INFA 630 – Lab #2

In previous parts of the course we have looked at network packet capture and packet analysis, rule writing in Snort, and the functions of the IDS detection engine, all while consistently tracing back to the security requirements and objectives that we are trying to achieve in the first place. Over the last two weeks our readings focused on specific ways in which network- and host-based IDS tools can be used to identify different threats, look for interesting events, or monitor types of behavior. Your second lab assignment asks that you apply both your technical knowledge and your practical knowledge of IDS in order to come up with a way to monitor for a specific type of behavior. This assignment is also intended in part to highlight the potential for effective use of NIDS tools for detecting internal threats, despite the fact that some of your reading has suggested NIDS is poorly suited for this type of task.

The Scenario: Assume that you are a security analyst working for a medium-sized company where many employees use computers connected to the Internet (as well as to the internal company LAN, of course) as part of their daily job functions. Your company has implemented an acceptable-use policy for all employees that includes a general prohibition on using company computing resources to conduct inappropriate activities, such as downloading copyrighted music and videos, participating in online gambling, visiting “adult-oriented” web sites, and posting sensitive company information to blogs, message boards, or similar sites. Your company is considering deploying content-filtering software to help enforce this policy, but is not sure whether the cost and potentially over-broad restrictions imposed by the software would be justified. As a knowledgeable security analyst, you voice an educated opinion that you can use Snort, the company’s chosen NIDS tool, to help monitor network activity and provide information that might support a decision about whether content-filtering software is warranted.

The Assignment: Pick a web site that fits one or more of the prohibited categories above (or something similarly likely to fall on the wrong side of “acceptable use”), and create the necessary ruleset to use within Snort to fire an alert whenever an attempt is made to connect to, access, browse, or otherwise visit the site you have chosen. Stated simply, you want to be alerted if any internal network user tries to access the site you have chosen. Set up your ruleset and your Snort configuration to load the rule in Snort. Then, with Snort running and including your ruleset, open a browser and visit the prohibited site you have chosen. Verify that your rule fires when this happens.

Your completed lab assignment should contain the following:

1. The “unacceptable” site you selected.
2. The ruleset created to detect attempts to visit the site.
3. The Snort output produced when the rule fired and the alert was generated (a screenshot of the terminal window showing Snort running with console output, or a copy of the ASCII log file, is sufficient).

Please note: the successful completion of this exercise does not require you to use an actual inappropriate site – the structure of the rule you write would likely be the same for any specific web site you selected. At least one student in a prior iteration of this class received a somewhat unpleasant visit from her corporate information security officer because her attempted browsing of an Internet gambling site was detected by the security operations team. Please stay within your own comfort zone on the selection of any target site for this assignment, and please also be conscious of the environment in which you are operating whenever you are using the Internet.

Your lab assignment should be submitted via your Assignments folder.
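As an added illustration of the kind of ruleset the assignment asks for (this is an editor's example, not part of the lab handout), the rules below show one way to alert on attempts to reach a chosen site. Snort 2.9 rule syntax is assumed; the site name example-gambling.test, the SID values 1000001 and 1000002, and the file name local.rules are placeholders to be replaced with your own site and numbering.

```snort
# local.rules -- example ruleset, not part of the lab handout.
# "example-gambling.test" is a placeholder for the site you chose (.test is a
# reserved top-level domain, so this name never resolves on the real Internet).
# Snort 2.9 rule syntax is assumed; $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS
# are the variables defined in snort.conf.

# Rule 1: a plain-HTTP request whose Host header names the site.
# Matching in the normalized header buffer (http_header) rather than the raw
# payload means the rule still fires whatever the path, method, or letter case.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"AUP VIOLATION - HTTP request to example-gambling.test"; \
    flow:to_server,established; \
    content:"Host|3A| "; http_header; nocase; \
    content:"example-gambling.test"; http_header; nocase; distance:0; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Rule 2: a DNS query for the site. This fires before any connection is made,
# and still fires when the site is reached over HTTPS, where the Host header is
# encrypted and Rule 1 cannot see it. The destination is "any" rather than
# $EXTERNAL_NET because the company resolver is usually inside $HOME_NET.
# DNS encodes a name as length-prefixed labels:
#   0x10 (16 bytes) "example-gambling", 0x04 (4 bytes) "test", 0x00 terminator.
# nocase is kept because some resolvers randomize the case of query names.
alert udp $HOME_NET any -> any 53 ( \
    msg:"AUP VIOLATION - DNS lookup for example-gambling.test"; \
    content:"|10|example-gambling|04|test|00|"; nocase; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

To load the rules, make sure snort.conf contains the line `include $RULE_PATH/local.rules` (the stock Snort 2.9 configuration already has it) and start Snort printing alerts to the terminal, for example `sudo snort -A console -q -c /etc/snort/snort.conf -i eth0` (substitute your own interface). Each alert line then carries the generator:sid:rev triple, such as `[1:1000001:1]`, followed by the msg text, which is the output item 3 of the assignment asks for. Two caveats worth checking before you submit: if the browser already has the name cached, only Rule 1 will fire, so clear the DNS cache or restart the browser to see both; and if you run Snort 3 rather than 2.9, `http_header` is a sticky buffer written before the content it applies to, so Rule 1 needs to be rewritten in that form.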