Changes between Version 6 and Version 7 of GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-portscanning


Timestamp:
10/30/17 17:26:02 (6 years ago)
Author:
Nabeel Akhtar
Comment:

--

  • GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-portscanning

    v6 v7  
    218218''' Note: keep the RINA application processes, PI controller process and PI-based Ryu controller process from the previous 3 steps running in the background. '''
    219219
    220 1. We need to first install our own Snort rule on Snort, so that it can detect the intrusion traffic specified in our rule.
    221 
    222  To install our own rule and configure Snort, in separate windows for VNF1 and VNF2, execute the following commands:
    223    
    224     - ''' cd ~ '''
    225     - ''' wget !http://csr.bu.edu/rina/grw-bu2016/nfv_ryu/snort/config_snort.sh '''
     2201. We need to first configure snort so that we can use our rules, or snort’s build-in rules to detect the intrusion traffic.
     221To configure Snort, in separate windows for VNF1 and VNF2, execute the following commands:
     222
     223    - ''' cd ~ '''
     224    - ''' wget https://raw.githubusercontent.com/akhtarnabeel/public/master/Snort/config_snort.sh '''
    226225    - ''' chmod 755 config_snort.sh '''
    227     -  ''' ./config_snort.sh '''
    228 
    229 Here we use a simple rule where all ICMP traffic to the ''destination'' node is considered as intrusion traffic, and the rule is specified as follows: 
    230 
    231 ''' alert icmp any any -> 10.10.1.5 any (msg:"ICMP traffic found to Destination";sid:1000001;) '''
    232 
    233 in the file ''' /etc/snort/rules/my.rules'''.
    234 
     226    - ''' ./config_snort.sh '''
     227
     2282. Make sure that file /etc/snort/rules/my.rules is empty. This file contains any custom rules to generate snort attack alerts. For this experiment, we will be using snort build-in rules for detecting port-scanning attack.
     229
     2303. Update “/etc/snort/snort.conf” to enable port scanning functionality of Snort. You can update it by uncommenting following line and updating it with following information
     231
     232    - ''' preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/alert } '''
    235233
    2362342. We then run Snort IDS on VNF1 and VNF2. In separate windows for VNF1 and VNF2, execute the following command:
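Review bot: step 2 (new line 228) tells the reader to "make sure" /etc/snort/rules/my.rules is empty immediately after running config_snort.sh, yet the removed text (old lines 229-233) documents that this same script installs the ICMP alert rule into exactly that file; if the script at the new raw.githubusercontent.com URL still writes that rule, step 2 should instruct the reader to clear it (for example `> /etc/snort/rules/my.rules`) rather than just check it, and if the script no longer writes a rule, step 2 should say so, otherwise readers get ICMP alerts on top of the port-scan alerts. Step 3 (new lines 230-232) edits /etc/snort/snort.conf by hand but offers no way to confirm the edit took; suggest adding `snort -T -c /etc/snort/snort.conf` after the change so a commented-out preprocessor or a mistyped `logfile { /var/log/snort/alert }` path is caught before step 4 silently produces no alerts, and noting that this path must match the /var/log/snort/alert file that step 4 relies on. The download is now over HTTPS instead of plain http (good), but the reader still executes `./config_snort.sh` unseen; a sentence inviting them to read the script first fits the tutorial. Wording: "build-in" should be "built-in" (lines 220 and 228), "snort" should be capitalised "Snort" consistently, and "uncommenting following line and updating it with following information" reads better as "uncommenting the following line and updating it to read:".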
     
    244242When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and pass any intrusion information to the Ryu controller which will block the intrusion traffic.
    245243
    246 ''' Note: If you want to re-run this experiment, make sure to remove both files: '' /var/log/snort/alert'' on both VNF nodes, and ''/tmp/attacker.txt'' on the controller node. '''
     244''' Note: If you want to re-run this experiment, make sure to remove /tmp/attacker.txt and /tmp/snortalert files on the controller node. '''
     245
     246== (5) Run Attack Analyzer ==
     247
     248Attack Analyzer reads the snort alerts saved on Controller node and makes decisions about which IP addresses to block. Attack analyzer is the “brain” on the attack control system. It reads the file <i> /tmp/snortalerts </i>, which is generated by RINA on controller node and outputs /tmp/attacker.txt file which has IP address of all the nodes that Attack Analyzer decides to block based on snort alerts.
     249
     250
     251
     252
    247253
    248254==  (5) Generate Regular and Intrusion Traffic ==
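Review bot: the re-run note (new line 244) drops the instruction to delete /var/log/snort/alert on both VNF nodes, but the unchanged line 242 still says Snort appends alerts to that file and the RINA application keeps reading it, so leftover alerts from a previous run would be forwarded to the controller again and could re-block an address; either keep that removal in the note or state why it is no longer needed. The controller-side file name also disagrees within this hunk: the note says /tmp/snortalert while the new Attack Analyzer section (line 248) says /tmp/snortalerts; pick one spelling. The new heading "== (5) Run Attack Analyzer ==" collides with the existing "== (5) Generate Regular and Intrusion Traffic ==" (line 254), so the latter should become (6). The new section's heading says "Run" but the body only describes the analyzer; add the command(s) used to start it on the controller node. Minor: "brain on the attack control system" should be "brain of", line 248 uses the HTML `<i>` tag where the rest of the page uses wiki `''...''` italics, and lines 249-252 are empty and can be dropped.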