Question

1. Let’s consider the network shown in Figure 1 where Snort is deployed.

1.1: In Figure 1, why is Snort deployed in the DMZ instead of the Internal Network? (9 points)

1.2: In Figure 1, say True or False to the following statement: “Snort can see both incoming packets from the left firewall and outgoing packets from the right firewall”. (5 points)

1.3: In Figure 1, assume a packet P matches the following Snort rule when the packet is analyzed by Snort.

alert tcp any any -> 195.4.12. 0/24 111 (content: "| 00 01 B6 a5| "; msg: "external mountd access" ; )

1.3.1: Is packet P a TCP packet or a UDP packet? (7 points)

1.3.2: Is packet P an incoming packet or an outgoing packet? (7 points)

1.3.3: What is the source IP address contained in the header of packet P? (7 points)

1.3.4: What is the destination IP address contained in the header of packet P? (7 points)

1.3.5: Who is the receiver program of this packet? (7 points)

1.3.6: The payload of packet P must contain four specific bytes. What are the four specific types? (7 points)

1.3.7: Since packet P matches the rule, an alert will be raised and the Security Administrator will receive a notice (message) from Snort. What will the notice say to the administrator? (7 points)

1.4: A Phf attack is a remote to local (R2L) attack against the Web Server running the “Phf” CGI script. Phf script has vulnerability that, when exploited, allows remote users to execute arbitrary commands on the Web Server and such commands will be written as: “cgi-bin/phf<command code>”. Attackers can launch this attack from any PC connected to the Internet, and the target system can be any apache web servers that permit access to the Phf script. Let’s assume that the Web Server shown in Figure 1 (inside DMZ) is an apache web server that permits Phf scripts and let’s assume the IP address of the Web Server is 195.4.12.5. Please give a concrete Snort rule that can detect Phf attacks against the Web Server. (15 points)

1.5: To be able to detect attack packets, Snort firstly needs to log the corresponding traffic. For this purpose, the Snort administrator will need to set up several log rules. Please give a log rule to let Snort log UDP traffic from any IP address with any port going to computers on the Internal Network specified with a Class C IP range 195.4.13.0/24. (10 points)

1.6: Explain the meaning of the following Snort rule. (12 points)

alert tcp any any -> any 21 (msg: "FTP ROOT" ; content; "USER root"; nocase: )

Attacker Interne Firewall router Firewall switch Hub switch Internal network DMZ Figure 1

Answer 1

1.1: Snort is used to prevent intruder and malicious attacks. As access to internal network is completely forbidden using firewall so it's not needed for internal network. But the DMZ zone contains web server and mail servers which can be access from internet. That's snort is installed in DMZ zone to prevent attacks from internet.

1.2: True. Snort can see all traffics goes through it. Though it can be also cofigured to ignore internal traffics.

1.3.1: It's TCP packet

1.3.2: It's an incomming packet.

• "any any" means from any source address and any port
• Tthen -> means the direction
• 195.4.12. 0/24 111 means all nodes which falls under address space 195.4.12.0/24 with port 111

1.3.3: Source address can be anything. As the rule define source "any any" which matches from any address/port

1.3.4: Destination address contains 195.4.12.0/24 111 means all nodes which falls under address space 195.4.12.0/24 with port 111

1.3.5: Recievers are all nodes which falls under address space 195.4.12.0/24 with port 111

1.3.6: 4 specific bytes are

• Source address
• Source port
• Destination address
• Destination port