CEH Lab Manual Evading IDS, Firewalls, and Honeypots Module 17 Module 17 - Evading IDS, Firewalls and Honeypots Intrusion Detection System A n intrusion detection system (IDS) is a derice or soft/rare application that monitors netirork and/or system activities fo r malicious activities or policy violations andprod/ices reports to a Management Station I CON KEY [£Z7 Valuable information S = m Test your knowledge Web exercise Workbook review Lab Scenario Due to a growing number o f intrusions and since the Internet and local networks have become so ubiquitous, organizations increasingly implementing various systems that monitor IT security breaches Intrusion detection systems (IDSes) are those that have recently gained a considerable amount o f interest An IDS is a defense system that detects hostile activities 111 a network The key is then to detect and possibly prevent activities that may compromise system security, 01‫ ־‬a hacking attempt 111 progress including reconnaissance/data collection phases that involve, for example, port scans One key feature o f intrusion detection systems is their ability to provide a view o f unusual activity and issue alerts notifying administrators and/or block a suspected connection According to Amoroso, intrusion detection is a “process ot identifying and responding to malicious activity targeted at computing and networking resources.” 111 addition, IDS tools are capable ot distinguishing between insider attacks originating from inside the organization (coming from own employees 01‫ ־‬customers) and external ones (attacks and the threat posed by hackers) (Source: http://www.windowsecurity.com) 111 order to become an expert penetration tester and security administrator, you must possess sound knowledge o f network intrusion prevention system (IPSes), IDSes, malicious network activity, and log information Lab Objectives & Tools Demonstrated in this lab are located at D:\CEHTools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots The objective ot tins lab is to help students learn and detect intrusions 111 a network, log, and view all log tiles 111 tins lab, you will learn how to: ■ Install and configure Snort IDS ■ Run Snort as a service ■ Log snort log files to Kiwi Syslog server ■ Store snort log files to two output sources simultaneously Lab Environment To earn‫ ׳‬out tins lab, you need: ■ A computer miming Windows Server 2012 as a host machine ■ A computer running Windows server 2008, Windows 8, 01‫ ־‬Windows as a virtual machine WniPcap drivers installed 011 the host machine C E H L ab M an u al P ag e 847 E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots ■ Notepads-+ installed 011 the host macliine ■ Kiwi Svslog Server installed 011 the host machine ■ Active Perl installed 011 the host macliine to mil Perl scnpts ■ Administrative pnvileges to configure settings and run tools ■ A web browser with Internet access Lab Duration Time: 40 Minutes Overview of Intrusion Detection Systems An intrusion detection system (IDS) is a device 01‫ ־‬software application that monitors network an d / 01‫ ־‬system activities for malicious activities 01‫ ־‬policv violations and produces reports to a Management Station Some systems may attempt to stop an intrusion attempt but tins is neither required nor expected o f a monitoring system 111 addition, organizations use intrusion detection and prevention systems (IDPSes) for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies IDPSes have become a necessary addition to the secuntv infrastructure o f nearly even* organization Many IDPSes can also respond to a detected tlireat by attempting to prevent it from succeeding They use several response techniques, which involve the IDPS stopping die attack itself, changing the security environment IDPSes are primarily focused 011 identifying possible incidents, logging information about diem, attempting to stop them, and reporting them to security administrators Overview Pick an organization diat you feel is worthy o f your attention Tins could be an educational institution, a commercial company, 01‫ ־‬perhaps a nonprofit charity Recommended labs to assist you 111 using IDSes: ■ Detecting Intrusions Using Snort ■ Logging Snort Alerts to Kiwi Syslog Server ■ Detecting Intruders and Worms using KFSensor Honeypot IDS ■ HTTP Tunneling Using HTTPort Lab Analysis Analyze and document the results related to tins lab exercise Give your opinion 011 your target’s security posture and exposure C E H L ab M an u al Page 848 E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots PLEASE TALK TO C E H L ab M an u al Page 849 Y O U R I N S T R U C