Transcript Lab#5

Network Security: Lab#5
Port Scanners and Intrusion
Detection System
J. H. Wang
Jun. 16, 2011
Objectives
• To learn to use port scanners
– Nmap
• To introduce the ideas of intrusion
detection system
– Snort
Packages Used in this Lab
• Packages
– Nmap
– Snort
Experiment Scenario
• Port scanners
– Use port scanners to check for potential
weaknesses in a system
• Vulnerable ports
• System types
Nmap
• Homepage: http://nmap.org/
• Version:
– 5.51
• Platforms:
Linux/FreeBSD/Windows/MacOS X
• Installation steps
– Simply follow the instructions on screen
Example Usage for Nmap
• Enter an IP address (or hostname) in [Target],
and press [Scan]
– Open ports will be listed
– Type of OS will be detected
• Many types of Scans
– TCP scan
– SYN scan
– UDP scan
– ACK scan
– Window scan
– FIN scan
– Others: proxy scan, ICMP scan, …
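The scan types above differ mainly in which TCP flags the probe carries, which is also what a defender keys on. The following Python is an added example, not part of the lab handout or of Nmap: it names the scan type from a probe's flag set and reports any source that sweeps many distinct ports with one probe type. The packet records, addresses and the threshold of five ports are constructed for illustration.

```python
# Added example, not from the lab handout: classify TCP/UDP probes by the
# flag combination that distinguishes the Nmap scan types listed above, and
# report sources that touch many distinct ports with one probe type.
# The packet records below are constructed for illustration.
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the scan type whose probe carries exactly this flag set.

    A lone SYN is sent both by a SYN (half-open) scan and as the first
    packet of a full TCP connect scan, so one packet cannot tell them apart.
    """
    if flags == SYN:
        return "SYN scan"
    if flags == ACK:
        return "ACK/Window scan"  # Window scan differs only in how replies are read
    if flags == FIN:
        return "FIN scan"
    return "other"  # e.g. SYN|ACK replies or PSH|ACK data segments


def detect_scans(packets, port_threshold=5):
    """Return sorted (src, scan_type, distinct_ports) for every source whose
    probes of one type reached at least port_threshold distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> type -> {dport}
    for pkt in packets:
        if pkt["proto"] == "udp":
            kind = "UDP scan"
        elif pkt["proto"] == "tcp":
            kind = classify_probe(pkt["flags"])
        else:
            continue
        seen[pkt["src"]][kind].add(pkt["dport"])
    return sorted(
        (src, kind, len(ports))
        for src, kinds in seen.items()
        for kind, ports in kinds.items()
        if kind != "other" and len(ports) >= port_threshold
    )


def _tcp(src, dport, flags):
    return {"proto": "tcp", "src": src, "dst": "10.0.0.9", "dport": dport, "flags": flags}


# Constructed sample traffic towards a single host 10.0.0.9.
SAMPLE_PACKETS = (
    # 10.0.0.5 sweeps six ports with bare SYNs: a SYN (or connect) scan.
    [_tcp("10.0.0.5", p, SYN) for p in (21, 22, 23, 25, 80, 443)]
    # 10.0.0.8 sends bare FINs to five ports: a FIN scan.
    + [_tcp("10.0.0.8", p, FIN) for p in (22, 80, 139, 443, 8080)]
    # 10.0.0.7 is an ordinary client: handshake and data to port 80 only.
    + [_tcp("10.0.0.7", 80, SYN), _tcp("10.0.0.7", 80, ACK), _tcp("10.0.0.7", 80, PSH | ACK)]
    # 10.0.0.6 sends three UDP datagrams: below the threshold.
    + [{"proto": "udp", "src": "10.0.0.6", "dst": "10.0.0.9", "dport": p} for p in (53, 123, 161)]
)

if __name__ == "__main__":
    for src, kind, n in detect_scans(SAMPLE_PACKETS):
        print(f"{src}: {kind} against {n} distinct ports")
```

On real traffic the threshold would be applied per time window, and the "other" bucket keeps replies and established-connection segments from being counted as probes.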
Web-based Port Scanners
• Examples
– http://viewdns.info/portscan/
Nessus
• Homepage:
http://www.tenable.com/products/nessus
• Latest version: 4.4.1
• Originally open source, but now
proprietary (Tenable Network Security)
– Free for home use
• Installation skipped
Intrusion Detection Systems
• Host-based IDS (HIDS)
– To monitor the status of files in a system
• File integrity checking, log analysis
• E.g. Tripwire, OSSEC
• Network-based IDS (NIDS)
– To detect the malicious network traffic such as
DoS attacks
• E.g. Snort
Tripwire
• Originally open source, but now
commercial
• Open source Tripwire available, which is
based on previous open-source versions
– http://sf.net/projects/tripwire/
OSSEC
• Originally open source, but acquired by
Trend Micro
– Will remain open source (as claimed by
Trend Micro)
– http://www.ossec.net/
Snort
• Homepage: http://www.snort.org/
• Latest version: 2.9.0.5
• Platforms:
– Linux/Windows
• An open-source NIDS, which on Windows also
requires WinPcap
• Installation steps
– Simply follow the instructions on screen
– Note: In [Installation Options], please check [Enable
IPv6 support] for demo of IDS functions
Example Usage for Snort
• cd \snort
• Sniffer mode: (default)
– To show headers only: bin\snort -v
– To show headers and data: bin\snort -vd
– A more descriptive display: bin\snort -vde
• Packet logger mode
– To record packets in the logging directory:
• bin\snort -dev -l log
– To log in binary mode
• bin\snort -l log -b
– To play back the packets in a log file:
• bin\snort -r packet.log
• Network intrusion detection system mode
– bin\snort -l log -c etc\snort.conf
– (The configuration file has some problems
working on Windows…)
– You need to understand how to write the rules
for intrusion detection…
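The NIDS mode only detects what its rules describe, so it helps to see the rule structure itself: a header (action, protocol, source address and port, direction, destination address and port) followed by options in parentheses. The Python below is an added example and not Snort's own code: a small parser and matcher for that syntax, run over constructed packets. It handles `any`, single hosts, CIDR blocks and `!` negation for addresses, `any`, single ports and `lo:hi` ranges for ports, and the `msg`, `content` and `sid` options; the rules, addresses, SIDs and packets are constructed for illustration. Real Snort supports far more (flags, pcre, thresholds, preprocessors) and is the reference for rule semantics.

```python
# Added example, not Snort's own code: parse the Snort rule syntax
#   action proto src sport -> dst dport (option:value; ...)
# and match constructed packets against it. Addresses, SIDs and payloads
# below are constructed for illustration.
import ipaddress
import re

# key:value pairs ended by ';' with the value either a quoted string or bare text
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rule(text: str) -> dict:
    """Split a one-line rule into its header fields and an options dict."""
    header, _, opts = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {k: v.strip('"') for k, v in OPTION_RE.findall(opts)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # lo:hi range; either side may be left empty
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    hit = (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
           and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    if not hit and rule["dir"] == "<>":  # bidirectional rule: also try the reverse
        hit = (_addr_match(rule["src"], pkt["dst"]) and _port_match(rule["sport"], pkt["dport"])
               and _addr_match(rule["dst"], pkt["src"]) and _port_match(rule["dport"], pkt["sport"]))
    if not hit:
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


def run_ids(rules, packets):
    """Return one (sid, msg, 'src:sport -> dst:dport') tuple per alert, in packet order."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for pkt in packets:
        for rule in parsed:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((rule["options"].get("sid"), rule["options"].get("msg"),
                               f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'))
    return alerts


# Constructed rules: 192.168.1.0/24 plays the role of the local network.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP GET to web tier"; content:"GET "; sid:1000001; rev:1;)',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.10 22 (msg:"SSH from outside the LAN"; sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS query"; sid:1000003; rev:1;)',
]

# Constructed packets.
PACKETS = [
    {"proto": "tcp", "src": "10.9.9.9", "sport": 51000, "dst": "192.168.1.20", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.168.1.5", "sport": 51001, "dst": "192.168.1.10", "dport": 22, "payload": b"SSH-2.0-client"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "192.168.1.10", "dport": 22, "payload": b"SSH-2.0-client"},
    {"proto": "udp", "src": "192.168.1.5", "sport": 5353, "dst": "192.168.1.1", "dport": 53, "payload": b"\x12\x34\x01\x00"},
    {"proto": "tcp", "src": "10.9.9.9", "sport": 51002, "dst": "192.168.1.20", "dport": 80, "payload": b"POST /x HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for sid, msg, flow in run_ids(RULES, PACKETS):
        print(f"[{sid}] {msg}: {flow}")
```

Running it shows the first, third and fourth packets alerting: the SSH connection from inside the LAN is excluded by the `!` negation, and the POST request fails the `content` check even though its header fields match.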
Summary
• Port scanners
– Nmap
• Intrusion detection system
– Snort