Am I doing something wrong with my IDS snort.conf? Failed to detect Nmap scan and hping DoS against another IP - snort

I've got some problems using Snort here. I have some topologies that run under GNS3 for my research. I am penetration testing my topology, which has IDS Snort on Windows 7, using Nmap (scan) and hping3 (TCP SYN flood DoS). When I scan and DoS the IP address of my IDS server (192.168.10.4), an alert appears. But when I try to penetration test the User 2 IP (192.168.10.2), no alert appears. Is there something wrong with my snort.conf on Windows 7?
Click here "My Snort Config"
I tried changing my ipvar HOME_NET, but still no luck when I pentest:
ipvar HOME_NET 192.168.10.0/24
changed to
ipvar HOME_NET 192.168.10.1/24,192.168.10.2/24,192.168.10.3/24,192.168.10.4/24,192.168.10.5/24
I expect that when I penetration test any other IP besides my IDS server, it would give me some alerts too...

#Hanif
I believe the question to be posed is where you want to install Snort sensors and what your desired results are.
Some insight from the early 2000s. http://www.informit.com/articles/article.aspx?p=21778&seqNum=9
To me it looks like you have installed the IDS on its own host and you anticipate it to cover the other three, well, two hosts running Windows. You want to "pentest" the Windows machines and see what IDS alerts show for such attacks.
I would urge you to install Snort on the two Windows hosts and have all the alerts aggregate into something like Elasticsearch. Some further direction for you here: https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html
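As an added illustration (not part of the question or the answer above), a small Python check that parses both HOME_NET definitions from the question and shows they cover exactly the same hosts, so the variable change cannot be the reason the second host produced no alerts; whether the sensor's interface actually receives traffic addressed to 192.168.10.2 is what to verify next. The snort.conf fragments below are constructed from the question's two lines.

```python
import ipaddress
import re

# Constructed snippets reproducing the two HOME_NET definitions from the question.
HOME_NET_BEFORE = "ipvar HOME_NET 192.168.10.0/24\nipvar EXTERNAL_NET !$HOME_NET\n"
HOME_NET_AFTER = ("ipvar HOME_NET 192.168.10.1/24,192.168.10.2/24,192.168.10.3/24,"
                  "192.168.10.4/24,192.168.10.5/24\n")

IPVAR_RE = re.compile(r"^\s*ipvar\s+(\S+)\s+(.+?)\s*$", re.MULTILINE)


def parse_ipvar(conf, name):
    """Return the IPv4 networks listed for 'ipvar <name>' in a snort.conf fragment.

    Accepts comma-separated values with or without the surrounding [ ] that Snort
    allows. Negated entries (!x) and variable references ($VAR) are skipped rather
    than expanded, which is enough for a HOME_NET check.
    """
    for var, body in IPVAR_RE.findall(conf):
        if var != name:
            continue
        nets = []
        for item in body.strip("[]").split(","):
            item = item.strip()
            if not item or item[0] in "!$":
                continue
            # strict=False zeroes the host bits: 192.168.10.2/24 becomes 192.168.10.0/24
            nets.append(ipaddress.ip_network(item, strict=False))
        return nets
    raise ValueError("ipvar %s not found" % name)


def distinct_networks(nets):
    """Collapse duplicates so you can see what a HOME_NET list really covers."""
    return sorted(set(nets), key=lambda n: (int(n.network_address), n.prefixlen))


def covers(nets, address):
    """True if any HOME_NET entry contains the given host address."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for label, conf in (("before", HOME_NET_BEFORE), ("after", HOME_NET_AFTER)):
        nets = distinct_networks(parse_ipvar(conf, "HOME_NET"))
        print(label, [str(n) for n in nets], "covers 192.168.10.2:", covers(nets, "192.168.10.2"))
```

Both variants reduce to the single network 192.168.10.0/24, which already contains every host in the lab.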

Related

Local web server on windows stopped being reachable by devices on the same network

I use a local Python web server on my Windows machine. It’s simple, but good enough while in the static web page development stage. I just run it with something like this on my WSL command line:
python3 -m http.server
I can also access it on mobile devices on the same network, by going to my local address, e.g.: http://192.168.1.12:8000. All was good, until suddenly I could no longer access it on external devices, I got a “server not responding” type of message. Also, I could clearly see that when I refreshed the page on my phone, there was no GET request on the logs.
Immediately I tested on the local machine, and it was still working fine. This obviously smelled like a Firewall. In Linux, I’d know what to do, but it’s the first time I had to deal with this on Windows. This is what I’ve tried, without resolving the connection problem:
I opened the Event Viewer but could not see any obvious logs to check
I stopped the server (CTRL+C) and started it again on another port (5000). The Windows Firewall message popped up again asking for permission for Python3 to access the “Public network” and the “Private network”. Normally I just tick the “private network” but this time I checked both, as a troubleshooting step, in case my Wi-Fi was incorrectly being considered “public”.
I went to Windows Firewall and temporarily shut it down on the private network.
I installed and tried running nmap on the WSL, but it failed to run and prompted me to install the Windows version instead.
I installed and ran the Windows version of nmap but it told me that port 5000 was open.
What is the recommended way to troubleshoot and fix this issue?
Still suspecting the firewall, I tried something new: I switched off the “public network” firewall. I tested on my mobile and the page loaded as normal again! I immediately turned the firewall back on. Tested the page on my mobile once more, still fine. So, the solution was to toggle the public network firewall. I would make it more generic and toggle all firewall categories on Windows. And of course, I would make sure that the firewall stays on; this was a very quick operation.
I thought I’d put this here rather than ServerFault or SuperUser as it could potentially be more useful to developers, and it took a precious hour of my time. I still don’t know why it stopped working on its own in the first place. Better troubleshooting steps or suggestions are welcome, but I probably won’t be able to verify it as I don’t know how to purposely induce the issue.
Another solution that worked another time, was to delete all instances of Python 3.8 from the list of allowed apps (I don't know why Windows shows the same app multiple times) then (re)start the Python server and allow it through when the Firewall question pops up again.
In Windows Firewall you have 4 options to configure your local web server when you are creating a new inbound connection rule:
1 Program
2 Port
3 Predefined
4 Custom
Try to use Port only, with the "TCP protocol" and the custom port.
Allow the connection.
Select all checks: domain, private and public.
Enter a name.
That's all.

How to Confirm PostgreSQL on Ubuntu VM is communicating with External Server for Updates

I have an Ubuntu VM installed on a client's VMware system. Recently, the client's IT informed us that his firewall has been detecting consistent potential port scans to our VM's internal IP address (coming from 87.238.57.227). He asked if this was part of a known package update process on our VM.
He sent us a firewall output where we can see several instances of the port scan, but there are also instances of our Ubuntu VM trying to communicate back to the external server on port 37258 (this is dropped by the firewall).
Based on a Google lookup, the hostname of the external IP address is "feris.postgresql.org", with the ASN pointing to a European company called Redpill-Linpro. As far as I can tell, they offer IT consulting services, specializing in open source software (like PostgreSQL, which is installed on our VM). I have never heard of them before though and have no idea why our VM would be communicating with them or vice versa. I'm also not sure if I'm interpreting the IP lookup information correctly: https://ipinfo.io/87.238.57.227
I'm looking for a way to confirm or disprove that this is just our VM pinging for a standard postgres update. If that's the case I'd like to restrict this behaviour. We would prefer to do these types of updates manually and limit the communication outside of the VM to what is strictly necessary for the functionality of our application.
Update
I sent an email to Redpill's abuse account. They responded quickly saying that the server should not be port scanning anyone and if it appears that way, something is wrong.
The server is part of a cluster of machines that serves apt.postgresql.org among other postgres download sites. I don't think we have anything like ansible or puppet installed that would automatically check for updates but I will look into that to make sure. I'm wondering if Ubuntu reaching out to update the MOTD with the number of available packages would explain why our VM is trying to reach out to the external postgres server?
The abuse rep said in any case there should only be outgoing connections from the VM, not incoming. He asked for some additional info, so I will keep communicating with him and try to update this post accordingly.
My communication with the client's IT dropped off so I did not get a definitive answer on this, but I'll provide some new details:
I reached out to the abuse email for Redpill-Linpro. He got back to me and confirmed the server corresponding to the detected IP address is part of a cluster that hosts postgres download sites, including apt.postgresql.org. He was surprised to learn we had detected a port scan from their server and seems eager to figure out why that is happening.
He asked if the client IT could pass along some necessary info for them to set up tracking on that server. But the client IT never got back to me. I think he was satisfied that it wasn't malicious and stopped pursuing it.
Here's one of the messages the abuse rep sent me that may be relevant:
That does look a lot like the tcp to the apt download server yes. It's strange that your firewall reports that many incoming connections, but they could be fallout from some connection tracking that's not operating as intended. The timing appears to be matching up more or less perfectly. And there should definitely not be any ping-back connections from it.
Since you appear to be using the http version of the server (and not https) bringing the data in cleartext, they should be able to just dump the TCP connection contents and verify exactly what it does. But I bet they are going to see a number of http requests initiated by the apt client that is checking for updates.
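As an added example (not from the question or the abuse contact's reply), a Python classifier for the kind of firewall export described above: it separates the VM's own HTTP requests to the mirror, the mirror's reply packets that a firewall with faulty connection tracking may log as "incoming connections", and any genuinely unexpected inbound traffic from the mirror. The VM address, the log line format and the sample lines are constructed; only the mirror IP comes from the question.

```python
from collections import Counter
import re

MIRROR_IP = "87.238.57.227"   # feris.postgresql.org, from the question
VM_IP = "10.0.0.5"            # constructed stand-in for the VM's internal address
WEB_PORTS = {80, 443}

# Constructed firewall lines in a simple "proto src:sport > dst:dport action" shape;
# a real export needs its own regex, but the same classification applies.
SAMPLE_LOG = """\
tcp 10.0.0.5:37258 > 87.238.57.227:80 ALLOW
tcp 87.238.57.227:80 > 10.0.0.5:37258 DROP
tcp 10.0.0.5:37258 > 87.238.57.227:80 DROP
tcp 87.238.57.227:51822 > 10.0.0.5:22 DROP
"""

LINE_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+(\w+)$")


def classify(line):
    """Label one flow record relative to the VM <-> mirror relationship.

    apt_client:         VM -> mirror on 80/443, what an apt update check looks like
    likely_reply:       mirror:80/443 -> VM high port, the return half of the VM's
                        own session; if the firewall logs it as a fresh inbound
                        connection, suspect its connection tracking
    unexpected_inbound: mirror -> VM on anything else, which a download mirror has
                        no reason to send and which deserves a closer look
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    _proto, src, sport, dst, dport, _action = m.groups()
    sport, dport = int(sport), int(dport)
    if src == VM_IP and dst == MIRROR_IP and dport in WEB_PORTS:
        return "apt_client"
    if src == MIRROR_IP and dst == VM_IP and sport in WEB_PORTS and dport >= 1024:
        return "likely_reply"
    if src == MIRROR_IP and dst == VM_IP:
        return "unexpected_inbound"
    return "other"


def summarize(log_text):
    """Count each category over a block of log lines."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```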

rdp web client of virtualbox

Thank you for reading my question.
I want to log in to the virtual machine remotely through rdpweb, shipped with the VirtualBox SDK. Of course, the virtual machine was installed in VirtualBox. The rdpweb folder contains 4 files: webclient3.html, swfobject.js, webclient.js and RDPClientUI.swf.
Firstly, I copied rdpweb to /.../tomcat/webapp. So I can visit webclient3.html now. And there is an image which shows what I get. Sorry, I don't have enough reputation to post an image. I can only put a link to the image.
http://i.minus.com/jbdHDzjWwQntWQ.PNG
An error happened. Google says that putting crossdomain.xml in the root of the webapp would solve the bug. The bug may be caused by Flash. But it is invalid for me. Why?
My physical host is Win7 (IP: 192.168.1.107), and my virtual guest is Windows XP (IP: 192.168.1.111). The version of VirtualBox is 4.1.8.
Any help would be appreciated! Thank you very much.
I am so sorry for my poor English.
Update:
Your configuration looks like you have configured your WinXP guest with a bridged network adapter, and you are trying to connect directly to it. Have you enabled Remote Desktop on the WinXP guest? Go to the Control Panel -> System applet, then choose the remote tab and be sure to check both boxes to allow remote desktop connections. You will also need to make sure the firewall will allow this connection to the guest.
VirtualBox also has the capability to serve up a virtual machine's display over RDP or VNC (VNC in the OSE - Open Source Edition). If you are wanting to use that capability then you should be connecting to the HOST IP address - not the guest. Since your host is Windows 7 you will also need to adjust the Remote Display Server Port for your guest (in the VM Settings in VirtualBox) to use a port besides 3389. I usually pick 3390. Your screenshot doesn't show somewhere you can enter the TCP port, so this approach may not be supported, but you could try appending :3390 to the IP address.
Original Answer:
Could you post the crossdomain.xml file you are currently using? This is almost certainly a problem with it.
My guess is that your crossdomain.xml file should look something like this:
<?xml version="1.0"?>
<!-- http://127.0.0.1:8080/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="192.168.1.111" />
</cross-domain-policy>
You could start with just putting * instead of the IP address in the file as well - though that is generally not recommended as it opens the possibility that the flash player can access any resource on any network. It would make it easier to access other virtual machines you might use in the future with different addresses.
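As an added example (not part of the answer above), a small Python audit of a crossdomain.xml policy that flags the "*" wildcard the answer warns about, subdomain wildcards, and secure="false"; a policy naming only the guest's single address passes. The sample policy below is constructed from the answer's suggestion plus two deliberately broad entries.

```python
import xml.etree.ElementTree as ET

# Constructed policy: the answer's single-host entry plus two broad entries
# added here to show what the check flags.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="192.168.1.111" />
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.test" secure="false" />
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return (domain, problem) pairs for risky allow-access-from entries.

    Flags the full wildcard (Flash content from any site may read this server),
    subdomain wildcards, and secure="false" (lets content loaded over plain http
    reach an https host). Entries that name one host are considered fine.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings = []
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append((domain, "wildcard grants every origin access"))
        elif domain.startswith("*."):
            findings.append((domain, "subdomain wildcard trusts every host under that name"))
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, 'secure="false" allows non-TLS origins'))
    return findings


def is_host_scoped(xml_text):
    """True when no entry is flagged, i.e. access is limited to named hosts."""
    return not audit_crossdomain(xml_text)


if __name__ == "__main__":
    for domain, problem in audit_crossdomain(SAMPLE_POLICY):
        print(f"{domain}: {problem}")
```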

Using Wireshark With Local Test Application

I have written a small client server socket application. It is a proof of concept for some socket programming that I want to apply to a much bigger project.
For the moment I want to use Wireshark to analyse the traffic that goes between them. They are both running on my local machine.
I have installed a loopback interface, and have tried to use wireshark with it.
No joy. Any ideas?
I have successfully analysed traffic between my machine and other machines no problems.
I have had a look here,
http://wiki.wireshark.org/CaptureSetup/Loopback
And I am not using the address 127.0.0.1 which they mention saying you can't capture traffic on 127.0.0.1
Thanks.
You might try creating a virtual machine to run your application and using wireshark on it.
Save yourself some grief and download Microsoft Network Monitor.
As good as Wireshark is on Unixen, Windows is a "special" case :)

How do I know if a system has powered on?

I am writing a script that powers on a system via the network. And then I need to run a few commands on the other host. How do I know whether the system has powered on?
My programming language is Perl and the target host is RHEL5.
Is there any kernel interrupt or network boot information that indicates the system has powered on and the os has loaded?
[In a different scenario] I was also wondering, just in case I switch on my machine manually: when exactly is it said to have powered on, and when is the OS supposed to have booted completely for a network-related operation such as executing a network command there? What if the system is on DHCP? How would a remote system then search for this machine? [I guess it is possible via MAC address, but I may be wrong.]
If I have missed out any info please feel free to ask me. If you have any suggestions to make the task easier please surface them :)
thanx
imkin
Well, I'd say the system is booted when it can perform the request you've made of it. That is, the sshd daemon is running. That's booted sufficiently for your purposes (I assume - substitute for whatever daemon you really need).
So, I'd send the power-on signal, and check back every 15-30 seconds to see if I could connect. If I've failed to connect within whatever is a reasonable time for that machine (2 minutes or 5 minutes or whatever), then I'd send an alert to the IT support team. Well, I'd send it to myself first, and only once I've investigated a few failures or so and found them to all be legitimate would I start sending it directly to IT.
DHCP is kind of a different question. You'd have to start learning about broadcasting, or having a daemon on that machine "call home" during boot to register its current IP address. And it would have to "call home" every time a DHCP renewal changed its IP address. This is decidedly more convoluted. Try to avoid DHCP on such server machines if at all possible.
On the rebooting machine you can install a script in your crontab with the special @reboot assertion (see man 5 crontab). That script could send a notification of some kind to the other machine, notifying it that it's up now.
I think checking for sshd sounds like a good approach.
As for the DHCP problem: if the other computer is on the same subnet you can look it up by MAC address using Net::ARP.
How about adding a script to the remote machine which gets run on startup to have it tell you when it is ready.
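As an added example (in Python rather than the Perl the question uses, and not code from any of the answers), the approach the answers describe: send the Wake-on-LAN magic packet, then poll the target's sshd port at a fixed interval until it accepts a connection or a deadline passes. The MAC address, broadcast address and the local listener used for trying it out are constructed.

```python
import socket
import time


def magic_packet(mac):
    """Build a Wake-on-LAN magic packet: 6 x 0xFF followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet on the local segment (UDP/9 is the usual choice)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))


def wait_for_port(host, port, deadline_s=300, interval_s=15, connect_timeout_s=3):
    """Poll until a TCP connect to host:port succeeds; False once the deadline passes.

    'The daemon accepts connections' is taken as 'booted', as the answer suggests;
    a refused connect and a timeout both count as 'not yet'.
    """
    end = time.monotonic() + deadline_s
    while True:
        try:
            with socket.create_connection((host, port), timeout=connect_timeout_s):
                return True
        except OSError:
            pass
        if time.monotonic() >= end:
            return False
        time.sleep(min(interval_s, max(0.0, end - time.monotonic())))


def open_local_listener():
    """Helper for trying the poll locally: returns (socket, port) of a listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # send_wol("00:11:22:33:44:55")  # constructed MAC; uncomment on a real LAN
    srv, port = open_local_listener()
    print("listener reachable:", wait_for_port("127.0.0.1", port, deadline_s=5, interval_s=1))
    srv.close()
    print("closed port reachable:", wait_for_port("127.0.0.1", port, deadline_s=2, interval_s=1))
```

In production, replace the local listener with the target's address and port 22, and raise the alert the answer describes when wait_for_port returns False.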