T O R IF YOU R E L A T E D T O T H I S LAB HAVE QUESTIONS E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 17 - Evading IDS, Firewalls and Honeypots Delecting Intrusions using Snort Snort is an open source netnvrk intrusion prevention and detection system (IDS/IPS) I CON KEY / Valuable information Test your knowledge □ Web exercise m Workbook review Lab Scenario The trade o f die intrusion detection analyst is to find possible attacks against their network The past few years have witnessed significant increases 111 D D oS attacks 011 the Internet, prompting network security to become a great concern Analysts tins by IDS logs and packet captures while corroborating with firewall logs, known vulnerabilities, and general trending data from the Internet The IDS attacks are becoming more cultured, automatically reasoning the attack scenarios 111 real time and categorizing those scenarios becomes a critical challenge These result ni huge amounts o f data and from tins data they must look for some land o f pattern However, die overwhelming tiows o f events generated by IDS sensors make it hard for security administrators to uncover hidden attack plans 111 order to become an expert penetration tester and security administrator, you must possess sound knowledge o f network IPSes, IDSes, malicious network activity, and log information & Tools Demonstrated in this lab are located at D:\CEHTools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots Lab Objectives The objective o f tins lab is to familiarize students widi IPSes and IDSes 111 tliis lab, you need to: ■ Install Snort and verify Snort alerts ■ Configure and validate snortconf file ■ Test the worknig o f Snort by carrying out an attack test ■ Perform intrusion detection ■ Configure Oinkmaster Lab Environment To earn‫ ־‬out dns lab, you need: C E H L ab M an u al P ag e 850 E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 17 - Evading IDS, Firewalls and Honeypots ■ A computer running Windows Server 2012 as a host machine ■ Windows running on virtual maclune as an attacker maclune ■ WinPcap dnvers installed on die host machine ■ N otepad++ installed on the host maclune ■ Kiwi Svslog Server installed on the host maclune ■ Active Perl mstalled on the host macliuie to nui Perl scripts ■ Adnunistrative privileges to configure settings and run tools Lab Duration Tune: 30 Minutes You can also download Snort from http:// www.sno1t.org Overview of Intrusion Prevention Systems and Intrusion Detection Systems A 11 IPS is a netw ork secu rity appliance that monitors a network and system activities for m alicious activity Tlie maui functions ot IPSes are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity An IDS is a device or software application that m onitors network and/or system activities for m alicious activities or policy violations and produces reports to a Management Station It performs intrusion detection and attempt to stop detected possible incidents Lab Tasks Install Snort l. Snort is an open source network intrusion prevention and detection system (IDS/IPS) C E H L ab M an u al Page 851 Start Windows Server 2012 on the host maclune Install Snort To uistall Snort, navigate to D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\lntrusion Detection Tools\Snort Double-click the Snort_2_9_3_1_lnstaller.exe file The Snort mstallation wizard appears Accept the License Agreement and uistall Snort with the default options diat appear step-by-step 111 the wizard A wuidow appears after successful mstallation o f Snort Click the Close button Click OK to exit the Snort Installation wuidow E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots Snort 2.9.3.1 SetuD Snort 2.9.3.1 Setup (& ‫ ' ־‬° I * * Snort has successfully been installed Snort also requires W inPcap 1 to be installed on this m achine, r W inPcap can be dow nloaded from : http ://w w w w in p c a p o rg / It w ould also be wise to tighten th e security on th e Snort installation directory to prevent any m alicious m odification of th e Snort executable Next, you m ust m anually edit th e 'sn o rt.co n f file to specify proper paths to allow Snort to find th e rules files and classification files OK Figure 1.1: Snort Successful Installation Window V^/ WinPcap is a tool for link-layer network access that allows applications to capture and transmit network packets bypass the protocol stack Snort requires WinPcap to be installed 011 your machine Install W inPcap by navigating to D:\CEH-T0 ls\CEHv8 Module 17 Evading IDS, Firewalls, and HoneypotsMntrusion Detection Tools\Snort, and double-clicking WinPcap _2.exe By default, Snort installs