Tools needed: LAMP server, Snort, ACID/BASE

VM environment
  Installation configuration: IDS VM (interface 0 - NAT)
  Testing configuration: IDS VM (interface 0 - host-only, interface 1 - intnet); WinXP SP2 VM (interface 0 - intnet)
Do not set up the database during the snort-mysql package install. We will instead edit snort.conf so that Snort logs to the database created in step 2.
During the install the following error may be displayed:

  /etc/snort/db-pending-config file found
  Snort will not start as its database is not yet configured.
  Please configure the database as described in /usr/share/doc/snort-mysql/README-database.Debian
  and then remove /etc/snort/db-pending-config
  * Stopping Network Intrusion Detection System snort
  * No running snort instance found

This is expected: the Debian init script refuses to start Snort until a database has been configured. The error goes away once snort.conf is pointed at the database created in step 2 and /etc/snort/db-pending-config is removed.
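As an added example (not part of the original lab handout), the shell snippet below shows the snort.conf change that clears this error: a Snort 2.x "output database" line pointing at MySQL, removal of the db-pending-config flag, and a configuration parse test (snort -T) before the restart. The database user, database name (both assumed to be "snort") and the password are lab assumptions; substitute whatever you created in step 2. The snort_db_configured check is my own helper, not a Snort feature, and the demo at the bottom runs against a constructed stub config so it can be tried offline.

```shell
#!/bin/sh
# Added example: point Snort at the MySQL database from step 2 and clear the
# db-pending-config flag. Paths are the Debian snort-mysql defaults; the
# database user, name and password are lab assumptions, not from the handout.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
PENDING=${PENDING:-/etc/snort/db-pending-config}

# Build the Snort 2.x MySQL output line: snort_db_line USER PASSWORD DBNAME
snort_db_line() {
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=localhost\n' \
        "$1" "$2" "$3"
}

# Return 0 if CONF contains a MySQL output line and PENDING no longer exists,
# i.e. the state the init script needs before it will start Snort.
# Usage: snort_db_configured CONF PENDING
snort_db_configured() {
    conf=$1
    pending=$2
    grep -Eq '^[[:space:]]*output[[:space:]]+database:.*mysql' "$conf" || return 1
    [ ! -e "$pending" ]
}

# Apply the change on the IDS VM (needs root). Not run automatically.
configure_snort_db() {
    snort_db_line snort 'secure?' snort | sudo tee -a "$SNORT_CONF" >/dev/null
    sudo rm -f "$PENDING"
    sudo snort -T -c "$SNORT_CONF"          # parse-test the config before restarting
    sudo /etc/init.d/snort restart
}

# Offline demonstration on a constructed copy of the config.
DEMO_CONF=$(mktemp)
DEMO_PENDING=$(mktemp)                       # file exists -> "not yet configured"
printf '# constructed snort.conf stub for the demo\n' > "$DEMO_CONF"
snort_db_configured "$DEMO_CONF" "$DEMO_PENDING" && echo configured || echo "not yet configured"
snort_db_line snort 'secure?' snort >> "$DEMO_CONF"
rm -f "$DEMO_PENDING"
snort_db_configured "$DEMO_CONF" "$DEMO_PENDING" && echo configured || echo "not yet configured"
```

Run configure_snort_db only on the IDS VM; the rest of the script is safe to run anywhere. If snort -T reports an error, fix snort.conf before restarting, otherwise the init script will again report that no running instance was found.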
Configure ACID/BASE to use the MySQL database: select YES when asked to configure the database, and select MySQL as the database type.
Enter the MySQL root password (in this lab: secure?); you will be prompted to confirm it.
You will then be asked to create a MySQL password that ACID/BASE uses to connect to the database. For simplicity this lab uses secure? here as well; a weak, shared password is acceptable only inside this isolated lab and should never be reused on a real sensor. At this point the ACID/BASE package setup is done.
Next we point the ACID/BASE installation at our snort database and create the ACID/BASE tables in it. These tables are what let ACID/BASE read and group the alerts that Snort writes to the database.
To configure ACID/BASE:
  1. Open a web browser and navigate to http://localhost/acidbase
  2. Click the setup page link to configure ACID/BASE.
  3. Click the "Create BASE AG" button to create the ACID/BASE tables in the snort database.
The following should be displayed:

  Successfully created 'acid_ag'
  Successfully created 'acid_ag_alert'
  Successfully created 'acid_ip_cache'
  Successfully created 'acid_event'
  Successfully created 'base_roles'
  Successfully INSERTED Admin role
  Successfully INSERTED Authenticated User role
  Successfully INSERTED Anonymous User role
  Successfully INSERTED Alert Group Editor role
  Successfully created 'base_users'

Click the HOME button to return to the main page.
Verify the XP VM routes through the IDS VM (the IDS VM's intnet address is set as the XP VM's default gateway). Verify the HOST machine can route packets to the 10.0.0.0/24 network through the IDS VM; this requires IP forwarding to be enabled on the IDS VM. From the HOST run:

  sudo nmap -sV -sS -O <XP-VM's-IP>

Snort should alert on the scan.
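An added example (my own, not from the lab handout) that scripts the checks in this step and then summarises what Snort logged. The addresses (IDS VM 192.168.56.10 on host-only and 10.0.0.1 on intnet, XP VM 10.0.0.5, HOST 192.168.56.1) are assumptions; the alert lines at the bottom are constructed in Snort's alert_fast format to illustrate the parsing and are not a real capture. The count_alerts_from and alert_signatures helpers are mine.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Addresses below are assumptions:
#   IDS VM: 192.168.56.10 (host-only, interface 0), 10.0.0.1 (intnet, interface 1)
#   XP VM:  10.0.0.5 (intnet), default gateway 10.0.0.1
#   HOST:   192.168.56.1 (host-only)
IDS_HOSTONLY=192.168.56.10
XP_IP=10.0.0.5

# On the IDS VM: it only routes between its two interfaces with forwarding on.
ids_enable_forwarding() {
    sudo sysctl -w net.ipv4.ip_forward=1
}

# On the HOST: send 10.0.0.0/24 via the IDS VM, then confirm the chosen route.
host_route_via_ids() {
    sudo ip route add 10.0.0.0/24 via "$IDS_HOSTONLY"
    ip route get "$XP_IP"            # expect "... via 192.168.56.10 ..."
}

# On the HOST: the scan from the lab text.
host_scan_xp() {
    sudo nmap -sV -sS -O "$XP_IP"
}

# Count alert_fast lines in FILE whose source address is SRC (ports stripped).
# Usage: count_alerts_from FILE SRC
count_alerts_from() {
    awk -v src="$2" '
        /\[\*\*\]/ {
            s = $(NF-2)                 # "src[:port] -> dst[:port]" ends the line
            sub(/:[0-9]+$/, "", s)
            if (s == src) n++
        }
        END { print n + 0 }' "$1"
}

# Print the distinct signature names in FILE, one per line.
alert_signatures() {
    sed -n 's/.*\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\].*/\1/p' "$1" | sort -u
}

# Constructed sample in Snort's alert_fast format; illustrative, not a real capture.
SAMPLE_ALERT=$(mktemp)
cat > "$SAMPLE_ALERT" <<'EOF'
10/05-14:32:11.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.56.1 -> 10.0.0.5
10/05-14:32:12.001122  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.56.1 -> 10.0.0.5
10/05-14:32:13.445566  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.1:54321 -> 10.0.0.5:80
10/05-14:32:14.778899  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.56.1
EOF

echo "alerts with the HOST as source: $(count_alerts_from "$SAMPLE_ALERT" 192.168.56.1)"
echo "signatures seen:"
alert_signatures "$SAMPLE_ALERT"
```

Run the three topology functions on the machines named in their comments; the parsing helpers work on any alert_fast file, so point them at the IDS VM's Snort alert log after the scan to confirm that the alerts have the HOST's address as source. If the count is zero, check the routing and forwarding first: Snort cannot alert on packets the IDS VM never sees.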
Turn In
Export Snort's alert log, or take a screenshot of the scan as logged by Snort.
Extended Learning
Attempt the FTP exploit from lab 2. Start the XP VM on the internal network with the IDS (gateway) VM set as its default gateway. Uncomment the following line in snort.conf:

  include /etc/snort/rules/ftp.rules

Run the exploit. Snort should display an attack alert.