Part 1
Step 1: Open a Terminal: Launch the Terminal on your Ubuntu system, then type the command shown in the image below to add the Suricata repository.
ubuntu@ubuntu-VirtualBox:~$ sudo /bin/bash
root@ubuntu-VirtualBox:/home/ubuntu# add-apt-repository ppa:oisf/suricata-stable
Suricata IDS/IPS/NSM stable packages
https://suricata.io/
https://oisf.net/
Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.
Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
This Engine supports:
- Multi-Threading - provides for extremely fast and flexible operation on multi core systems.
- Multi Tenancy - Per vlan/Per interface
- Uses Rust for most protocol detection/parsing
- TLS/SSL certificate matching/logging
- JA3 TLS client fingerprinting
- JA3S TLS server fingerprinting
- IEEE 802.1ad (QinQ) and IEEE 802.1Q (VLAN) support
- VXLAN support
- All JSON output/logging capability
- IDS runmode
- IPS runmode
- IDPS runmode
Step 2:
Install Suricata: Use the following command to install Suricata:
sudo apt install suricata
Then start the Suricata service by typing the following command in the terminal:
sudo service suricata start
root@ubuntu-VirtualBox:/home/ubuntu# sudo apt install suricata
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
suricata
[unreadable]
[unreadable]
The following packages were automatically installed and are no longer required:
[unreadable]
[unreadable]
Use 'sudo apt autoremove' to remove them.
[unreadable]
root@ubuntu-VirtualBox:/home/ubuntu# sudo service suricata start
Screenshot 2
Step 3: Configure Suricata to Monitor and Analyze Network Traffic
Edit the Configuration File: Open the Suricata configuration file using the nano text editor. The file is typically located at /etc/suricata/suricata.yaml.
Type the following command to open the file: sudo nano /etc/suricata/suricata.yaml
Configure Network Interfaces: In the configuration file, specify the network interfaces you want Suricata to monitor. Look for the af-packet section and configure it according to your network setup.
Screenshot 3
For my network I have made the configuration accordingly:
• Replace eth0 with the enp0s3 network interface.
• Set cluster-id: 99
• Set cluster-type: cluster_flow
• Set defrag: yes
Everything else remains at its default.
To save the configuration file press Ctrl+O, then press Ctrl+X to exit the nano editor.
After that, update the Suricata rules with the suricata-update command.
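The af-packet section after these changes, as an added example fragment (it is not a copy of the lab's screenshot): only the single interface entry is shown and every other key in suricata.yaml keeps its default. Note the spelling Suricata expects: the cluster type is cluster_flow with an underscore and the key is defrag, with no hyphen.

```yaml
# af-packet section of /etc/suricata/suricata.yaml as configured in this lab
# (added example fragment; keys not shown keep their defaults).
af-packet:
  - interface: enp0s3        # the VM's interface, replacing the default eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
```

Before restarting the service, sudo suricata -T -c /etc/suricata/suricata.yaml checks that the edited configuration still loads; sudo suricata-update then fetches the rule set, and sudo systemctl restart suricata applies both.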
Step 4: Restart the Suricata service with systemctl and check the Suricata IDS logs.
To monitor the Suricata intrusion detection log, type the command shown in the image below.
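Tailing the log shows alerts one at a time; to see what the IDS actually recorded during the scan it helps to summarise them. The script below is an added example, not part of this lab report or of Suricata itself: it reads Suricata's EVE JSON output (default path /var/log/suricata/eve.json; the field names follow Suricata's EVE schema) and counts alerts by signature and source address for the Ubuntu target. The log lines embedded in it are constructed, and the signature IDs and names are placeholders in the local rule range, not real rules.

```python
"""Summarise Suricata alerts from an EVE JSON log.

Added example for this lab report; it is not part of Suricata or of the report's own steps.
Field names (event_type, src_ip, dest_ip, alert.signature_id, ...) follow Suricata's EVE
schema; the log lines below are constructed and the signatures are placeholders in the
local sid range, not real rules.
"""
import json
from collections import Counter

# Constructed EVE JSON lines: one flow record, four alerts and one truncated line,
# the kind of mix found in /var/log/suricata/eve.json (Suricata's default EVE log path).
SAMPLE_EVE = """\
{"timestamp":"2024-03-01T10:00:01.000000+0000","in_iface":"enp0s3","event_type":"flow","src_ip":"192.168.1.105","dest_ip":"192.168.1.103","proto":"TCP"}
{"timestamp":"2024-03-01T10:00:02.000000+0000","in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.105","src_port":44123,"dest_ip":"192.168.1.103","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL SSH probe (constructed)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T10:00:03.000000+0000","in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.105","src_port":44124,"dest_ip":"192.168.1.103","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL web scanner user-agent (constructed)","category":"Web Application Attack","severity":1}}
{"timestamp":"2024-03-01T10:00:04.000000+0000","in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.105","src_port":44125,"dest_ip":"192.168.1.103","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL SSH probe (constructed)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T10:00:05.000000+0000","in_iface":"enp0s3","event_type":"alert","src_ip":"10.0.0.7","src_port":51000,"dest_ip":"192.168.1.103","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL SSH probe (constructed)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T10:00:06.000000+0000","in_iface":"enp0s3","event_type":"ale
"""


def parse_alerts(text):
    """Return the alert events from EVE JSON text, skipping non-alert and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A truncated line (log rotated mid-write) must not abort the whole analysis.
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarise(alerts, target_ip=None):
    """Count alerts by signature and by source; optionally only those aimed at target_ip."""
    if target_ip is not None:
        alerts = [a for a in alerts if a.get("dest_ip") == target_ip]
    by_signature = Counter(
        f'{a["alert"]["signature_id"]} {a["alert"]["signature"]}' for a in alerts
    )
    by_source = Counter(a["src_ip"] for a in alerts)
    # In Suricata, severity 1 is the highest priority; larger numbers are lower.
    high_priority = sum(1 for a in alerts if a["alert"].get("severity") == 1)
    return {
        "total": len(alerts),
        "by_signature": dict(by_signature),
        "by_source": dict(by_source),
        "high_priority": high_priority,
    }


def load_eve(path="/var/log/suricata/eve.json"):
    """Read a real EVE log from disk (default Suricata path) and return its alerts."""
    with open(path, encoding="utf-8") as fh:
        return parse_alerts(fh.read())


if __name__ == "__main__":
    summary = summarise(parse_alerts(SAMPLE_EVE), target_ip="192.168.1.103")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Pointing load_eve at the real log (reading it needs root or membership of the group that owns /var/log/suricata) and calling summarise with the Ubuntu VM's address gives the same per-signature and per-source breakdown for the scan performed in the next part.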
Using GVM, implement an attack from Kali Linux to target Ubuntu.
Step 1: Open the Kali terminal and type the following commands, as shown in the image, to start GVM
and to synchronize the feed data.
root@kali:~# greenbone-feed-sync --type GVMD_DATA
Running as root. Switching to user 'gvm' and group 'gvm'.
Trying to acquire lock on /var/lib/gvm/feed-update.lock
Acquired lock on /var/lib/gvm/feed-update.lock
Downloading data from Greenbone Community Feed
Downloading data from https://update.greenbone.net/community/feed-data
Greenbone Security Assistant daemon started
root@kali:~# greenbone-feed-sync --type SCAP
Running as root. Switching to user 'gvm' and group 'gvm'.
Trying to acquire lock on /var/lib/gvm/scap-data.lock
Acquired lock on /var/lib/gvm/scap-data.lock
Downloading SCAP data from https://download.greenbone.net/community/scap-data/
Step 2: When you start GVM it redirects you to the GVM web UI login page. Log in with your GVM
username and password. Then click on Scans → Tasks,
enter the task name as “ubuntu_vulnerability_scan” and select the Ubuntu target.
[New Task dialog: fields Name, Comment, Scan Targets, Alerts, Schedule, Add results to Assets, OpenVAS default; Save and Cancel buttons]
Step 3: When you select a target, a new window will open as shown below.
Set the target to the Ubuntu machine and enter the machine's address, “192.168.1.103”, then click on
save. You have now successfully added the target machine.
Step 4: Now start the scan/attack on the Ubuntu machine by pressing the play button shown in
the image.
Step 5: Scan/attack done successfully, and we have found 1 vulnerability.
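The result of Step 5 is normally read in the web UI. As an added example (not part of this lab report or of Greenbone's own tooling), the script below parses a report exported from GVM as XML and ranks its findings by severity and quality of detection (QoD), the same filter the UI applies by default. The element names are assumed from GVM's XML report export; the embedded report is constructed, its NVT OIDs and finding names are placeholders rather than real vulnerabilities, and its only host is the lab target 192.168.1.103.

```python
"""Rank findings from a GVM (OpenVAS) XML report by severity and quality of detection.

Added example for this lab; not part of the lab report or of Greenbone's own tools.
Element names (result, host, port, nvt, threat, severity, qod) are assumed from the
XML report export of the GVM web UI. The report below is constructed: its NVT OIDs
and finding names are placeholders, not real vulnerabilities.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """\
<report id="constructed-report-id" extension="xml" content_type="text/xml">
  <report id="constructed-report-id">
    <scan_run_status>Done</scan_run_status>
    <results start="1" max="100">
      <result id="constructed-result-1">
        <name>Constructed finding: outdated service banner</name>
        <host>192.168.1.103<asset asset_id="constructed-asset-1"/></host>
        <port>22/tcp</port>
        <nvt oid="0.0.0.0.0.constructed.1"><name>Constructed finding: outdated service banner</name></nvt>
        <threat>Medium</threat>
        <severity>5.0</severity>
        <qod><value>80</value><type>remote_banner</type></qod>
      </result>
      <result id="constructed-result-2">
        <name>Constructed finding: host reachable (informational)</name>
        <host>192.168.1.103<asset asset_id="constructed-asset-1"/></host>
        <port>general/tcp</port>
        <nvt oid="0.0.0.0.0.constructed.2"><name>Constructed finding: host reachable (informational)</name></nvt>
        <threat>Log</threat>
        <severity>0.0</severity>
        <qod><value>50</value><type>remote_probe</type></qod>
      </result>
      <result id="constructed-result-3">
        <name>Constructed finding: unverified web issue</name>
        <host>192.168.1.103<asset asset_id="constructed-asset-1"/></host>
        <port>80/tcp</port>
        <nvt oid="0.0.0.0.0.constructed.3"><name>Constructed finding: unverified web issue</name></nvt>
        <threat>High</threat>
        <severity>7.5</severity>
        <qod><value>30</value><type>executable_version_unreliable</type></qod>
      </result>
    </results>
  </report>
</report>
"""


def parse_report(xml_text):
    """Flatten every <result> element of the report into a plain dict."""
    root = ET.fromstring(xml_text)
    findings = []
    for result in root.iter("result"):
        qod = result.findtext("qod/value")
        findings.append({
            # <host> carries the address as text before its <asset> child element.
            "host": (result.findtext("host") or "").strip(),
            "port": result.findtext("port", default=""),
            "name": result.findtext("name", default=""),
            "threat": result.findtext("threat", default="Log"),
            "severity": float(result.findtext("severity", default="0")),
            "qod": int(qod) if qod is not None else 0,
        })
    return findings


def triage(findings, min_severity=0.1, min_qod=70):
    """Keep findings at or above both thresholds, highest severity first.

    min_qod=70 mirrors the GVM web UI's default QoD filter: a High finding with a
    low QoD is a weak signal and is hidden until the detection is confirmed.
    """
    kept = [f for f in findings if f["severity"] >= min_severity and f["qod"] >= min_qod]
    return sorted(kept, key=lambda f: (-f["severity"], f["host"], f["port"]))


def summarise_by_host(findings):
    """Count findings per host and threat level, e.g. {"192.168.1.103": {"Medium": 1}}."""
    summary = {}
    for f in findings:
        per_host = summary.setdefault(f["host"], {})
        per_host[f["threat"]] = per_host.get(f["threat"], 0) + 1
    return summary


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    print("per host:", summarise_by_host(findings))
    for f in triage(findings):
        print(f'{f["severity"]:>4} {f["threat"]:<7} {f["host"]} {f["port"]:<12} {f["name"]}')
```

Run against a report exported from the UI (open the parsed text with ET.parse instead of the embedded sample), the default thresholds reproduce the UI's view; passing min_qod=0 shows the low-confidence findings that still deserve a manual check on the target before they are treated as real.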
Part 2
(IDS) Evaluation and Cyber Crime Investigation
First of all, this lab report's objective is to record the Suricata IDS installation and testing process on an Ubuntu machine. The approaches used in network forensics, network traffic analysis, and the possibility of using an IDS to anticipate and report on network anomalies are all covered in this report.
Synopsis of Problems Met, Takeaways, and Achievements:
Problems Met:
Suricata's initial installation required careful configuration, which could be difficult for novices.
It can take some effort to fine-tune the Suricata setup to fit a particular network.
Learnings:
The significance of maintaining properly configured network interfaces and rules in order to provide efficient intrusion detection.
The requirement for regular rule updates and monitoring in order to stay ahead of new threats.
Achievements:
Suricata was successfully installed and configured on Ubuntu.
Efficient identification of intrusion attempts while simulating an attack.
Description of Screenshots Provided:
Screenshot 1: This screenshot captures the Suricata repository being successfully added on Ubuntu, showing the repository description printed when it is added.
Screenshot 2: This screenshot captures the successful installation of Suricata on Ubuntu, showing the installation progress and installed packages.
Screenshot 3: Depicts the configuration of network interfaces in the Suricata YAML file, ensuring Suricata monitors the desired network interface (e.g., eth0, cluster-type, etc.).
Screenshot 4: In order to apply the changes in the suricata.yaml file, we have updated Suricata using the suricata-update command.
Screenshot 5: Shows the Suricata IDS logs.
Using GVM, implement an attack from Kali Linux to target Ubuntu.
Screenshot 1: Shows GVM starting and the feed data sync required before targeting the Ubuntu machine with Greenbone Vulnerability Manager (GVM).
Screenshot 2: Shows the process of adding a target, such as entering the target's name and IP.
Screenshot 3: Shows the added target machine along with its port list and alive-test data.
Screenshot 4: Demonstrates the added target machine in the task list.
Screenshot 5: Displays the scan/attack results.
Network forensics is a complex task that involves the ability to identify, isolate, and dissect network traffic.
This report addresses the use of Greenbone Vulnerability Manager (GVM) for evaluating network security issues and introduces how network forensics methodologies can be mapped onto it.
Network Forensics Techniques:
Vulnerability Scanning with GVM: Whereas the IDS techniques above identify problems while the data is in motion or while internal data streams are being analyzed, GVM looks for vulnerabilities on the host side. It autonomously scans target hosts, in this case your Ubuntu VM, and checks them against the vulnerabilities in its database. This activity identifies the openings an attacker could use to enter the system.
GVM and Forensics Analysis:
Identifying Attack Surfaces: The GVM scan reveals what a forensic dissection would otherwise uncover after the fact: the loopholes and the various areas of security weakness on your Ubuntu machine. These attack vectors may serve as a gateway for a miscreant to disrupt operations or otherwise wreak havoc.
Predicting Attacks: With vulnerabilities discovered and addressed in advance, GVM makes it possible to anticipate an adversary's plan of operations. Attackers always aim at known vulnerabilities that offer real, exploitable possibilities, so this understanding supports proactive security measures.
GVM in Your Lab Test:
Ethical Attack Simulation: Though GVM isn't an attack tool per se, the information extracted from the GVM scan report was used to simulate attacks from the Kali machine. This simulation helped show that such attacks can happen and why systems suffer from them.
Focus on System Hardening: The primary duty of GVM in your lab examination is to spotlight probable shortcomings. It is possible to enhance the cyber-defense of your Ubuntu system if you take proper measures such as applying updates to system software and restricting access.
Conclusion
This lab session displayed GVM's significance in the field of network forensics. Despite the fact that GVM neither intercepts traffic nor inspects packets, it provides indirect yet useful artifacts, much as a vehicle's condition provides evidence in an accident investigation. Identifying these attack vectors helps detect vulnerabilities and supports proactive security measures. This lab shows that verifying the safety of a network environment can't be attained without vulnerability management.