- Part 1: Preparing the Virtual Environment
- Part 2: Firewall and IDS Logs Monitoring
- Part 3: Terminate and Clear Mininet Process
In a secure production network, various devices like security appliances, firewalls, IPS devices, routers, switches, and servers generate network alerts. However, not all alerts are the same. For instance, alerts generated by servers and firewalls differ in content and format.
- CyberOps Workstation virtual machine
- VMware/VirtualBox
- Bash and Python scripts
- Internet connection
Note: In this lab, the CyberOps Workstation VM is a container for holding the Mininet environment shown in the Topology.
Part 1: Preparing the Virtual Environment
a. Launch Oracle VirtualBox and change the CyberOps Workstation network adapter to Bridged mode, if necessary.
b. Launch the CyberOps Workstation VM, open a terminal, and configure its network by executing the shell script below.
sudo ./lab.support.files/scripts/configure_as_dhcp.sh
c. Use the ifconfig command to verify that the CyberOps Workstation VM now has an IP address on your local network.
Part 2: Firewall and IDS Logs
Step 1: Real-Time IDS Log Monitoring
a. From the CyberOps Workstation VM, run the script to start mininet.
sudo ./lab.support.files/scripts/cyberops_extended_topo_no_fw.py
The mininet prompt should be displayed, indicating mininet is ready for commands.
b. From the mininet prompt, open a shell on R1 using the command below:
xterm R1
c. From R1’s shell, start the Linux-based IDS, Snort.
./lab.support.files/scripts/start_snort.sh
d. From the CyberOps Workstation VM mininet prompt, open shells for hosts H5 and H10.
xterm H5
e. H10 will simulate a server on the Internet that is hosting malware. On H10, run the mal_server_start.sh script to start the server.
./lab.support.files/scripts/mal_server_start.sh
f. On H10, use netstat with the -tunpa options to verify that the web server is running.
netstat -tunpa
g. In the R1 terminal window, an instance of Snort is running. To enter more commands on R1, open another R1 terminal by entering xterm R1 again in the CyberOps Workstation VM terminal window.
h. In the new R1 terminal tab, run the tail command with the -f option to monitor the /var/log/snort/alert file in real time. This file is where snort is configured to record alerts.
i. From H5, use the wget command to download a file named Nimda.Amm.exe. Designed to download content via HTTP, wget is a great tool for downloading files from web servers directly from the command line.
wget 209.165.202.133:6666/W32.Nimda.Amm.exe
j. As the malicious file was transiting R1, the IDS, Snort, was able to inspect its payload. The payload matched at least one of the signatures configured in Snort and triggered an alert on the second R1 terminal window (the tab where tail -f is running).
On H5, use the tcpdump command to capture the event, then download the malware file again so the transaction is captured. Issue the following command to start the packet capture:
tcpdump -i H5-eth0 -w nimda.download.pcap &
Note: The command above instructs tcpdump to capture packets on interface H5-eth0 and save the capture to a file named nimda.download.pcap.
k. Press ENTER a few times to regain control of the shell while tcpdump runs in the background.
l. Now that tcpdump is capturing packets, download the malware again. On H5, re-run the command or use the up arrow to recall it from the command history facility.
wget 209.165.202.133:6666/W32.Nimda.Amm.exe
m. Stop the capture by bringing tcpdump to the foreground with the fg command. Stop the tcpdump process with Ctrl+C. The tcpdump process stops and displays a summary of the capture. The number of packets may be different for your capture.
fg
n. On H5, use the ls command to verify the pcap file was in fact saved to disk and has a size greater than zero:
ls -l
Step 2: Tuning Firewall Rules Based on IDS Alerts
In Step 1, an internet-based malicious server was started. To keep other users from reaching that server, it should be blocked at the edge firewall.
In this lab’s topology, R1 is not only running an IDS but also a very popular Linux-based firewall called iptables. In this step, traffic to the malicious server identified in Step 1 will be blocked by editing the firewall rules currently present in R1.
a. In the CyberOps Workstation VM, start a third R1 terminal window.
xterm R1
b. In the new R1 terminal window, use the iptables command to list the chains and their rules currently in use:
iptables -L -v
c. Connections to the malicious server generate packets that must traverse the iptables firewall on R1. Packets traversing the firewall are handled by the FORWARD chain and therefore, that is the chain that will receive the blocking rule. To keep user computers from connecting to the malicious server identified in Step 1, add the following rule to the FORWARD chain on R1:
iptables -I FORWARD -p tcp -d 209.165.202.133 --dport 6666 -j DROP
d. Use the iptables command again to ensure the rule was added to the FORWARD chain.
iptables -L -v
e. On H5, try to download the file again:
wget 209.165.202.133:6666/W32.Nimda.Amm.exe
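Steps 1 and 2 together form a small detection-to-mitigation loop: an alert is written to /var/log/snort/alert, and an analyst turns the endpoint named in it into a FORWARD-chain DROP rule. The script below, added here as an illustration and not part of the lab's own support scripts, automates that reading step. It parses a constructed sample in Snort's "full" alert log format (the sample text and its signature IDs are made up for this example), decides which side of each alert is outside an assumed internal network (192.168.0.0/24, an assumption for this example), and prints the iptables rule that would block further connections to that external endpoint. It only prints rules; applying them is left to the analyst on R1.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in Snort's "full" alert format. These records are made
# up for this example and are not taken from the lab's /var/log/snort/alert.
# Two alerts cover the same download from the malicious server (the server
# is the source, because the payload travels server -> client); the third
# alert involves only internal hosts and must not produce an edge rule.
SAMPLE_ALERT_LOG = """\
[**] [1:1000001:1] EXAMPLE Malicious executable download [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/22-17:10:02.123456 209.165.202.133:6666 -> 192.168.0.11:45678
TCP TTL:63 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1  Ack: 0x1  Win: 0x1000  TcpLen: 20

[**] [1:1000001:1] EXAMPLE Malicious executable download [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/22-17:12:40.654321 209.165.202.133:6666 -> 192.168.0.11:45702
TCP TTL:63 TOS:0x0 ID:0 IpLen:20 DgmLen:1500 DF

[**] [1:1000002:1] EXAMPLE ICMP ping sweep [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/22-17:13:00.000000 192.168.0.12 -> 192.168.0.11
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")


@dataclass
class SnortAlert:
    sid: int
    message: str
    src_ip: str = ""
    src_port: Optional[int] = None
    dst_ip: str = ""
    dst_port: Optional[int] = None
    proto: str = ""


def parse_snort_alerts(text: str) -> List[SnortAlert]:
    """Parse the records of a Snort 'full' alert file into SnortAlert objects."""
    alerts: List[SnortAlert] = []
    current: Optional[SnortAlert] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # "[**] [gid:sid:rev] message [**]" starts a new record
            current = SnortAlert(sid=int(m.group(2)), message=m.group(4))
            alerts.append(current)
            continue
        if current is None:
            continue
        m = PACKET_RE.match(line)
        if m:  # timestamp, then "src[:port] -> dst[:port]"
            current.src_ip = m.group(1)
            current.src_port = int(m.group(2)) if m.group(2) else None
            current.dst_ip = m.group(3)
            current.dst_port = int(m.group(4)) if m.group(4) else None
            continue
        m = PROTO_RE.match(line)
        if m:  # the IP header line begins with the transport protocol
            current.proto = m.group(1).lower()
    return alerts


def external_endpoint(alert: SnortAlert, internal_net: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (ip, port) of the side outside internal_net.

    Returns None when both ends are internal (not an edge-firewall matter)
    or both are external (nothing of ours to protect)."""
    net = ipaddress.ip_network(internal_net)
    src_in = ipaddress.ip_address(alert.src_ip) in net
    dst_in = ipaddress.ip_address(alert.dst_ip) in net
    if src_in and not dst_in:
        return alert.dst_ip, alert.dst_port
    if dst_in and not src_in:
        return alert.src_ip, alert.src_port
    return None


def build_forward_drop_rules(alerts: List[SnortAlert], internal_net: str) -> List[str]:
    """Produce one FORWARD-chain DROP rule per distinct external endpoint."""
    seen = set()
    rules: List[str] = []
    for a in alerts:
        if not a.src_ip or not a.proto:
            continue  # truncated record, skip rather than guess
        ep = external_endpoint(a, internal_net)
        if ep is None:
            continue
        ip, port = ep
        key = (a.proto, ip, port)
        if key in seen:
            continue  # repeated alerts for the same endpoint yield one rule
        seen.add(key)
        rule = f"iptables -I FORWARD -p {a.proto} -d {ip}"
        if port is not None and a.proto in ("tcp", "udp"):
            rule += f" --dport {port}"
        rules.append(rule + " -j DROP")
    return rules


if __name__ == "__main__":
    for r in build_forward_drop_rules(parse_snort_alerts(SAMPLE_ALERT_LOG), "192.168.0.0/24"):
        print(r)
```

With the sample above the script prints exactly the rule used in Step 2c for the malicious server on port 6666. Because the rule is keyed on protocol, address and port, a server that moves to another port would need a new alert and a new rule; dropping the port condition gives the broader, whole-address block mentioned in the reflection notes at the end of this lab.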
Part 3: Terminate and Clear Mininet Process
a. Navigate to the terminal used to start Mininet. Terminate Mininet by entering quit in the main CyberOps VM terminal window.
quit
b. After quitting Mininet, clean up the processes started by Mininet. Enter the password cyberops when prompted.
sudo mn -c
- The malware download was no longer successful after the FORWARD rule in iptables was updated.
- Instead of specifying IP, protocol, and port, a rule could simply block the server’s IP address. This would completely cut access to that server from the internal network.