110 likes | 223 Views
Want to build a career in security? This project will help you improve your security skills. The ideas are relatively simple, not too expensive and will create an impact to your skill set.
E N D
PROJECT: INTRUSION DETECTION Improving Your Security Skills www.jayschulman.com info@jayschulman.com
Unix/Linux: We’re installing our system on Linux so if you’re not familiar with the operating system, you’ll get some exposure. Open Source: Our toolset today is completely open source so you’ll get experience using an open source IDS platform. Cloud: I’m recommending you install this in the cloud. It will give you a relatively basic example of cloud computing. Threat Intelligence: You’ll be monitoring the internet. I actually don’t recommend you run anything on your host so everything you see will be drive-by attacks. No specific reason, these are just the mass scanning types of attacks. Intrusion Detection: It’s a foundational component to information security. In the grand scheme of things, most organizations have it under control. ● ● Why This Project Is Important Learning The Basics ● ● ●
Install The Cloud If you install it on your home internet, you’re viewing a specific traffic pattern that I don’t think is necessarily representative of the Internet. Most attackers know the IP blocks of cable and DSL modems. So the attacks they’re trying are geared toward home computing. For our exercise, I think seeing more commercial, service based attacks is a better view of the internet. For these types of experiments, I recommend DigitalOcean. It’s the $5 cloud. Their lowest cost server is $5 a month and you get root access to the server. If you sign up here, you’ll actually get a $10 credit. So you can play around for two months. (Or run another experiment next month.)
Set Up DigitalOcean Each server is called a droplet. So we’ll need to setup a droplet to get started. Click on Droplets and Create One. Give your droplet a name and select the $10 size. You can try to get it to run for $5 but you need more memory. You’re also welcome to use a bigger server. You’ll see that the server will get pretty slow the more data you collect. But my goal here is not to give you a lightening fast experience but to give you an educational experience for a few bucks.
Select Image & Location Choose any location. For our experiment, it would be interesting to compare what New York attacks look like compared to Frankfurt or Toronto. It’s great to pick something close as it will be a bit faster, but really pick something that interests you from a threat intelligence perspective. I picked Singapore for my experiment and FYI it is slow from Chicago. Next select our image. If you’re a Linux guru, pick anything you’d like. If not, the examples below will assume you’re running Ubuntu. There are a few checkboxes at the end. I checked IPv6 for kicks as I am curious what attacks are coming on IPv6 versus IPv4. Again, education! Finally complete your setup. You’ll be provided with your IP address and password in an e-mail and you’ll need to change it when you login. Your first setup is to login using a terminal program. The most used and most boring program is PuTTY.
Update & Upgrade All of the commands will assume you’re logged in as root. Which is a really bad idea. But this is an experiment and not the real world so such is life. In most trusted environments, you’d want to login as a user and sudo to root. You won’t see that here. > apt-get update > apt-get upgrade I trust Ubuntu’s repositories but I don’t always trust that the version I got is updated. So the following commands will update our server to the latest versions of all of the software running on it.
Install SNORT Our Intrusion Detection System will be Snort. It’s the most documented and supported open source system out there and is relatively easy to install on Ubuntu. > apt-get install snort During the install, it will ask you for the protected subnet. You’ll put your IP address of the DigitalOcean server.
Configure Rules A lot of interesting rules are turned off by default. Go to your favorite command line editor in Linux (vi, pico, etc) and edit /etc/snort/snort.conf. include $RULE_PATH/web-misc.rules include $RULE_PATH/web-php.rules include $RULE_PATH/x11.rules # include $PREPROC_RULE_PATH/preprocessor.rules # include $PREPROC_RULE_PATH/decoder.rules # include $PREPROC_RULE_PATH/sensitive-data.rules In this file, you’ll want to go WAY down to the end where there are tons of include lines that has a line for each ruleset. If you see a # in front of the ruleset, it’s been disabled. Remove the # to enable it. To start, turn as much as you want on. When it gets boring, turn it off and focus on what is interesting. See image on your right.
Test SNORT You have the most basic version of snort installed. At this point, I want to make sure you’re seeing Snort find attacks. So let’s run a command (see image on right) >snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 If all goes well, you should start seeing alerts on your screen for attacks. So side note: I did pick Singapore because, well, I thought I’d see a ton of attacks. I don’ t really. So if you don’t see any alerts pop up… oops! Move on to the next step and move to your next level of learning. Just the fact that you got it looking for attacks is a success!
PIVOT This is the point in time where you need to figure out what you want to learn next. Here are a couple of resources: Build a web front end for Snort using Snorby: http://blog.muhammadattique. com/installing-snorby-on-ubuntu-for-snort-with-barnyard2/ Send all Snort alerts to a Database and use BASE as a front end: http: //computer-outlines.over-blog.com/article-nids-snort-barnyard2-apache2- base-with-ubuntu-14-04-lts-123532107.html ● ●
Are You Ready to Grow Your Security Career? Whether you're a seasoned security professional or trying to get into the field, I'll help you grow your career in security. SIGN UP NOW! SIGN UP NOW!