Verification
To verify whether an intrusion policy is active, you can run traffic to and from hosts on either side of the threat defense. However, if the traffic does not carry a signature of any vulnerability, the threat defense does not trigger an intrusion alert for it. To verify the action of an intrusion policy, this chapter uses the simple Snort rule 1:718. Here is the rule syntax:
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:718; rev:16; )
According to the syntax of this rule, when a Telnet server rejects an authentication request (typically because the user supplied incorrect login credentials) and responds to the client with a "Login incorrect" message (carried in the packet payload), the threat defense triggers the rule to prevent any potential brute-force attacks. Assuming the variable set is defined accurately, this rule inspects Telnet traffic (from server port 23) destined for the $EXTERNAL_NET network. It should not evaluate any Telnet traffic destined for the $HOME_NET network.
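To make the rule's matching conditions concrete, the following Python script is an added example (it is not from the book, and it is not Snort's own engine). It parses rule 1:718 exactly as quoted above and evaluates it against a few constructed Telnet segments. Assumptions: $HOME_NET is 192.168.1.0/24 (the chapter only names the server 192.168.1.200), $EXTERNAL_NET is everything outside $HOME_NET, $TELNET_SERVERS defaults to $HOME_NET as in Snort's stock variable set, and the client addresses 203.0.113.10 and 192.168.1.50 are invented for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Snort rule 1:718 as quoted in the chapter, joined onto one line.
RULE_718 = (
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any '
    '(msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; '
    'content:"Login incorrect"; metadata:ruleset community, service telnet; '
    'classtype:bad-unknown; sid:718; rev:16; )'
)

# Constructed variable set for the lab topology; the /24 is an assumption.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    """Minimal view of one TCP segment plus the stream state Snort tracks."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    to_client: bool      # True when the server side is sending to the client
    established: bool    # True once the TCP three-way handshake completed
    payload: bytes


def in_home_net(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in HOME_NET)


def address_matches(var: str, ip: str) -> bool:
    """Resolve a rule address variable: $EXTERNAL_NET is !$HOME_NET and
    $TELNET_SERVERS defaults to $HOME_NET (assumed variable set)."""
    if var == "any":
        return True
    if var in ("$HOME_NET", "$TELNET_SERVERS"):
        return in_home_net(ip)
    if var == "$EXTERNAL_NET":
        return not in_home_net(ip)
    raise ValueError(f"unknown variable {var}")


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def parse_rule(text: str) -> dict:
    """Split a one-line Snort rule into its header fields and its options."""
    header, body = text.split("(", 1)
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are handled here")
    options, contents = {}, []
    for key, value in re.findall(r'(\w+)\s*:\s*([^;]*);', body):
        value = value.strip().strip('"')
        if key == "content":
            contents.append(value)   # a rule may carry several content matches
        else:
            options[key] = value
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options, "contents": contents}


def rule_fires(rule: dict, pkt: Packet) -> bool:
    """Header checks first, then flow state, then payload content."""
    if not (address_matches(rule["src"], pkt.src_ip) and port_matches(rule["sport"], pkt.src_port)):
        return False
    if not (address_matches(rule["dst"], pkt.dst_ip) and port_matches(rule["dport"], pkt.dst_port)):
        return False
    flow = rule["options"].get("flow", "").split(",")
    if "to_client" in flow and not pkt.to_client:
        return False
    if "established" in flow and not pkt.established:
        return False
    return all(c.encode() in pkt.payload for c in rule["contents"])


def evaluate_samples() -> dict:
    """Constructed server/client segments covering the cases the chapter discusses."""
    server, ext_client, int_client = "192.168.1.200", "203.0.113.10", "192.168.1.50"
    failed = b"\r\nLogin incorrect\r\nlearner login: "
    success = b"\r\nWelcome to Ubuntu 18.04.5 LTS\r\n"
    samples = {
        "failed login to external client": Packet(server, 23, ext_client, 51234, True, True, failed),
        "failed login to internal client": Packet(server, 23, int_client, 51235, True, True, failed),
        "successful login to external client": Packet(server, 23, ext_client, 51236, True, True, success),
        "client sending the string itself": Packet(ext_client, 51234, server, 23, False, True, failed),
    }
    rule = parse_rule(RULE_718)
    return {label: rule_fires(rule, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, fired in evaluate_samples().items():
        print(f"{'ALERT' if fired else 'pass '}  {label}")
```

Only the first sample fires: the same "Login incorrect" banner sent to a client inside $HOME_NET is ignored because the rule's destination is $EXTERNAL_NET, a successful login carries no matching content, and a client-to-server segment fails the flow:to_client check. That is the behaviour to expect when you verify the policy from the lab topology: test from a host that your variable set actually places in $EXTERNAL_NET.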
Figure 15-32 shows the topology that is used in the lab exercises in this chapter. If you attempt to connect to your Telnet server from an external network host and enter valid login credentials, you will be able to access the server as usual. However, if you enter incorrect credentials, the server sends the Login incorrect message. Any subsequent connection attempts on that Telnet session are blocked by the threat defense; more specifically, they are blocked by Snort rule 1:718.
Figure 15-32 Lab Topology Used in This Chapter
Example 15-1 shows the messages on the CLI when you attempt to connect to a Telnet server running on a Linux-based system. Note the Login incorrect message when the login attempt is unsuccessful.
Example 15-1 Telnet Server Connection Attempts
! When a login attempt is unsuccessful
end-user@Linux:~$ telnet 192.168.1.200
Trying 192.168.1.200... Open
Connected to 192.168.1.200.
learner login: student
Password:
Login incorrect
learner login:

! When a login attempt is successful
end-user@Linux:~$ telnet 192.168.1.200
Trying 192.168.1.200... Open
Connected to 192.168.1.200.
learner login: student
Password: ********
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-122-generic x86_64)
student@Server:~$