[SOLVED] CS6262-Project 4:Network Monitoring

Description

SPRING 2025 SOLUTION LINK click here!!

 

Introduction

Goals:

The goal of this project is to introduce students to the techniques that help to differentiate malicious and legitimate network traffic. This is a task that network operators perform frequently. In this project, the students are provided with samples of malicious and legitimate traffic. They can observe how each type of traffic looks like. In the project folder, there is a pcap file that contains network traffic that originates from multiple hosts in the same network. This pcap file is a mixture of legitimate and malicious traffic. The students are asked to investigate the pcap file in network tools such as WireShark. Finally, the students are asked to use Snort and write their own Snort rules, which will differentiate malicious and legitimate traffic.

In summary, the students are introduced to:

• Observing pcap samples of legitimate and malicious network traffic
• Using Snort and writing Snort rules to differentiate legitimate traffic from malicious traffic

Figure 1: Network setup for traffic collection.

Definitions and Traffic Collection Set-up:

In this assignment, there are four attack scenarios. For each attack, a scenario is defined based on the implemented network topology, and the attack is executed from one or more machines outside the target network. Figure 1 shows the implemented network, which is a common LAN network topology on the AWS computing platform. The hosts are behind a NAT, and their IP addresses belong to a single /16:

172.31:0:0:/16.  It also shows a visual representation of the network and our traffic collection set-up.

Types of attacks:

• Denial of Service (DoS):

In DoS, attackers usually keep making full TCP connections to the remote server. They keep the connection open by sending valid HTTP requests to the server at regular intervals but also keep the sockets from closing. Since any Web server has a finite ability to serve connections, it will only be a matter of time before all sockets are used up and no other connection can be made.

It is your task to find out how the DoS attack is present in the evaluation pcap given to you.

• Bruteforce:

FTP/SSH is attacked via a Kali Linux machine( the attacker machine), and Ubuntu 14.0 system is the victim machine. There is a large dictionary that contains 90 million words that were used for the list of passwords to brute force.

It is your task to identify which one of them is present in the evaluation pcap given to you.

• Web Attacks:

There are 3 possible web attacks, one of which would be present in your pcap.

• DVWA-based: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is vulnerable. An attacker might try to hijack it.
• XSS-based: An attacker might try to launch an XSS attack.
• SQL Injection: An attacker might try an SQL injection attack.

It is your task to identify which ones of them are present in your evaluation pcap.

• Botnet:

Zeus is a trojan horse malware that runs on Microsoft Windows. It might be presented in the pcap. It can be used to carry out many malicious and criminal tasks and it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is used to install the Crypto-Locker ransomware as well. Zeus spreads mainly through drive-by downloads and phishing schemes. The Ares botnet might also be presented in the pcap. It is an open-source botnet and has the following capabilities:

• remote cmd.exe shell
• persistence
• file upload/download
• screenshot (e) keylogging

Either Zeus and Ares could be present in your evaluation pcap, it is your task to identify which one.

Notes: the traffic doesn’t have to cover all the attacks, and they can also cover multiple attacks for one category. For example, for web attacks, we can have both SQL injection and XSS. You need to find those in the evaluation pcap.

Sample traffic: For each type of traffic mentioned above, we provide a sample of that category/type of traffic. These samples are only for illustration purposes. These samples are only examples, and they are not the same as the actual traffic that is included in the evaluation pcap, which the students will need to label.

• Legitimate background traffic:

For this exercise, we assume normal traffic to include HTTP, DNS. An example of normal (attack free) traffic can be found in:

• pcap ● BruteForce:

○    sample_bruteforce_ssh.pcap

○    sample_bruteforce_ftp.pcap ● Botnet:

The host generates this traffic explicitly to communicate with a C&C server. The host communicates with the C&C server to receive commands, updates, etc.

○    sample_bot.pcap ● Web Attack:

○    sample_web.pcap ○      sample_xss.pcap

○    sample_sqlinjection.pcap.

