In previous parts of the course we have looked at network packet capture and packet analysis, rule writing in Snort, and the functions of the IDS detection engine, all while consistently tracing back to the security requirements and objectives that we're trying to achieve in the first place.
Over the last two weeks we focused in our readings on specific ways in which network and hostbased IDS tools could be used to identify different threats, look for interesting events, or monitor types of behavior.
Your second lab assignment asks that you apply both your technical knowledge and your practical knowledge of IDS in order to come up with a way to monitor for a specific type of behavior. This assignment is also intended in part to highlight the potential for effective use of NIDS tools for detecting internal threats, despite the fact that some of your reading has suggested NIDS is poorly suited for this type of task.
The Scenario:
Assume that you are a security analyst working for a medium-sized company where many employees use computers connected to the Internet (as well as to the internal company LAN of course) as part of their daily job functions.
Your company has implemented an acceptable-use policy for all employees that includes a general prohibition on using company computing resources to conduct inappropriate activities, such as downloading copyrighted music and videos, participating in online gambling, visiting "adult-oriented" web sites, and posting sensitive company information to blogs, message boards, or similar sites.
Your company is considering deploying content-filtering software to help enforce this policy, but is not sure whether the cost and potentially over-broad restrictions imposed by the software would be justified.
As a knowledgeable security analyst, you voice an educated opinion that you can use Snort, the company's chosen NIDS tool, to help monitor network activity and provide information that might support a decision about whether content filtering software is warranted.
The Assignment:
Pick a web site that fits one or more of the prohibited categories above (or something similarly likely to fall on the wrong side of "acceptable use"), and create the necessary ruleset to use within Snort to fire an alert whenever an attempt is made to connect to, access, browse, or otherwise visit the site you have chosen.
Stated simply, you want to be alerted if any internal network user tries to access the site you have chosen.
Set up your ruleset and your Snort configuration to load the rule in Snort. Then, with Snort running and including your ruleset, open a browser and visit the prohibited site you have chosen. Verify that your rule fires when this happens. Your completed lab assignment should contain the following:
1. The "unacceptable" site you selected.
2. The ruleset created to detect attempts to visit the site.
3. The Snort output produced when the rule fired and the alert was generated (a screenshot of the terminal window showing Snort running with console output or a copy of the ASCII log file is sufficient).