
14_Lab5


7/25/2019 14_Lab5

http://slidepdf.com/reader/full/14lab5 1/2


L5-1

Lab 5

Scenario: complex attack mitigation

Overview

Description

This lab introduces you to the packet capture feature of Pravail APS and to
complex attack mitigation techniques using regular expressions.

Objectives

 After completing this lab, you will be able to do the following:

•  Use Pravail APS to analyze packets;

•  Configure custom regular expressions to stop a complex attack.

Equipment/Tools

The following equipment is required to complete this lab:

•  web browser

Ask your instructor for lab access instructions.

Estimated Completion Time

•  The estimated completion time for this lab is 30 minutes.

Packet analysis

1.  Ask your instructor to start the attack.

2.  Verify that the victim is no longer available at http://10.2.25.44/

3.  Navigate to Explore->Packet capture in the Pravail APS GUI.


L5-2 Pravail APS 3.1 

4.  Configure the following filters so the capture contains only the traffic of interest:

•  your web server Protection Group

•  the ext0 interface

•  User-Agent as a Regular Expression

5.  Start the packet capture

6.  Note that there are some unusually small HTTP requests of just 178 bytes. Click on one of them.

7.  Look at the User-Agent string of the request in the Data section of the packet analyzer. Note the "EvilBot" signature.

8.  Export the packet in .pcap format by clicking the "PCAP Export" icon.

9.  Look at the packet structure in your local Wireshark or at http://www.cloudshark.org (keep in mind that uploading a capture to a third-party service shares its contents with that service).

Regular expression configuration

Let's use the bot signature to mitigate the attack.

1.  Navigate to Protection Groups -> Configuration

2.  Select the Web Server type.

3.  Add the following HTTP Header regular expression for all protection levels:

^User-Agent:.*EvilBot.*

The pattern matches any header line that starts with "User-Agent:" and contains the literal, case-sensitive string "EvilBot" anywhere after it; the trailing ".*" is redundant but harmless. Because the User-Agent header is entirely attacker-controlled, a signature like this stops the current attack but will not survive a trivial change to the bot's string.

4.  Save the configuration.

5.  Navigate back to Explore->Packet capture and run a capture with the same filters as in the previous section.

6.  Note that the attack packets are now dropped.

7.  Check that the victim is available once again.
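The two halves of this lab, reading User-Agent strings out of a capture and then testing the HTTP Header regex against them, can be replayed offline. The script below is an added example, not part of the lab or of Pravail APS: it builds a small classic pcap in memory from constructed requests (a normal browser request, one carrying the "EvilBot" signature, and a lower-case variant), parses the Ethernet/IPv4/TCP layers with the standard library, and reports which requests the lab pattern would drop. The IP addresses other than the victim, the packet sizes, and the assumption that APS tests the regex against each header line on its own are all mine, not the lab's.

```python
"""Offline replay of the Lab 5 packet-analysis and regex steps.

Added example, not lab or Pravail APS code.  The pcap is constructed in
memory (not a capture from the lab network), and testing the regex per
header line is an assumption about how APS evaluates the pattern.
"""
import re
import struct

# The regex configured in the lab.
LAB_PATTERN = r"^User-Agent:.*EvilBot.*"

VICTIM_IP = bytes([10, 2, 25, 44])      # the lab's web server
ATTACKER_IP = bytes([198, 51, 100, 7])  # assumed; TEST-NET-2 address
CLIENT_IP = bytes([192, 0, 2, 10])      # assumed; TEST-NET-1 address


def build_frame(src_ip, dst_ip, payload):
    """Ethernet/IPv4/TCP frame carrying `payload` to port 80.  Checksums
    are left zero; the parser below never verifies them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, src_ip, dst_ip)
    # data offset 5 words (0x50), flags PSH|ACK (0x18)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET) from raw frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_564_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(pcap):
    """Yield (captured_length, frame_bytes) per record, honouring the byte
    order announced by the magic number."""
    magic = pcap[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield incl_len, pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers; None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    doff = (frame[14 + ihl + 12] >> 4) * 4
    return frame[14:14 + total_len][ihl + doff:]


def http_header_lines(payload):
    """Request line plus header lines of an HTTP request, or [] if not one."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    return lines if lines and lines[0].startswith(("GET ", "POST ", "HEAD ")) else []


def header_matches(lines, pattern, flags=0):
    """True if the regex matches any single header line (assumed APS semantics)."""
    rx = re.compile(pattern, flags)
    return any(rx.match(line) for line in lines)


def triage_pcap(pcap, pattern=LAB_PATTERN, flags=0):
    """Per packet: captured length, User-Agent value, and whether `pattern` drops it."""
    results = []
    for incl_len, frame in iter_pcap(pcap):
        payload = tcp_payload(frame)
        lines = http_header_lines(payload) if payload else []
        ua = next((l.split(":", 1)[1].strip() for l in lines
                   if l.lower().startswith("user-agent:")), None)
        results.append({"len": incl_len, "user_agent": ua,
                        "dropped": header_matches(lines, pattern, flags)})
    return results


# Constructed traffic: a browser request, a request carrying the "EvilBot"
# signature seen in the lab, and a lower-case variant the lab regex misses.
LEGIT_REQUEST = (b"GET / HTTP/1.1\r\nHost: 10.2.25.44\r\n"
                 b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                 b"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0 Safari/537.36\r\n"
                 b"Accept: text/html,application/xhtml+xml\r\n"
                 b"Accept-Language: en-US\r\nConnection: keep-alive\r\n\r\n")
BOT_REQUEST = b"GET / HTTP/1.1\r\nHost: 10.2.25.44\r\nUser-Agent: EvilBot/1.0\r\n\r\n"
LOWER_BOT_REQUEST = b"GET / HTTP/1.1\r\nHost: 10.2.25.44\r\nUser-Agent: evilbot/2.0\r\n\r\n"

SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT_IP, VICTIM_IP, LEGIT_REQUEST),
    build_frame(ATTACKER_IP, VICTIM_IP, BOT_REQUEST),
    build_frame(ATTACKER_IP, VICTIM_IP, LOWER_BOT_REQUEST),
])

if __name__ == "__main__":
    for r in triage_pcap(SAMPLE_PCAP):
        print(f"{r['len']:4d} bytes  UA={r['user_agent']!r:70}  dropped={r['dropped']}")
```

Running it shows the bot request as the shortest frame, matching the "unusually small" requests you look for in step 6, and shows it as the only one the lab pattern drops. The third request demonstrates why the pattern is fragile: a bot that merely changes the case of its string sails through, and the lab does not say whether APS accepts an inline case-insensitivity flag, so `flags=re.IGNORECASE` here is Python's behaviour, not a claim about the appliance. Point `iter_pcap` at the bytes of the file you exported in step 8 to run the same triage over the real capture.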

This completes the lab exercise.