Vulnerability analysis part 1: Setup
I set up a Kali VM and a Metasploitable VM.
I will set up an IDS in the Kali machine to monitor traffic across the network. I will then perform different stages of an attack and monitor which attacks alert the IDS. We will look at both stealthy attacks and loud smash-and-grab attacks.
Since Snort doesn’t exist in the Kali 2.0 repos, I will use Suricata.
# apt-get install suricata
Make some changes to the Suricata defaults file.
# gedit /etc/default/suricata
We will use Oinkmaster to fetch the Snort rules.
# gedit /etc/oinkmaster.conf
Add this URL:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Now let’s run Oinkmaster to fetch the Emerging Threats rules.
# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
We can see the Snort rules here:
# ls /etc/suricata/rules
botcc.portgrouped.rules          emerging-icmp_info.rules        emerging-user_agents.rules
botcc.rules                      emerging-icmp.rules             emerging-voip.rules
BSD-License.txt                  emerging-imap.rules             emerging-web_client.rules
ciarmy.rules                     emerging-inappropriate.rules    emerging-web_server.rules
classification.config            emerging-info.rules             emerging-web_specific_apps.rules
compromised-ips.txt              emerging-malware.rules          emerging-worm.rules
compromised.rules                emerging-misc.rules             files.rules
decoder-events.rules             emerging-mobile_malware.rules   gen-msg.map
dns-events.rules                 emerging-netbios.rules          gpl-2.0.txt
drop.rules                       emerging-p2p.rules              http-events.rules
dshield.rules                    emerging-policy.rules           rbn-malvertisers.rules
emerging-activex.rules           emerging-pop3.rules             rbn.rules
emerging-attack_response.rules   emerging-rpc.rules              reference.config
emerging-chat.rules              emerging-scada.rules            sid-msg.map
emerging.conf                    emerging-scan.rules             smtp-events.rules
emerging-current_events.rules    emerging-shellcode.rules        stream-events.rules
emerging-deleted.rules           emerging-smtp.rules             suricata-open.txt
emerging-dns.rules               emerging-snmp.rules             tls-events.rules
emerging-dos.rules               emerging-sql.rules              tor.rules
emerging-exploit.rules           emerging-telnet.rules           unicode.map
emerging-ftp.rules               emerging-tftp.rules
emerging-games.rules             emerging-trojan.rules
Start Suricata to sniff on the eth0 network interface.
# suricata -c /etc/suricata/suricata-debian.yaml -i eth0
Monitor the alert log:
# tail -f /var/log/suricata/fast.log
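Watching fast.log scroll by is fine for a demo, but when the later attack stages fire dozens of alerts it helps to parse the lines into fields and count them by signature and by source host. The following is an added example (not from the original post) that does exactly that over a few constructed fast.log lines in Suricata's one-line alert format; the SIDs, messages and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample alerts in fast.log format (made-up SIDs and hosts, not from the post).
SAMPLE_FAST_LOG = """\
02/15/2016-10:30:45.123456  [**] [1:9000001:1] CONSTRUCTED SCAN port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:44123 -> 192.168.56.102:22
02/15/2016-10:30:45.223456  [**] [1:9000001:1] CONSTRUCTED SCAN port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:44124 -> 192.168.56.102:80
02/15/2016-10:30:46.000001  [**] [1:9000002:3] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102
02/15/2016-10:31:02.500000  [**] [1:9000003:2] CONSTRUCTED ATTACK_RESPONSE root shell banner [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.168.56.102:4444 -> 192.168.56.101:51000
this line is not an alert and is skipped
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"  # optional in fast.log
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def _split_endpoint(endpoint):
    """'ip:port' -> (ip, port); a bare ip (ICMP has no ports) -> (ip, None). IPv4 only."""
    ip, sep, port = endpoint.rpartition(":")
    return (ip, int(port)) if sep else (endpoint, None)

def parse_fast_log_line(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    rec["src_ip"], rec["src_port"] = _split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = _split_endpoint(rec.pop("dst"))
    return rec

def summarize(text, max_priority=2):
    """Count alerts by (sid, msg) and by source host, keeping only alerts whose
    priority number is <= max_priority (in Suricata, priority 1 is the most severe)."""
    by_signature, by_source, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_fast_log_line(line)
        if rec is None:
            skipped += bool(line.strip())  # count non-empty lines we could not parse
            continue
        if rec["priority"] > max_priority:
            continue
        by_signature[(rec["sid"], rec["msg"])] += 1
        by_source[rec["src_ip"]] += 1
    return {"by_signature": by_signature, "by_source": by_source, "skipped": skipped}
```

To use it on the live log, pass the contents of /var/log/suricata/fast.log to summarize() instead of the sample string.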
Now we have the IDS configured with the Emerging Threats ruleset.
Next up we will look at network reconnaissance.