Sr No.  Practical                                                                          Date  Sign
1       Encrypting and Decrypting Data Using OpenSSL
2       Demonstrate the use of Snort and Firewall Rules
3       Demonstrate extracting an Executable from a PCAP
4       Demonstrate Analysis of DNS Traffic
5       Create your own syslog Server
6       Configure your Linux system to send syslog messages to a syslog server and read them
7       Install and Run Splunk on Linux
8       Install and Configure ELK on Linux
9       Install and Configure GrayLog on Linux

PRACTICAL NO. 1

AIM: Encrypting and decrypting data using OpenSSL

PROCEDURE:

Download link: https://code.google.com/archive/p/openssl-for-windows/downloads

Set the SYSTEM PATH variable to: D:\soc\OPENSSL\bin

For encryption:

    OpenSSL> enc -aes-256-ecb -a -salt -in Plain_Text.txt -out cipher.txt
    enter aes-256-ecb encryption password:
    Verifying - enter aes-256-ecb encryption password:

For decryption:

    OpenSSL> enc -d -aes-256-ecb -a -salt -in cipher.txt -out decipher.txt
    enter aes-256-ecb decryption password:

OUTPUT:

PRACTICAL NO. 2

AIM: Demonstrate the use of Snort and Firewall Rules.

PROCEDURE:

Step 1: Download WinPcap by browsing to the URL winpcap.org.
Step 2: Download Npcap by browsing to the URL nmap.org/npcap. Click on the Download tab, then click on the Npcap 1.60 installer for Windows.
Step 3: Download Snort by browsing to the URL snort.org. Click on Get Started, go to the Windows tab and download the latest available version of the Snort installer (.exe).
Step 4: Click on Download Rules. Click on Sign In at the top right to obtain the rules for registered users, then click on Sign Up. After you have registered, sign in with your registered details. Download the rules from the Registered Users tab that match the version of Snort you downloaded, and extract the rules files.
Step 5: Install WinPcap, Npcap and Snort.
Step 6: Copy the rules and preproc_rules directories from the extracted location into the C:\Snort directory, replacing the existing rules.
Step 7: Open the C:\Snort\etc\snort.conf file in Notepad++ and make the following changes:
    Line 45:  ipvar HOME_NET 172.16.0.0/22   (change "any" to your own network address)
    Line 48:  ipvar EXTERNAL_NET !$HOME_NET
    Line 104: var RULE_PATH C:\Snort\rules
    Line 105: Comment it out by placing # at the beginning.
    Line 106: var PREPROC_RULE_PATH c:\Snort\preproc_rules
    Line 113: var WHITE_LIST_PATH c:\Snort\rules
              (First create the whitelist.rules file in c:\Snort\rules: open blacklist.rules, change BLACKLIST RULES to WHITELIST RULES, and save it as whitelist.rules using Save As.)
    Line 114: var BLACK_LIST_PATH c:\Snort\rules
    Line 186: Remove the comment and change the log directory path: config logdir: c:\Snort\log
    Line 247: dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor
    Line 250: dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll
    Line 253: Comment it out by placing # at the beginning.
    Lines 265-269: Comment them out by placing # at the beginning of each line.
    Line 335: Comment it out by placing # at the beginning.
    Line 418: Remove the comment.
    Line 511: whitelist $WHITE_LIST_PATH\whitelist.rules, \
    Line 512: blacklist $BLACK_LIST_PATH\blacklist.rules   (change / to \ in the path)
    Lines 546-651: Replace every / in the include paths with \ using Find and Replace, one line at a time.
    Lines 659-661:
        include $PREPROC_RULE_PATH\preprocessor.rules
        include $PREPROC_RULE_PATH\decoder.rules
        include $PREPROC_RULE_PATH\sensitive-data.rules

Step 8: Add the following lines at the end of the local.rules file in C:\Snort\rules:

    alert icmp any any -> any any (msg:"Testing ICMP alert "; sid:1000001;)
    alert udp any any -> any any (msg:"Testing UDP alert "; sid:1000002;)
    alert tcp any any -> any any (msg:"Testing TCP alert "; sid:1000003;)

Step 9: Open a Command Prompt as administrator.
Execute the following commands:
    a) cd c:\Snort\bin
    b) snort -V                                            (print the Snort version)
    c) snort -i 1 -c c:\Snort\etc\snort.conf -T           (test the configuration on interface 1)
    d) snort -W                                            (list the available interfaces)
    e) snort -i 1 -c c:\Snort\etc\snort.conf -A console   (run with alerts printed to the console)
    f) To stop, press Ctrl+C.

PRACTICAL NO. 3

AIM: Demonstrate extracting an executable from a PCAP.

PROCEDURE:

Capture: https://www.cloudshark.org/captures/a9472fbe700a

Export the original capture file and open it in Wireshark. Right-click on an HTTP packet, select Protocol Preferences, then TCP, and check that the "Allow subdissector to reassemble TCP streams" option is selected.

PRACTICAL NO. 4

AIM: Demonstrate analysis of DNS traffic.

PROCEDURE:

Step 1: Start a Wireshark capture.
Step 2: Select Ethernet from the interfaces offered.
Step 3: Start the capture.
Step 4: Open Google Chrome.
Step 5: Browse to a site of your choice and wait for it to finish loading.
Step 6: Stop the capture.
Step 7: In the protocol filter, search for "DNS".
Step 8: In the DNS traffic, search for the site you visited in Chrome.

PRACTICAL NO. 5

AIM: Create your own syslog server.

PROCEDURE:

Step 1: Open VMware Workstation.
Step 2: Create a new Ubuntu virtual machine and name it Server.
Step 3: Create another Ubuntu virtual machine and name it Client.
Step 4: Switch to the Server VM and open a terminal.
Step 5: Run the following steps in the terminal:

    [root@localhost Desktop]# vi /etc/rsyslog.conf
    [Press i to enter insert mode]
    [Uncomment the following lines near the start of the file by deleting the # at the beginning:]
    $ModLoad imudp.so
    $UDPServerRun 514
    $ModLoad imtcp.so
    $InputTCPServerRun 514
    [At the end of the file, add the following line (selector and action separated by whitespace):]
    local4.*    /var/log/DSM.log
    [Press ESC and type :wq]
    [root@localhost Desktop]# touch /var/log/DSM.log
    [root@localhost Desktop]# chmod 666 /var/log/DSM.log
    [root@localhost Desktop]# service rsyslog restart
    Shutting down system logger: [OK]
    Starting system logger: [OK]

OUTPUT:

PRACTICAL NO. 6

AIM: Configure your Linux system to send syslog messages to a syslog server and read them.

PROCEDURE:

Step 1: Open VMware Workstation.
Step 2: Start the Server and Client virtual machines created in Practical No. 5.
Step 3: Open a terminal in the Client VM and fetch its IP address with the command ~$ ip address. Note down the IP address.
Step 4: Download PuTTY and configure a session with that IP address for the Client virtual machine's rsyslog setup.
Step 5: Now open the Server VM.
Step 6: Open a terminal in the Server VM and open the rsyslog.conf file: ~$ vim /etc/rsyslog.conf
Step 7: Make the required changes in the rsyslog file. To save and exit, type the command: :wq
Step 8: Enter the command to check the status of message forwarding over syslog: ~$ rsyslogd
Step 9: Then change the mode of the rsyslog.conf file and edit it:
    ~$ sudo chmod a+rw /etc/rsyslog.conf
    ~$ sudo nano /etc/rsyslog.conf
Step 10: Restart the rsyslog service: ~$ sudo service rsyslog restart
Step 11: Lastly, check the status of the service: ~$ sudo service rsyslog status

OUTPUT:
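The Practical 1 round trip scripted end to end, as an added example that is not part of the lab manual: it uses the manual's enc flags (plus -pbkdf2 for a stronger password-to-key step), then encrypts a constructed file of repeated blocks in ECB and CBC to show why AES-256-ECB leaks plaintext structure. It assumes openssl is on PATH and substitutes a demo password for the interactive prompt.

```shell
#!/bin/sh
# Added example, not from the lab manual. Assumes: openssl on PATH, and a
# demo password passed with -pass instead of the manual's interactive prompt.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='lab-demo-password'   # constructed demo value

enc() {  # enc MODE IN OUT   (the manual's flags -a -salt, plus -pbkdf2)
    openssl enc "-aes-256-$1" -a -salt -pbkdf2 -pass "pass:$PASS" -in "$2" -out "$3"
}
dec() {  # dec MODE IN OUT
    openssl enc -d "-aes-256-$1" -a -salt -pbkdf2 -pass "pass:$PASS" -in "$2" -out "$3"
}

# Plain_Text.txt -> cipher.txt -> decipher.txt; prints "yes" if the files match
roundtrip_ok() {
    printf 'hello from practical 1\n' > "$WORK/Plain_Text.txt"
    enc ecb "$WORK/Plain_Text.txt" "$WORK/cipher.txt"
    dec ecb "$WORK/cipher.txt" "$WORK/decipher.txt"
    if cmp -s "$WORK/Plain_Text.txt" "$WORK/decipher.txt"; then echo yes; else echo no; fi
}

# Encrypt a constructed file of 64 identical 16-byte blocks and count the
# distinct 16-byte ciphertext blocks (the 16-byte "Salted__" header is skipped).
# ECB yields 2 (the repeated block and the final padding block); CBC yields 65.
distinct_blocks() {  # distinct_blocks MODE
    i=0; : > "$WORK/repeat.bin"
    while [ "$i" -lt 64 ]; do printf 'AAAAAAAAAAAAAAAA' >> "$WORK/repeat.bin"; i=$((i + 1)); done
    openssl enc "-aes-256-$1" -salt -pbkdf2 -pass "pass:$PASS" -in "$WORK/repeat.bin" |
        tail -c +17 | od -An -v -tx1 -w16 | sort -u | wc -l | tr -d ' '
}

echo "round trip ok: $(roundtrip_ok)"
echo "distinct ciphertext blocks, ECB: $(distinct_blocks ecb)  CBC: $(distinct_blocks cbc)"
```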
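A sanity check for the local.rules file written in Step 8 of Practical 2, as an added example that is not part of the lab manual: Snort fails its configuration test (the snort -T run in Step 9) on duplicate SIDs, and local rules must use SIDs of 1000000 and above, so the script checks both before Snort is started. Both rules files are constructed sample input; the fourth rule in the good file is an assumed, narrower example alongside the manual's three catch-all rules.

```shell
#!/bin/sh
# Added example, not from the lab manual: lint a Snort local.rules file
# before running `snort -T`. Both rules files below are constructed input.
set -eu
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT

cat > "$GOOD" <<'EOF'
# the manual's three catch-all test rules
alert icmp any any -> any any (msg:"Testing ICMP alert "; sid:1000001;)
alert udp any any -> any any (msg:"Testing UDP alert "; sid:1000002;)
alert tcp any any -> any any (msg:"Testing TCP alert "; sid:1000003;)
# assumed narrower rule: TCP SYN from outside HOME_NET to an internal SSH port
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Inbound SSH connection attempt"; flags:S; sid:1000004; rev:1;)
EOF

cat > "$BAD" <<'EOF'
alert icmp any any -> any any (msg:"dup sid"; sid:1000001;)
alert udp any any -> any any (msg:"dup sid again"; sid:1000001;)
alert tcp any any -> any any (msg:"reserved range"; sid:999;)
alert tcp any any -> any any (msg:"no sid at all";)
EOF

# Print the SID of every active rule (comment lines ignored)
list_sids() {
    grep -v '^[[:space:]]*#' "$1" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}
# Count SID values that appear more than once
duplicate_sids() { list_sids "$1" | sort | uniq -d | wc -l | tr -d ' '; }
# Count SIDs in the range reserved for the official rule set (< 1000000)
reserved_sids() { list_sids "$1" | awk '$1 < 1000000 { n++ } END { print n + 0 }'; }
# Count rule lines with no sid option at all; Snort requires one per rule
missing_sids() {
    awk '/^[[:space:]]*(alert|log|pass|drop|reject|sdrop)/ && !/sid:/ { n++ } END { print n + 0 }' "$1"
}

for f in "$GOOD" "$BAD"; do
    echo "$f: $(list_sids "$f" | wc -l | tr -d ' ') rules with SIDs, $(duplicate_sids "$f") duplicate," \
         "$(reserved_sids "$f") reserved, $(missing_sids "$f") missing"
done
```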
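The client-to-server exchange behind Practicals 5 and 6, as an added example that is not part of the lab manual: it builds a syslog message for the local4 facility that the server's local4.* line writes to /var/log/DSM.log, sends it from the client to the server's UDP 514 listener, and checks on the server that it arrived. The server address 192.0.2.10, the soc-lab tag and the use of nc for sending are assumptions.

```shell
#!/bin/sh
# Added example, not from the lab manual. Assumed: server address (constructed,
# override with SYSLOG_SERVER), nc available on the client for sending.
set -eu
SERVER=${SYSLOG_SERVER:-192.0.2.10}

# Facility and severity codes from the BSD syslog protocol (RFC 3164)
facility_num() {
    case "$1" in
        kern) echo 0;; user) echo 1;; daemon) echo 3;; auth) echo 4;; syslog) echo 5;;
        local0) echo 16;; local1) echo 17;; local2) echo 18;; local3) echo 19;;
        local4) echo 20;; local5) echo 21;; local6) echo 22;; local7) echo 23;;
        *) echo "unknown facility: $1" >&2; return 1;;
    esac
}
severity_num() {
    case "$1" in
        emerg) echo 0;; alert) echo 1;; crit) echo 2;; err) echo 3;;
        warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
        *) echo "unknown severity: $1" >&2; return 1;;
    esac
}
# PRI = facility * 8 + severity; local4.info is 20*8 + 6 = 166
syslog_pri() {  # syslog_pri FACILITY SEVERITY
    echo $(( $(facility_num "$1") * 8 + $(severity_num "$2") ))
}

# Format one BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
syslog_line() {  # syslog_line FACILITY SEVERITY TAG MSG
    printf '<%s>%s %s %s: %s\n' "$(syslog_pri "$1" "$2")" \
        "$(date '+%b %e %H:%M:%S')" "$(uname -n)" "$3" "$4"
}

# Client side: send to the server's UDP 514 listener ($UDPServerRun 514)
send_test_message() {
    syslog_line local4 info soc-lab "test message from client" | nc -u -w1 "$SERVER" 514
}

# Server side: count how many test messages reached the local4 log file
check_received() {
    grep -c 'soc-lab: test message from client' /var/log/DSM.log
}

echo "would send: $(syslog_line local4 info soc-lab 'test message from client')"
```

Run send_test_message on the Client VM, then check_received on the Server VM; a count of 0 means the message never reached DSM.log, so check the listener lines and the restart from Practical 5.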