Reputation-Based Detection is one of the simplest yet most effective methods for detecting a threat. Multiple entities sharing intelligence about known IP addresses that have been a threat in the past can rapidly inform us about the future. The goal of this assignment is to have you utilize one of these lists, build a basic script thatkeeps the list up-to-date and integrate the list with Suricata's alerts. In steps: Write a Bash (simpler) or Python (a bit of an overkill but can be kept better organized) script that maintains a reputation list based on the Malware Domain List (MDL). The script needs to also update its MDL list of addresses. The script needs to output in mdl.list (suricata reputation list compatible format). The bash needs to be able to run through cron daily (meaning that I can call it multiple times and it refreshes the mdl.list). The MDL downloadable list can be found here: http://www.malwaredomainlist.com/forums/index.php?topic=3270.0 Links to an external site. To avoid ATHINA being blacklisted, use instead MDL's copied files from our local repo: assignment-files-master.zip Download assignment-files-master.zip Setup Suricata's configuration filesto utilize the mdl.list file Develop Suricata alerts for any address from within the local network that is communicating with an address that exists in MDL: High confidence if the score is larger thanthe middle score from the range of available confidence rating (considering using the number of hits of an IP on MDL or other reputation lists. Some also give you a confidence rating directly.) Low confidence if the score is lower than the middle score from the range of available confidence rating. Note: Follow naming conventions for the message alert construction as well as appropriate logistic fields associated with each alert. Specify also the list that an alert came from in your message so that one can further investigate the threat associated with that alert. What to use for the assignment You can utilize VirtualBox (or some other VM) to build your testing machines. Lab computers may be more appropriate if you load demanding machines. Useful distros include: SELKS: https://www.stamus-networks.com/open-source/#selks Links to an external site. SecurityOnion: https://securityonion.net/ Links to an external site. Kali: https://www.kali.org/ Links to an external site. SO is by far the most demanding requiring a min of 8GB if ELK stack is utilized. With SELKS, you can get away with 3GB. SELKS contains ELK stack as well as Suricata as the main IDS. Kali is useful for pentests but many of these you can initiate from your host computer. If you do not have sudo access in the host machine check this guide if you need to build several tools from source: Installing with no sudo access An automated testing suite (ATHINA -AutomatedTestingHomeworkInterface forN Assignments) will assist in verifying that your application is compliant with the project requirements. Once you submit the location of your files, it will test the repository and submit 90% of your grade depending on the outcome of the tests. With every new commit to your repository, it will re-evaluate and submit a new grade. This is meant to give you immediate feedback and multiple opportunities to correct your code and get full points for the assignment. I will also test your program by reading your source code and evaluating that everything is in order. Your program must be developed in a gitversion control repository.Use WWU CS's GitLab (https://gitlab.cs.wwu.edu/).The repository must be namedReputationBasedDetection. Set the visibility settings onPrivateand add my account (tsikerm) as aMasterto your repository. In your repository include the following files only: suricata.yaml, update-mdl.sh, local.rules, categories.txt, ip.txt (the IP list file or some other file that contains the ip to be processed by update-mdl.sh) Your code will be tested using the following commands: suricata -c suricata.yaml -r badpcap.pcap. This means that all your configuration and files need to be self-contained in the same directory and pointed to using suricata.yaml suricata.yaml ( suricata.yaml Download suricata.yaml ) will be a downsized version of the configuration file. It will need to point to local.rules as well as the iprep file. update-mdl.sh will create a file mdl.list that is compatible with suricata's iprep. local.rules will contain the two rules raising an alert depending on the severity. Messages need to be defined as: "BAD IP REPUTATION: High Confidence Alert" and "BAD IP REPUTATION:Low Confidence Alert" depending on whether the rating is higher or lower than 50.

Reputation-Based Detection is one of the simplest yet most effective methods for detecting a threat. Multiple entities sharing intelligence about known IP addresses that have been a threat in the...

1 answer below »

Reputation-Based Detection is one of the simplest yet most effective methods for detecting a threat. Multiple entities sharing intelligence about known IP addresses that have been a threat in the past can rapidly inform us about the future.

