I am now working on the Security Onion VM, where we first need to start Sguil. It allows us to see the IDS logs in real time and further investigate the events there. Enter the username and password as seconion. Select all sensors and start. Let's now move over to Kali and port scan the COSserver, with OS and version detection on. This is a pretty noisy scan generating a lot of suspicious traffic and should generate quite a few alerts in the IDS. As we can see, Snort is detecting the scan and generating a number of alerts. We can see some further details by selecting one of them and ticking show rule and show packet data.
We will talk a lot about those alerts and work on analysing them in another module. For now, you need to remember that from a security point of view it is important that we monitor our network and act upon such events.
IDS detection of a port scan
Many cyber attacks begin with a port scan.
Being able to detect such scans will give us an early warning that our network and systems are being targeted and possibly give us an indication of the aim and direction of the attack.
We will now port scan our target and observe how the IDS picks up and alerts us of the scan.
For this exercise three virtual machines are running. The target, the COSserver, is running in the background, and the Kali and Security Onion VMs are visible in the video. Security Onion monitors all traffic on the local network; it has a number of security tools installed and configured for monitoring, intrusion detection and log management, including the Snort IDS.
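The scan alerts Snort raises in the video rest on a simple observation: one source touching many distinct ports on one host in a short time. The added example below (not part of the course materials) implements that heuristic over a constructed connection log, with placeholder addresses, and also shows the caveat that a slow scan slips under a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "timestamp src dst dport". 10.0.0.5 probes
# seven ports in three seconds, 10.0.0.7 is a normal web client, 10.0.0.9 probes slowly.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.20 21
2024-01-01T10:00:00 10.0.0.5 10.0.0.20 22
2024-01-01T10:00:01 10.0.0.5 10.0.0.20 23
2024-01-01T10:00:01 10.0.0.5 10.0.0.20 25
2024-01-01T10:00:02 10.0.0.5 10.0.0.20 80
2024-01-01T10:00:02 10.0.0.5 10.0.0.20 443
2024-01-01T10:00:03 10.0.0.5 10.0.0.20 3389
2024-01-01T10:00:05 10.0.0.7 10.0.0.20 80
2024-01-01T10:00:06 10.0.0.7 10.0.0.20 443
2024-01-01T10:00:09 10.0.0.7 10.0.0.20 80
2024-01-01T10:05:00 10.0.0.9 10.0.0.20 21
2024-01-01T10:06:00 10.0.0.9 10.0.0.20 22
2024-01-01T10:07:00 10.0.0.9 10.0.0.20 23
2024-01-01T10:08:00 10.0.0.9 10.0.0.20 25
2024-01-01T10:09:00 10.0.0.9 10.0.0.20 80
"""

def parse_log(text):
    """Parse the log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def detect_port_scans(events, window=timedelta(seconds=10), threshold=5):
    """Flag (src, dst) pairs that touch >= threshold distinct destination
    ports within any sliding time window; returns the peak port count per pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(detect_port_scans(events))                                # fast scanner only
    print(detect_port_scans(events, window=timedelta(minutes=10)))  # slow scanner too
```

With the default 10-second window only the noisy scanner is flagged; widening the window to ten minutes also catches the one-port-per-minute probe, which is why IDS scan detectors trade off window length against false positives.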
Please download the VM from the repository.
When you run the VM for a first time it will ask you whether you Moved or Copied the virtual machine. You must select Moved.
When you start up the VM it will take a bit longer as the IDSs initialise, so you will need to wait a few minutes.
When SecurityOnion starts it will switch one of the network interfaces to promiscuous mode. If you get a warning message from your system or VMware Player, you must allow promiscuous mode. This will allow SecurityOnion to listen to all traffic between the VMs running on your machine (make sure your network interfaces are set to Host-only).
The login username/password are seconion/seconion.