Changes between Version 6 and Version 7 of GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-portscanning
- Timestamp:
- 10/30/17 17:26:02 (7 years ago)
GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-portscanning
v6 v7 218 218 ''' Note: keep the RINA application processes, PI controller process and PI-based Ryu controller process from the previous 3 steps running in the background. ''' 219 219 220 1. We need to first install our own Snort rule on Snort, so that it can detect the intrusion traffic specified in our rule. 221 222 To install our own rule and configure Snort, in separate windows for VNF1 and VNF2, execute the following commands: 223 224 - ''' cd ~ ''' 225 - ''' wget !http://csr.bu.edu/rina/grw-bu2016/nfv_ryu/snort/config_snort.sh ''' 220 1. We need to first configure snort so that we can use our rules, or snort’s build-in rules to detect the intrusion traffic. 221 To configure Snort, in separate windows for VNF1 and VNF2, execute the following commands: 222 223 - ''' cd ~ ''' 224 - ''' wget https://raw.githubusercontent.com/akhtarnabeel/public/master/Snort/config_snort.sh ''' 226 225 - ''' chmod 755 config_snort.sh ''' 227 - ''' ./config_snort.sh ''' 228 229 Here we use a simple rule where all ICMP traffic to the ''destination'' node is considered as intrusion traffic, and the rule is specified as follows: 230 231 ''' alert icmp any any -> 10.10.1.5 any (msg:"ICMP traffic found to Destination";sid:1000001;) ''' 232 233 in the file ''' /etc/snort/rules/my.rules'''. 234 226 - ''' ./config_snort.sh ''' 227 228 2. Make sure that file /etc/snort/rules/my.rules is empty. This file contains any custom rules to generate snort attack alerts. For this experiment, we will be using snort build-in rules for detecting port-scanning attack. 229 230 3. Update “/etc/snort/snort.conf” to enable port scanning functionality of Snort. You can update it by uncommenting following line and updating it with following information 231 232 - ''' preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/alert } ''' 235 233 236 234 2. We then run Snort IDS on VNF1 and VNF2. 
In separate windows for VNF1 and VNF2, execute the following command: … … 244 242 When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and pass any intrusion information to the Ryu controller which will block the intrusion traffic. 245 243 246 ''' Note: If you want to re-run this experiment, make sure to remove both files: '' /var/log/snort/alert'' on both VNF nodes, and ''/tmp/attacker.txt'' on the controller node. ''' 244 ''' Note: If you want to re-run this experiment, make sure to remove /tmp/attacker.txt and /tmp/snortalert files on the controller node. ''' 245 246 == (5) Run Attack Analyzer == 247 248 Attack Analyzer reads the snort alerts saved on Controller node and makes decisions about which IP addresses to block. Attack analyzer is the “brain” on the attack control system. It reads the file <i> /tmp/snortalerts </i>, which is generated by RINA on controller node and outputs /tmp/attacker.txt file which has IP address of all the nodes that Attack Analyzer decides to block based on snort alerts. 249 250 251 252 247 253 248 254 == (5) Generate Regular and Intrusion Traffic ==
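Review bot: In the first hunk the retained step "2. We then run Snort IDS on VNF1 and VNF2." is now preceded by new steps 2 (check that my.rules is empty) and 3 (enable sfportscan), so it should be renumbered to 4; as written the page has two step 2s. The new download step fetches `config_snort.sh` from `.../akhtarnabeel/public/master/Snort/config_snort.sh` and immediately runs it with `chmod 755 config_snort.sh` / `./config_snort.sh`, and because the URL points at `master` the script contents can change under the tutorial at any time and there is no integrity check before execution; pin the raw URL to a specific commit and tell the reader what the script changes on the node (or give a checksum to compare against) so the experimenter can verify what they are executing. Two typos in the added text: "snort's build-in rules" and "using snort build-in rules" should read "built-in". The sfportscan line `preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/alert }` writes port-scan events to the same `/var/log/snort/alert` file that the RINA application reads, which is what the following hunk relies on; it would help to say so explicitly, since a reader who leaves the default logfile path from snort.conf would get no alerts forwarded.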
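Review bot: In the second hunk the new re-run note names `/tmp/snortalert`, while the new "(5) Run Attack Analyzer" section says the analyzer reads `/tmp/snortalerts`; one of the two is wrong, and a reader who deletes the wrong file will re-run with a stale alert history. The rewritten note also drops the old instruction to remove `/var/log/snort/alert` on both VNF nodes, yet the unchanged context just above still says Snort saves alerts to that file and the RINA application keeps reading it, so leftover entries from a previous run would be forwarded to the controller again; keep that part of the old note unless the VNF-side file is now truncated elsewhere. Both new section headings are numbered "(5)" ("Run Attack Analyzer" and "Generate Regular and Intrusion Traffic"); renumber the second to "(6)". Style point: the new section uses HTML `<i> /tmp/snortalerts </i>` while the rest of the page uses the wiki `'' ... ''` italics; use the wiki form and drop the spaces inside it.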