
Vulnerability analysis part 1: Setup

I set up a Kali VM and a Metasploitable VM.

I will set up an IDS on the Kali machine to monitor traffic across the network. I will then perform the different stages of an attack and note which of them raise alerts in the IDS. We will look at both stealthy attacks and loud smash-and-grab attacks.

Since Snort doesn’t exist in the Kali 2.0 repos, I will use Suricata.

# apt-get install suricata

Make some changes to the Suricata defaults file like so (the edited file is shown in the screenshot below).

# gedit /etc/default/suricata

[Screenshot: the edited /etc/default/suricata file]

We will use Oinkmaster to fetch the Emerging Threats rules, which are written in the Snort rule format that Suricata also understands.

# gedit /etc/oinkmaster.conf

Add this URL:

url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Now let’s run Oinkmaster to fetch the Emerging Threats rules.

# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

We can see the downloaded Snort-format Emerging Threats rules here:

# ls /etc/suricata/rules
botcc.portgrouped.rules         emerging-icmp_info.rules       emerging-user_agents.rules
botcc.rules                     emerging-icmp.rules            emerging-voip.rules
BSD-License.txt                 emerging-imap.rules            emerging-web_client.rules
ciarmy.rules                    emerging-inappropriate.rules   emerging-web_server.rules
classification.config           emerging-info.rules            emerging-web_specific_apps.rules
compromised-ips.txt             emerging-malware.rules         emerging-worm.rules
compromised.rules               emerging-misc.rules            files.rules
decoder-events.rules            emerging-mobile_malware.rules  gen-msg.map
dns-events.rules                emerging-netbios.rules         gpl-2.0.txt
drop.rules                      emerging-p2p.rules             http-events.rules
dshield.rules                   emerging-policy.rules          rbn-malvertisers.rules
emerging-activex.rules          emerging-pop3.rules            rbn.rules
emerging-attack_response.rules  emerging-rpc.rules             reference.config
emerging-chat.rules             emerging-scada.rules           sid-msg.map
emerging.conf                   emerging-scan.rules            smtp-events.rules
emerging-current_events.rules   emerging-shellcode.rules       stream-events.rules
emerging-deleted.rules          emerging-smtp.rules            suricata-open.txt
emerging-dns.rules              emerging-snmp.rules            tls-events.rules
emerging-dos.rules              emerging-sql.rules             tor.rules
emerging-exploit.rules          emerging-telnet.rules          unicode.map
emerging-ftp.rules              emerging-tftp.rules
emerging-games.rules            emerging-trojan.rules

Start Suricata to sniff on the eth0 network interface.

# suricata -c /etc/suricata/suricata-debian.yaml -i eth0

Monitor the alert log file (fast.log holds one line per alert):

# tail -f /var/log/suricata/fast.log

Now we have the IDS configured with the Emerging Threats ruleset.
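Tailing fast.log is fine for a first look, but once the attack stages start it helps to summarise the alerts rather than read them one by one. The script below is an added example, not part of the original post: it parses the one-line-per-alert fast.log format (timestamp, `[gid:sid:rev]`, message, classification, priority, protocol and the source/destination pair) and reports alerts per signature, the noisiest source/destination pairs, and how many alerts are at or above a given priority. The three sample log lines, their signature IDs (1000001 and 1000002 are in the local-rule range), messages and addresses are constructed for this example; when run directly it uses /var/log/suricata/fast.log if that file is readable.

```shell
#!/bin/sh
# Summarise a Suricata fast.log: alerts per signature, top talkers, and
# alerts at or above a priority threshold. Added example, not from the post.

# Constructed sample alerts in fast.log format (sids, messages and addresses
# are illustrative, not from a real capture).
SAMPLE_FAST_LOG='06/15/2015-12:34:56.789012  [**] [1:1000001:1] EXAMPLE SCAN inbound to MSSQL port 1433 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:41822 -> 192.168.56.102:1433
06/15/2015-12:34:57.101010  [**] [1:1000001:1] EXAMPLE SCAN inbound to MSSQL port 1433 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:41823 -> 192.168.56.102:1433
06/15/2015-12:35:02.000001  [**] [1:1000002:1] EXAMPLE ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.168.56.102:80 -> 192.168.56.101:50000'

# Write the constructed sample to the file named in $1.
write_sample_log() {
    printf '%s\n' "$SAMPLE_FAST_LOG" > "$1"
}

# Print "count sid message" per signature, most frequent first.
summarize_alerts() {
    sed -n 's/^.*\[1:\([0-9][0-9]*\):[0-9][0-9]*\] \(.*\) \[\*\*\] \[Classification.*$/\1 \2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Print "count src -> dst" pairs, most frequent first, to spot the noisiest host.
top_talkers() {
    sed -n 's/^.*{[A-Z]*} \([0-9.]*\):[0-9]* -> \([0-9.]*\):[0-9]*$/\1 -> \2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Count alerts whose priority is $2 or more urgent (1 is the highest priority).
count_priority() {
    awk -v max="$2" '
        match($0, /\[Priority: [0-9]+\]/) {
            p = substr($0, RSTART + 11, RLENGTH - 12)   # the digits after "[Priority: "
            if (p + 0 <= max + 0) n++
        }
        END { print n + 0 }' "$1"
}

# Report on the real log when present, otherwise on the constructed sample.
main() {
    log=${1:-/var/log/suricata/fast.log}
    if [ ! -r "$log" ]; then
        log=$(mktemp)
        write_sample_log "$log"
        echo "(no readable fast.log; using constructed sample)"
    fi
    echo "== alerts by signature =="; summarize_alerts "$log"
    echo "== top talkers =="; top_talkers "$log"
    echo "== priority 1 alerts: $(count_priority "$log" 1)"
}

main "$@"
```

The sed patterns anchor on the fixed `[**]` and `[Classification:` markers rather than on column positions, so they tolerate messages that contain spaces or brackets of their own; a line that does not match is silently skipped, which is the right behaviour for the occasional non-alert line Suricata writes on startup.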

Next up we will look at network reconnaissance.