itself in C:\Snort (C:\ or D :\ depending upon die disk drive in which OS installed) 10 Register 011 die Snort website https://www.snort.org/signup 111 order to download Snort Rules After registration comples it will automaticallv redirect to a download page 11 Click die Get Rules button to download die latest mles 111 tins lab we have downloaded snortrules-snapshot-2931 ■tar.gz 12 Extract die downloaded mles and copy die extracted folder 111 diis padi: D:\CEH-T0 ls\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\lntrusion Detection Tools\Snort 13 Rename die extracted folder to snortrules 14 N ow go to die e tc folder 111 die specified location D:\CEH-T0 ls\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\lntrusion Detection Tools\Snort\snortrules\etc o f die extracted Snort mles, copy die snort.conf hie, and paste diis hie 111 C:\Snort\etc 15 The Snort.conf tile is already present 111 C:\Snort\etc; replace diis file with die Snort mles Snort.conf tile 16 Copv die so_rules folder from D:\CEH-T0 ls\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\lntrusion Detection Tools\Snort\snortrules and paste it 111 C:\Snort C E H L ab M an u al Page 852 E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots 17 Replace die preproc rules folder trom D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and HoneypotsMntrusion Detection Tools\Snort\snortrules and paste it 111 C:\Snort 18 Copy all die tiles from diis location: D:\CEH-Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\lntrusion Detection Tools\Snort\snortrules\rules to C:\Snort\rules H TASK Verify Snort Alert 19 N o w navigate to C:\Snort and right-click folder bin, and click CmdHere from die context menu to open it 111 a command prompt 20 Type snort and press Enter Administrator: C:\Windows\system32\cmd.exe - snort C : \S n o r t\b in /s n o r t R unning in p a c k e t dunp node — ■■ I n i t i a l i z i n g S n o r t ■‫—יי‬ I n i t i a l i z i n g O utput P lu g in s ? pcap DAQ c o n f ig u r e d t o p a s s i v e The DAQ u e r s i o n d o e s n o t s u p p o r t r e l o a d A c q u ir in g n etw o rk t r a f f i c f r o n " \D eu ice\N P F _< 0F B 09822-88B 5-411F -A F D 2-F E 3735A 9?7B B> _ D e co d in g E th e r n e t — - - I n it ia liz a t io n y To print out the TCP/IP packet headers to the screen (i.e sniffer mode), type: snort —v C o n p le te - - — —»> S n o r t? < *‫־‬ U e r s io n 1-W IN32 GRE < B u ild ) By M artin R oesch 8r The S n o r t l e a n : h t t p : / / w w w s n o r t o r g / s n o r t / s n o r t - t o '‫׳‬ ‫״ ״‬ ■an C o p y r ig h t 9 -2 S o u r c e f i r e , I n c , e t a l U s in g PCRE u e r s i o n : -0 - U s in g ZLIB u e r s i o n : C on n en cin g p a c k e t p r o c e s s in g < p i d ‫ ־‬S6> Figure 1.2: Snort Basic Command 21 Tlie Initialization Complete message displays Press Ctrl+C Snort exits and comes back to C:\Snort\bin 22 N ow type snort -W Tins command lists your machine’s physical address, IP address, and Ediernet Dnvers, but all are disabled by default Administrator: C:\Windows\system32\cmd.exe S n o rt e x itin g C :\ S n o r t \ b in ‫ נ‬s n o r t -W - * > S n o rt! < *— U e r s i o n - W I N GRE < B u i l d > B y M a r t i n R o e s c h 8r T h e S n o r t T e a m : h t t p : / / w w w s n o r t o r g / s n o r t / s n o r t - t C o p y r i g h t 9 - 2 S o u r c e f i r e , U s i n g PCRE v e r s i o n : - - U s in g Z L IB u e r s i o n : In d e x P h y s ic a l A d d re s s IP 0 :0 :0 :0 :0 :0 A F D -F E A 7 B B > M ic r o s o 0 :0 :0 :0 :0 :0 B -0 F C B D D A > 0 :0 :0 :0 :0 :0 rQRA R e a lte k A d d re s s d is a b le d f t C o r p o r a t io n d is a b le d In c , et D e u ic e a l Name D e s c r ip tio n \ D e u ic e \ N P F _ < F B 2 - 8 B - I F \ D e ‫ ״‬ic e \ N P F _ < B F D F A - E - E - d is a b le d \ D e u ic e \ N P F _ < lD B A - B 1 - - d is a b le d P C Ie GBE F a m i l y \ D e u ic e \ N P F _ < A E B - F B - 8 C o n t r o lle r C : \ S n o r t \ b in > Figure 1.3: Snort -W Command 23 Observe your Ediernet Driver index number and write it down; 111 diis lab, die Ediernet Driver index number is 24 To enable die Ediernet Driver, 111 die command prompt, type snort -dev -i and press Enter C E H L ab M an u al Page 853 E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots 25 E To specify a log into logging directory, type snort —dev —1 /logdirectorylocationand, Snort automatically knows to go into packet logger mode You see a rapid scroll text 111 die command prompt It means Ethernet Driver is enabled and working properly Administrator: C:\Windows\system32\cmd.exe - snort -dev -i C : \S n o r t \ b i n , s n o r t -d