COIS23001 – Network Security
Assessment item 2—Assignment 2
Due date: Friday (5:00 p.m. AEST) - Week 10
Weighting: 25%
SUBMISSION REQUIREMENTS

You are required to submit:
1. A single Microsoft Word file (unzipped) via the Moodle course web site. Details about the online submission process required for this assessment item are available from the course website.
2. A plain text file named snort.conf which contains your SNORT rules in answer to Question 1.
3. A copy of your message.txt, extra_logo.png, and ass2sig.jpg files from Question 2.

1. Question 1: Snort Rules Case Study [10 Marks]

Scenario
A small company has a network set up behind a NAT router. The router is connected to the Internet via a single ISP-provided dynamic IP address. The ISP-provided access address may change over short periods of time.

The internal network is RFC 1918 Category 2 compliant, and uses the private address space 192.168.3.0/24. The gateway router is configured to use DHCP allocated IP addresses to internal hosts as they connect. However, a record is kept within the router of what IP addresses have previously been allocated to specific MAC addresses. Whenever those MAC addressed hosts disconnect from and later reconnect to the network they are reallocated the same IP address. It is only if the router has a power off episode, or is manually reset, that allocation of different IP addresses may occur (and even then, the same addresses may be allocated as before).

The company operates an approved internal web server at 192.168.3.21:80, to facilitate in-house development of web pages and web sites that will later be deployed to an external server for public access. It is a company policy that only one approved internal web server is to be in operation on the network.

You are the company IT Manager.
It has come to your notice that a company employee has set up a rogue web server on the internal network, using a personal laptop. The employee is using that web site to provide undesirable material to a small clique of employees, to whom the web server address has been provided secretly.

The company CEO has requested you to:

1. Obtain hard evidence that an employee is in fact using a personal laptop to set up a rogue web server.
2. Find out what other employees are accessing the rogue web site.

Considerations
• The rogue web server may be on any internal IP address, and will be using any of the ephemeral ports. It will not be using a well-known port.
• The clients accessing the rogue web server may come from any internal IP address using any ephemeral port.
• The MAC addresses of all company host devices are on record.
• The MAC address of the device being used to host the rogue web server, and the MAC addresses of all devices that connect to the rogue server, need to be obtained for later use as evidence.

Technical Approach to the Solution
To carry out the CEO's request you have decided to:

A) Use Wireshark to capture packet data on the internal network.

B) Use Snort to monitor for any internal network HTTP traffic destined for any internal host and port other than the authorised company internal web server, and produce an alert message.

The snort monitoring will identify when breaches have occurred. The Wireshark pcap file containing the captured packets can be time correlated with the logged snort alerts to obtain MAC addresses for source and target.

Your Task
You are to write a .conf file containing the snort rule(s) that will accomplish the technical approach to a solution.

Hint
• For this question, make sure you do the Snort Project - Week 8 (Intrusion Detection Concepts), located in the course Moodle Site.

If your rules are correct the alert.ids file should contain entries like the following:

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:29.439844 192.168.3.5:49496 -> 192.168.3.2:6400
TCP TTL:64 TOS:0x0 ID:18940 IpLen:20 DgmLen:408 DF
***AP*** Seq: 0xE8349C5 Ack: 0xBCB171EE Win: 0xFFFF TcpLen: 32
TCP Options (3) = NOP NOP TS: 1210791384 0

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:29.440554 192.168.3.2:6400 -> 192.168.3.5:49496
TCP TTL:128 TOS:0x0 ID:1065 IpLen:20 DgmLen:1300 DF
***A**** Seq: 0xBCB171EE Ack: 0xE834B29 Win: 0xFE9B TcpLen: 32
TCP Options (3) = NOP NOP TS: 195453 1210791384

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:29.449929 192.168.3.5:49496 -> 192.168.3.2:6400
TCP TTL:64 TOS:0x0 ID:18942 IpLen:20 DgmLen:367 DF
***AP*** Seq: 0xE834B29 Ack: 0xBCB1799C Win: 0xFFFF TcpLen: 32
TCP Options (3) = NOP NOP TS: 1210791384 195453

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:29.450478 192.168.3.2:6400 -> 192.168.3.5:49496
TCP TTL:128 TOS:0x0 ID:1067 IpLen:20 DgmLen:485 DF
***AP*** Seq: 0xBCB1799C Ack: 0xE834C64 Win: 0xFD60 TcpLen: 32
TCP Options (3) = NOP NOP TS: 195453 1210791384

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:43.904673 192.168.3.5:49496 -> 192.168.3.2:6400
TCP TTL:64 TOS:0x0 ID:18947 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xE834C64 Ack: 0xBCB17B4E Win: 0xFFFF TcpLen: 32
TCP Options (3) = NOP NOP TS: 1210791413 195509

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:43.913290 192.168.3.5:49497 -> 192.168.3.2:6400
TCP TTL:64 TOS:0x0 ID:18950 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xBF45540D Ack: 0xBEFA2FE2 Win: 0xFFFF TcpLen: 32
TCP Options (3) = NOP NOP TS: 1210791413 0

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:43.913886 192.168.3.2:6400 -> 192.168.3.5:49497
TCP TTL:128 TOS:0x0 ID:1071 IpLen:20 DgmLen:571 DF
***AP*** Seq: 0xBEFA2FE2 Ack: 0xBF45559C Win: 0xFE70 TcpLen: 32
TCP Options (3) = NOP NOP TS: 195597 1210791413

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:43.919054 192.168.3.5:49498 -> 192.168.3.2:6400
TCP TTL:64 TOS:0x0 ID:18956 IpLen:20 DgmLen:365 DF
***AP*** Seq: 0x18030D8E Ack: 0xCFE60A18 Win: 0xFFFF TcpLen: 32
TCP Options (3) = NOP NOP TS: 1210791413 0

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:43.946959 192.168.3.2:6400 -> 192.168.3.5:49498
TCP TTL:128 TOS:0x0 ID:1075 IpLen:20 DgmLen:660 DF
***AP*** Seq: 0xCFE60A18 Ack: 0x18030EC7 Win: 0xFEC6 TcpLen: 32
TCP Options (3) = NOP NOP TS: 195598 1210791413

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:11.614057 192.168.3.3:1923 -> 192.168.3.2:6400
TCP TTL:128 TOS:0x0 ID:44619 IpLen:20 DgmLen:496 DF
***AP*** Seq: 0xC9090643 Ack: 0x550D4778 Win: 0xFFFF TcpLen: 20

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:11.656165 192.168.3.2:6400 -> 192.168.3.3:1923
TCP TTL:128 TOS:0x0 ID:1079 IpLen:20 DgmLen:230 DF
***AP*** Seq: 0x550D4778 Ack: 0xC909080B Win: 0xFE37 TcpLen: 20

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:19.504867 192.168.3.3:1926 -> 192.168.3.2:6400
TCP TTL:128 TOS:0x0 ID:44648 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0xEC018654 Ack: 0x5E762A07 Win: 0xFFFF TcpLen: 20

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:19.540195 192.168.3.2:6400 -> 192.168.3.3:1926
TCP TTL:128 TOS:0x0 ID:1082 IpLen:20 DgmLen:555 DF
***AP*** Seq: 0x5E762A07 Ack: 0xEC0187EE Win: 0xFE65 TcpLen: 20

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:19.550534 192.168.3.3:1926 -> 192.168.3.2:6400
TCP TTL:128 TOS:0x0 ID:44650 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEC0187EE Ack: 0x5E762C0A Win: 0xFDFC TcpLen: 20

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:19.590606 192.168.3.2:6400 -> 192.168.3.3:1926
TCP TTL:128 TOS:0x0 ID:1083 IpLen:20 DgmLen:792 DF
***AP*** Seq: 0x5E762C0A Ack: 0xEC018989 Win: 0xFCCA TcpLen: 20

Note: The classification identifier has been deleted.

Tips:
• Search for the HTTP RFC document “RFC2616” via Google. In particular, you will need to familiarise yourself with the HTTP header contents. You need to identify some text pattern in the HTTP header that will unambiguously indicate whether a client is accessing a web server, or vice versa. (Remember, the rogue web server is operating on a non-standard ephemeral port, so you cannot rely on the port number alone.)

• Certain characters are “special” in SNORT rules. These characters must be escaped to tell SNORT to treat them literally, rather than interpret their special meaning. To escape a special character, you simply precede it with a back-slash “\”. For example, if you wish to continue your rule on a new line in the configuration file, then you end the line with a “\” character to escape the special meaning of the ENTER character at the end of the line. SNORT treats the ENTER character as special: it means the end of the current rule. A “\” at the end of the line tells SNORT to treat the ENTER as a literal character, which is then interpreted as just spacing in your rule and allows the rule to continue on the next line. If you receive the following error when you attempt to run your rule through SNORT: “ParsePattern Got Null enclosed in quotation marks (-)!”, then you have a special character in your rule content that needs to be escaped. Refer to the SNORT documentation website for details on which characters have special meanings.

• Make sure you include the standard Snort classtypes in your rule. Refer to the SNORT documentation to determine which classtype is appropriate for the policy breach described above. You will probably have to make use of the classification.config file (located in the Snort\etc directory) – research how to make reference to this file from your rules file.

• Failure to use the correct syntax in your rule will mean the rule is ineffective. This means you will lose marks on this question.

• Refer to the Snort manual for assistance in writing the rules – a link to the manual is available from the Software Resources section of the course web site.

Note: Duplicating the contents from the text, lecture slides, weekly notes or the Internet is not acceptable (even if it is referenced) and will not attract any marks. Your solutions must be written in your own words. If you cannot write your answer in your own words, then you have not yet mastered the topic and require further reading or advice from your tutor. Any information taken from an external source (either from the textbook or any other source) must be referenced appropriately. Failure to do so constitutes plagiarism.
1.1. Identification of Addresses
By inspecting the sample alert.ids entries given above you should be able to identify:

1. The IP address, and port number of the device hosting the rogue web server.
2. The IP addresses of all devices that access the rogue web server.

You are to enter this information into a table (see following), and submit it with your assignment submission document.

Description          | IP Address | Port Number
Rogue Web Server     |            |
Accessing Client #1  |            |
Accessing Client #2  |            |

Explain in your own words how the MAC addresses of these devices can be discovered from the pcap file.
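The following is an added example, not part of the assignment brief or the course's own material, showing how the time-correlation step in the technical approach and the identification task in 1.1 can be automated: it parses entries in the alert.ids format shown above, picks out the socket that recurs across alerts as the rogue server, lists the client IPs, and then matches each alert's timestamp and 4-tuple against frame summaries exported from the pcap to recover MAC addresses. The sample alerts are three of the entries above; the frame summaries and their MAC addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the alert.ids format shown above (three of the entries, abbreviated)
SAMPLE_ALERTS = """\
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:29.439844 192.168.3.5:49496 -> 192.168.3.2:6400

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:10:29.440554 192.168.3.2:6400 -> 192.168.3.5:49496

[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: DELETED] [Priority: 1]
09/12-19:11:11.614057 192.168.3.3:1923 -> 192.168.3.2:6400
"""

# Matches only the "timestamp src:sport -> dst:dport" line of each alert
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$", re.M)

def parse_alerts(text):
    """Return (timestamp, (src_ip, sport), (dst_ip, dport)) for every alert."""
    return [(m["ts"], (m["src"], int(m["sport"])), (m["dst"], int(m["dport"])))
            for m in ALERT_RE.finditer(text)]

def identify_endpoints(alerts):
    """The rogue server is the socket seen most often: clients open a fresh
    ephemeral port per connection, while the server socket appears in every alert."""
    counts = Counter(sock for _, s, d in alerts for sock in (s, d))
    server = counts.most_common(1)[0][0]
    clients = sorted({sock[0] for _, s, d in alerts for sock in (s, d) if sock != server})
    return server, clients

# Constructed frame summaries standing in for the pcap export (MAC addresses are made up):
# (timestamp, src_mac, dst_mac, src_ip, sport, dst_ip, dport)
SAMPLE_FRAMES = [
    ("09/12-19:10:29.439844", "aa:aa:aa:00:00:05", "bb:bb:bb:00:00:02", "192.168.3.5", 49496, "192.168.3.2", 6400),
    ("09/12-19:11:11.614057", "cc:cc:cc:00:00:03", "bb:bb:bb:00:00:02", "192.168.3.3", 1923, "192.168.3.2", 6400),
]

def macs_from_frames(alerts, frames):
    """Match each alert to the frame with the same timestamp and 4-tuple; return {ip: mac}."""
    index = {(ts, si, sp, di, dp): (sm, dm) for ts, sm, dm, si, sp, di, dp in frames}
    macs = {}
    for ts, (si, sp), (di, dp) in alerts:
        if (ts, si, sp, di, dp) in index:
            sm, dm = index[(ts, si, sp, di, dp)]
            macs.setdefault(si, sm)
            macs.setdefault(di, dm)
    return macs
```

Alerts whose timestamp has no matching frame (the server's reply at 19:10:29.440554 here) are skipped rather than guessed, so every MAC in the result is backed by a captured frame.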

Question 1.1 Marking Criteria

Up to a maximum of 4 marks for correctly identifying the rogue web server and the accessing clients’ information (table above). 1 mark for the explanation of MAC address identification.


1.2. For the SNORT Rule: 2.5 marks for commenting, and 2.5 marks for rule correctness as explained below

Line Number | SNORT RULE
1           |
2           |
3           |
4           |
5           |
6           |
7           |
8           |
9           |
10          |

2. Question 2: Steganography Exercise [10 Marks]

This exercise requires you to use Steganography to embed secret text into a graphic file and also to embed a secret watermark into a second graphic file. To accomplish these tasks you are to download a copy of OpenStego from the internet. You will also need to download the two graphic files cqu_logo.png and Bundaberg.jpg from the Moodle site.
2.1. Data Hiding in a graphic file [5 Marks]
You are to create a “message.txt” file containing the text “This is my hidden text file” to use as your Message File in OpenStego.

You are to use “cqu_logo.png” as your Cover File in OpenStego and “extra_logo.png” as your Output Stego File.

Note: You MUST use your student number (sxxxxxxx) as the password.

You are to include both your message.txt and extra_logo.png files in your assignment submission.
2.2. Watermarking a second graphic file [5 marks]
You are to generate a signature file (“COIS23001Ass2.sig”) using “Copyright 2014,COIS23001” as the PassPhrase.
You can now embed your watermark in the “Bundaberg.jpg” graphic file to create your Output file called “ass2sig.jpg”.

You are to submit a copy of your ass2sig.jpg with your assignment submission.


Note: You MUST include a copy of your message.txt, extra_logo.png and ass2sig.jpg files with your assignment submission.
Question 2.1 Marking Criteria
1.5 marks for correct message.txt, 1.5 marks for correct password, 2 marks for correct extra_logo.png file.

Question 2.2 Marking Criteria
2 marks for correct signature file, 3 marks for correct output file.

3. Question 3: CQURoam [5 Marks]

Go to the CQURoam site and download the guide with information on how to connect to the CQU network wireless computers running Microsoft Windows Vista or Windows 7 (http://www.cqu.edu.au/current-student/international-students/student-support/it-and-the-helpdesk/wireless-cquroam)

Based on these instructions, during one of the face-to-face tutorials configure your wireless computer (laptop or notebook) to connect to the CQUniversity network and answer the following questions:
a. What wireless security type does CQUniversity implement to enable roaming? Explain how this wireless security type works [1/2 mark]
b. What encryption mechanism is used in CQURoam? Explain how this mechanism works [1/2 mark]
c. What authentication method is used in CQURoam? Explain how this authentication method operates [1/2 mark]
d. Provide a screenshot as evidence of your configuration [1/2 mark]
e. What do you think of CQUniversity’s approach to roaming? Would you suggest something different? Why? [3 marks]

Please note
Your answers need to be thoroughly documented using in-text references (Harvard or APA style). Please remember that your assignment will be sent to Turnitin for academic integrity checking; consequently it is your responsibility to answer the questions in your own words. Plagiarism will be referred to CQU authorities for investigation and possible academic penalty.