You should use multiple rules to cover all these attacks.

• dos:
  • We do not provide a sample. Please look at the example Snort rules on dos in the resources section.

Introduction Video (optional):

We made a short video about wireshark and the project(about 15 mins): https://bluejeans.com/s/EiWzm3BxScx/

You will need to log in with your GaTech login information. When viewing the video, please slide right at the bottom of the screen to see the second screen in full screen mode.

We recommend that you read over the project description before viewing the video.

There are probably more filters(such as the filtering on the http method etc) that you can apply. We encourage you to read over the wire shark related links at the end of the project description to learn more about it.

Project Tasks (100 points):

The goal is to:

• Explore the given pcaps in Wireshark and identify the attack traffic patterns.
• Write Snort rules to raise alerts to identify the attacks.

Towards this goal, please follow the tasks below:

• Install Wireshark in your local machine (we provide a VM but we recommend inspecting the pcaps via Wireshark on your local machine – instead of the VM as it is very CPU and RAM intensive).
• Download: The vm from this link.

In case you are doing the project on your local machine. We also provide the evaluation pcap in the link so you don’t need to scp it.

MD5 hash of 2021SP4.ova: ee14a57afceb03046a4e7f524b3aac12

• Import the VM from this link. Login to the VM using: login: student, password: project4
• Locate the pcap files on your desktop. In this directory, you will find the sample pcaps and the evaluation pcap pcap.
• Make observations on the pcaps:

Observe the sample pcaps to get an idea about how each type of malicious traffic looks like. You can use

Wireshark or tshark to isolate some traffic. For example, in Wireshark, you can apply display filters

e.g. tcp (to display only TCP traffic), ip.addr == 10.0.0.1 (to display traffic that originates from or is destined to this IP address). Also, you can combine filters using or/and.

You should use the attack descriptions above – to understand how these attacks should look like in network traffic.

• Write Snort rules – keep in mind, we are using Snort3, and not Snort2 – please make sure you use the Snort version installed in the VM.

You can write your Snort rules in any file.  As an example, we’ll write them in ~/Desktop/eval.rules ●      You can now run these snort rules on the evaluation pcap using:

sudo snort -c /usr/local/etc/snort/snort.lua -r ~/Desktop/evaluation.pcap -R ~/Desktop/eval.rules -s 65535 -k none -l . (The result will be in `alert_json.txt`. The dot at the end means the result will be generated in the current directory)

Example Snort alert rule based on IP: alert tcp 10.0.0.1 any -> any any (msg:”TCP traffic detected from IP 10.0.0.1″; GID:1; sid:10000001; rev:001;) It creates an alert message: TCP traffic detected from IP 10.0.0.1 when there is a TCP connection from the source IP 10.0.0.1 and any port to any destination IP and any destination port.

• You can then view the Snort alert log using sudo vim alert_json.txt.
• Use EXACTLY ONE of the following strings as the alert message in the Snort rule:
  1. DoS,
  2. Bruteforce,3. WebAttack,
  3. Botnet.

For example, if you are writing a rule to detect ssh brute force, then the alert message should be “Bruteforce”. This will be used to grade your result – getting this part wrong can lead to a point loss.

Statistics for each type of unique connections (Important!):

Bruteforce: 3673

DoS: 8095

WebAttack: 40 Botnet: 47621

(The number might be a little different when you try to find it in Wireshark. Use the number that Snort gives you)

We consider a connection to be “src_ip:src_port:dest_ip:dest_port”. run  “python3

~/Desktop/cal_unique_connection_2021.py  yourAlertFile” to check the unique connections of your alert_json.txt and generate the results in `connections.txt`. If your alert JSON file is generated in the home directory, you might need to add sudo in front of your command.