e v - i Running in p a c k e t dump 11uue — == I n i t i a l i z i n g S n o r t ==— I n i t i a l i z i n g O utpu t P lu g in s ? pcap DAQ c o n f i g u r e d t o p a s s i v e The DAQ v e r s io n d o e s n o t s u p p o r t r e l o a d A c q u ir in g n etw o rk t r a f f i c fr o n " \D e v ic e \N P F _ < A E B -3 F B -4 8 -9 A 7 ‫ ־‬E5AE27E53 B > " D e co d in g E th e r n e t — ■■ I n i t i a l i z a t i o n o '‫~> ׳‬ ‫״״״״‬ C om p lete ■*— -» > S n o r t? < * U e r s io n 1-W IN32 GRE < B u ild 40> By M artin R oesch 8r The S n o r t T ean : h t t p : / / w w w s n o r t o r g / s n o r t / s n o r t - t r u i C o p y r ig h t 9 -2 S o u r c e f i r e , I n c , e t a l U s in g PCRE v e r s i o n : -0 - U s in g ZLIB v e r s i o n : C on n en cin g p a c k e t p r o c e s s in g < p id =2852> 1 / - : 5 : 9 ARP who‫ ־‬h as t e l l Figure 1.4: Snort —dev —i4 Command 26 Leave die Snort command prompt window open, and launch anodier command prompt window 27 Li a new command prompt, type ping google.com and press Enter £ Q Ping [-t] [-a] [-n count] [-1 size] [-£] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list Figure 1.5: Ping googje.com Command 28 Tliis pmg command triggers a Snort alert in the Snort command prompt with rapid scrolling text Administrator: C:\Windows\system32\cmd.exe - snort -dev -i To enable Network Intrusion Detect ion System (NIDS) mode so that you don’t record every single packet sent down the wire, type: snort -dev -1 /log-h 192.168.1.0/24-c snort.conf ‫־‬TTD ' : 4 0 : 5 U l x 1 / - : : D4: BE: D9:C 3: C 3: CC 0 : : : 4 TCP TTL:128 TOS:0x0 ID :2 9 Ip L e n :2 DgnLe n :4 DF S eq : 0x4C743C54 Ack: 0x81047C 77 Win: 0xFB27 T cpLen: 20 / - : : ARP w h o-h as t e l l 0 1 / - : : 5 ARP w h o-h as t e l l 0 1 / - : : ARP w h o-h as t e l l 0 Figure 1.6: Snort Showing Captured Google Request C E H L ab M anual Page 854 E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots 29 Close both command prompt windows The verification o f Snort installation and triggering alert is complete, and Snort is working correcdy 111 verbose mode T A S K Configure snort.conf File 30 Configure die snort.conf file located at C:\Snort\etc 31 Open die snort.conf file with N otepad++ 32 Tlie snort.conf file opens 111 N otepad++ as shown 111 the following screenshot & Make sure to grab the rules for the version you are installing Snort for m Log packets in tcpdump format and to produce minimal alerts, type: snort -b -A fast -c snort.conf Figure 1.7: Configuring Snortconf File in Notepad++ 33 Scroll down to die Step #1: Set the network variables section (Line 41) o f snort.conf file 111 the HOME_NET line, replace any widi die IP addresses (Line 45) o f die machine where Snort is ranning *C:\Sn0ft\etc\$n0rtx0nf - Notepad+ Be Edit Search 'iict* Encoding Language Settings Macro Run Plugns frndcw o 10 e H | 41 □ -!□ X' I & JS * £‫ |נ‬.< »‫ **צ‬x 44Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Seep # 1: Sec che necw ork v a r ia b le s For ito ie m r o r a a c lo n » se tu p tn e n e cwcrx a a a re a aca you a re c rc c e c c 1.no ip v e r HOME TOT 110.0.0.10| : * c a t s it u a t i o n s m Notepad‫־)־‬+ is a free source code editor and Notepad replacement that supports several languages It runs in the MS Windows environment ygth: 25421 lines :657 45: ‫ ת‬Cel: 25 Sd Figure 1.8: Configuring Snortconf File in Notepad‫־־(־‬1‫־‬ 34 Leave die EXTERNAL_NET any line as it is C E H L ab M anual Page 855 Etliical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 17 - Evading IDS, Firewalls and Honeypots KFSensor Professional - Evaluation Trial File j View a 0- Scenario Signatures Settings Help a if^]a ifrtln Tpili kfsensor - localhost - M FIGURE4.12: WindowsFirewall selectingaRuleType 32 Now select All local ports in the Protocol and Ports section * New Outbound Rule W izard P r o t o c o l a n d P o rts Specify the protocol and ports that this rule matches Steps: S Y o u need to install htthost on a P C , w h o is generally accessible on the Internet ‫־‬ typically you r "hom e" P C This means that i f you started a Webserver o n the hom e P C , everyone else m ust be able to connect to it There are two shows toppers fo r htthost on hom e P C s « Rule Type Does this lule apply to TCP or UDP^ ftp f t p c e r t ifie d h a c k e r.c o n C o n n e c te d to f c e r tifie d h a c k e r c o n 2 -h ic ro s o ft FTP S eruice 220 We leone TO FTP Account User < ftp c e rtifie d h a c k e r.c o n :< n o n e > > : _ 2^7 HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software The keywords here are: "client" and "any software" FIGURE4.21: Executingftpcommand Lab Analysis Document all die IP addresses, open ports and running applications, and protocols you discovered during the lab PLEASE TALK TO T o o l/U tility Y O U R I N S T R U C T O R IF YOU R E L A T E D T O T H I S LAB HAVE QUESTIONS In fo rm atio n C o lle c te d /O b je c tiv e s A chieved Proxy server U sed: 10.0.0.4 H T T P o rt P o rt scanned: 80 R esult: ftp 127.0.0.1 connected to 127.0.0.1 C E H L ab M anual Page 899 E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots Questions How would you set up an HTTPort to use an email client (Outlook, Messenger, etc.)