1) Install and Configure Snort as an Intrusion Prevention System
2) Configure Ubuntu virtual machine to work as a software router
3) Set up Apache webserver with basic authentication
4) Perform nmap http-brute force attack using Kali Linux
5) Analyze Packets using Wireshark
6) Configure Snort to defend against the http-brute force attack

In this tutorial, we demonstrate that Snort can be configured to block an HTTP brute-force dictionary login attack. A brute-force login attack is where an attacker attempts to log in to a website using random credentials stored in a dictionary (e.g. a file). We can spot a brute-force attack when we see a large number of login attempts from the same IP address within a given time period. For example, if we see 6 login attempts within 1 second from the same IP, we can probably assume that a brute-force attack is occurring and we should block the IP initiating the attack. We know this because no human can log in 6 times within 1 second. You can implement such blocking logic using Snort rate_filters (which I demonstrate in the video).

The rules demonstrated in the tutorial may not be useful in a real-world situation. For example, say you have a website on AWS being logged into 1000 times a second by clients around the world. You could implement the rules from the tutorial and block brute-force attacks coming from a single IP. However, a smart attacker is likely to use a different IP address for every login attempt, and the rules in this video would not work. To handle such a situation, it would probably make sense to trigger a CAPTCHA through your web application to stop the attack (although some attacks can get through CAPTCHA).
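
The per-source threshold described above (6 login attempts within 1 second from one IP, then block that IP) can be modelled in a few lines to see both what it catches and what it misses. This is an added example, not the rules from the video and not Snort's own implementation; the function name, the 60-second block duration and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 6        # login attempts, from the tutorial's example
WINDOW_MS = 1000     # within 1 second, from the tutorial's example
BLOCK_MS = 60_000    # assumed block duration; the page does not state one

def apply_rate_limit(events, threshold=THRESHOLD, window_ms=WINDOW_MS, block_ms=BLOCK_MS):
    """events: iterable of (timestamp_ms, source_ip) login attempts.
    Returns (passed, dropped, blocked_ips)."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    blocked_until = {}            # source_ip -> time the block expires
    passed, dropped = [], []
    for ts, ip in sorted(events):
        if blocked_until.get(ip, 0) > ts:      # source is currently blocked
            dropped.append((ts, ip))
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= window_ms:     # expire attempts older than the window
            window.popleft()
        if len(window) >= threshold:           # threshold reached: start blocking
            blocked_until[ip] = ts + block_ms
            window.clear()
            dropped.append((ts, ip))
        else:
            passed.append((ts, ip))
    return passed, dropped, set(blocked_until)

# Constructed sample traffic (documentation address ranges), one attempt every 100 ms.
SINGLE_SOURCE = [(10_000 + i * 100, "192.0.2.10") for i in range(8)]
ROTATING_SOURCES = [(10_000 + i * 100, f"198.51.100.{i + 1}") for i in range(8)]
# A person retrying a password every 2 seconds.
HUMAN = [(10_000 + i * 2000, "203.0.113.5") for i in range(6)]

if __name__ == "__main__":
    for name, events in [("single source", SINGLE_SOURCE),
                         ("rotating sources", ROTATING_SOURCES),
                         ("human", HUMAN)]:
        passed, dropped, blocked = apply_rate_limit(events)
        print(f"{name}: passed={len(passed)} dropped={len(dropped)} blocked={sorted(blocked)}")
```

The single-source burst is cut off at the sixth attempt, while the same burst spread over eight addresses passes untouched, which is the limitation the second paragraph describes.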