This is my final learning log for COMSEC2. It’s so sad that our security subject is coming to an end but I am expecting to carry on my studying through the references given by our professor 🙂 Although it’s sad 😦 , I am a bit happy because I got to learn so many things about Computer Security this term. I remembered our exercises about the nmap usage for the networks, Snort and other useful applications that I want to explore more. For example, Kali Linux was available to me since our INVESTI subject and I only got to explore BeEF framework and nothing else. I want to learn how to defend systems from attacks that are common in today’s society. That’s one of my motivation to study well in our COMSEC2 class as well as in our other classes. For these two past weeks, we had many events that happened. We learned from the mobile malware lesson that Sir Justin taught us. It was interesting since I taught that mobile malware was limited and not defined that much. We also had our presentation of our correlator this week and it was a success!! Yehey!!!!! :)) I was nervous because at first I thought it was hard to do since we had our basis from two other correlation techniques which are Alert Correlation and Event Correlation. We aptly named our correlation technique as Tree Correlation and we began deciding what types of software should we use to produce the output of correlated logs. We decided to use the Visual Basic language from the Visual Studio application and use the older version of Snort since the newest version doesn’t have the support for the database connection. We used Snort 18.104.22.168 which has the schema example as well as the database connection functionality. I was excited because we were creating a correlator from scratch and we were implementing our correlation technique. Overall, we had great success and we plan to continue this project for a research paper! Thanks for reading!! 🙂
This is my fifth entry on my COMSEC2 learning log and the end of COMSEC2 is near 😥 I know it’s sad but the continuation of COMSEC depends on the person because security is an evolving subject because of possible new attacks and holes that the hackers could exploit. Anyway, we had a Snort activity during our 9th week and it was about how to implement the rules on Snort. Since we already had experience with Snort, all we had to do was to think about the formation of the rule and what are necessary protocols and ports that we should use. The first rule was your basic alert on Outbound Connection. Since the exercise stated that it should be Outbound, we set the protocol to tcp and the outgoing IP address port to 80 which is HTTP specifically. For the next rule that should be created, it should detect a Telnet connection. The port for telnet is 23 so we just copied the Outbound rule then replaced the port number and the message of the alert. The next rule that we should create is a rule that would detect an XMAS scan being conducted. For that rule, we had to research on what consist of an XMAS scan. It contained the flags of: FIN; PSH, URG. The last set of rules we had to create was to detect strings which contained the keywords of INSERT, DELETE, SELECT. This was an important rule because these keywords could be possible SQL queries being conducted. Each of the rules were given specific sid or their ID so that it would uniquely identify the rules in the logs.
After creating all the rules, we ran some initial problems such as having to set up a virtual machine to test the telnet connection and to install Nmap to scan but I thought it was hard; I was wrong and it was a breeze 🙂 . We ran Snort first and executed the attacks, instantly the syslog was getting the logs from Snort. It was awesome!! :)) I saw at the bottom of syslog that there were logs coming in from Snort in real-time. I knew that this was an important lesson to remember and I am going to keep on studying Snort. Thanks for reading! 🙂