Resources:

Readings on botnets behavior: Please read through the following papers, to get an understanding of what is a bot, and how botnets behave. Please note that we are not asking you to implement the proposed methodologies, e.g. a machine learning method to detect bots.

• ”BotHunter: Detecting            Malware             Infection             Through              IDS-Driven         Dialog Correlation”,     Gu                     al. http://faculty.cs.tamu.edu/guofei/paper/Gu_Security07_botHunter.pdf
• ”BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic”, G. Gu, J. Zhang, W. Lee, http://faculty.cs.tamu.edu/guofei/paper/Gu_NDSS08_botSniffer.pdf
• ”BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet

Detection”,                G.                Gu,                R.               Perdisci,                J.                Zhang,               W.                Lee,

https://www.usenix.org/legacy/event/sec08/tech/full_papers/gu/gu.pdf

Snort resources: Here you can find some examples of Snort rules, and some resources so that you get familiar with Snort rules. The purpose of these resources is only to get you familiar with how Snort rules look like. You are expected to write your own Snort rules.

• https://usermanual.wiki/Document/snortmanual.760997111/view
• https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/596/original/ pdf

Example: Writing Snort rules to detect dos traffic: This is an example to give you an idea about how we can use our understanding of an attack, and write Snort rules with potentially long shelf life, to detect this attack. Intro reading for dos: https://en.wikipedia.org/wiki/Denial-of-service_attack. Snort for dos: Please read this to get a general idea about how Snort can be used for this purpose. Please focus on sections 3 and 4. http://www.ijeert.org/pdf/v2-i9/3.pdf. After reading the above, one way to detect dos traffic is to monitor the rate of incoming traffic. Here is an example Snort rule based on traffic rate:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

Useful tools/commands:

• You can SCP the files from the VM to your local machine and view them using Wireshark.
• SCP: http://www.hypexr.org/linux_scp_help.php
• Redirecting a program’s output: http://linuxcommand.org/lc3_lts0070.php
• You can install Wireshark from here: https://www.wireshark.org/
• Wireshark display filters to view part of the traffic: https://wiki.wireshark.org/DisplayFilters
• How to scp a file named file to the VM: scp file student@<VM’s ip>:/home/student. If your VM has a different IP address than the above then you can find it by starting the VM, then log-in, and then do: ip a.
• The above scp command is just an example. Modify it accordingly. Resource for scp syntax: http://www.hypexr.org/linux_scp_help.php

Subnet:

• Why is 172.31.0.0/16 a subnet?

Because it uses CIDR notation. CIDR and subnetting are virtually the same thing.

• What’s CIDR?

CIDR is Classless inter-domain routing. It is the /number representation.  In this case, we have /16 ● What does /16 mean again?

/16 represents the subnet mask of 255.255.0.0

If you convert 255.255.0.0 into binary, you will see 16   1’s and that’s where the number 16 comes from. Of course, I can’t remember all those conversions for all netmask. There is a cheat sheet:

Wait, what’s a subnet mask?

Feel free to read this link if you want to know more: https://avinetworks.com/glossary/subnet-mask/

Important Notes

Disclaimer for background traffic. Please note that the traffic that is found in the evaluation pcap, and/or at the Sample pcaps is not generated by us. The dataset closely resembles realist traffic. Part of this traffic might contain inappropriate content or language. We have taken extra measures and we have performed considerable effort to filter all traffic, based on commonly used inappropriate words. We have filtered the http payload and URIs. Nevertheless, it might still be possible that some inappropriate content or words might have not been filtered entirely. In case you locate such content, we are letting you know, that it is not intentional, and we are not responsible for it. Also, to complete this assignment, you do not need (nor do we ask you) to click on URLs found inside http payloads.

Additional tools are not allowed. For the assignment, you are not allowed to use any available tools, related to Snort or others. For example, you are not allowed to use Snort preprocessors that may be publicly available, pre-compiled Snort rules, detection tools. etc. You are expected to write your own Snort rules.