? Examine if the software does not allow editing the address to connect to In te rn e t C o n n ectio n R eq u ired Yes □No P latform S upported □ iLabs C E H L ab M an u al Page 900 E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited [...]... Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots ^_ You can also download KFSensor from http://www.keyfocus.net ■ KF Sensor located at D: \CEH- Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\ Honeypot Tools\KFSensor ■ Install KF Sensor 111 Windows 8 ■ MegaPing located at D: \CEH- Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing... 861 63 Start Snort in IDS mode, 111 the command prompt type snort C:\Snort\etc\snort.conf -I C:\Snort\log -i 2 and dien press Enter E th ical H a ck in g a nd C ounterm easures Copynght © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 17 - Evading IDS, Firewalls and Honeypots Figure 2.19: Start Snort in IDS Mode Command 64 Snort starts running in IDS mode It first initializes... networks, and related resources 111 order to become an expert penetration tester and security administrator, you must possess sound knowledge ot network mtnision prevention system (IPSes), IDSes, identify network malicious activity, and log information, stop, or block malicious network activity Lab Objectives H Tools dem onstrated in this lab are located at D:\CEHTools\CEHv8 Module 17 Evading IDS, Firewalls, ... incidents, logging information about them, attempting to stop diem, and reporting diem to security administrators ™ TASK 1 Log Snort Alerts to Syslog Server Lab Tasks 1 Navigate to D: \CEH- Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots\ lntrusion Detection Tools\Kiwi Syslog Server double click on Kiwi_Syslog_Server_9.3.4.Eval.setup.exe and install Kiwi Syslog Server on die Windows Server 2012 host... in this lab are located at D: \CEH Tools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots SolarWinds, Inc Figure22: Kiwi Syslogserverinstallation 4 111 die Install Kiwi Syslog Web A c c e ss wizard, uncheck die option selected and click Next > Kiwi Syslog Server 9.3.4 Installer X I n s ta ll K iw i S y s lo g W e b A c c e s s solarwinds I Remote viewing, filtering and highlighting of Syslog events... network activity Lab Objectives H Tools dem onstrated in this lab are located at D:\CEHTools\CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots C E H L ab M an u al Page 874 The objective of tins lab is to make students learn and understand IPSes and IDSes 111 tins lab, you need to: ■ Detect hackers and worms 111 a network ■ Provide network security Lab Environment To carry-out tins lab, you need:... alerts .ids .ids E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots _ log v Search log C P alerts .ids Favorites ■ ‫ם‬ Desktop £ Downloads M i Recent places Libraries )=‫״ יז‬ 1 item Figure 1 .17: Configuring Snort.conf File in Notepad++ 53 111 die snort.conf tile, find and replace... message and on what basis messages are prioritized In te rn e t C o n n ectio n R eq u ired □ Yes 0 No P latform S upported 0 C lassroom C E H L ab M an u al Page 873 0 !Labs E th ical H a ck in g a nd C o untenneasures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots 3 Detecting Intruders and Worms Using KFSensor Honeypot IDS. .. system running Snort 56 Navigate to C:\Snort\rules and open die icmp-info.rules file widi Notepad ++ 57 Uncomment the Line number 47 and save and close die file C E H L ab M anual Page 860 E th ical H a ck in g a nd C ounterm easures Copyright © by EC-Council All Rights Reserved Reproduction is Stricdy Prohibited Module 17 - Evading IDS, Firewalls and Honeypots C:\Srxwi\rules\icrnp info.rules Nofepad♦... Supported 0 Classroom C E H L ab M an u al Page 864 0 !Labs E th ical H a ck in g a nd C ountem ieasures Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Module 17 - Evading IDS, Firewalls and Honeypots Lab Logging Snort Alerts to Kiwi Syslog Server Sno/t is an open source network intrusionprevention and detection system (IDS/ IPS) I CON KEY _ Valuable information Test your