lab updates

This commit is contained in:
Z. Cliffe Schreuders
2018-11-09 15:16:45 +00:00
parent 4edb750441
commit 7a6498a7cc
2 changed files with 13 additions and 15 deletions

View File

@@ -6,15 +6,15 @@
==Start these VMs== (if you haven't already):
- hackerbot_server (leave it running, you don't log into this)
- ids_server (IP address: <%= $ids_server_ip %>)
- ids_snoop (IP address: <%= $ids_server_ip %>)
- web_server (IP address: <%= $web_server_ip %>, leave it running, you don't log into this)
- desktop
All of these VMs need to be running to complete the lab.
**Ensure the ids_server VM is allowed promiscuous mode.** If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks using promiscuous mode. On the Leeds Beckett oVirt infrastructure we have snoop networks, which mirror all the traffic between systems. On Virtualbox, you would need to go to Advanced network settings for the host-only network on the ids_server and enable promiscious mode.
**Ensure the ids_snoop VM is allowed promiscuous mode.** If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks using promiscuous mode. On the Leeds Beckett oVirt infrastructure we have snoop networks, which mirror all the traffic between systems. On Virtualbox, you would need to go to Advanced network settings for the host-only network on the ids_snoop and enable promiscious mode.
### Your login details for the "desktop" and "ids_server" VMs
### Your login details for the "desktop" and "ids_snoop" VMs
User: <%= $main_user %>
Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
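Review bot: the renamed `ids_snoop` entry on the line `- ids_snoop (IP address: <%= $ids_server_ip %>)` still interpolates `$ids_server_ip`; if the VM was renamed in the scenario as well, the variable should follow (for example a `$ids_snoop_ip` value), otherwise the lab will print the wrong address. The rewritten promiscuous-mode paragraph also carries over the spelling `promiscious mode` and reads `on the ids_snoop and enable`, which wants `VM` after the name.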
@@ -34,7 +34,7 @@ Work through the below exercises, completing the Hackerbot challenges as noted.
---
## Getting Snort up and running
**On the ids_server VM:**
**On the ids_snoop VM:**
==Change Snort's output== to something more readable:
@@ -48,12 +48,6 @@ sudo vi /etc/snort/snort.conf
==Add the following line:==
`output alert_fast`
==Let us edit the local rules file without sudo:==
```bash
sudo chown <%= $main_user %> /etc/snort/rules/local.rules
```
==Change Snort's interface== to the interface with IP address <%= $ids_server_ip %> (likely changing eth0 to ens3), and set the local network to your IP address range (or "any"):
```bash

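Review bot: the header `@@ -48,12 +48,6 @@` says six lines were dropped here, but the rendered view does not mark which; if `sudo chown <%= $main_user %> /etc/snort/rules/local.rules` is among them, the later unprivileged `echo ... >> /etc/snort/rules/local.rules` and `vi /etc/snort/rules/local.rules` steps in the other file will fail with permission denied, so either keep the chown or prefix those later commands with `sudo`. Separately, the ids_snoop interface instruction still refers to `<%= $ids_server_ip %>`, which should track whatever variable the VM list uses.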
View File

@@ -118,15 +118,19 @@ And bringing all this together a Snort rule could read:
**On the ids_snoop VM:**
Add the rule, and reload Snort:
==Add this rule== to /etc/snort/rules/local.rules:
```bash
echo 'alert tcp any any -> <%= $web_server_ip %> 80 (msg: "Website access <%= $random_string %>"; content: "GET /"; sid:1000001; rev:1;)' >> /etc/snort/rules/local.rules
sudo service snort restart
alert tcp any any -> <%= $web_server_ip %> 80 (msg: "Website access <%= $random_string %>"; content: "GET /"; sid:1000001; rev:1;)
```
> The above echo command simply puts the new rule line at the end of the file. You can then edit it using `vi /etc/snort/rules/local.rules`.
> Run `vi /etc/snort/rules/local.rules` Remember press 'i' to enter insert mode, make your changes, press Esc, then type ':wq' to write your changes and quit vi.
==Restart snort==:
```bash
sudo service snort restart
```
==Test the new rule...==
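Review bot: `sudo service snort restart` placed directly after the `echo` line restarts Snort before the reader has edited the rule in vi (per the quoted note that follows), and the same restart is repeated under `==Restart snort==`; drop the first one so Snort is reloaded once, after the edit. The appended rule also relies on the user being able to write `/etc/snort/rules/local.rules` without `sudo`, which only holds if the earlier `chown` step survives.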