of access available to an attacker;

What can a Firewall NOT do?
- protect against malicious internal users;
- protect other ways into your network;
- protect against entirely new threats;
- set itself up and manage itself on its own;

Problems with Firewalls:
- they disturb the usual way users access the internet, making users angry;
- internal problems are almost always more important than external problems;


10.2 NAT Network Address Translation

- static NAT 1:1;
- Hidden NAT / Masquerading (*:1);

[Figure: NAT diagram. The internal hosts 10.1.11.2, 10.1.11.3, 10.1.11.4 and the network 10.1.12.0/24 sit behind the firewall; the outside addresses 172.23.20.2, 172.23.20.3, 172.23.20.4 and 172.23.20.5 face the Internet.]
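The two NAT modes on the slide, simulated as a translation table (an added example, not code from the tutorial). Static NAT maps one inside address to one outside address in both directions; masquerading rewrites every inside source to the firewall's single outside address and tells flows apart by the source port it allocates, which is why inside hosts behind it cannot be reached unsolicited. The addresses come from the slide's diagram; which host receives which mapping is an assumption.

```python
"""NAT translation table for static 1:1 NAT and masquerading (*:1)."""
from ipaddress import ip_address, ip_network


class NatTable:
    def __init__(self, outside_addr, static=None, masq_nets=(), first_port=1024):
        self.outside = outside_addr                       # the firewall's own outside address
        self.static = dict(static or {})                  # inside -> outside (1:1), assumed mapping
        self.masq_nets = [ip_network(n) for n in masq_nets]
        self.next_port = first_port                       # next outside source port to hand out
        self.masq = {}                                    # (inside, sport) -> outside port
        self.reverse = {}                                 # outside port -> (inside, sport)

    def outbound(self, src, sport):
        """Translate the source of a packet leaving; returns (new src, new sport) or None."""
        if src in self.static:
            return self.static[src], sport                # 1:1: only the address changes
        if any(ip_address(src) in net for net in self.masq_nets):
            key = (src, sport)
            if key not in self.masq:                      # first packet of a flow: allocate a port
                self.masq[key] = self.next_port
                self.reverse[self.next_port] = key
                self.next_port += 1
            return self.outside, self.masq[key]
        return None                                       # no rule for this host: not translated

    def inbound(self, dst, dport):
        """Translate the destination of a packet from outside; returns (inside, port) or None."""
        for inside, outside in self.static.items():
            if dst == outside:
                return inside, dport                      # static hosts are reachable on any port
        if dst == self.outside and dport in self.reverse:
            return self.reverse[dport]                    # only replies to flows opened from inside
        return None                                       # unsolicited: the inside hosts stay hidden


def demo():
    """Walk the slide's addresses through both modes; returns the translations made."""
    nat = NatTable("172.23.20.2",
                   static={"10.1.11.2": "172.23.20.3", "10.1.11.3": "172.23.20.4"},
                   masq_nets=["10.1.12.0/24"])
    out = [nat.outbound("10.1.11.2", 40000),    # static host keeps its own source port
           nat.outbound("10.1.12.10", 40000),   # two masqueraded hosts using the same source port
           nat.outbound("10.1.12.11", 40000),
           nat.outbound("10.1.12.10", 40000)]   # same flow again: same translation
    back = [nat.inbound("172.23.20.4", 22),      # static: reachable from outside
            nat.inbound("172.23.20.2", 1025),    # reply to the second masqueraded flow
            nat.inbound("172.23.20.2", 2000)]    # nobody inside asked for this: dropped
    return out, back
```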


10.3 Packet Filter

[Figure: the protocol stacks of Alice, the Router and Bob. Each has a Physical Layer, a Data Link Layer, a Network Layer (IP) and a Transport Layer (TCP/UDP); the two end hosts also have an Application Layer (Web Browser, eMail Client...). The packet filter on the router looks at the TCP/IP headers up to the Transport Layer only.]


10.4 Stateful Packet Filter

Example: FTP File Transfer Protocol

[Figure: active-mode FTP between the FTP Server 172.23.20.2 (ports 20 and 21) and the FTP Client 10.1.11.100 (ports 10001 and 10002). The client opens the control channel and announces "Port 10002"; the server answers "OK" and then opens the data channel from its port 20 to the client's port 10002 (TCP ACK).]

AHA, I dynamically have to generate a rule:

allow incoming from 172.23.20.2:20 to 10.1.11.100:10002
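The exchange above, replayed through a small stateful filter (an added example, not the tutorial's code): the filter tracks accepted flows, reads the client's PORT command on the control channel and from it derives the one incoming rule the slide asks for. The packets, port numbers and the inside prefix 10.1.11. are constructed to match the slide's diagram.

```python
"""Stateful filter simulation for the active-mode FTP case on the slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True for a connection-opening segment
    payload: bytes = b""   # application data carried, if any


class StatefulFilter:
    """Default-deny filter with a connection table plus FTP PORT awareness."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # hosts allowed to open NEW flows outward
        self.established = set()             # 4-tuples of flows already accepted
        self.expected = set()                # 4-tuples learned from PORT commands

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and update the state tables."""
        if self._key(p) in self.established or self._reverse(p) in self.established:
            self._learn_ftp_port(p)          # ESTABLISHED: also watch the control channel
            return "ACCEPT"
        if self._key(p) in self.expected:    # RELATED: the data channel the client announced
            self.expected.discard(self._key(p))
            self.established.add(self._key(p))
            return "ACCEPT"
        if p.syn and p.src.startswith(self.inside_prefix):
            self.established.add(self._key(p))   # NEW flow opened from the inside
            return "ACCEPT"
        return "DROP"

    def _learn_ftp_port(self, p):
        """Parse 'PORT h1,h2,h3,h4,p1,p2' on the control channel into an expected flow."""
        if p.dport != 21 or not p.payload.startswith(b"PORT "):
            return
        parts = p.payload[5:].strip().split(b",")
        if len(parts) != 6:
            return
        host = ".".join(x.decode() for x in parts[:4])
        port = int(parts[4]) * 256 + int(parts[5])
        self.expected.add((p.dst, 20, host, port))   # server:20 -> client:announced port

    def dynamic_rules(self):
        """The rules the slide says the filter 'dynamically has to generate'."""
        return [f"allow incoming from {s}:{sp} to {d}:{dp}"
                for s, sp, d, dp in sorted(self.expected)]


def ftp_active_mode_demo():
    """Replay the slide's exchange; returns the per-packet decisions and the learned rule."""
    fw = StatefulFilter(inside_prefix="10.1.11.")
    client, server = "10.1.11.100", "172.23.20.2"
    steps = [
        Packet(client, 10001, server, 21, syn=True),                  # control channel, NEW from inside
        Packet(server, 21, client, 10001),                            # server reply on that flow
        Packet(server, 20, client, 10002, syn=True),                  # too early: nothing announced yet
        Packet(client, 10001, server, 21, payload=b"PORT 10,1,11,100,39,18\r\n"),  # 39*256+18 = 10002
        Packet(server, 20, client, 10002, syn=True),                  # data channel, now RELATED
        Packet(server, 20, client, 10003, syn=True),                  # never announced: still dropped
    ]
    decisions, learned = [], None
    for i, p in enumerate(steps):
        decisions.append(fw.decide(p))
        if i == 3:
            learned = fw.dynamic_rules()     # what the filter knows right after the PORT command
    return decisions, learned
```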


10.5 Application Layer Gateway

[Figure: the protocol stacks of Alice, the Router and Bob (Physical Layer, Data Link Layer, Network Layer (IP), Transport Layer (TCP/UDP), Application Layer with Web Browser, eMail Client...). Unlike the packet filter, the application layer gateway on the router also implements the Application Layer and inspects the traffic up to that layer.]


10.5 Application Layer Gateway

[Figure: the client 10.1.11.101, the proxy with inside address 10.1.11.1 and outside address 172.23.20.1, and a server 172.23.20.2 on the Internet; the steps below are numbered 1 to 5 on the diagram.]

1. The client would like to visit 172.23.20.2:80; the proxy is 10.1.11.1:3128
2. The client opens a connection to 10.1.11.1:3128
3. The proxy opens a connection to 172.23.20.2:80
4. 172.23.20.2 sends the answer to 172.23.20.1
5. The proxy sends the answer to 10.1.11.101


10.6 Firewall Architectures

[Figure: a single Packet Filter between the Unsafe Network and the safe Network.]


10.6 Firewall Architectures

[Figure: an Application Gateway between the Unsafe Network and the safe Network, in two variants: a Dual-homed Application Gateway (one interface on each side) and a Single-homed Application Gateway (one interface).]


10.6 Firewall Architectures

[Figure: two layouts combining a Packet Filter with an Application Gateway between the Unsafe Network and the safe Network.]


10.6 Firewall Architectures

[Figure: two further layouts combining a Packet Filter with an Application Gateway between the Unsafe Network and the safe Network.]


10.6 Firewall Architectures

Screened Subnet (DMZ) De-Militarised Zone:

[Figure: Unsafe Network - Packet Filter - DMZ - Packet Filter - safe Network (LAN).]


10.6 Firewall Architectures

DMZ with Single-Homed or Dual-Homed Application Gateway:

[Figure: two variants of Unsafe Network - Packet Filter - DMZ containing the Application Gateway - Packet Filter - safe Network.]


10.6 Firewall Architectures

DMZ with Internet Server:

[Figure: Unsafe Network - Packet Filter - DMZ containing the Application Gateway and the Internet server - Packet Filter - safe Network.]


10.6 Firewall Architectures

DMZ with Intranet Server:

[Figure: Unsafe Network - Packet Filter - DMZ containing the Application Gateway - Packet Filter - safe Network with the Intranet server.]


10.6 Firewall Architectures

DMZ with a complex Mail and DNS concept:

[Figure: Unsafe Network - Packet Filter - DMZ containing the Application Gateway and the External MAIL/DNS Server - Packet Filter - safe Network with the Internal MAIL/DNS Server.]


10.7 how iptables work

1. A packet enters the network interface;
2. the interface unpacks the Data Link Layer information;
3. the interface forwards the packet to the kernel;
4. the kernel inspects the packet and chooses to reject, drop or accept it.


10.7 how iptables work (continued; the diagram on this slide did not survive extraction)


10.8 using iptables

To view all rules presently loaded into netfilter, we use this command:
iptables --list

We can also specify a single chain to view, rather than viewing all chains at once:
iptables --list INPUT

To see numbered rules (by default, they're listed without numbers), use the --line-numbers option:
iptables --line-numbers --list INPUT

To remove all rules from all chains, we use:
iptables --flush

The basic syntax for writing iptables rules is:
iptables -I[nsert] chain_name rule_# rule_specification

The other rule commands take the same form:
-D[elete], -R[eplace], -A[ppend]


10.8 using iptables

Examples: to delete the third rule in the OUTPUT chain, we'd use the command:
iptables -D OUTPUT 3

To append a rule to the bottom of the INPUT chain:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m state --state NEW

Options:
-s sourceIP
-d destinationIP
-p tcp | udp | icmp | all
--dport destinationPort
--sport sourcePort
--tcp-flags mask comp        # flags: SYN,ACK,PSH,URG,FIN,RST,ALL,NONE; mask = flags to examine, comp = flags that must be set
--icmp-type type
-m state --state statespec   # Load the state module, and match the packet if its state matches statespec. statespec is a comma-delimited list containing some combination of NEW, ESTABLISHED, INVALID, or RELATED.
-j ACCEPT | DROP | LOG | REJECT | [chain_name]


10.9 Exercise iptables

touch my_iptables.sh
chmod 700 my_iptables.sh
vi my_iptables.sh

#!/bin/bash

# Flush old rules
iptables --flush
iptables --delete-chain

# set default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


10.9 Exercise iptables

# Do some rudimentary anti-IP-spoofing drops
# (the private-range drops below assume the Internet-facing interface; on a host
# that also serves a LAN in one of these ranges, restrict them with -i <ext_if>)
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 255.0.0.0/8 -j DROP

iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 0.0.0.0/8 -j DROP

iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 192.168.0.0/16 -j DROP

iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 172.16.0.0/12 -j DROP

iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 10.0.0.0/8 -j DROP

# 192.168.0.??? is left open on the slide: fill in this host's own address
iptables -A INPUT -s 192.168.0.??? -j LOG --log-prefix "Spoofed localhost! "
iptables -A INPUT -s 192.168.0.??? -j DROP


10.9 Exercise iptables

# the INPUT chain
# Anti-stealth-scanning rule: a NEW TCP connection must start with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt? "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Accept inbound packets that are part of previously-OK'ed sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# Accept inbound packets which initiate SSH sessions
# (the slide's /8 mask matches all of 192.0.0.0/8; /16 would limit it to 192.168.0.0)
iptables -A INPUT -p tcp -j ACCEPT -s 192.168.0.0/8 --dport 22 -m state --state NEW

# Accept inbound packets which initiate FTP sessions
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW

# Accept inbound packets which initiate HTTP sessions
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW

# Log anything not accepted above
iptables -A INPUT -j LOG --log-prefix "Dropped by default: "


10.9 Exercise iptables

# the OUTPUT chain:

# If it's part of an approved connection, let it out
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outbound ping (comment out when not needed!)
iptables -A OUTPUT -p icmp -j ACCEPT --icmp-type echo-request

# Allow outbound DNS queries, e.g. to resolve IPs in logs
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Log anything not accepted above - if nothing else, for troubleshooting
iptables -A OUTPUT -j LOG --log-prefix "Dropped by default: "
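The LOG rules in the exercise only pay off if someone reads the kernel log. The following is an added example (not part of the tutorial's exercise) that summarises such lines by the three prefixes the script uses, counts inbound events per source address and lists the destination ports each source touched. The log lines are constructed to look like netfilter LOG output; host names and addresses are made up.

```python
"""Summarise netfilter LOG lines written by the exercise's rules."""
import re
from collections import Counter, defaultdict

# key=value fields netfilter writes after the prefix; the ones we care about
KV = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
PREFIXES = ("Spoofed source IP!", "Stealth scan attempt?", "Dropped by default:")

# constructed sample of /var/log/messages content (not real log data)
SAMPLE_LOG = """\
Mar 22 22:25:26 fw kernel: Spoofed source IP! IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=10.9.8.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN
Mar 22 22:25:27 fw kernel: Spoofed source IP! IN=eth0 OUT= SRC=127.0.0.1 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4445 DPT=80 SYN
Mar 22 22:25:30 fw kernel: Stealth scan attempt? IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55000 DPT=21 FIN
Mar 22 22:25:31 fw kernel: Stealth scan attempt? IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55001 DPT=23 FIN
Mar 22 22:25:40 fw kernel: Dropped by default: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=55002 DPT=3306 SYN
Mar 22 22:25:41 fw kernel: Dropped by default: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.53 LEN=70 PROTO=UDP SPT=5353 DPT=5353
Mar 22 22:25:42 fw sshd[1234]: Accepted publickey for alice from 203.0.113.10
"""


def parse_line(line):
    """Return (prefix, fields) for a netfilter LOG line, or None for any other log line."""
    for prefix in PREFIXES:
        idx = line.find(prefix)
        if idx != -1:
            fields = dict(KV.findall(line[idx + len(prefix):]))
            return prefix, fields
    return None


def summarise(text):
    """Count events per prefix and per inbound source, and list the ports each source probed."""
    by_prefix = Counter()
    by_src = Counter()
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        by_prefix[prefix] += 1
        if f.get("IN"):                       # IN set: packet arrived, so SRC is the remote side
            by_src[f["SRC"]] += 1
            if f.get("DPT"):
                ports_by_src[f["SRC"]].add(int(f["DPT"]))
    return by_prefix, by_src, {src: sorted(ports) for src, ports in ports_by_src.items()}


if __name__ == "__main__":
    prefixes, sources, ports = summarise(SAMPLE_LOG)
    for prefix, n in prefixes.items():
        print(f"{n:4d}  {prefix}")
    for src, n in sources.most_common():
        print(f"{src}: {n} inbound drops, ports {ports.get(src, [])}")
```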


11. IDS – Intrusion Detection System

11.1 What is ID
11.2 Host Based IDS
11.3 Tripwire
11.4 Network Based IDS
11.5 Snort


11.1 What is ID

"the art of detecting inappropriate, incorrect, or anomalous activity"

- An IDS provides:
  - monitoring and analysis of user and system activity;
  - auditing of system configurations and vulnerabilities;
  - assessing the integrity of critical system and data files;
  - operating system audit;

- Classified by operation mode:
  - Host Intrusion Detection Systems - HIDS;
  - Network Intrusion Detection Systems - NIDS;
  - Network Node Intrusion Detection Systems - NNIDS;

- Classified by how they work:
  - Knowledge Based Intrusion Detection Systems;
  - Behavior (Anomaly) Based Intrusion Detection Systems;


11.1 What is ID

An IDS CAN provide the following:
- add an additional layer of security to your infrastructure;
- trace user activity from point of entry to point of impact;
- recognize and report alterations of data;
- detect when your system is under attack;
- detect errors in your system configuration;

An IDS CAN NOT:
- be the answer to all security problems;
- compensate for weak identification and authentication mechanisms;
- compensate for a weak security policy;
- conduct investigations of attacks without human intervention;
- compensate for weaknesses in network protocols;
- compensate for problems in the quality or integrity of the information the system provides;


11.2 Host Based IDS

- log analyzers
  - Logsurfer
  - Fwlogwatch
  - Logwatch
  - Logsentry (formerly Logcheck)

- file integrity
  - Tripwire

- rights management / kernel and process level
  - LIDS – Linux Intrusion Detection System
  - SNARE


11.3 Tripwire

Tripwire File Hierarchy
/usr/sbin/tripwire                    binaries
/etc/tripwire/                        configuration files
/var/lib/tripwire/$(HOSTNAME)         database file
/var/lib/tripwire/report/$(HOSTNAME)  report files

Installing
- RH9.0 CDROM 3
- use rpm
- cd /etc/tripwire
- ./twinstall.sh


11.3 Tripwire

Tripwire Configuration twcfg.txt --> tw.cfg

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =1
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =true
MAILPROGRAM            =/usr/lib/sendmail -oi -t


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##############################################
#                                            #
#        Global Variable Definitions         #
#                                            #
##############################################

@@section GLOBAL
TWDOCS="/usr/doc/tripwire";
TWBIN="/usr/sbin";
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
# HOSTNAME=dumpstar;
# HOSTNAME=arthur;
ADMIN1="root@localhost";


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that change infrequently but are accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen   -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin  -> $(SEC_BIN) ;
  $(TWBIN)/twprint  -> $(SEC_BIN) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Tripwire Data Files
(
  rulename = "Tripwire Data Files",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  $(TWDB)                            -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                    -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                    -> $(SEC_BIN) -i ;
  # $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                 -> $(SEC_BIN) ;

  # don't scan the individual reports
  $(TWREPORT)                        -> $(SEC_CONFIG) (recurse=0) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Commonly accessed directories that should remain static
# with regards to owner and group
(
  rulename = "Invariant Directories",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /              -> $(SEC_INVARIANT) (recurse = 0) ;
  /home          -> $(SEC_INVARIANT) (recurse = 0) ;
  /usr           -> $(SEC_INVARIANT) (recurse = 0) ;
  /usr/local     -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc           -> $(SEC_CONFIG) ;
  /etc/mtab      -> $(SEC_CONFIG) -i ;  # Inode number changes on any mount/unmount
  /etc/issue.net -> $(SEC_CONFIG) -i ;  # Inode number changes
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# File System and Disk Administration Programs
# OS Utilities
# User Binaries
(
  rulename = "File System and OS Utilities",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  /sbin           -> $(SEC_CRIT) ;
  /bin            -> $(SEC_CRIT) ;
  /usr/sbin       -> $(SEC_CRIT) ;
  /usr/bin        -> $(SEC_CRIT) ;
  /usr/local/sbin -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin  -> $(SEC_BIN) (recurse = 1) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Temporary directories
(
  rulename = "Temporary directories",
  emailto = $(ADMIN1),
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp     -> $(SEC_INVARIANT) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# ReadOnly
(
  rulename = "ReadOnly",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /lib       -> $(SEC_BIN) ;
  /var       -> $(SEC_LOG) ;
  /var/log   -> $(SEC_LOG) -il ;
  /var/spool -> $(SEC_INVARIANT) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Libraries
(
  rulename = "Libraries",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /var/lib       -> $(SEC_BIN) ;
  /usr/lib       -> $(SEC_BIN) ;
  /usr/local/lib -> $(SEC_BIN) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Critical System Boot Files
(
  rulename = "Critical system boot files",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  /boot -> $(SEC_CRIT) ;
  # /sbin/lilo -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# These files change every time the system boots
(
  rulename = "System boot changes",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ;            # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log      -> $(SEC_CONFIG) ;
  /dev/console  -> $(SEC_CONFIG) -u ;
  /dev/tty0     -> $(SEC_CONFIG) ;    # tty devices
  /dev/tty1     -> $(SEC_CONFIG) ;    # tty devices
  /dev/tty2     -> $(SEC_CONFIG) ;    # tty devices
  /dev/tty3     -> $(SEC_CONFIG) ;    # are extremely
  /dev/tty4     -> $(SEC_CONFIG) ;    # variable
  /dev/tty5     -> $(SEC_CONFIG) ;
  /dev/tty6     -> $(SEC_CONFIG) ;
  /dev/urandom  -> $(SEC_CONFIG) ;
  /dev/initctl  -> $(SEC_CONFIG) ;
  /var/run      -> $(SEC_CONFIG) ;    # daemon PIDs
  /var/lock     -> $(SEC_CONFIG) ;
  /lib/modules  -> $(SEC_CONFIG) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# These files change the behavior of the root account
(
  rulename = "Root config files",
  emailto = $(ADMIN1),
  severity = 100
)
{
  /root               -> $(SEC_CRIT) -amc ;   # Catch all additions to /root
  /root/.bashrc       -> $(SEC_CONFIG) ;
  /root/.profile      -> $(SEC_CONFIG) ;
  /root/.bash_history -> $(SEC_CONFIG) ;
}


11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Critical devices
(
  rulename = "Critical devices",
  emailto = $(ADMIN1),
  severity = $(SIG_HI),
  recurse = false
)
{
  /dev/kmem     -> $(Device) ;
  /dev/mem      -> $(Device) ;
  /dev/null     -> $(Device) ;
  /dev/zero     -> $(Device) ;
  /proc/devices -> $(Device) ;
  /proc/ksyms   -> $(Device) ;
  /proc/loadavg -> $(Device) ;
  /proc/uptime  -> $(Device) ;
  /proc/locks   -> $(Device) ;
  /proc/version -> $(Device) ;
  /proc/meminfo -> $(Device) ;
  /proc/cmdline -> $(Device) ;
  /proc/misc    -> $(Device) ;
}


11.3 Tripwire

Running tripwire for the first time:

Create the signed tw.cfg from twcfg.txt
twadmin -m F -S site.key twcfg.txt

Create the signed tw.pol from twpol.txt
twadmin -m P -S site.key twpol.txt

Initializing the Tripwire database
tripwire --init

Running tripwire manually on a frequent basis
tripwire -m c -I

Running tripwire from crontab and receiving the email report
tripwire -m c -M > /dev/null


11.4 Network Based IDS

- A network-based ID system monitors the traffic on its network segment as its data source;
- it places the network interface card in promiscuous mode to capture all network traffic;
- it looks at the packets on the network as they pass by some sensor;
- a sensor can only see the packets that happen to be carried on the network segment it is attached to;
- packets are considered to be of interest if they match a signature;
- the three primary types of signatures are string signatures, port signatures, and header condition signatures;


11.4 Network Based IDS

String signatures look for a text string that indicates a possible attack.
- "cat "+ +" > /.rhosts" causes a UNIX system to become extremely vulnerable;

Port signatures simply watch for connection attempts to well-known, frequently attacked ports.
- telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143). If any of these ports aren't used by the site, then incoming packets to these ports are suspicious;
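The three signature types named in 11.4, applied to constructed packets (an added example, not the tutorial's or Snort's code). The string signature is the slide's .rhosts example; the port signature fires only for connection attempts to the slide's watched ports that the site does not serve (the set SITE_PORTS is an assumption); the header condition signatures, which the slides name but do not detail, are illustrated here with SYN+FIN, no flags at all, and source equal to destination.

```python
"""Minimal NIDS signature matcher: string, port and header condition signatures."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S", "SF", "PA"
    payload: bytes = b""


STRING_SIGS = {
    "rhosts-trust-overwrite": b'cat "+ +" > /.rhosts',   # the string quoted on the slide
}
WATCHED_PORTS = {23: "telnet", 21: "ftp", 20: "ftp-data", 111: "sunrpc", 143: "imap"}
SITE_PORTS = {21, 22, 80}        # services this site really runs (assumed for the example)


def header_conditions(p):
    """Header condition signatures: combinations a normal TCP/IP stack never produces."""
    hits = []
    if p.proto == "TCP" and "S" in p.flags and "F" in p.flags:
        hits.append("tcp-syn-fin")                   # open and close in the same segment
    if p.proto == "TCP" and p.flags == "":
        hits.append("tcp-null-flags")                # no flags at all
    if p.src == p.dst:
        hits.append("src-equals-dst")                # packet claims to come from its target
    return hits


def match(p):
    """Return the (signature type, name) pairs one packet triggers."""
    alerts = []
    for name, needle in STRING_SIGS.items():
        if needle in p.payload:
            alerts.append(("string", name))
    is_connect = p.proto != "TCP" or "S" in p.flags   # only connection attempts count
    if p.dport in WATCHED_PORTS and p.dport not in SITE_PORTS and is_connect:
        alerts.append(("port", WATCHED_PORTS[p.dport]))
    for name in header_conditions(p):
        alerts.append(("header", name))
    return alerts


def run(packets):
    """Map packet index -> alerts, for packets that raised at least one."""
    results = {}
    for i, p in enumerate(packets):
        alerts = match(p)
        if alerts:
            results[i] = alerts
    return results


# constructed sample traffic toward the sensor's segment (addresses are documentation ranges)
SAMPLE = [
    Packet("203.0.113.5", "198.51.100.2", "TCP", 40000, 80, "S"),      # ordinary web request
    Packet("203.0.113.5", "198.51.100.2", "TCP", 40001, 23, "S"),      # telnet: not served here
    Packet("203.0.113.5", "198.51.100.2", "TCP", 40002, 21, "S"),      # ftp: served, so no alert
    Packet("203.0.113.5", "198.51.100.2", "TCP", 40003, 143, "SF"),    # imap probe with SYN+FIN
    Packet("198.51.100.2", "198.51.100.2", "UDP", 111, 111),           # sunrpc, src == dst
    Packet("203.0.113.6", "198.51.100.2", "TCP", 40004, 23, "PA",
           b'cat "+ +" > /.rhosts\n'),                                  # string inside a session
]
```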


11.4 Network Based IDS (continued; the content of this slide did not survive extraction)


11.5 Snort

Snort File Hierarchy
/usr/sbin/       binary files
/etc/snort       config files
/var/log/snort   log files

Installation
- first install libpcap from CD-ROM 2
- use the tar.gz

Afterwards check the snort account, group, log directory and init script:
cat /etc/passwd
cat /etc/shadow
cat /etc/group
ls -ld /var/log/snort
grep snort /etc/init.d/snortd


11.5 Snort

Invoking snort as a sniffer

bash-# snort -dvi eth0

03/22-22:25:26.041707 192.168.100.20:1052 -> 10.10.117.13:80
TCP TTL:63 TOS:0x10 ID:10528 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8651A4AB  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1805707 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/22-22:25:26.046576 10.10.117.13:80 -> 192.168.100.20:1052
TCP TTL:64 TOS:0x0 ID:33016 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x6D4A1B04  Ack: 0x8651A4AC  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 63072524 1805707 NOP
TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


11.5 Snort

Using Snort as a Packet Logger
bash-# snort -d -l ./snort/ -h 10.10.20.0/24

-d  decode packets
-l  log to the given directory
-h  specify the home network

To "replay" the file (convert it to ASCII and display it) with Snort, use the -r flag
bash-# snort -dv -r /var/log/snort/snort-0324\@2146.log


11.5 Snort

Configuring and Using Snort as an IDS

snort.conf usually takes this form
- Variable definitions
- Preprocessor plug-in statements
- Output (postprocessor) statements
- Rules (in practice, usually include statements referring to rule files)

Variable definitions
var HOME_NET 33.22.11.0/24,10.9.0.0/16,etc.
var DNS_SERVERS 33.22.11.1 33.22.11.32 etc

Preprocessor plug-in statements

Output (postprocessor) statements
output database: log, mysql, user=root dbname=snort host=localhost

Rules
include bad-traffic.rules


11.5 Snort

Starting snort in IDS mode

Invoke snort with the -T flag to test your configuration
bash-# snort -T -c /etc/snort/snort.conf

When you and Snort are both happy
bash-# snort -Dd -z est -c /etc/snort/snort.conf

Review your log files:
- port-scan entries in /var/log/snort/alert
- some packet headers logged to /var/log/snort/portscan.log