“Good work on the IDS design!”
There seems to be a trend in your boss’ tone of voice versus the amount of work he is about to assign to you…
“To further develop your IDS, our clients want you to implement a Network-based IDS to monitor malicious network traffic”
“They want you to set up Snort and analyze any executable files flowing to a client using your new sandbox.”
Your boss also seems pretty fixated on this two-week cycle, you think as you open up Google and another tutorial once again.
Assignment
The purpose of this assignment is to apply your knowledge of IDSs learned in class to implement your own network-based IDS to detect malicious executable files in network traffic. Before you get started, please install Vagrant and make sure you have VirtualBox installed.
Note: Please download the Vagrantfile from Files > Lab Files > Lab 05 > Vagrantfile and the hooks.c file from Files > Lab Files > Lab 05 > hooks.c instead of the links in the writeup. And here is the same link to the test_binaries as in the tutorial.
There are 5-6 steps to this project:
- Implement Snort rules so that you will log any packets that are involved in the sending of an executable file
- Upon the creation of a log, send the packets to the sandbox (this should be done over FTP, as an FTP client has been installed on the sandbox). This should probably be done using a daemon (Please use this link as the link to the blog in the writeup is broken).
- Upon receiving the Snort log in the sandbox, reconstruct the executable by extracting it from the log (which is essentially a PCAP file). This should also probably be a daemon.
- (You may have to update your LKM rules a little bit so that you are hooking the necessary syscalls)
- Run the executable with your Linux Kernel Module and report any issues to the kernel log (this is done already if you used printk())
- Generate an IDS alert by tweaking the rsyslog configuration so that any of your Linux Kernel Module messages are printed out into another log in /var/log called ids_alerts.log
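The reconstruction step above (pulling the executable back out of the PCAP that Snort logged) is the part most students get wrong, because the file is split across several TCP segments that may arrive out of order. The following is an added example, not part of the assignment or its lab files: a minimal Python carver that parses a classic little-endian pcap with Ethernet framing (no VLAN tags assumed), reassembles each TCP flow by sequence number, and cuts the stream from the first ELF or PE magic onward. The sample pcap, its addresses (10.0.0.5 -> 10.0.0.9) and ports are constructed for the test.

```python
import struct

MAGICS = {b"\x7fELF": "elf", b"MZ": "pe"}  # ELF header and PE (MZ/DOS stub) header

def tcp_segments(pcap):
    """Yield (flow, seq, payload) for every IPv4/TCP packet in a classic little-endian pcap (Ethernet framing, no VLAN tags assumed)."""
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1", "classic little-endian pcap only"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4/TCP
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]     # bounded by the IP total length
        doff = (tcp[12] >> 4) * 4
        flow = (ip[12:20], tcp[0:4])                       # src/dst IP, src/dst port
        if len(tcp) > doff:
            yield flow, struct.unpack("!I", tcp[4:8])[0], tcp[doff:]

def carve_executables(pcap):
    """Order each flow's segments by sequence number and return, per file kind, the bytes from the first executable magic onward."""
    flows = {}
    for flow, seq, payload in tcp_segments(pcap):
        flows.setdefault(flow, {})[seq] = payload
    carved = {}
    for segs in flows.values():
        stream = b"".join(segs[s] for s in sorted(segs))
        for magic, kind in MAGICS.items():
            i = stream.find(magic)
            if i != -1 and kind not in carved:
                carved[kind] = stream[i:]
    return carved

def build_sample_pcap(chunks, seq0=1000):
    """Constructed test input: one TCP flow (10.0.0.5:20 -> 10.0.0.9:40001) whose payload is split across `chunks`, written out of order to exercise reassembly."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    seq, frames = seq0, []
    for chunk in chunks:
        tcp = struct.pack("!HHIIBBHHH", 20, 40001, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + chunk
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09") + tcp
        frames.append(b"\x00" * 12 + b"\x08\x00" + ip)   # dummy MACs + IPv4 ethertype
        seq += len(chunk)
    for frame in reversed(frames):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)
```

A daemon on the sandbox would call `carve_executables` on each new log file, write the returned bytes to disk and hand the path to the LKM run; the magic check is deliberately the same test a Snort `content:` rule would apply to the payload.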
Points Breakdown:
– Proof of successful file transfer over FTP: 10 pts
– Snort rule correctly written: 20 pts
– Daemon to send file from Vicky to Sandy correctly written: 20 pts
– LKM updated for new malicious program: 10 pts
– Daemon written to analyze program on sandy: 20 pts
– Rsyslogd config correctly written: 10 pts
– Report: 10 pts
Bonus:
– Analyzed benign file in Sandy transferred back to client Vicky, and malicious file dropped: 5 pts
– Using Zeek/Bro to detect executable files sent over network and log the binary drop: 5 pts
Supplementary Material:
Lab 5_Supplementary_Material.pptx
Deliverables
- Package the following files in a .tar.gz file called [GT username]_cs6264_lab5.tar.gz
  - Snort configuration
  - Various daemons that you wrote for both the sandbox and the client
  - Your LKM C file and Makefile
  - The new rsyslog configuration
  - A report of your NIDS that includes:
    - Screenshots of each step of the process from when you send the file to the client to when an alert is logged. These should probably include: sending the executable, receiving the executable, alerting on the executable, sending the PCAP to the sandbox, the sandbox alerting/not alerting on the executable
    - Implementation details