Securing Cisco Networks with FireSIGHT Intrusion Prevention System
Lab Guide
Version 2.0
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at
www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the
property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any
other company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN
ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND
FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer
above.
Welcome, Students!
Students, this letter describes important course evaluation access information!
Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program, Cisco is
committed to bringing you the highest-quality training in the industry. Cisco learning products are
designed to advance your professional goals and give you the expertise that you need to build
and maintain strategic networks.
Cisco relies on customer feedback to guide business decisions. Therefore, your valuable input will
help shape future Cisco course curricula, products, and training offerings. Please complete a brief
Cisco online course evaluation of your instructor and the course materials in this student kit. On
the final day of class, your instructor will provide you with a URL, directing you to a short post-course
evaluation. If there is no Internet access in the classroom, please complete the evaluation within the
next 48 hours or as soon as you can access the web.
On behalf of Cisco, thank you for choosing Cisco Learning Partners for your Internet technology
training.
Sincerely,
Cisco Systems Learning
2015 Cisco Systems, Inc.
Table of Contents
Introduction ... 3
  Introduction ... 3
  Lesson 1 Lab Exercises ... 7
  Lesson 3 Lab Exercises ... 9
  Lesson 4 Lab Exercises ... 10
  Lesson 5 Lab Exercises ... 14
  Lesson 6 Lab Exercises ... 15
  Lesson 7 Lab Exercises ... 19
  Lesson 8 Lab Exercises ... 23
  Lesson 10 Lab Exercises ... 25
  Lesson 11 Lab Exercises ... 28
  Lesson 12 Lab Exercises ... 31
  Lesson 13 Lab Exercises ... 34
  Lesson 14 Lab Exercises ... 35
  Lesson 15 Lab Exercises ... 39
Introduction
Introduction
The lab infrastructure that is provided for this training consists of a remotely accessible virtual learning
environment. Because some FireSIGHT System features are implemented in hardware, it is not
possible to demonstrate all of the product's functionality in this lab environment.
The instructor will assist students with access procedures to enter the environment. Once you are in, you
will have full access to all the virtual machines depicted in the figure to perform the structured labs or to
experiment with if you wish.
Classroom Environment
This section describes the setup and configuration of the virtual infrastructure. The following figure
illustrates the topology of each student virtual network.
Each virtual machine will appear as a tab at the top of the VMware application window. To navigate
from one virtual machine to another, simply double-click the corresponding tab.
The main panel of the VMware application window displays either a command-line console for the
selected virtual machine or the graphical interface of the selected virtual machine.
If you click inside the command-line console of a virtual machine, the mouse pointer is captured by
the virtual machine and becomes unavailable for use on the desktop until you press Ctrl-Alt.
If you click inside a virtual machine with a graphical interface, the mouse will be available to both
the desktop and the virtual machine.
Username: root
Password: password
Username: admin
Password: password
The desktop is part of the lab environment. You should be able to access any of the virtual machines
with the tools that are provided on the desktop.
Use the PuTTY terminal application to access the CLIs of the virtual machines rather than the VMware
console window.
You can expand the terminal window to see more command-line information.
You will see an icon for the PuTTY application on the desktop, or you can type putty.exe from the search
field of the Windows start menu.
The hostnames of the virtual machines should resolve if you prefer to use them rather than accessing
everything by IP address.
Log out as NOC and log back in with the administrator credentials.
In 3 minutes, the administrator browser session will time out. The administrator user role cannot
be exempted from the session timeout. Administrators have access to all menu options, so their
sessions present a higher security risk if compromised.
Once you are logged out, log back in with the administrator credentials.
Navigate back to the System Policy titled My System Policy and change the browser session
timeout back to the default value (60 minutes).
Name: Bleda_LDAP
Port: 389
Password: password
Administrator:
Intrusion Admin:
Security Analyst:
Click Cancel.
Provide the username student01 and the password password in the Additional Test Parameters
section. Click the Test button. Make sure that you receive a Success Test Complete message at
the top of the page.
Navigate to the bottom of the page and view the Test Output (expand the arrow in the Show
Details field). What other accounts did your test discover?
Verify that your system policy is enabled for external authentication referencing the object that
you reviewed previously. Edit the system policy titled Initial_System_Policy and navigate to
the Authentication Profiles section of the policy.
Status: Enabled
Default User Role: None selected (You can deselect an item by holding down the Ctrl key
and clicking the item, if you have accidentally selected one.)
Enable the authentication object by clicking the check box where Bleda is listed on the page.
Remember to save and apply the policy before moving to the next step.
Now log out of your Sourcefire System GUI and log back in with the student01 account and the
password password.
Test other user accounts to see which role or roles they are granted. You can use the following
accounts (they all have the password set to password): student02, student03, extdb, and maint.
Do all of the accounts work? If not, which one does not and why? (The test output might yield
important clues.)
Bleda: 192.168.10.90
Rugila: 192.168.133.60
dmz_net: 192.168.10.0/24
general_net: 192.168.133.0/24
Keep in mind that you are logging connections at the end. The SSH session is not displayed in Connection
Events until the session is complete.
Click Save and Apply. Click Apply All to confirm the apply operation. You can click the task
status option to view the progress of the policy apply process. Once it is complete, you can close
the task status window and click the OK button to return to the policy edit page.
To verify your results, do the following:
Test this configuration by opening the Pidgin Internet Messenger application on Bleda. You can
access it by starting the GUI with the startx command. Note that the startx command must be
run from the VM console of Bleda. You may receive a warning box, because you are running the
user interface as root. Simply click Continue to load the GUI.
When the GUI opens, navigate to Applications > Internet > Pidgin Internet Messenger.
A preconfigured account is already set up. You can enter any password.
The rule will not allow the authentication to take place.
Inspect the Connection Events and verify that the connection was blocked.
On the host Bleda's desktop, open the Firefox browser and try to navigate to www.aim.com to
use the web AIM chat client.
This action should generate the default system-provided block response page and prevent access
to the site.
Click the Rules tab in the policy edit page to return to the rule list.
Click the Add Rule button.
In the Name field, enter Restrict Dating. Set the Action to Block.
Click the URLs tab.
Type dating in the search field of the Categories and URLs column. Choose Dating from this
list.
In the Reputations column, choose a reputation value of Any so that all dating sites are included.
Click the Logging tab and set the rule to log at the beginning of the connection.
Click Add.
Click Save and Apply. Click Apply All to confirm the apply operation. You can click the task
status option to view the progress of the policy apply process. Once it is complete, you can close
the task status window and click the OK button to return to the policy edit page.
Test this configuration by using the web browser on Bleda's desktop to try to access the site
match.com. This attempt to navigate to match.com should trigger the block response page.
Inspect the Connection Events and verify that the connections were blocked.
10.0.0.0/8
172.0.0.0/8
192.0.0.0/8
Click Save.
Click the Advanced tab of the Network Discovery policy.
Click the Edit icon that is associated with General Settings. Enable Capture Banners and
change the Update Interval value to 1800 seconds.
Click Apply.
Name: Bleda_LDAP
Port: 389
Password: password
Click the Test button at the bottom of the page to initiate a test connection to the LDAP server.
If it returns a message of success, your LDAP connection is configured correctly.
Click Cancel to exit the LDAP connection configuration page.
Test the user discovery configuration as follows:
Create an SSH connection to Bleda and enter the following command to create a Telnet
connection to the POP3 port:
telnet 192.168.133.60 110
When you receive the OK prompt, type the following to test with POP3:
user student01
Navigate to Analysis and then Users, and choose User Activity. Note the user events that have
been recorded.
Navigate to Analysis and then Users, and choose Users to see the list of users. Note the LDAP
data that has been added (first name, last name, department, email, and phone).
Go to the Attributes section of the profile for each host in this network, and confirm that the
Networks attribute is set to DMZ.
Run a search for hosts with a specific attribute by navigating to Analysis > Hosts > Host
Attributes.
Click the Edit Search option in the upper-left portion of the page.
Look for the attribute that you created called Networks and enter DMZ in that field.
Click the Search button.
The Attributes list page shows you all the hosts with the attribute value that you searched on.
Click the drill-down button (the blue arrow at the beginning of the line) for the host
192.168.10.90 (bleda). This will open the host profile page for the host that you selected.
You are concerned about the possibility of introducing malware into your network environment, but you
do not want to hinder end-user productivity.
Your organization is concerned about lawsuits that could result from users downloading music files.
Because EXE and PDF files are common file types that could be infected with malware, your policy will
include a rule to do malware cloud lookups on these file types for all protocols. This way, you do not
prevent legitimate files from being transferred among your users, but you will be notified if malware is
detected.
Second, your policy will include a rule to block MP3 files on all protocols.
Choose the Executables, PDF files, and Archive options in the File Types Categories
column.
Click Add to add the file types to the Selected File Categories and Types column.
Click Save to create the rule.
Click Add File Rule to create the next rule, and set the following parameters:
Set the Action to Block Files. Choose the Multimedia option in the File Types Categories
column.
Click Add to add the file type to the Selected File Categories and Types column.
Click Save to create the rule.
Click the Advanced tab and select Inspect Archives.
Click Save in the upper-right portion of the screen to save the policy and return to the file policy
list page.
With the file policy created, you must now add it to an access control policy rule to implement it, as
follows:
Navigate to the Access Control Policy page by choosing Policies from the main menu, followed
by Access Control.
Click the Edit button for the Training Policy.
Edit the rule titled DMZ Web Access.
Click the Inspection tab.
From the File Policy drop-down menu, choose the MyFilePolicy policy that you created earlier.
Click the Logging tab and choose Log at End of Connection. Also, make sure that the Log
Files option is selected.
Click Save to save the edited rule.
Click the Save and Apply buttons in the upper-right portion of the page to apply the policy to
your managed device.
When the policy application is complete, log in to Attila. You can access the Attila virtual
machine by opening the PuTTY application on your desktop and selecting Attila from the list of
saved sessions. The username is root and the password is password.
Run the following commands from Attila:
wget bleda/scanner.exe
wget bleda/SuperScan4.exe
wget bleda/report.pdf
wget bleda/harmless.zip
wget bleda/guitar_jam.mp3
Confirm that the FireSIGHT Recommendations column displays icons for the rules that are set to
generate events.
Click the Rule Configuration option in the Rules column. When the section opens, expand the
Recommendation selection and choose Drop and Generate Events to see the recommendations
for dropping and generating events. Select Disabled to see the recommendations for disabling
rules. Using this technique, you can easily review the rule recommendations.
Click the FireSIGHT Recommendations option in the left panel to return to the
recommendations page.
Click Use Recommendations.
Expand the Policy Layers and examine the newly created FireSIGHT Recommendations
layer.
Click Policy Information and commit the changes.
Lab 10-4: Applying Your Policy and Variable Set and Test
In this exercise, you will implement the IPS policy that you created in an access control policy rule.
Use SSH to connect to Attila, and run the ./ips_test.pl script. Make note of the time you
ran the script, because at the end of the lab you will compare the number of events generated
when you run the script now and when you run it again later.
Return to the FireSIGHT interface and navigate to Policies, followed by Access Control.
Edit the Training Policy access control policy.
In the access control policy, edit the DMZ Web Access rule.
Click the Inspection tab and change the intrusion policy to Training Policy. Also, change the
variable set to SFSnort_Set.
Click the Save button to save the changes you made to the rule.
Change the Default Action to Block All Traffic and set the default action logging to Log at
Beginning of Connection.
Click the Save and Apply button to apply the changes you made to the access control policy.
When the policy apply process has finished, go back to the SSH session with Attila and run the
./ips_test.pl script again. Make note of the time you ran the script.
Navigate to Analysis > Intrusions > Events.
Click the time range link in the upper-right portion of the page and adjust the time so that you
see only the results from the first run of the attack script in this lab. You can explicitly state the
start and end times for viewing events in the window that opens.
Click the Apply button after adjusting the time range, and note the number of events that are
displayed in the event table.
Click the time range link again and adjust the time range to the time range when you ran the
attack script the second time.
Do you see more events, or fewer events?
What is the reason for the results that you see?
Check the check box next to GID in the heading of the rule list. This option will select all HTTP
Configuration rules. Click Rule State and choose Generate Events to enable all of the rules that
are associated with HTTP Configuration.
Click the Advanced Settings option in the left side panel and disable Global Rule
Thresholding.
Click Policy Information in the left side panel and commit your changes to the IPS policy.
When you return to the IPS policy list page, close the browser tab that the list page is in. This
should return you to the browser tab in which you were editing the access control policy.
In the access control policy page, the Network Analysis and Intrusion Policies configuration box
is still open. Click the Default Network Analysis Policy drop-down list and select Training
Analysis Policy.
Click OK to accept the changes.
Click the Rules tab to return to the access control policy rule list.
Change the default action to Training Policy and change the default action logging selection to
Log at End of Connection only.
Save and apply the access control policy.
Your access control policy preprocessor settings are now configured and are being used as the default
network analysis policy.
In the FireSIGHT console, refresh the page to show the most recent events. You should see
events with a GID of 135 and a SID of 2. These events were generated by the rate-based
preprocessor that you enabled in the network analysis policy.
Return to the analysis workflow. Click the down arrow to the left of the first event. Examine the
packet information in your console. Click the link at the bottom of the Download All Packets
page. Using Wireshark, review the packets to see the data from the event.
Was this threat real?
Host: 192.168.111.99
Facility: SYSLOG
Severity: INFO
Tag: CorrelationAlert
Click Save.
Next, you will configure a correlation rule that triggers on the following conditions:
Responder bytes are greater than or equal to 10,000,000. (When you enter this value, do not enter the
commas.)
In the drop-down list of your new condition, choose Application Protocol Is HTTP.
Add a third condition. Choose Responder Bytes Are Greater Than or Equal to and enter
10000000.
Click Save.
Now that you have a correlation rule, you will create a correlation policy and apply the rule to this policy.
Click the Policy Management tab.
Click Create Policy.
In the Policy Name field, enter HTTP high server-side data.
Click the Add Rules button and choose HTTP high server-side data. Click Add.
Click the Responses icon and move the Correlation Alert response alert to the Assigned
Responses section. You can do this by selecting it in the Unassigned Responses section and
clicking the upward-pointing arrow to move it to the Assigned Responses section. Click Update.
Save the policy and click the activate slider that is associated with the new correlation policy to
an enabled state.
You will now test the correlation policy and rule, and verify that the correct alert is being triggered.
Create an SSH connection to the host Attila. From Attila, issue the following command:
wget bleda/snortrules-snapshot-CURRENT.tar.gz
Once the file has transferred, check to see if you received a correlation event. To view this event,
navigate to Analysis, then Correlation, and click Correlation Events. Notice the rule that
triggered the correlation event.
Verify that the syslog alert was triggered with the following command on the host LAMP:
tail -f /var/log/messages
Verify that the correlation policy triggered a correlation event by navigating to Analysis >
Correlation > Correlation Events.
Click OK.
In the Name field, enter Correlation White List.
For the Linux 2.6 Operating System, ensure that SSH is not in the Allowed Application
Protocols list. If it is, use the Delete button to remove it.
If the SSH service was already detected on Attila prior to this lab, you may not see the whitelist event. You
can navigate to the Attila host profile page and delete its SSH service entry and try the lab again if you did
not see the alert the first time.
View the whitelist events that are produced. Navigate to Analysis and then Correlation, and
click White List Events.
Now you will build a correlation policy rule based on connections that trigger if the profile exceeds one
standard deviation.
Click the Rule Management tab. You will be creating a correlation policy rule that alerts if the
total bytes for the network exceed one standard deviation of the profile.
Click Create Rule.
In the Rule Name field, enter Traffic Profile Total Bytes Exceeded.
In the Select the Type of Event for This Rule section, choose A Traffic Profile Changes and the
profile DMZ Traffic Profile from the drop-down menu.
In the drop-down menu that is associated with the condition, choose Total Bytes Are Greater
Than and enter 1 standard deviation.
Click Save.
Click the Policy Management tab and select Create Policy.
In the Name field, enter DMZ Traffic Profile. Add the traffic profile rule to the correlation
policy.
Save the policy and then click the slider to activate it.
Because you had not previously constructed a baseline, there will be nothing to trigger this rule. To observe
the baseline being recorded, you can generate network traffic by following the next steps.
Use Attila to simulate network activity for the traffic profile. From Attila, you can issue the
following command to keep running an NMap scan of the DMZ:
while true; do nmap -sT -p 1-1024 192.168.10.0/24; sleep 30; done
You can press Ctrl-C to break out when you have completed the lab.
These steps require the system to run for one hour before you receive results. You will need to revisit this
lab at a later point in the class to make sure that the profile was created.
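The following Python is an added example, not Sourcefire or FireSIGHT code: it evaluates the two correlation rules built in these labs (the HTTP high server-side data threshold rule and the Traffic Profile Total Bytes Exceeded rule) against constructed connection records and constructed per-interval byte totals, so you can see exactly when each rule fires and why an empty baseline can never trigger the profile rule. The connection fields, host names attila and bleda, and the alert text format are assumptions.

```python
"""Added example (not Sourcefire/FireSIGHT code): evaluate the two correlation
rules from this lab against constructed connection records.

  - "HTTP high server-side data": Application Protocol Is HTTP AND
    Responder Bytes Are Greater Than or Equal to 10000000
  - "Traffic Profile Total Bytes Exceeded": Total Bytes Are Greater Than
    1 standard deviation above the recorded profile baseline
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Tuple

RESPONDER_BYTES_LIMIT = 10_000_000   # entered without commas in the GUI
PROFILE_SIGMAS = 1.0                 # "1 standard deviation"


@dataclass
class Connection:
    """A connection event as logged at end of connection (fields assumed)."""
    initiator: str
    responder: str
    app_proto: str
    responder_bytes: int


def http_high_server_side_data(conn: Connection) -> bool:
    """Both rule conditions must hold; the byte check is inclusive (>=)."""
    return conn.app_proto == "HTTP" and conn.responder_bytes >= RESPONDER_BYTES_LIMIT


def correlation_alert(rule: str, conn: Connection) -> str:
    """Text of the syslog response the lab configured (tag CorrelationAlert,
    facility SYSLOG, severity INFO); the line format is assumed."""
    return (f"CorrelationAlert: rule '{rule}' {conn.initiator} -> {conn.responder} "
            f"{conn.app_proto} responder_bytes={conn.responder_bytes}")


def traffic_profile_exceeded(baseline: List[int], current_total: int,
                             sigmas: float = PROFILE_SIGMAS) -> Tuple[bool, Optional[float]]:
    """Compare one interval's total bytes with the recorded baseline.

    Returns (fired, threshold). With fewer than two baseline intervals no
    standard deviation exists, so, as the lab warns, nothing can trigger.
    """
    if len(baseline) < 2:
        return False, None
    threshold = mean(baseline) + sigmas * pstdev(baseline)
    return current_total > threshold, threshold


# Constructed sample data: the snortrules tarball download is a large HTTP
# transfer from bleda; the SSH transfer is large but is not HTTP.
CONNECTIONS = [
    Connection("attila", "bleda", "HTTP", 24_000_000),
    Connection("attila", "bleda", "HTTP", 1_500),
    Connection("attila", "bleda", "SSH", 30_000_000),
]
# Constructed per-interval DMZ byte totals recorded while the nmap loop runs.
BASELINE = [410_000, 395_000, 420_000, 405_000, 400_000, 415_000]


def run_rules(connections=CONNECTIONS, baseline=BASELINE, current_total=430_000) -> List[str]:
    """Apply both rules and return the alert lines that would go to syslog."""
    alerts = [correlation_alert("HTTP high server-side data", c)
              for c in connections if http_high_server_side_data(c)]
    fired, threshold = traffic_profile_exceeded(baseline, current_total)
    if fired:
        alerts.append(f"CorrelationAlert: rule 'Traffic Profile Total Bytes Exceeded' "
                      f"total_bytes={current_total} threshold={threshold:.0f}")
    return alerts


if __name__ == "__main__":
    for line in run_rules():
        print(line)
```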
Write a rule that constrains the content match to a specific offset and depth. Your first name might be a
good candidate for the text string to match in the rule. Move around the contents of the payload. See if
you continue to receive alerts on your rule. Once the rule is created, enable it in the Training Policy and
then reapply the policy prior to testing.
Write a rule with a second content match. Your last name might be a good string to use. Constrain this
match to be a distance of 2 from the previous match. Also, use the Within parameter to keep the search
from going beyond the length of the second string. Move around the contents of the payload. See if you
continue to receive alerts on your rule. Once the rule is created, enable it in the Training Policy and then
reapply the policy prior to testing.
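The following Python is an added example, not Snort or FireSIGHT code: it reimplements the content-modifier semantics the two rules above rely on (offset and depth as an absolute window, distance and within as a window relative to the end of the previous match, with retry of earlier occurrences the way Snort backtracks) and runs constructed rules over constructed payloads, so you can see why moving the text in the payload makes the alert stop. The names Alice and Smith, the rule messages, and the payloads are constructed placeholders.

```python
"""Added example (not Snort/FireSIGHT code): the content-modifier semantics used
in the two rules this lab asks you to write, reimplemented in Python.

  offset/depth    absolute: search payload[offset : offset+depth]
  distance/within relative: search payload[doe+distance : doe+distance+within]
where doe is the end of the previous content match. As in Snort, every
occurrence of an earlier content is retried when a later content fails.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None
    distance: Optional[int] = None
    within: Optional[int] = None


def occurrences(payload: bytes, pattern: bytes, start: int, end: int) -> Iterator[int]:
    """Yield the end offset of every occurrence wholly inside payload[start:end]."""
    start, end = max(start, 0), min(end, len(payload))   # distance may be negative
    pos = payload.find(pattern, start, end)
    while pos != -1:
        yield pos + len(pattern)
        pos = payload.find(pattern, pos + 1, end)


def rule_matches(payload: bytes, contents: List[Content], doe: int = 0) -> bool:
    """True if every content matches in order, honouring its modifiers."""
    if not contents:
        return True
    c = contents[0]
    if c.distance is not None or c.within is not None:    # relative to last match
        start = doe + (c.distance or 0)
        end = len(payload) if c.within is None else start + c.within
    else:                                                 # absolute position
        start = c.offset
        end = len(payload) if c.depth is None else start + c.depth
    # Backtrack: a later occurrence of this content may still satisfy the rest.
    return any(rule_matches(payload, contents[1:], next_doe)
               for next_doe in occurrences(payload, c.pattern, start, end))


# Constructed rules with a placeholder first and last name.
# content:"Alice"; offset:10; depth:15;
NAME_AT_OFFSET = [Content(b"Alice", offset=10, depth=15)]
# content:"Alice"; content:"Smith"; distance:2; within:5;  (within == len("Smith"))
FULL_NAME = [Content(b"Alice"), Content(b"Smith", distance=2, within=5)]

RULES = {"first name at offset 10 within depth 15": NAME_AT_OFFSET,
         "last name exactly 2 bytes after first name": FULL_NAME}


def alerts(payload: bytes) -> List[str]:
    """Return the message of every constructed rule that fires on the payload."""
    return [msg for msg, contents in RULES.items() if rule_matches(payload, contents)]


if __name__ == "__main__":
    # Constructed payloads: the second has the name moved past the depth window,
    # the third has three bytes between the names instead of two.
    for p in (b"0123456789Alice__Smith",
              b"0" * 25 + b"Alice__Smith",
              b"0123456789Alice___Smith"):
        print(p, "->", alerts(p))
```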