Time: March 16, 2008
Objective: Get to know how Network Security Monitoring works in Knoppix-NSM to capture packet streams, and the differences between Knoppix and Knoppix-NSM.
Procedures & Results:
A team of two worked together on this lab session; my partner was Lee James.
I used Knoppix and Lee used Knoppix-NSM.
Knoppix boot process:
To boot Knoppix into RAM, a live CD is loaded into the CD drive. The initial Knoppix screen came up. I then clicked the Console terminal program icon, which opened the Console window. In that Console window I typed ifconfig.
My IP address is 129.7.236.112, and Lee's computer's IP address is 129.7.236.230.
Knoppix-NSM boot process:
Step-1:
Lee: The Knoppix-NSM CD is loaded into the CD drive and the system is turned on.
He opened the root console and cleared all the iptables rules by executing the following command:
/etc/init.d/iptables clear
This clears the firewall. Next, the TCP/IP configuration is obtained from the DHCP server by using the pump command (the interface flag is lowercase -i):
pump -i eth0
Step-2: Once the system is successfully booted, the mysql, apache2 and sguild servers are started by the following commands:
/etc/init.d/mysql start
/etc/init.d/apache2 start
/etc/init.d/sguild start
Next, the Sguil sensor is started by typing:
sensor default start
ntop is started by typing:
/etc/init.d/ntop.default start
Step-3: Start Sguil client
Open the NSM Sguil client, which brings up the following login screen.
The username and password are sguil and password respectively.
Step 4 - Start BASE client
The BASE client is started by opening Firefox and entering the following URL:
https://localhost/base/
The following login screen appears; enter the username admin and the password password.
Step 5 - View Statistical data with Ntop
Statistical data is viewed by clicking the ntop button, which opens ntop in a new browser window.

Step 6 - Test it
This is my part of the hands-on lab. I opened a console and ran several Nmap scans against Lee's computer.
Null Scan
Command: nmap -sN 129.7.236.230
Screenshot:

X-mas Scan
Command I input: nmap -sX 129.7.236.230
Screenshot:

Then I used hping2 to do a DP-based ping of Lee's computer:
Command: hping2 129.7.236.230
Ctrl+C to stop the hping2 command
Screenshot:

Lee monitored what I did to his computer:

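As an added example for Step 6 (and for the traffic questions in the Reflections below), not part of the original lab report or of the Knoppix-NSM tools: a small Python script that reads tcpdump-style text lines, the way an analyst would look at raw packet data from Sguil, and picks out the probes this lab generated. A Null scan (nmap -sN) sends TCP headers with no flags set, an Xmas scan (nmap -sX) sets FIN, PSH and URG, and hping2 in its default TCP mode sends flagless packets to port 0; the script labels each of these and then counts distinct destination ports per source so that a sweep across ports stands out from a repeated ping. The sample lines, the third host 129.7.236.200, and the threshold of three distinct ports for reporting a sweep are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines modelled on the lab traffic (scanner
# 129.7.236.112 probing 129.7.236.230). The third host 129.7.236.200 and
# every timestamp, port and sequence number below are made up for this
# example; they are not a capture from the lab.
SAMPLE_LINES = """\
12:00:01.000001 IP 129.7.236.112.40123 > 129.7.236.230.22: Flags [none], seq 0, win 1024, length 0
12:00:01.000200 IP 129.7.236.230.22 > 129.7.236.112.40123: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.000400 IP 129.7.236.112.40123 > 129.7.236.230.80: Flags [none], seq 0, win 1024, length 0
12:00:01.000600 IP 129.7.236.112.40123 > 129.7.236.230.443: Flags [none], seq 0, win 1024, length 0
12:00:05.000001 IP 129.7.236.112.40124 > 129.7.236.230.22: Flags [FPU], seq 0, win 1024, urg 0, length 0
12:00:05.000300 IP 129.7.236.112.40124 > 129.7.236.230.80: Flags [FPU], seq 0, win 1024, urg 0, length 0
12:00:05.000500 IP 129.7.236.112.40124 > 129.7.236.230.443: Flags [FPU], seq 0, win 1024, urg 0, length 0
12:00:09.000001 IP 129.7.236.112.2017 > 129.7.236.230.0: Flags [none], seq 0, win 64, length 0
12:00:10.000001 IP 129.7.236.112.2018 > 129.7.236.230.0: Flags [none], seq 0, win 64, length 0
12:00:11.000001 IP 129.7.236.112.2019 > 129.7.236.230.0: Flags [none], seq 0, win 64, length 0
12:00:12.000001 IP 129.7.236.200.51000 > 129.7.236.230.80: Flags [S], seq 1, win 65535, length 0
12:00:12.000100 IP 129.7.236.230.80 > 129.7.236.200.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# tcpdump prints one letter per TCP flag; "." stands for ACK and "none" for
# a header with no flags set (what a Null scan sends).
FLAG_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
                ".": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a packet dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    raw = m.group("flags")
    flags = frozenset() if raw == "none" else frozenset(
        FLAG_LETTERS[c] for c in raw if c in FLAG_LETTERS)
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")), "flags": flags}


def classify_packet(pkt):
    """Label one packet by its flag combination.

    "null"       - no flags at all (nmap -sN probe)
    "null-port0" - no flags and destination port 0 (hping2's default TCP mode
                   sends exactly this, so it is kept apart from a port sweep)
    "xmas"       - FIN+PSH+URG (nmap -sX probe)
    "normal"     - anything else, including the RST/ACK replies from the target
    """
    flags = pkt["flags"]
    if not flags:
        return "null-port0" if pkt["dport"] == 0 else "null"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    return "normal"


def analyse(lines, scan_threshold=3):
    """Parse lines, collect anomalous probes, and report per-source port sweeps.

    scan_threshold is an assumed cut-off: a (source, destination, probe kind)
    triple that touches at least this many distinct ports is reported as a sweep.
    """
    anomalies = []
    ports_seen = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        kind = classify_packet(pkt)
        if kind == "normal":
            continue
        anomalies.append((pkt["ts"], pkt["src"], pkt["dst"], pkt["dport"], kind))
        ports_seen[(pkt["src"], pkt["dst"], kind)].add(pkt["dport"])
    scans = [{"src": s, "dst": d, "kind": k, "ports": sorted(p)}
             for (s, d, k), p in ports_seen.items() if len(p) >= scan_threshold]
    return {"anomalies": anomalies, "scans": scans}


if __name__ == "__main__":
    report = analyse(SAMPLE_LINES.splitlines())
    for a in report["anomalies"]:
        print("%s %s -> %s:%d %s" % a)
    for s in report["scans"]:
        print("port sweep (%s) from %s to %s over ports %s"
              % (s["kind"], s["src"], s["dst"], s["ports"]))
```

On the sample above the script reports nine anomalous probes, two sweeps (a Null sweep and an Xmas sweep from 129.7.236.112 across ports 22, 80 and 443), and no sweep for the three hping2-style packets, since they all go to port 0. The RST/ACK replies from Lee's machine and the ordinary SYN handshake from the third host are left alone, which is the distinction an analyst wants when deciding which Sguil events to escalate.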
Reflections:
1. What is Network Security Monitoring?
NSM can be defined as the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a detective rather than a preventative process.
2. Briefly, compare and contrast Knoppix-NSM and Knoppix?
Knoppix is a desktop Linux live system with a windowed interface for users to interact with; it is friendlier and easier to use. Knoppix-NSM, by contrast, focuses on Network Security Monitoring and gives professional users an almost instant NSM platform. Knoppix has some tools for tracking network traffic, such as Wireshark. Knoppix-NSM provides a complete package for detective monitoring, including Sguil, Snort, ntop, SANCP, Wireshark and even BASE (a web-based console).
3. How would you use Knoppix-NSM to establish a network baseline? Be specific in your answers and be sure to capture and display relevant screens.
By starting the BASE client and viewing statistical data with ntop. The process and screenshots are shown in Steps 4 and 5.
4. Sguil has several major elements. Present and define these elements.
Sguil is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis. The Sguil client is written in Tcl/Tk and can be run on any operating system that supports Tcl/Tk (including Linux, *BSD, Solaris, MacOS, and Win32).
5. Identify interesting traffic that you received during the lab from other people in your class.
Refer to Step 6 screenshots.
6. Identify interesting traffic that your system received from systems other than those involved in the lab.
Refer to Step 6 screenshots.
