
Assignment 3 2024-25, Part 1

COMP9046
Do not use Wireshark for any of these tasks unless specifically instructed.

For every task, I want to see your initials or full name in every screenshot that you take.
The best way to achieve this is to add those to the Linux prompt.
In a Windows screenshot, you can equally create a folder that is your name, and/or you could have a
small Notepad window open with your name in it.

Write everything in your own words, and if you're getting information from somewhere, include
that as a reference. Do NOT copy/paste from anywhere.
All submissions are sent to plagiarism checking software.
If there are similarities to the work of a present student, you will both receive the same sanction.
If there are similarities to a submission made by a past student, there will be consequences for both
the present and the past student, and this is viewed very seriously indeed.
This is the case for all modules on the MSc.

Note:

The usernames and passwords for the Windows machines on the CYRIN labs
are:
Windows 10 Pro : User - "CYRIN User", Password: 'SamplePass1'
Windows 7 : User - "CYRIN User", Password: 'SamplePass1'

Vincent Ryan 1
TASK 1: IDPS (Text based)

Discuss the issues around deploying and managing an IDPS in 2024.

As part of your answer highlight


a) false positives vs. false negatives
b) deployment : passive vs inline, span port vs. tap
c) some evasion techniques
d) DoS against the IDPS itself

Approx 4-5 pages

Task 2 : Windows Event Logs

You can use the Win10 VM on Cyrin or any Windows VM/host.

On the Win10 VM on CYRIN, the username is ‘Cyrin User’ and the password is ‘SamplePass1’.

Make sure your name is on every screenshot.

Part A : Add a User:

net user admin123 P@ssw0rd /add

Find the event log entry(s) that was/were generated.

Part B : Try to login as that user with the wrong password

Find the event log entry(s) that was/were generated.

Part C : Start and stop a service (such as EFS or DNS Client)


Find the event log entry(s) that was/were generated.

Part D : Turn the Windows Firewall off and back on


The command to turn it off is NetSh Advfirewall set allprofiles state off
The command to turn it back on is NetSh Advfirewall set allprofiles state on
Note that these commands disable the firewall for all profiles; the Windows Firewall service itself
(MpsSvc) keeps running, so expect firewall policy-change entries rather than service stop/start entries.
Find the event log entry(s) that was/were generated.

Part E : Clear out the system logs :


In PowerShell, started as administrator, use the command
Clear-EventLog -LogName system

Find the event log entry(s) that was/were generated.
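The entries each part of Task 2 leaves behind can be pulled out with wevtutil (or with Get-WinEvent in PowerShell, which accepts the same XPath through -FilterXPath). The script below is an added example, not part of this handout or of the CYRIN labs. The event IDs it looks for are the ones Windows 10 normally writes for these actions under its default audit policy; treat them as an assumption to confirm on the VM (if 4625 never appears, check auditpol /get /subcategory:Logon). The XML at the bottom is constructed to match the shape of wevtutil's /f:xml output so the parsing can be tried off the VM.

```python
"""Event-log check for Task 2 (added example, not part of the handout).  On the
Win10 VM, from an elevated prompt, it runs wevtutil, parses the XML it prints
and groups the events by Part.  The event IDs are the ones Windows 10 normally
writes for these actions under its default audit policy (an assumption: confirm
each on the VM, and if 4625 never appears run auditpol /get /subcategory:Logon)."""
import os
import subprocess
import xml.etree.ElementTree as ET

NS = '{http://schemas.microsoft.com/win/2004/08/events/event}'
FW_LOG = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# Part -> (channel, event IDs).  Part D is a policy change, not a service stop:
# netsh only disables the profiles, MpsSvc itself keeps running.
PARTS = {
    'A net user /add':         ('Security', (4720, 4722, 4724, 4738)),
    'B wrong password':        ('Security', (4625,)),
    'C service start/stop':    ('System', (7036,)),
    'D firewall off/on':       (FW_LOG, (2003,)),
    'E Clear-EventLog system': ('System', (104,)),
}

def xpath_query(ids, minutes):
    """Filter accepted by wevtutil qe /q: and by Get-WinEvent -FilterXPath."""
    id_expr = ' or '.join(f'EventID={i}' for i in ids)
    window = minutes * 60_000                      # timediff() is in milliseconds
    return f'*[System[({id_expr}) and TimeCreated[timediff(@SystemTime) <= {window}]]]'

def wevtutil_args(channel, ids, minutes=60):
    """argv for: wevtutil qe <channel> /q:<xpath> /f:xml /rd:true (newest first)."""
    return ['wevtutil', 'qe', channel, '/q:' + xpath_query(ids, minutes), '/f:xml', '/rd:true']

def parse_events(xml_text):
    """wevtutil /f:xml prints <Event> elements back to back with no root element."""
    events = []
    for ev in ET.fromstring(f'<Events>{xml_text}</Events>').iter(NS + 'Event'):
        sysn, fields = ev.find(NS + 'System'), {}
        # audit events carry their fields in EventData/Data; 104 uses UserData
        for i, d in enumerate(ev.iter(NS + 'Data'), 1):
            fields[d.get('Name', f'param{i}')] = d.text or ''
        for block in ev.findall(NS + 'UserData/*'):
            for f in block:
                fields[f.tag.rsplit('}', 1)[-1]] = f.text or ''
        events.append({'id': int(sysn.findtext(NS + 'EventID')),
                       'channel': sysn.findtext(NS + 'Channel'),
                       'time': sysn.find(NS + 'TimeCreated').get('SystemTime'),
                       'fields': fields})
    return events

def describe(ev):
    """One line per event, naming the field that ties it to the action taken."""
    f, i = ev['fields'], ev['id']
    if i in (4720, 4722, 4724, 4738):
        return f"{i} account {f.get('TargetUserName')} by {f.get('SubjectUserName')}"
    if i == 4625:
        return f"4625 failed logon for {f.get('TargetUserName')} status {f.get('Status')}"
    if i == 7036:
        return f"7036 {f.get('param1')} entered the {f.get('param2')} state"
    if i == 104:
        return f"104 {f.get('Channel')} log cleared by {f.get('SubjectUserName')}"
    return f"{i} in {ev['channel']} at {ev['time']}"

def summarise(events):
    found = {part: [] for part in PARTS}
    for ev in events:
        for part, (channel, ids) in PARTS.items():
            if ev['channel'] == channel and ev['id'] in ids:
                found[part].append(describe(ev))
    return found

def collect(minutes=60):
    """Query each channel once for every ID it needs (Windows only, elevated)."""
    by_channel = {}
    for channel, ids in PARTS.values():
        by_channel.setdefault(channel, set()).update(ids)
    events = []
    for channel, ids in by_channel.items():
        out = subprocess.run(wevtutil_args(channel, sorted(ids), minutes), capture_output=True,
                             text=True, errors='replace', check=True).stdout
        events.extend(parse_events(out))
    return summarise(events)

# Constructed sample in the shape wevtutil /f:xml prints, so the parsing can be
# exercised off the VM; the values are invented, not captured from CYRIN.
SAMPLE_XML = """
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4720</EventID><TimeCreated SystemTime='2025-01-10T10:00:01Z'/><Channel>Security</Channel><Computer>WIN10</Computer></System><EventData><Data Name='TargetUserName'>admin123</Data><Data Name='SubjectUserName'>CYRIN User</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4625</EventID><TimeCreated SystemTime='2025-01-10T10:05:00Z'/><Channel>Security</Channel><Computer>WIN10</Computer></System><EventData><Data Name='TargetUserName'>admin123</Data><Data Name='Status'>0xc000006d</Data><Data Name='LogonType'>2</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager'/><EventID>7036</EventID><TimeCreated SystemTime='2025-01-10T10:10:00Z'/><Channel>System</Channel><Computer>WIN10</Computer></System><EventData><Data Name='param1'>Encrypting File System (EFS)</Data><Data Name='param2'>running</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog'/><EventID>104</EventID><TimeCreated SystemTime='2025-01-10T10:20:00Z'/><Channel>System</Channel><Computer>WIN10</Computer></System><UserData><LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'><SubjectUserName>CYRIN User</SubjectUserName><Channel>System</Channel></LogFileCleared></UserData></Event>
"""

if __name__ == '__main__':
    result = collect() if os.name == 'nt' else summarise(parse_events(SAMPLE_XML))
    for part, lines in result.items():
        print(part, '->', lines or 'nothing found')
```

Run it on the VM after completing Parts A to E and each Part should list at least one entry; a Part that comes back empty usually means the relevant audit subcategory is off, or the action happened outside the 60-minute window.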

Task 3 : rsyslog
Designate one Kali VM as the rsyslog server, and another as a client.

Configuring the rsyslog server

The default port is 514 which we’ll keep.


You will need to edit the file /etc/rsyslog.conf and uncomment the following lines:
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception


#$ModLoad imtcp
#$InputTCPServerRun 514

After uncommenting the lines, it should look like the following:


# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception


$ModLoad imtcp
$InputTCPServerRun 514

The first line of each section ($ModLoad imudp and $ModLoad imtcp) loads the imudp and imtcp
module respectively. imudp stands for input module UDP and imtcp for input module TCP. These
modules listen for incoming messages from other hosts (the clients).

The second line of each section ($UDPServerRun 514 and $InputTCPServerRun 514) tells rsyslog to
start the UDP and TCP listeners on port 514 (the syslog default port).

In this case, we will be accepting both UDP and TCP connections at the same time.

Note: a current Kali ships an rsyslog.conf that expresses the same thing in the newer syntax,
e.g. module(load="imudp") and input(type="imudp" port="514") (likewise for imtcp). Uncomment
whichever form your file contains; rsyslog accepts both.

Restart the rsyslog service by running the command service rsyslog restart, and confirm that it is
listening with ss -lnup | grep 514 and ss -lntp | grep 514.

Your rsyslog instance is now ready to receive logs from remote hosts.

Part A:

On this server, set things up so that mail facility logs of severity crit on the server are sent to the file
/var/log/mail-crit-logs

Test using something like (on the server itself)


logger -i -p mail.err "Err Error"

Bear in mind that a mail.crit selector matches crit and the more severe alert and emerg, so the
mail.err message above should not appear in the file. Send a mail.crit message as well and show
which of the two is written.

Part B: Remote log server

This involves creating a file inside the /etc/rsyslog.d folder, usually called
10-rsyslog.conf

Inside that file, put


*.* @remote.server:514

The @ symbol before the hostname or IP address tells rsyslog to use UDP to send the messages.

You would change this to @@ if you wanted to use TCP (the server must then have imtcp loaded).

Once you write that file, restart the rsyslog service by running
# service rsyslog restart

and your logs will now start being shipped to your remote server.

Now run a suitable test on the client (for example logger -p local0.info "test from client"), and
ensure that the log is received by and processed on the server. With the server's default rules a
remote message lands in the same files as local ones, e.g. /var/log/syslog, tagged with the client's
hostname. You can also bypass the client's rsyslog entirely with logger -n <server> -P 514 -d "test"
(-d sends over UDP, -T over TCP) to show that the server's listener itself works.
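To see what the server and client configuration above actually exchange, here is an added example (not part of this handout and not rsyslog's own code): a loopback syslog sender and receiver that mirror what logger, rsyslog's imudp/imtcp listeners and a selector such as mail.crit do. It assumes a free high port chosen by the OS instead of 514 (so no root is needed), one message per TCP connection (real rsyslog keeps the connection open and splits on newlines), and models only the plain facility.severity selector, not the = and ! modifiers. The demo reproduces the Part A test: a mail.err message is dropped while a mail.crit message is written to the crit file.

```python
"""Loopback model of the handout's rsyslog setup (added example, not rsyslog code).
Assumptions: OS-chosen high port instead of 514, one message per TCP connection,
plain facility.severity selectors only."""
import os
import socket
import socketserver
import tempfile
import threading
import time

FACILITY = {'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3, 'auth': 4, 'syslog': 5,
            'lpr': 6, 'news': 7, 'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
            **{f'local{n}': 16 + n for n in range(8)}}
SEVERITY = {'emerg': 0, 'alert': 1, 'crit': 2, 'err': 3, 'warning': 4,
            'notice': 5, 'info': 6, 'debug': 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}

def pri(facility, severity):
    """PRI = facility * 8 + severity, so mail.crit is <18> and mail.err is <19>."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def selector_matches(selector, facility, severity):
    """rsyslog 'facility.severity' selects that severity and everything more
    severe (lower number): mail.crit takes crit, alert and emerg but not err."""
    sel_fac, sel_sev = selector.split('.')
    if sel_fac not in ('*', facility):
        return False
    return sel_sev == '*' or SEVERITY[severity] <= SEVERITY[sel_sev]

def format_bsd(facility, severity, tag, msg, pid=None):
    """RFC 3164 line as 'logger -i -p facility.severity' sends it."""
    t = time.localtime()
    stamp = time.strftime('%b ', t) + f'{t.tm_mday:2d}' + time.strftime(' %H:%M:%S', t)
    ident = f'{tag}[{pid}]' if pid else tag
    return f'<{pri(facility, severity)}>{stamp} {socket.gethostname()} {ident}: {msg}'

def send(line, host, port, tcp=False):
    """'@host' in rsyslog means one UDP datagram; '@@host' means TCP, newline-framed."""
    if tcp:
        with socket.create_connection((host, port)) as s:
            s.sendall(line.encode() + b'\n')
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(line.encode(), (host, port))

class Receiver:
    """Stands in for the server's rule set: rules are (selector, path) pairs, the
    two columns of a line such as 'mail.crit  /var/log/mail-crit-logs'."""
    def __init__(self, rules):
        self.rules, self.lock = rules, threading.Lock()

    def handle_line(self, line):
        if not line.startswith('<') or '>' not in line:
            return []                                # not syslog framed, drop it
        prival, rest = line[1:].split('>', 1)
        if not prival.isdigit():
            return []
        fac, sev = divmod(int(prival), 8)
        written = []
        for selector, path in self.rules:
            if selector_matches(selector, FACILITY_NAME.get(fac, '?'), SEVERITY_NAME[sev]):
                with self.lock, open(path, 'a') as fh:
                    fh.write(rest + '\n')
                written.append(path)
        return written

class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        if isinstance(self.server, socketserver.UDPServer):   # UDPServer subclasses TCPServer
            data = self.request[0]                           # one datagram, one message
        else:
            data = b''.join(iter(lambda: self.request.recv(4096), b''))
        for line in data.decode(errors='replace').splitlines():
            self.server.receiver.handle_line(line)

def listen(receiver, tcp=False, port=0):
    """The $UDPServerRun / $InputTCPServerRun equivalent; port 0 = pick a free one."""
    srv = (socketserver.TCPServer if tcp else socketserver.UDPServer)(('127.0.0.1', port), _Handler)
    srv.receiver = receiver
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo(tcp=False):
    """Part A's test: mail.err must NOT land in the crit file, mail.crit must."""
    path = os.path.join(tempfile.mkdtemp(), 'mail-crit-logs')
    srv = listen(Receiver([('mail.crit', path)]), tcp=tcp)
    host, port = srv.server_address
    send(format_bsd('mail', 'err', 'logger', 'Err Error', pid=4242), host, port, tcp)
    send(format_bsd('mail', 'crit', 'logger', 'Crit Error', pid=4242), host, port, tcp)
    for _ in range(100):                             # give the receiver thread time
        if os.path.exists(path) and 'Crit Error' in open(path).read():
            break
        time.sleep(0.05)
    srv.shutdown()
    srv.server_close()
    return open(path).read().splitlines()

if __name__ == '__main__':
    print('UDP (@):', demo(tcp=False))
    print('TCP (@@):', demo(tcp=True))
```

Each run prints a single line in the crit file, the one carrying "Crit Error", over both transports; the err message is received but matches no rule, which is exactly why the logger -p mail.err test in Part A needs a mail.crit companion.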
