SNHU - Identifying & Analyzing Network Host Intrusion Detection System Alerts
Introduction
Objective
Overview
In this lab, you will be conducting network and host monitoring using various administrative
tools. You will be performing the following tasks:
1. Network monitoring with Snorby
2. Network security monitoring with Sguil
3. Network security monitoring with Squert

Network Security Monitoring With Snorby
Network Scanning
1. Click on the Security Onion icon on the topology diagram.
2. On the login screen, type soadmin. Press Enter.
3. When prompted for the password, type mypassword.
Note: The password of mypassword will not be displayed when you type it for security purposes.
4. Open a new terminal by double-clicking on the Terminal icon located on the Desktop.
5. Type the command below and press Enter to start the service.
   soadmin@Security-Onion:~$ sudo service nsm start
6. If prompted for a password, type mypassword. Press Enter. If not, continue to the next step.
7. After the service completes running, type the ifconfig command followed by pressing Enter.
   soadmin@Security-Onion:~$ ifconfig
8. Confirm that all three interfaces (eth0, eth1, eth2) are up and running in promiscuous mode. Also, confirm that the loopback interface is up.
9. Click the Vulnerable Linux icon on the topology diagram.
10. Log in to the Vulnerable Linux with the Username root and Password toor.
11. Click on the Kali icon on the topology diagram.
12. On the login screen, select Other.
13. When presented with the username, type root. Press Enter.
14. When prompted for the password, type toor. Press Enter.
Note: The password of toor will not be displayed when you type it for security purposes.
15. While on the Kali system, click on the Applications Menu option located on the top menu pane and navigate to Kali Linux > Information Gathering > Network Scanners > zenmap.
16. A new Zenmap window will appear. In the Command text box, type the following command:
   nmap -T5 -A -v
   and in the Target text box type:
   203.0.113.1 192.168.1.0/24 10.1.1.0/28
17. Click the Scan button.
18. Wait until the following machines show in the Hosts pane on the left: 192.168.1.1, 192.168.1.6, 10.1.1.1, 10.1.1.10, and 203.0.113.1. After about 4-5 minutes the scan will finish; examine the output.
Note: More than 5 hosts may appear in the Hosts pane; that's OK.

Analyzing Network Events Using Snorby
1. Navigate back to the Security Onion machine, go to the terminal shell, type the command below, and press Enter to start the Apache web service.
   soadmin@Security-Onion:~$ sudo service apache2 start
2. If prompted for a password, type mypassword. Press Enter.
Note: The password will not appear as you type for security reasons.
3. Move the Terminal Shell window out of the way and double-click the Snorby desktop icon to launch the Snorby management interface.
4. When asked about the Untrusted Connection, click I Understand the Risks and then click Add Exception.
5. When asked to add a Security Exception, click Confirm Security Exception.
6. In about a minute the page will most likely redirect to the Snorby login screen. Type soadmin@xyz.corp for the Email. If not, move to the next step after signing in.
7. Type mypassword as the password.
Note: The password of mypassword will not be displayed when you type it for security purposes.
8. Click on the Welcome, Sign In button.
9. Upon login, you will be directed to the Dashboard page by default.
Note: The number of risks may vary from what you see in the screenshot below.
10. ONLY if you don't see any security risks and all the risk meters read 0, click on More Options in the right-hand pane and select Force Cache Update. This can take up to 10 minutes.
Note: Snorby is a fickle tool; even if you do not see risks, move to the next step.
11. Click on the Severities tab to view a graph showing High, Medium, and Low severities.
12. Notice that, when viewing the past 24 hours, the recent spike in severities within the last hour is shown.
13. Click on the Protocols tab to view a graph presenting which well-known protocols (TCP, UDP, and ICMP) have been affected by the severities.
14. Click on the Signatures tab to view a pie graph showing what percentage of the alerts each signature accounts for.
15. Click on the Sources tab to view a pie graph showing which source hosts have been producing the most alerts compared to others.
16. Click on the Destinations tab to view a pie graph showing which hosts have been chosen as the destination/target, comparing the percentage of alerts for each.
17. Click on the Events menu option located at the top menu pane of the Snorby dashboard.
Note: Here is a compiled event list that is presented in the order of newest alerts to oldest by default.
18. Notice that the most recent medium-severity alerts concern suspicious incoming connections to specific ports, mostly SQL and VNC. Remember that these ports were scanned by the Zenmap application from the Kali system. Take note of the Source IP and Destination IP for these alerts.
19. Click on the most recent event alert affecting the SQL port from the list.
20. The alert will expand, showing more information. Notice, when analyzing the alert, that the signature information and TCP header information are presented here.
21. Click on the Sensors menu option.
22. Notice each sensor listed here with its respective percentage of events.
23. Click Log out in the top-right corner.
24. Close the Web browser.

Network Security Monitoring With Sguil
Running Sguil
1. Open a new terminal by double-clicking on the Terminal icon located on the Desktop.
2. While on the Security Onion system, double-click the Sguil desktop icon to run the application.
3. A new window will appear. Type soadmin for the username and mypassword as the password. Leave the rest at their defaults. Click OK to log in.
Note: The password of mypassword will not be displayed when you type it for security purposes.
4. Click Select All.
5. Click the Start SGUIL button.
Analyzing Network Events Using Sguil
1. While viewing the Sguil monitoring application, organize the events by date. Click on the Date/Time column header, making sure that the latest events show up in descending order.
2. Scan the messages under Event Message until you find that the ET Scan Nmap Scripting Engine User-Agent has been detected. Select the event.
3. Notice on the bottom right IP, TCP, and DATA. Check the box for Show Packet Data.
4. Analyze the packet data and locate the User-Agent string.
Note: Any packet with a user-agent string can be used. If you cannot locate a packet that contains a user-agent string, you may select a packet with other data and continue with the next steps.
5. Export a detailed report for this specific event to present to management. While having the event selected (highlighted), click on the Reports menu option located on the top menu pane and select Export Events to a Text File (Detail) > Normal.
6. When the Select a Text Report Type window appears, click OK to continue.
7. In the Save As window, verify the directory is set to /home/soadmin. Type report1 as the File name and click Save.
8. Click OK to confirm the file saved.
9. While on the Security Onion system, go back to the new terminal window you opened earlier, type the command below, and press Enter to view the contents of the report.
   soadmin@Security-Onion:~$ cat /home/soadmin/report1
10. After viewing the report, close the terminal window.
11. Close the Sguil application.

Network Security Monitoring With Squert
Analyzing Security Monitoring Using Squert
1. While on the Security Onion system, double-click on the Squert desktop icon.
2. When asked about the Untrusted Connection, click I Understand the Risks and then click Add Exception.
3. When asked to add a Security Exception, click Confirm Security Exception.
4. A Firefox web browser should appear. Verify the address field is populated with the following: https://localhost/squert.
5. For the Squert login page, type soadmin as the Username and mypassword as the Password. Click Submit.
6. Notice the top bar presenting the percentage of events based on their severity. On the left side, click the up arrow to collapse both Event Summary and Event Count by Priority.
7. Notice that underneath Event Count by Classification, each event group is color coded.
8. Click on the orange percentage bar.
9. Notice any ET SCAN NMAP events populating the Signature column.
10. Click on the filters button at the top of the page.
Note: A new pop-up window will appear showing the different alias options that can be used for filtering events.
11. Close the pop-up window.
12. To filter the events by IP address, in the text box next to filters, type ip 203.0.113.2 followed by pressing Enter.
13. Notice that all recent events populating the event list are related to the Kali machine.
14. We can also filter events by which sensor is picking up the traffic. Click on the sensors button next to the filters button.
15. A new pop-up window should appear. Notice the different sensors listed along with the agent operating on each sensor. From the Network options, click the Security-Onion-eth0 option to only show events picked up by this particular sensor.
16. Confirm that four checks have been marked for Security-Onion-eth0.
17. Close the pop-up window.
18. Type ip 10.1.1.10 into the text box next to filters and press Enter to initialize the search with the new sensor filter.
Note: Press the STOP button to complete the lab.
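As an added example (not part of the lab or of the Security Onion project), the Python script below parses constructed Snort alert_fast lines, the alert format the Security Onion sensors write, and rebuilds the counts behind the Snorby Severities, Protocols, Signatures, Sources and Destinations tabs and the Squert "ip <address>" filter used in the Squert section. The sample events, their gid:sid:rev values and timestamps are constructed; the addresses follow the lab topology, and the priority-to-severity mapping (1 High, 2 Medium, 3 Low) is Snort's standard one.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "alert_fast" format (the format the Security
# Onion sensors write). The gid:sid:rev values and timestamps are placeholders;
# addresses follow the lab topology, where 203.0.113.2 is the Kali scanner.
SAMPLE_ALERTS = """\
04/22-10:01:02.100000  [**] [1:1000001:1] ET SCAN Nmap Scripting Engine User-Agent Detected [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.2:40001 -> 10.1.1.10:80
04/22-10:01:03.200000  [**] [1:1000002:1] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.2:40002 -> 192.168.1.6:5900
04/22-10:01:04.300000  [**] [1:1000003:1] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.2:40003 -> 192.168.1.6:1433
04/22-10:01:05.400000  [**] [1:1000004:1] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.2:40004 -> 10.1.1.1:22
04/22-10:01:06.500000  [**] [1:1000005:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.2 -> 192.168.1.1
04/22-10:02:00.000000  [**] [1:1000006:1] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.6:54321 -> 192.168.1.1:161
"""

# One alert_fast line: ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<sig>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Snort priority -> the severity label Snorby displays (1 High, 2 Medium, 3 Low).
SEVERITY = {"1": "High", "2": "Medium", "3": "Low"}


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def summarize(alerts):
    """Counts behind the five Snorby dashboard tabs, keyed by tab name."""
    tabs = {"severity": lambda a: SEVERITY.get(a["prio"], "Other"),
            "protocol": lambda a: a["proto"], "signature": lambda a: a["sig"],
            "source": lambda a: a["src"], "destination": lambda a: a["dst"]}
    return {tab: Counter(key(a) for a in alerts) for tab, key in tabs.items()}


def filter_ip(alerts, ip):
    """Squert-style 'ip <addr>' filter: events where addr is the source or destination."""
    return [a for a in alerts if ip in (a["src"], a["dst"])]


if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS)
    for tab, counts in summarize(events).items():
        print(f"{tab:12}", dict(counts.most_common(3)))
    print(len(filter_ip(events, "203.0.113.2")), "events involve the Kali host")
```

Pointing parse_alerts at a real alert_fast file from a sensor gives the same per-tab counts the dashboard shows, which is a quick way to sanity-check Snorby when its cache has not updated.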
This work by the National Information Security and Geospatial Technologies Consortium
(NISGTC), and except where otherwise noted, is licensed under the Creative Commons
Attribution 3.0 Unported License.
Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance
Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48; The
National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of
Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of
Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio
Salado College of Arizona, and Salt Lake Community College of Utah.
This workforce solution was funded by a grant awarded by the U.S. Department of Labor's
Employment and Training Administration. The solution was created by the grantee and does
not necessarily reflect the official position of the U.S. Department of Labor. The Department
of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with
respect to such information, including any information on linked sites, and including, but not
limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy,
continued availability or ownership.
© 2023 - Infosec Learning INC. All Rights Reserved.