Page 1: Network Security: Lab#5 Port Scanners and Intrusion Detection System

Network Security: Lab#5 Port Scanners and Intrusion Detection System

J. H. Wang

Jun. 16, 2011

Page 2

Objectives

• To learn to use port scanners
  – Nmap

• To introduce the ideas of intrusion detection systems
  – Snort

Page 3

Packages Used in this Lab

• Packages
  – Nmap
  – Snort

Page 4

Experiment Scenario

• Port scanners
  – Use port scanners to check for potential weaknesses in a system
    • Vulnerable (open) ports
    • System types

Page 5

Nmap

• Homepage: http://nmap.org/

• Version: 5.51

• Platforms: Linux/FreeBSD/Windows/MacOS X

• Installation steps
  – Simply follow the instructions on screen

Page 6

Example Usage for Nmap

• Enter an IP address (or hostname) in [Target], and press [Scan]
  – Open ports will be listed
  – The type of OS will be detected

• Many types of scans
  – TCP scan
  – SYN scan
  – UDP scan
  – ACK scan
  – Window scan
  – FIN scan
  – Others: proxy scan, ICMP scan, …

Page 7

Web-based Port Scanners

• Examples
  – http://viewdns.info/portscan/

Page 8

Nessus

• Homepage: http://www.tenable.com/products/nessus

• Latest version: 4.4.1

• Originally open source, but now proprietary software from Tenable Network Security
  – Free for home use

• Installation skipped

Page 9

Intrusion Detection Systems

• Host-based IDS (HIDS)
  – Monitors the state of files and logs on a single system
    • File integrity checking, log analysis
    • E.g. Tripwire, OSSEC

• Network-based IDS (NIDS)
  – Detects malicious network traffic, such as DoS attacks
    • E.g. Snort

Page 10

Tripwire

• Originally open source, but now commercial

• Open Source Tripwire is still available, based on the earlier open-source versions
  – http://sf.net/projects/tripwire/

Page 11

OSSEC

• Originally open source, but acquired by Trend Micro
  – Will remain open source (as claimed by Trend Micro)
  – http://www.ossec.net/

Page 12

Snort

• Homepage: http://www.snort.org/

• Latest version: 2.9.0.5

• Platforms: Linux/Windows

• An open-source NIDS (on Windows it also requires WinPcap for packet capture)

• Installation steps
  – Simply follow the instructions on screen
  – Note: In [Installation Options], please check [Enable IPv6 support] for the demo of the IDS functions

Page 13

Example Usage for Snort

• cd \snort

• Sniffer mode (default)
  – To show headers only: bin\snort -v
  – To show headers and data: bin\snort -vd
  – A more descriptive display (including link-layer headers): bin\snort -vde

• Packet logger mode
  – To record packets in the logging directory:
    • bin\snort -dev -l log
  – To log in binary (pcap) mode:
    • bin\snort -l log -b
  – To play back the packets from a log file:
    • bin\snort -r packet.log

Page 14

• Network intrusion detection system mode
  – bin\snort -l log -c etc\snort.conf
  – (Some problems with the configuration file when running on Windows…)
  – You need to understand how to write the rules for intrusion detection…
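As an added illustration (not part of the lab slides or of the Snort distribution) of what the rules file for the NIDS mode above might contain: a minimal snort.conf fragment that enables Snort's sfPortscan preprocessor and adds two local rules, one flagging bursts of TCP SYN-only packets from a single source (what an Nmap SYN scan looks like on the wire) and one flagging SSH connection attempts to internal hosts. The HOME_NET range, the SIDs and the output file names are assumptions for a lab network.

```snort
# Added example: minimal Snort 2.9 configuration fragment (assumed to be saved as etc\snort.conf).
# Address ranges are placeholders; adjust them to the lab network.
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET

# Session tracking; sfPortscan relies on the stream preprocessor being enabled.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy first

# Built-in port-scan detector: flags hosts probing many ports or hosts and
# writes scan events to portscan.log under the -l logging directory.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low } logfile { portscan.log }

# Local rule: more than 20 SYN-only TCP packets from one source to HOME_NET within
# 10 seconds is a crude scan signature. "S,12" ignores the two reserved flag bits.
# Local SIDs are placeholders in the >= 1000000 range reserved for site rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible TCP SYN scan from single source"; \
    flags:S,12; detection_filter: track by_src, count 20, seconds 10; sid:1000001; rev:1;)

# Local rule: any connection attempt to SSH on an internal host.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH SYN to internal host"; flags:S,12; sid:1000002; rev:1;)

# Write alerts in the one-line "fast" format to alert.fast under the -l logging directory.
output alert_fast: alert.fast
```

Run it with the command from the slide (bin\snort -l log -c etc\snort.conf) and then scan the monitored host with Nmap's SYN scan from the first part of the lab; the portscan.log and alert.fast files in the log directory show how the two detection mechanisms report the same activity.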

Page 15

Summary

• Port scanners
  – Nmap

• Intrusion detection systems
  – Snort