Network Monitoring
Spring, 2021
Introduction
Goals:
The goal of this project is to introduce students to techniques that help differentiate malicious from legitimate network traffic, a task that network operators perform frequently. In this project, the students are provided with samples of malicious and legitimate traffic so that they can observe what each type of traffic looks like. The project folder also contains a pcap file with network traffic that originates from multiple hosts in the same network; this pcap file is a mixture of legitimate and malicious traffic. The students are asked to investigate the pcap file with network tools such as Wireshark. Finally, the students are asked to use Snort and write their own Snort rules to differentiate malicious from legitimate traffic.
In summary, the students are introduced to:
● Observing pcap samples of legitimate and malicious network traffic
● Using Snort and writing Snort rules to differentiate legitimate traffic from malicious traffic
Figure 1: Network setup for traffic collection.
Definitions and Traffic Collection Set-up:
In this assignment, there are four attack scenarios. For each attack, a scenario is defined based on the implemented network topology, and the attack is executed from one or more machines outside the target network. Figure 1 shows the implemented network, which is a common LAN topology on the AWS computing platform. The hosts are behind a NAT, and their IP addresses belong to a single /16: 172.31.0.0/16. The figure also gives a visual representation of the network and our traffic collection set-up.
Types of attacks:
(i) Denial of Service (DoS):
In this kind of DoS, attackers usually keep making full TCP connections to the remote server. They keep each connection open by sending valid HTTP requests to the server at regular intervals, which also keeps the sockets from closing. Since any web server can serve only a finite number of connections, it is only a matter of time before all sockets are used up and no further connection can be made.
It is your task to find out how the DoS attack is present in the evaluation pcap given to you.
(ii) Bruteforce:
FTP/SSH is attacked from a Kali Linux machine (the attacker machine), and an Ubuntu 14.0 system is the victim machine. A large dictionary containing 90 million words was used as the password list for the brute force.
It is your task to identify which of the two (FTP or SSH) is present in the evaluation pcap given to you.
(iii) Web Attacks:
There are 3 possible web attacks, one of which would be present in your pcap.
(a) DVWA-based: Damn Vulnerable Web App (DVWA) is a deliberately vulnerable PHP/MySQL web application. An attacker might try to hijack it.
(b) XSS-based: An attacker might try to launch an XSS attack.
(c) SQL Injection: An attacker might try an SQL injection attack.
It is your task to identify which of them are present in your evaluation pcap.
(iv) Botnet:
Zeus is a trojan horse malware that runs on Microsoft Windows, and it might be present in the pcap. It can be used to carry out many malicious and criminal tasks, and it is often used to steal banking information through man-in-the-browser keystroke logging and form grabbing. It has also been used to install the CryptoLocker ransomware. Zeus spreads mainly through drive-by downloads and phishing schemes. The Ares botnet might also be present in the pcap. It is an open-source botnet with the following capabilities:
(a) remote cmd.exe shell
(b) persistence
(c) file upload/download
(d) screenshot
(e) keylogging
Either Zeus or Ares could be present in your evaluation pcap; it is your task to identify which one.
Notes: the traffic does not have to cover all the attacks, and it can also cover multiple attacks within one category. For example, for web attacks, the pcap may contain both SQL injection and XSS. You need to find those in the evaluation pcap.
Sample traffic: For each type of traffic mentioned above, we provide a sample pcap of that category. These samples are for illustration purposes only; they are not the same as the actual traffic included in the evaluation pcap, which the students will need to label.
● Legitimate background traffic:
For this exercise, we assume normal traffic to include HTTP and DNS. An example of normal (attack-free) traffic can be found in:
○ sample_background.pcap
● BruteForce:
○ sample_bruteforce_ssh.pcap
○ sample_bruteforce_ftp.pcap
● Botnet:
The host generates this traffic explicitly to communicate with a C&C server, from which it receives commands, updates, etc.
○ sample_bot.pcap
● Web Attack:
○ sample_web.pcap
○ sample_xss.pcap
○ sample_sqlinjection.pcap
You should use multiple rules to cover all these attacks.
● DoS:
○ We do not provide a sample. Please look at the example Snort rules on DoS in the resources section.
Introduction Video (optional):
We made a short video about Wireshark and the project (about 15 minutes): https://bluejeans.com/s/EiWzm3BxScx/
You will need to log in with your GaTech login information. When viewing the video, please slide right at the bottom of the screen to see the second screen in full screen mode.
We recommend that you read over the project description before viewing the video.
There are probably more filters (such as filtering on the HTTP method) that you can apply. We encourage you to read the Wireshark-related links at the end of the project description to learn more.
Project Tasks (100 points):
The goal is to:
(i) Explore the given pcaps in Wireshark and identify the attack traffic patterns.
(ii) Write Snort rules to raise alerts to identify the attacks.
Towards this goal, please follow the tasks below:
● Install Wireshark on your local machine (we provide a VM, but we recommend inspecting the pcaps with Wireshark on your local machine instead of the VM, as it is very CPU and RAM intensive).
● Download the VM from this link. In case you are doing the project on your local machine, we also provide the evaluation pcap in the link so you do not need to scp it.
MD5 hash of 2021SP4.ova: ee14a57afceb03046a4e7f524b3aac12
● Import the VM from this link. Log in to the VM using login: student, password: project4.
● Locate the pcap files on your desktop. In this directory, you will find the sample pcaps and the evaluation pcap evaluation.pcap.
● Make observations on the pcaps:
Observe the sample pcaps to get an idea of what each type of malicious traffic looks like. You can use Wireshark or tshark to isolate some traffic. For example, in Wireshark you can apply display filters, e.g. tcp (to display only TCP traffic) or ip.addr == 10.0.0.1 (to display traffic that originates from or is destined to this IP address). You can also combine filters using or/and.
Use the attack descriptions above to understand what these attacks should look like in network traffic.
● Write Snort rules. Keep in mind that we are using Snort 3, not Snort 2; please make sure you use the Snort version installed in the VM.
You can write your Snort rules in any file. As an example, we will write them in ~/Desktop/eval.rules.
● You can now run these Snort rules on the evaluation pcap using:
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/Desktop/evaluation.pcap -R ~/Desktop/eval.rules -s 65535 -k none -l .
(The result will be in `alert_json.txt`. The dot at the end means the result will be generated in the current directory.)
Example Snort alert rule based on IP:
alert tcp 10.0.0.1 any -> any any (msg:"TCP traffic detected from IP 10.0.0.1"; gid:1; sid:10000001; rev:1;)
It creates the alert message "TCP traffic detected from IP 10.0.0.1" when there is a TCP connection from source IP 10.0.0.1 on any port to any destination IP and any destination port.
● You can then view the Snort alert log using sudo vim alert_json.txt.
● Use EXACTLY ONE of the following strings as the alert message in each Snort rule:
1. DoS
2. Bruteforce
3. WebAttack
4. Botnet
For example, if you are writing a rule to detect SSH brute force, then the alert message should be “Bruteforce”. This will be used to grade your result; getting this part wrong can lead to a loss of points.
Deliverable/Rubric:
For this project, you should submit two files:
● eval.rules - your Snort rules file. You are not allowed to hardcode a single IP in your rules. Instead, you should specify subnets and use the features of the attacks to capture them.
● connections.txt - the result file generated by running `python3 cal_unique_connection_2021.py alert_json.txt`. The script can be downloaded here.
Notes: Do not zip the files. Upload them as separate files. Make sure the filenames are correct.
How to validate your answer:
1. We consider a connection to be “src_ip:src_port:dest_ip:dest_port”. You can use `cal_unique_connection.py` to check the unique connections in your alert_json.txt. You can compare the number of DoS/BruteForce/WebAttack/Botnet connections you got with the statistics above. If the numbers are close, you are likely on the right track.
2. You can view the pcap file in Wireshark to confirm you are finding the right connections.
3. Last, you can verify your result by submitting your answer to Gradescope (see steps 4 and 5). As the number of trials is limited, perform step 2 first!
4. We have provided a way to verify your results on Gradescope. Upload your connections.txt and you will see your current score. Please note that this is only for you to verify the results; you still need to upload your result on Canvas. You can verify your results at most 10 times! Uploading more than 5 times in Gradescope will tell you that you cannot verify your result anymore.
5. Running a single Snort rule against the evaluation pcap can give a different result than running it together with other Snort rules. This is related to a limitation of Snort, so please run all your rules together to get the result we want.
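As an added example (not the course's cal_unique_connection script), the following Python checks an eval.rules file against the two rubric requirements above (each msg is exactly one of the four strings, and no single IP is hardcoded in a rule header) and counts unique src_ip:src_port:dest_ip:dest_port connections per alert message from alert_json.txt. It assumes Snort 3's alert_json output carries the fields msg, src_addr, src_port, dst_addr and dst_port; the sample rules and alert lines are constructed.

```python
"""Added example (not the course's cal_unique_connection script): pre-submission checks.
Assumes Snort 3 alert_json lines carry msg, src_addr, src_port, dst_addr, dst_port."""
import json
import re
from collections import defaultdict

REQUIRED_MSGS = {"DoS", "Bruteforce", "WebAttack", "Botnet"}
# Dotted quad with no /prefix (e.g. 172.31.12.5) is a hardcoded host; 172.31.0.0/16 passes.
SINGLE_IP = re.compile(r"(?<![\d./])(?:\d{1,3}\.){3}\d{1,3}(?![\d/])")
MSG_OPT = re.compile(r'msg\s*:\s*"([^"]*)"')

def lint_rules(rules_text):
    """Return a list of problems found in a Snort rules file (empty list = clean)."""
    problems = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MSG_OPT.search(line)
        if m is None:
            problems.append(f"line {n}: rule has no msg option")
        elif m.group(1) not in REQUIRED_MSGS:
            problems.append(f"line {n}: msg {m.group(1)!r} is not one of {sorted(REQUIRED_MSGS)}")
        header = line.split("(", 1)[0]  # action/proto/addresses/ports part only
        if SINGLE_IP.search(header):
            problems.append(f"line {n}: hardcoded single IP in rule header")
    return problems

def unique_connections(alert_json_text):
    """Count distinct src_ip:src_port:dst_ip:dst_port tuples per alert message."""
    conns = defaultdict(set)
    for line in alert_json_text.splitlines():
        if line.strip():
            a = json.loads(line)
            conns[a["msg"]].add(f"{a['src_addr']}:{a['src_port']}:{a['dst_addr']}:{a['dst_port']}")
    return {msg: len(keys) for msg, keys in conns.items()}

# Constructed sample input: rule line 2 breaks both rubric requirements.
SAMPLE_RULES = """\
alert tcp !172.31.0.0/16 any -> 172.31.0.0/16 22 (msg:"Bruteforce"; sid:1000001; rev:1;)
alert tcp 172.31.5.5 any -> any 80 (msg:"SSH brute"; sid:1000002; rev:1;)
"""
SAMPLE_ALERTS = "\n".join([
    '{"msg":"Bruteforce","src_addr":"203.0.113.9","src_port":51000,"dst_addr":"172.31.4.2","dst_port":22}',
    '{"msg":"Bruteforce","src_addr":"203.0.113.9","src_port":51000,"dst_addr":"172.31.4.2","dst_port":22}',
    '{"msg":"WebAttack","src_addr":"203.0.113.9","src_port":51001,"dst_addr":"172.31.4.3","dst_port":80}',
])

if __name__ == "__main__":
    print(lint_rules(SAMPLE_RULES), unique_connections(SAMPLE_ALERTS))
```

Run it as `python3 check.py` after replacing the constructed samples with the contents of your own eval.rules and alert_json.txt.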