Student Name (s): | |||
Course: | |||
Professor: | |||
Chapters #: | 2 | Due Date: |
-0.5 points
Remember that students can select 2 of the 3 chapters per session; however, for those choosing to complete all the chapters, extra credit will be awarded as per the syllabus. Save your file in the following format: NWIT247_Team#_Chapter#. One template per chapter. Submit any extra credit work along with your submission and assign one person in your team to upload all the documents at once. Extra credit will only be applied when the first 2 chapters have been fully completed. Proofread your work; otherwise, the resubmission policy applies if you need to resend an updated version.
0.5 points
Chapter Summary:
Detailed summary outlining the highlights of the chapter
Chapter # and Title | Chapter Concepts | Details as to why this is a highlight |
Chapter 2: IR Management Handbook | What Are the Goals of Incident Response? Who Is Involved in the IR Process? The Incident Response Process | This section explains the main goal of incident response, which is to remove a threat entirely from an organization’s network while reducing damage and restoring operations as soon as possible. To accomplish this goal, we are reminded that both investigating and remediating are needed. This section details who exactly is part of the incident response team and that it is made up of personnel from disciplines besides cybersecurity. These disciplines can include human resources personnel, legal counsel, public relations, business managers, and other employees who may find themselves involved when responding to an incident. This section details the individual steps taken to achieve the goals of incident response. There are three main steps: initial response, investigation, and remediation, with dedicated personnel for each step. |
0.5 points
Cyber Event Related to This Chapter (2019 and forward): Provide summary of what this event was about and how it relates to the chapter contents.
Event Date/Year | Event Title | Description of Event | Relationship of Event to Chapter Contents |
July 2020 | Twitter Spear Phishing Attack | Hackers targeted Twitter employees by calling them and asking for login credentials while posing as colleagues. They gained access to the company’s internal support system and used this access to target more employees, and later gained control of the accounts of several famous Twitter users. They then tweeted from each of the accounts that they were doing a Bitcoin giveaway, tricking unsuspecting followers into sending them Bitcoin in the belief that it would be sent back doubled. | This attack is the very definition of a cyber incident. It was an unauthorized and unlawful action involving use of Twitter’s internal systems to gain access to celebrity accounts, which were then used to complete the hackers’ mission of stealing Bitcoin. |
Technology (Software / Tool) Related to the Chapter Contents: The technology of your choice will be related to the chapter contents. The chapters reference various software. You can select any of the software mentioned or one of your choice. You will need to demonstrate your work by providing detailed steps and screenshots for each step taken to demonstrate how the technology works. This entails installing, configuring, and running the software.
0.25 points
Chapter # | Software Referenced in the Chapter |
2 | OpenIOC, YARA, Snort |
Software Chosen | Snort | ||
Version Installed | 2.9.20 | Open Source? | Yes ☒ No ☐ |
Latest Version Available | 2.9.20 | Trial Version? | Yes ☐ No ☒ |
OS Compatibility | Windows 7/8/10/11 | OS Used | Windows 11 |
To demonstrate your work, provide detailed steps and screenshots for each step taken for each of the following:
0.5 points
Installation
- Open your favorite browser (Chrome, Firefox, Internet Explorer, Edge…)
- Navigate to snort.org
- Under Get Started, choose Windows and download the exe file.
- Once the file is downloaded and the executable is running, you will be presented with the following screen:
- You can read through the license agreement and, once you are done, click “I Agree”. There are three key components: Snort itself, the dynamic modules, and the documentation. Click Next to continue:
- Here you can choose the location to install Snort, or leave it at the default folder, C:\Snort; the installation only requires about 7.5 megabytes. Once you click Next, the installation completes very quickly.
- Click Close and then OK to finish the installation process. You can click Show details to see what has been generated.
- In the Windows search bar, type cmd and run Command Prompt as an administrator. Navigate to the c:\snort\bin folder, where all the binaries are kept. If you run snort.exe at this point you get a failure, because WinPcap is not installed yet.
- To fix this issue, if you are running Windows 8 or earlier, navigate to https://www.winpcap.org/install/ using your favorite web browser and download the installer for Windows.
- Once the file is downloaded and the executable is running, you will be presented with the following screen. Click Next.
- Read the license agreement and then accept it by clicking “I Agree”.
- Make sure “Automatically start the WinPcap driver at boot time” is selected. Click Install and then Finish. Once the installation is completed, restart the computer to ensure that all the drivers have been installed properly.
- Warning *** If you are running Windows 10 or later and encounter any issues running Snort after this installation, it is because WinPcap is no longer supported. A compatible alternative, Npcap, can be downloaded and installed via: https://nmap.org/npcap/#download.
When installing Npcap, use the latest version (currently 1.7) and make sure the WinPcap API-compatible mode option in the installer is enabled.
- You can now open a Windows terminal to verify that the software runs properly.
0.5 points
Configuration
- After installing Snort on Windows 11, the next important step to get started with Snort is configuring it.
- Navigate to https://www.snort.org/downloads#rules to download the latest rules.
- The subscriber rules are only available to registered users. Extract the downloaded file to a folder on your computer.
- Copy all files and directories from the \etc folder to the appropriate directory. For example, you would copy all files and directories from etc\snort\rules (in the downloaded folder) to c:\snort\etc\rules.
- Once you’ve done that, you can start the configuration process.
- The etc folder contains all configuration files; the most important one is snort.conf. We will use Notepad to edit it.
- The first thing we will do is set the home network IP range, which in my case is 192.168.7.0/24: ipvar HOME_NET 192.168.7.0/24
- Set the external network to anything that is not the home network: ipvar EXTERNAL_NET !$HOME_NET
- Define the directories for our rules and preprocessor rules:
var RULE_PATH c:\snort\rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules
- Set the white list and black list paths; they will be in Snort’s rules folder:
var WHITE_LIST_PATH c:\snort\rules
var BLACK_LIST_PATH c:\snort\rules
- Enable the log directory so that logs are stored in our log folder. Uncomment this line and set the absolute path to the log directory:
config logdir: c:\snort\log
- Set the paths to the dynamic preprocessors and the dynamic engine:
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
- Leave the dynamic detection rules directory commented out, since it points to a Linux path that does not exist on Windows: # dynamicdetection directory /usr/local/lib/snort_dynamicrules
- Comment out these lines as shown in figure 19; in doing so we are excluding inline packet normalization, which does nothing in IDS mode anyway:
# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
- Scroll down to the reputation preprocessor. We will just change the file names, since the white list and black list are not rules; they are just lists of IP addresses labelled as black or white:
whitelist $WHITE_LIST_PATH\white_list, \
blacklist $BLACK_LIST_PATH\black_list
- Convert the backslashes to forward slashes in all lines under site specific rules, e.g. include $RULE_PATH\local.rules
- Convert the backslashes to forward slashes in all lines under decoder and preprocessor event rules.
- Verify that this line is present at the bottom of the snort.conf file, then save the file:
include threshold.conf
- Now, recalling Step 10, the white list and black list are not rules; they are just lists of IP addresses labelled as black or white. Right now these files don’t exist in our rule path, which is why we have to create them manually and save them in C:\Snort\rules (the file names must match the whitelist and blacklist entries in the reputation preprocessor, or Snort will fail to find them).
Go to Notepad++ and create a new file.
Add the comment #White-listed IPs.
Name the file white.list and save it.
Create another new file.
Add the comment #Black-listed IPs.
Name the file black.list and save it.
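Hand-editing snort.conf on Windows leaves a few classic mistakes behind: backslashes in include paths, a forgotten include threshold.conf, HOME_NET left at any, and reputation list files whose names do not match what the reputation preprocessor references. The following added example (not Snort’s own code nor part of the original write-up) parses a constructed snort.conf excerpt mirroring the steps above and reports those problems; SAMPLE_CONF and RULES_DIR_FILES are constructed test data, not a real installation.

```python
import re
from pathlib import PureWindowsPath

# Constructed snort.conf excerpt mirroring the edits listed in the steps above.
SAMPLE_CONF = r"""
ipvar HOME_NET 192.168.7.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\snort\rules
var WHITE_LIST_PATH c:\snort\rules
var BLACK_LIST_PATH c:\snort\rules
config logdir: c:\snort\log
preprocessor reputation: memcap 500, priority whitelist, nested_ip inner, \
   whitelist $WHITE_LIST_PATH\white_list, \
   blacklist $BLACK_LIST_PATH\black_list
include $RULE_PATH\local.rules
include threshold.conf
"""
# Constructed listing of C:\Snort\rules after the manual file-creation step.
RULES_DIR_FILES = {"local.rules", "white.list", "black.list"}


def check_conf(conf, rules_dir_files):
    """Return findings for the pitfalls of hand-editing snort.conf on Windows."""
    findings = []
    # ipvar/var definitions, so $NAME references can be expanded.
    variables = dict(re.findall(r"^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)", conf, re.M))

    def expand(s):  # replace $NAME with its definition; unknown names stay as-is
        return re.sub(r"\$(\w+)", lambda m: variables.get(m[1], m[0]), s)

    if variables.get("HOME_NET", "any") == "any":
        findings.append("HOME_NET still matches any address")
    # Only uncommented lines are active; the commented-out normalize_* lines stay off.
    active = [l.strip() for l in conf.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for line in active:
        if line.startswith("include") and "\\" in line:
            findings.append("backslash in include path: " + line)
    if "include threshold.conf" not in active:
        findings.append("include threshold.conf is missing")
    # Reputation lists are plain IP lists, so the referenced files must exist by exact name.
    joined = " ".join(active)
    for kind in ("whitelist", "blacklist"):
        m = re.search(kind + r"\s+(\$\S+?),?(?:\s|$)", joined)
        if m:
            name = PureWindowsPath(expand(m[1])).name
            if name not in rules_dir_files:
                findings.append(f"{kind} file {name!r} not found in rules directory")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF, RULES_DIR_FILES):
        print("WARNING:", finding)
```

Run against the constructed excerpt it flags the backslash in the local.rules include and the white_list/black_list names that were created as white.list/black.list; fix either the names or the config so they agree before running snort -T.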
1 point
Verification | Running the Software: How the software works and that it works as intended as related to the chapter contents
- Let’s verify that the software is running with the following two commands:
snort -W
snort -i 1 -c C:\Snort\etc\snort.conf -T
- To conclude we will add some basic rules in snort and do some monitoring.
To add rules, navigate to c:\snort\rules and open the local.rules file with your favorite text editor. Modify it as follows:
- Open a command line and then type the following command: snort -i 1 -c c:\snort\etc\snort.conf -A console
The number “1” is the interface that is being used. In my case I am using interface 6. The program will keep running and you will see packets being processed. To stop the program, press Ctrl + C.
0.5 points
Best Practice: Provide details on how to mitigate against the cyber event chosen (as per section above).
Event Date/Year | Event Title | Mitigation Against Cyber Event Chosen |
July 2020 | Twitter Spear-Phishing Attack | This attack could have been mitigated if the initial employee who gave out their credentials had been properly trained on the company’s policies and had never shared their credentials. |
-1 points
Bibliography (MLA or APA format only): Include all resources used (Textbook for specific chapter used, YouTube videos, software downloads, Internet resources, etc.). Be sure to also include the link as appropriate.
1. Snort is an intrusion detection system that can be installed on your Windows or Linux operating system. It sniffs packets and it is a packet logger. Snort can intercept all the TCP/IP traffic packets coming in and out of the operating system in real time. The Snort application is accepted as the de facto tool for network-based IOCs.
The program allows you to put in advanced rules to see whether there are indicators of compromise or indicators of attack. You can then do a lot of processing and rule-based engine classification to see what kinds of attacks are going on.
YouTube. (2016, May 10). Install Snort 2.9.8 on Windows [Video]. YouTube. Retrieved June 29, 2022, from https://www.youtube.com/watch?v=RwWM0srLSg0
Flylib. (n.d.). Installing Snort on Windows. Installing Snort on Windows | Installing Snort from Source on Unix. Retrieved June 29, 2022, from https://flylib.com/books/en/2.12.1/installing_snort_on_windows.html
SathiyaMoorthy. (2010, August 6). Snort: 5 steps to install and configure Snort on Linux. The Geek Stuff. Retrieved June 29, 2022, from https://www.thegeekstuff.com/2010/08/snort-tutorial/
Grading of this assignment will depend on individual and team participation
Teams Only: Detailed information for the role that each team member played in completing this deliverable. Include all names even if a student didn’t participate or meet deadlines. Failure to provide these details will result in a point reduction.
-1 points
Team # | Student Name | Role Details | Did this student fully participate? |
2 | | Installation, Configuration, Verification, assisted in putting the file together. | Yes |
2 | | Lead (putting final files together) | Yes |
2 | | Cyber Event Related, Best Practice | Yes |
2 | | Bibliography | Yes |
2 | | Chapter Summary | Yes |