The goal of this assignment is to have you utilize one of these lists, build a basic script thatkeeps the list up-to-date and integrate the list with Suricata's alerts. In steps:

Write a Bash (simpler) or Python (a bit of an overkill but can be kept better organized) script that maintains a reputation list based on the Malware Domain List (MDL). The script needs to also update its MDL list of addresses. The script needs to output in mdl.list (suricata reputation list compatible format). The bash needs to be able to run through cron daily (meaning that I can call it multiple times and it refreshes the mdl.list). The MDL downloadable list can be found here:

http://www.malwaredomainlist.com/forums/index.php?topic=3270.0

Links to an external site.

To avoid ATHINA being blacklisted, use instead MDL's copied files from our local repo:

assignment-files-master.zip

Download assignment-files-master.zip

Setup Suricata's configuration filesto utilize the mdl.list file

Develop Suricata alerts for any address from within the local network that is communicating with an address that exists in MDL:
- High confidence if the score is larger thanthe middle score from the range of available confidence rating (considering using the number of hits of an IP on MDL or other reputation lists. Some also give you a confidence rating directly.)
- Low confidence if the score is lower than the middle score from the range of available confidence rating.

Note: Follow naming conventions for the message alert construction as well as appropriate logistic fields associated with each alert. Specify also the list that an alert came from in your message so that one can further investigate the threat associated with that alert.

What to use for the assignment

You can utilize VirtualBox (or some other VM) to build your testing machines. Lab computers may be more appropriate if you load demanding machines. Useful distros include:

SELKS:
https://www.stamus-networks.com/open-source/#selks

Links to an external site.

SecurityOnion:
https://securityonion.net/

Links to an external site.

Kali:
https://www.kali.org/

Links to an external site.

SO is by far the most demanding requiring a min of 8GB if ELK stack is utilized. With SELKS, you can get away with 3GB. SELKS contains ELK stack as well as Suricata as the main IDS. Kali is useful for pentests but many of these you can initiate from your host computer. If you do not have sudo access in the host machine check this guide if you need to build several tools from source:
Installing with no sudo access

An automated testing suite (ATHINA -AutomatedTestingHomeworkInterface forN
Assignments) will assist in verifying that your application is compliant with the project requirements. Once you submit the location of your files, it will test the repository and submit 90% of your grade depending on the outcome of the tests. With every new commit to your repository, it will re-evaluate and submit a new grade. This is meant to give you immediate feedback and multiple opportunities to correct your code and get full points for the assignment.

I will also test your program by reading your source code and evaluating that everything is in order.

Your program must be developed in a gitversion control repository.Use WWU CS's GitLab (https://gitlab.cs.wwu.edu/).The repository must be namedReputationBasedDetection. Set the visibility settings onPrivateand add my account (tsikerm) as aMasterto your repository.

In your repository include the following files only:
suricata.yaml, update-mdl.sh, local.rules, categories.txt, ip.txt (the IP list file or some other file that contains the ip to be processed by update-mdl.sh)

Your code will be tested using the following commands: suricata -c suricata.yaml -r badpcap.pcap. This means that all your configuration and files need to be self-contained in the same directory and pointed to using suricata.yaml

suricata.yaml
(
suricata.yaml

Download suricata.yaml

) will be a downsized version of the configuration file. It will need to point to local.rules as well as the iprep file.

update-mdl.sh
will create a file mdl.list that is compatible with suricata's iprep.

local.rules
will contain the two rules raising an alert depending on the severity. Messages need to be defined as: "BAD IP REPUTATION: High Confidence Alert" and "BAD IP REPUTATION:Low Confidence Alert" depending on whether the rating is higher or lower than 50.

ip-puzri3w1.txt mdl-klorgdkt.csv suricata-kdukl2nb.yaml

Answered 3 days After Feb 08, 2023

Solution

Aditi answered on Feb 09 2023

32 Votes

SOLUTION.PDF

Reputation-Based Detection is one of the simplest yet most effective methods for detecting a threat. Multiple entities sharing intelligence about known IP addresses that have been a threat in the...

What to use for the assignment

Solution

Answer To This Question Is Available To Download

Related Questions & Answers

Submit New Assignment