Lab 7.4.1 Sensor Configuration
Objectives
In this lab you will complete the following tasks:
■ Define and configure the internal network definition.
■ Enable the Sensor to generate log files.
■ Test the log file generation.
Visual Objective
This figure displays the information you will need to complete this laboratory
exercise.
[Figure: lab topology. Pod P (your pod) and Pod Q (peer pod) share the 172.30.1.0/24 network. Router rP has e0/1 at 172.30.1.10P and e0/0 at 10.0.P.1 on the 10.0.P.0/24 pod network, which holds the CSPM host at 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP), sensorP at .4 and idsmP at .6. Pod Q mirrors this: rQ has e0/1 at 172.30.1.10Q and e0/0 at 10.0.Q.1 on 10.0.Q.0/24, with CSPM at 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ), sensorQ at .4 and idsmQ at .6.]
A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to do the lab.
Task 1—Configure the Sensor’s Internal Network Definition
Complete the following steps to define an internal network:
Step 1
Select sensorP (where P = pod number) from the Network Topology folder.
Step 2
Select the Properties tab in the Sensor view panel.
Step 3
Select the Internal Networks tab within the Properties tab.
Step 4
Click Add to add a line in the Internal Networks section to enter the IP addresses
to be defined as internal for logging purposes by the Sensor.
Step 5
Enter the following parameters in their respective fields:
Setting        Value
IP Address     10.0.P.0 (where P = pod number)
Subnet Mask    255.255.255.0
Cisco Secure Intrusion Detection System 2.1—Lab 7.4.1   Copyright 2001, Cisco Systems, Inc.
Step 6
Click OK in the Sensor view panel to accept your changes and close it.
Step 7
Click Save on the top toolbar to save your changes.
Task 2—Enable the Sensor to Generate Log Files
Complete the following steps to enable the Sensor to generate local log files:
Step 1
Select sensorP (where P = pod number) from the Network Topology folder.
Step 2
Select the Logging tab in the Sensor view panel.
Step 3
Select the Generate audit event log files checkbox.
Step 4
Click OK in the Sensor view panel to accept your changes and close it.
Step 5
Click Update on the toolbar to save your changes and update the configuration
files.
Step 6
Select sensorP (where P = pod number) from the Network Topology folder.
Step 7
Select the Command tab in the Sensor view panel.
Step 8
Click the Approve Now button in the Command Approval section. Wait for the
configuration files to be downloaded to the Sensor.
Step 9
After you get an Upload completed message in the Status section, proceed to the
next task.
Task 3—Test the Log File Generation
Complete the following steps to verify the Sensor is generating local log files:
Step 1
From your own CSPM host, telnet to your peer’s router, as assigned by the
instructor, and log on with password cisco. At the router prompt enter the
following:
r0> /etc/shadow
We are simulating an attack in which an attempt is made to retrieve a UNIX
shadowed password file. Your peer’s Event Viewer will display the new alarm.
Note
The router will display an error message. This is expected behavior since the
router does not have an “/etc/shadow” command.
Step 2
After your peer has attacked your router, telnet to your Sensor as the netrangr user.
SunOS 5.8
login: netrangr
Password:
Last login: Tue Dec 5 11:51:59 from 10.0.0.3
Sun Microsystems Inc. SunOS 5.8 Generic August 2000
You have logged in from 10.0.0.3 using ansi
using DISPLAY=10.0.0.3:0
netrangr@sensor0:/usr/nr
>
Step 3
View your Sensor’s log files as follows:
netrangr@sensor0:/usr/nr
> cd var
netrangr@sensor0:/usr/nr/var
> ls -l *
netrangr@sensor0:/usr/nr/var
> cat log*
2,1000000,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,Network connect using connection 1 to destination [3.100]
4,1000001,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,OUT,OUT,1,996,0,TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,3.100 route 1 up
4,1000002,2000/12/06,18:02:11,2000/12/06,12:02:11,10000,4,100,OUT,OUT,1,0,0,TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,postofficed initial notification msg
4,1000003,2000/12/06,18:02:55,2000/12/06,12:02:55,10008,4,100,OUT,IN,5,8000,2302,TCP/IP,172.30.1.88,10.0.0.1,1609,23,0.0.0.0,/etc/shadow,2F6574632F736168082F6574632F736861646F2F6574632F73612F6574632F736861646F77ZZ2F6574632F7361680820082F6574632F736861646F
Note
The log file contains binary data and may cause your telnet session to become
unusable.
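As an added example (not part of the Cisco lab), the following Python parser reads the Sensor log records shown above, names the fields of alarm records and renders the hex-encoded context as printable text so it can be inspected without the binary bytes reaching the terminal. The field names are an assumption based on the Cisco Secure IDS 2.x log layout (the lab does not name them), and the sample input is the lab's own records rejoined onto single lines.

```python
import re
# Constructed sample: three of the records printed by "cat log*" in this lab,
# rejoined so that each record sits on one line (the lab output wraps them).
SAMPLE_LOG = (
    "2,1000000,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,"
    "Network connect using connection 1 to destination [3.100]\n"
    "4,1000001,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,OUT,OUT,1,996,0,"
    "TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,3.100 route 1 up\n"
    "4,1000003,2000/12/06,18:02:55,2000/12/06,12:02:55,10008,4,100,OUT,IN,5,8000,2302,"
    "TCP/IP,172.30.1.88,10.0.0.1,1609,23,0.0.0.0,/etc/shadow,"
    "2F6574632F736168082F6574632F736861646F2F6574632F73612F6574632F736861646F77ZZ"
    "2F6574632F7361680820082F6574632F736861646F\n"
)

# Field names for alarm (type 4) records. The lab does not name them; this layout is
# an assumption based on the Cisco Secure IDS 2.x log format and the values shown.
ALARM_FIELDS = [
    "rec_type", "rec_id", "gmt_date", "gmt_time", "local_date", "local_time", "app_id",
    "host_id", "org_id", "src_loc", "dst_loc", "level", "sig_id", "subsig_id", "protocol",
    "src_ip", "dst_ip", "src_port", "dst_port", "router_ip", "details", "context",
]

def decode_context(hexstr):
    """Hex context -> printable text: control bytes become \\xNN escapes (they are
    what wrecks a telnet session on cat); non-hex markers such as ZZ pass through."""
    out = []
    for chunk in filter(None, re.split(r"([^0-9A-Fa-f]+)", hexstr)):
        if not re.fullmatch(r"[0-9A-Fa-f]+", chunk):
            out.append(chunk)                  # marker, not data
            continue
        data, tail = (chunk[:-1], chunk[-1]) if len(chunk) % 2 else (chunk, "")
        out.extend(chr(b) if 0x20 <= b < 0x7F else "\\x%02X" % b
                   for b in bytes.fromhex(data))
        out.append(tail)                       # odd trailing nibble kept literal
    return "".join(out)

def parse_log(text):
    """Name the fields of alarm (type 4) records; other record types stay raw."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if parts[0] != "4" or len(parts) < len(ALARM_FIELDS) - 1:
            records.append({"rec_type": parts[0], "raw": line})
            continue
        rec = dict(zip(ALARM_FIELDS, parts))
        rec["context"] = ",".join(parts[len(ALARM_FIELDS) - 1:])  # "" when absent
        rec["context_text"] = decode_context(rec["context"])
        records.append(rec)
    return records
```

Decoding the context of the /etc/shadow record shows the captured telnet keystrokes, including the backspaces (\x08) the typist used, which is what the raw file would otherwise send straight to your terminal.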
Answer the following questions:
Q 1) What is the filename of the most current log file and what time was the log file
created?
__________________________________________________________________
Q 2) What keyword in your log file was used to indicate the location of the source IP
address of the /etc/shadow attack?
__________________________________________________________________
Q 3) What keyword in your log file was used to indicate the location of the destination
IP address of the /etc/shadow attack?
__________________________________________________________________