334.2 - Network Intrusion Detection
Key Knowledge Areas:
- Implement bandwidth usage monitoring
- Configure and use Snort, including rule management
- Configure and use OpenVAS, including NASL
Partial list of the used files, terms and utilities:
- ntop
- snort
- snort-stat
- pulledpork.pl
- /etc/snort/*
- openvas-adduser
- openvas-rmuser
- openvas-nvt-sync
- openvassd
- openvas-mkcert
- openvas-feed-update
- /etc/openvas/*
Files
/etc/snort/*
A major difference between Snort 2 and Snort 3 is the main configuration file: Snort 2 reads /etc/snort/snort.conf, written in Snort's own configuration syntax, while Snort 3 reads /etc/snort/snort.lua, written in Lua. The snort2lua tool converts a Snort 2 configuration (and its rules) to the new format. Rule files live under /etc/snort/rules/. A configuration can be checked without starting the engine by running snort with -T and -c <config>.
/etc/openvas/*
Configuration files for OpenVAS (scanner, manager and feed settings).
Utilities
ntop
The current successor to ntop is ntopng, a web-based network traffic monitoring application that reports bandwidth usage per host, protocol and flow.
snort
Snort is an open source network intrusion detection and prevention system (IDS/IPS). It can run as a packet sniffer, a packet logger, or a rule-based network intrusion detection system. Three rule sets are available: the free, community-managed Community Rule Set; the Registered Rule Set, which is the commercial rule set released free of charge with a 30-day delay; and the commercial Subscriber Rule Set offered by Cisco.
snort-stat.pl
A Perl script originally written by Chen Yen-Ming that summarizes Snort alert logs into per-signature and per-host statistics. snort-stat appears deprecated; an authoritative source cannot be located.
pulledpork.pl
PulledPork is a rule manager for Snort and Suricata. It downloads the rule tarballs (Community, Registered or Subscriber), merges them with local rules, applies enable/disable/modify lists keyed by rule SID, and writes the rule files the engine loads. pulledpork.pl is the Perl version used with Snort 2; PulledPork 3 is a Python rewrite for Snort 3.
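The rule header and option syntax described above, together with the SID-based enable/disable handling that PulledPork automates, as an added Python example (this is not code from Snort, PulledPork or the original page). The rules in SAMPLE_RULES are constructed for this example, and the 1,000,000 floor for local SIDs is the usual convention, assumed here rather than taken from the page:

```python
"""Minimal Snort 2 rule parser and SID-based rule manager (constructed example)."""
import re
from dataclasses import dataclass, field

# Constructed sample rule file for this example; not a real Snort rule set.
# Line 3 is a disabled rule, line 4 uses a reserved SID, line 5 duplicates a SID.
SAMPLE_RULES = r'''
# local.rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force; many connections"; flow:to_server,established; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo"; itype:8; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet login attempt"; flow:to_server,established; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL bad SID range"; sid:999; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL duplicate SID"; sid:1000001; rev:1;)
'''

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

LOCAL_SID_MIN = 1_000_000  # assumed convention: lower SIDs belong to the official rule sets


@dataclass
class Rule:
    enabled: bool
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # (keyword, value or None) in rule order
    raw: str = ""

    def option(self, key):
        for k, v in self.options:
            if k == key:
                return v
        return None

    @property
    def sid(self):
        return int(self.option("sid"))

    @property
    def rev(self):
        return int(self.option("rev") or 1)

    @property
    def msg(self):
        v = self.option("msg")
        return v.strip('"') if v else None


def split_options(body):
    """Split 'k:v; k2; ...' on ';' while honouring quoted strings and \\" escapes."""
    items, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch); escape = False
        elif ch == '\\':
            cur.append(ch); escape = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ';' and not in_quote:
            items.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        raise ValueError("every option must be terminated by ';'")
    out = []
    for item in items:
        key, sep, val = item.partition(':')
        out.append((key.strip(), val.strip() if sep else None))
    return out


def parse_rule(line):
    """Parse one line; a rule commented out with '#' is returned with enabled=False.
    Blank lines and ordinary comments return None."""
    text = line.strip()
    enabled = True
    if text.startswith('#'):
        enabled = False
        text = text.lstrip('# ').strip()
    m = HEADER_RE.match(text)
    if not m:
        return None
    r = Rule(enabled, m['action'], m['proto'], m['src'], m['sport'], m['dir'],
             m['dst'], m['dport'], split_options(m['opts']), line.rstrip('\n'))
    if r.option('sid') is None:
        raise ValueError(f"rule without sid: {text}")
    return r


def parse_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def check_rules(rules):
    """Rule-management hygiene: report duplicate SIDs and local SIDs in the reserved range."""
    problems, seen = [], set()
    for r in rules:
        if r.sid < LOCAL_SID_MIN:
            problems.append(f"sid {r.sid} is in the range reserved for official rules")
        if r.sid in seen:
            problems.append(f"sid {r.sid} defined more than once")
        seen.add(r.sid)
    return problems


def apply_sid_policy(text, disable=(), enable=()):
    """Comment out or re-enable rules by SID, the way PulledPork applies
    disablesid/enablesid lists before writing the rule file."""
    out = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            out.append(line)
            continue
        body = line.strip().lstrip('# ').strip()
        if r.sid in disable:
            out.append('# ' + body)
        elif r.sid in enable:
            out.append(body)
        else:
            out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        state = "on " if r.enabled else "off"
        print(f"{state} sid={r.sid} rev={r.rev} {r.action} {r.proto} -> {r.dst}:{r.dport} {r.msg}")
    for p in check_rules(rules):
        print("PROBLEM:", p)
    print(apply_sid_policy(SAMPLE_RULES, disable={1000002}, enable={1000003}))
```

The option splitter is the part worth studying: the first sample rule carries a `;` inside its msg string, which a naive split on `;` would break, and the duplicate-SID check is the reason rule managers key everything on sid/rev rather than on rule text.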
openvas-adduser
Add a user to the openvassd userbase.
Each user has their own set of rules, which restrict what the user is allowed to scan. The rules are accept/deny entries for IP addresses or networks followed by a default rule. For instance, user "alice" can be added so that she may only test the host 192.168.1.1, whereas user "bob" may test any IP address he wishes.
openvas-rmuser
Remove a user from the openvassd userbase by deleting the user from the openvassd configuration files together with the user's data (saved KBs and saved sessions).
openvas-nvt-sync
Synchronize the local collection of NVTs (Network Vulnerability Tests, the NASL scripts) with the feed server, fetching new and updated checks and installing them into the scanner's plugin directory.
openvassd
The OpenVAS Scanner Daemon (openvassd) listens for incoming connections and starts scan processes that run the vulnerability tests. It collects the results and reports them to the management daemon. Since GVM 11 it has been replaced by the openvas scanner application, which is driven by ospd-openvas instead of accepting network connections itself.
openvas-mkcert
Create a scanner certificate.
The OpenVAS scanner protects the connection between client and scanner with TLS. The scanner must present a certificate to the client, and the client may optionally present a certificate to the scanner (mutual authentication).
openvas-feed-update
A wrapper script that runs the individual feed synchronization tools in sequence. Shown here with comments added and a private temporary file in place of the original's predictable /tmp/ports.xml path:
#!/bin/bash
# Abort on the first failed sync so a partial feed update is noticed.
set -euo pipefail
echo "Updating OpenVas Feeds"
openvas-nvt-sync          # NVTs (NASL vulnerability tests)
openvas-scapdata-sync     # SCAP data (CVE, CPE, OVAL definitions)
openvas-certdata-sync     # CERT advisories (DFN-CERT, CERT-Bund)
echo "Updating Ports"
# Private temp file: a fixed /tmp name is exposed to symlink attacks when run as root.
PORTS=$(mktemp)
trap 'rm -f "$PORTS"' EXIT
# Note: the IANA port list is fetched over plain HTTP with no integrity check.
wget -q http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml -O "$PORTS"
openvas-portnames-update "$PORTS"
Notes
Nessus Attack Scripting Language (NASL)
NASL is the language in which OpenVAS vulnerability tests (NVTs) are written. The openvas-nasl command executes one or more NASL scripts against a target host given with -t. It can also check a script for syntax errors without contacting any target by running it in parse-only (-p) or lint (-L) mode.