Posted: December 7th, 2022
Snort rule, cyber security
Scenario: You are responsible for security in a company and you need to protect the systems reviews. These are in a well-defined subnet and only specific systems (jump points) can connect to it. Jump points have two network cards: one is connected to the (unprotected) network and the second allows access to the protected systems. You must introduce a honeypot into this network in order to detect lateral movement.
What you need to do:
Install a honeypot (OpenCanary). Refer to https://opencanary.readthedocs.io/en/latest/starti…. On another system located in the same network, use a port other than 22 for connections via the SSH protocol (one of your choice).
Via your Security Onion system, write a Snort rule that generates an alert when it detects a connection to a honeypot, on the administration (ssh) or port-knocking ports, coming from a network other than that of the jump points. Implement the rule and ensure that it is hit.
Instructions
a. Create the honeypot (5p)
b. Configure port knocking for honeypot (5p)
c. Inside the snort.conf file, activate a new variable that contains the IPs of the honeypots (e.g. HON_NET) (2.5p)
d. Inside the snort.conf file, activate a new variable that contains the administration ports of the honeypots (e.g. HON_PORTS) (5p)
e. Inside the snort.conf file, activate a new variable that contains the list of IP addresses of the jump points authorized to communicate with the honeypots (e.g. JUMP_NET) (2.5p)
f. Create a single Snort rule that will detect:
– a. Communications (traffic) to a honeypot system (IP and Port via variables) (5p)
– b. Communications (traffic) originating from a system other than the jump points (via variable) (5p)
– c. The alert generated by your SNORT rule, must contain your last name / first name (5p)
g. Generate traffic that will trigger/hit the rule (5p)
h. Document all the steps via explanations and screenshots (5p)
OpenCanary Lab and Port Knocking
For this lab we will use an Ubuntu Server 20.04 virtual machine.
Server Setup
Install and configure an Ubuntu server 20.04.
If you need help we can provide a document with all the steps
Change SSH port
Edit the /etc/ssh/sshd_config file
sudo nano /etc/ssh/sshd_config
Make the Port line active (delete the leading #) and modify the port. In my example I set it to 22222.
Save the file, restart the ssh service, and reboot the machine
sudo service ssh restart
sudo reboot
Installing OpenCanary
Use the following commands to install OpenCanary
sudo apt-get update
sudo apt-get install python3-dev python3-pip python3-virtualenv python3-venv python3-scapy libssl-dev libpcap-dev
pip install markupsafe==2.0.1
virtualenv env/
. env/bin/activate
pip install opencanary
Once the installation is done, it's time to configure the honeypot. We will create the configuration file and make a backup copy of the original
opencanaryd --copyconfig
sudo cp /etc/opencanaryd/opencanary.conf /etc/opencanaryd/opencanary.conf.orig
Then we will modify the configuration parameters
sudo nano /etc/opencanaryd/opencanary.conf
Enable http, ssh and mysql services by changing the “false” to “true”
Save the configuration file and start opencanary
opencanaryd --start
Now your honeypot is functional. You can run an nmap scan to identify the open ports
└─$ nmap -p- IP_Honeypot
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-14 20:06 EST
Nmap scan report for 192.168.126.151
Host is up (0.00020s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
22222/tcp open easyengine
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
Port 22222 is the real ssh service. You can hide it using the port knocking technique
https://www.tecmint.com/port-knocking-to-secure-ssh/
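One way to write instruction items c to f for Snort 2.x (the version configured through snort.conf), added here as an example and not part of the original lab. The jump-point addresses, the knock ports, the sid and the LASTNAME FIRSTNAME placeholder are assumptions; the honeypot address and ports 22 and 22222 come from the nmap output above.

```snort
# --- snort.conf: variables (items c, d, e) ---
# Honeypot address, taken from the nmap output above.
ipvar HON_NET [192.168.126.151/32]

# Jump points allowed to reach the honeypot (constructed sample addresses).
ipvar JUMP_NET [192.168.126.10/32,192.168.126.11/32]

# Administration ports on the honeypot: 22 is the honeypot's ssh service seen
# in the nmap output, 22222 is the real sshd. 7000, 8000 and 9000 are a
# constructed knock sequence; replace them with the ports configured in your
# knock daemon.
portvar HON_PORTS [22,22222,7000,8000,9000]

# --- local rules file: the single rule (item f) ---
# Source is everything except the jump points; destination is the honeypot on
# its administration ports. flags:S,CE matches only the opening SYN (ignoring
# the ECN bits), so each connection attempt or knock raises one alert instead
# of one per packet. The sid is a constructed value in the local range
# (1000000 and above).
alert tcp !$JUMP_NET any -> $HON_NET $HON_PORTS ( \
    msg:"LASTNAME FIRSTNAME - honeypot admin port contacted from non-jump host"; \
    flags:S,CE; \
    classtype:policy-violation; \
    sid:1000001; rev:1;)
```

After Snort is reloaded, a connection attempt to any HON_PORTS port from a lab host outside JUMP_NET should raise the alert, while the same attempt from a jump point should not.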