Lab 7.4.1 Sensor Configuration 

Objectives

In this lab you will complete the following tasks:

■ Define and configure the internal network definition.

■ Enable the Sensor to generate log files.

■ Test the log file generation.

Visual Objective 

This figure displays the information you will need to complete this laboratory 
exercise.  

[Figure: Pod P (Your Pod) and Pod Q (Peer Pod), joined by the 172.30.1.0/24 network. Each pod has a router (rP or rQ, interfaces e0/0 and e0/1) at .10P or .10Q on 172.30.1.0/24 and at .1 on the pod network 10.0.P.0/24 or 10.0.Q.0/24. On the pod network sit the CSPM host at .3 (10.0.P.3: Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP), the Sensor sensorP at .4 and idsmP at .6; pod Q has the same layout with Q in place of P.]

A pair of students has been assigned to a pod. Each pod has a complete set of 
equipment to do the lab. 

Task 1—Configure the Sensor’s Internal Network Definition 

Complete the following steps to define an internal network: 

Step 1  Select sensorP (where P = pod number) from the Network Topology folder.

Step 2  Select the Properties tab in the Sensor view panel.

Step 3  Select the Internal Networks tab within the Properties tab.

Step 4  Click Add to add a line in the Internal Networks section to enter the IP addresses to be defined as internal for logging purposes by the Sensor.

Step 5 

Enter the following parameters in their respective fields:

    Setting        Value
    IP Address     10.0.P.0 (where P = pod number)
    Subnet Mask    255.255.255.0

7-2  Cisco Secure Intrusion Detection System 2.1—Lab 7.4.1  Copyright © 2001, Cisco Systems, Inc.

 

Step 6  Click OK in the Sensor view panel to accept your changes and close it.

Step 7  Click Save on the top toolbar to save your changes.

Task 2—Enable the Sensor to Generate Log Files 

Complete the following steps to enable the Sensor to generate local log files: 

Step 1  Select sensorP (where P = pod number) from the Network Topology folder.

Step 2  Select the Logging tab in the Sensor view panel.

Step 3  Select the Generate audit event log files checkbox.

Step 4  Click OK in the Sensor view panel to accept your changes and close it.

Step 5  Click Update on the toolbar to save your changes and update the configuration files.

Step 6  Select sensorP (where P = pod number) from the Network Topology folder.

Step 7  Select the Command tab in the Sensor view panel.

Step 8  Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.

Step 9  After you get an Upload completed message in the Status section, proceed to the next task.

Task 3—Test the Log File Generation 

Complete the following steps to verify the Sensor is generating local log files: 

Step 1  From your own CSPM host, telnet to your peer’s router, as assigned by the instructor, and log on with password cisco. At the router prompt enter the following:

    r0> /etc/shadow

We are simulating an attack in which an attempt is made to retrieve a UNIX shadowed password file. Your peer’s Event Viewer will display the new alarm.

Note  The router will display an error message. This is expected behavior since the router does not have an “/etc/shadow” command.

Step 2  After your peer has attacked your router, telnet to your Sensor as the netrangr user.

    SunOS 5.8
    login: netrangr
    Password:
    Last login: Tue Dec  5 11:51:59 from 10.0.0.3
    Sun Microsystems Inc.   SunOS 5.8       Generic August 2000
    You have logged in from 10.0.0.3 using ansi
    using DISPLAY=10.0.0.3:0
    netrangr@sensor0:/usr/nr


Step 3  View your Sensor’s log files as follows:

    netrangr@sensor0:/usr/nr
    > cd var
    netrangr@sensor0:/usr/nr/var
    > ls -l *
    netrangr@sensor0:/usr/nr/var
    > cat log*
    2,1000000,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,Network connect using connection 1 to destination [3.100]
    4,1000001,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,OUT,OUT,1,996,0,TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,3.100 route 1 up
    4,1000002,2000/12/06,18:02:11,2000/12/06,12:02:11,10000,4,100,OUT,OUT,1,0,0,TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,postofficed initial notification msg
    4,1000003,2000/12/06,18:02:55,2000/12/06,12:02:55,10008,4,100,OUT,IN,5,8000,2302,TCP/IP,172.30.1.88,10.0.0.1,1609,23,0.0.0.0,/etc/shadow,2F6574632F736168082F6574632F736861646F2F6574632F73612F6574632F736861646F77ZZ2F6574632F7361680820082F6574632F736861646F

Note  The log file contains binary data and may cause your telnet session to become unusable.

Answer the following questions: 

Q 1)  What is the filename of the most current log file and what time was the log file created?
__________________________________________________________________

Q 2)  What keyword in your log file was used to indicate the location of the source IP address of the /etc/shadow attack?
__________________________________________________________________

Q 3)  What keyword in your log file was used to indicate the location of the destination IP address of the /etc/shadow attack?
__________________________________________________________________
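A worked check of the log records shown in Task 3, Step 3, added here and not part of the Cisco lab: it parses the event records as the Sensor writes them to its log file and recomputes each record's IN/OUT location keywords from the internal-network definition entered in Task 1, so you can confirm that the keywords the Sensor logged follow from that definition. The field layout the parser assumes is inferred from the sample records rather than taken from a Cisco specification, and INTERNAL_NETWORKS uses pod 0 (10.0.0.0/24) because the sample records were written by sensor0.

```python
import ipaddress

# Internal-network definition from Task 1 (10.0.P.0/24); pod 0 here, because the
# sample records below were written by sensor0.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample: the records from the lab's "cat log*" listing, rejoined
# onto one line each (the telnet session had wrapped them).
SAMPLE_LOG = """\
2,1000000,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,Network connect using connection 1 to destination [3.100]
4,1000001,2000/12/06,18:02:06,2000/12/06,12:02:06,10000,4,100,OUT,OUT,1,996,0,TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,3.100 route 1 up
4,1000002,2000/12/06,18:02:11,2000/12/06,12:02:11,10000,4,100,OUT,OUT,1,0,0,TCP/IP,0.0.0.0,0.0.0.0,0,0,0.0.0.0,postofficed initial notification msg
4,1000003,2000/12/06,18:02:55,2000/12/06,12:02:55,10008,4,100,OUT,IN,5,8000,2302,TCP/IP,172.30.1.88,10.0.0.1,1609,23,0.0.0.0,/etc/shadow,2F6574632F736168082F6574632F736861646F2F6574632F73612F6574632F736861646F77ZZ2F6574632F7361680820082F6574632F736861646F
"""

# Assumed field layout of a type-4 (alarm) record, inferred from the samples:
# 0 type, 1 id, 2-3 GMT date/time, 4-5 local date/time, 6 app id, 7 host id,
# 8 org id, 9 source location, 10 destination location, 11 level, 12 sig id,
# 13 subsig id, 14 protocol, 15 src IP, 16 dst IP, 17 src port, 18 dst port,
# 19 router, 20.. detail (matched string, then hex context).
def parse_alarm(line):
    """Return the alarm fields as a dict, or None for any other record type."""
    f = line.split(",")
    if f[0] != "4" or len(f) < 21:
        return None
    return {"record_id": int(f[1]), "host_id": f[7], "org_id": f[8],
            "src_loc": f[9], "dst_loc": f[10], "level": int(f[11]),
            "sig_id": int(f[12]), "subsig_id": int(f[13]), "protocol": f[14],
            "src_ip": f[15], "dst_ip": f[16], "src_port": int(f[17]),
            "dst_port": int(f[18]), "detail": ",".join(f[20:])}

def location(ip_text, internal=INTERNAL_NETWORKS):
    """IN when the address lies in a configured internal network, else OUT."""
    ip = ipaddress.ip_address(ip_text)
    return "IN" if any(ip in net for net in internal) else "OUT"

def check_locations(log_text, internal=INTERNAL_NETWORKS):
    """Recompute each alarm's IN/OUT keywords from the internal-network definition
    and report whether they agree with what the Sensor logged."""
    report = []
    for rec in filter(None, map(parse_alarm, log_text.splitlines())):
        logged = (rec["src_loc"], rec["dst_loc"])
        expected = (location(rec["src_ip"], internal), location(rec["dst_ip"], internal))
        report.append({"record_id": rec["record_id"], "sig_id": rec["sig_id"],
                       "src_ip": rec["src_ip"], "dst_ip": rec["dst_ip"],
                       "logged": logged, "expected": expected,
                       "agrees": logged == expected})
    return report
```

For the /etc/shadow record the source 172.30.1.88 lies outside 10.0.0.0/24 and the destination 10.0.0.1 inside it, which is what the logged keywords say; changing INTERNAL_NETWORKS to a different pod network shows how the same traffic would be labelled under another Task 1 definition.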