Working with virtual switches

When we are building our range, we have to take into account the types of switches that we have and whether we need to configure either a Switch Port Analyzer (SPAN) or a Test Access Point (TAP). Like most things, there are advantages and disadvantages to each. You can find out more at the website http://www.networktaps.com.

An example of a comparison from the website is shown in the following screenshot:

[Screenshot: comparison of SPAN and TAP from networktaps.com]

If you are building your range with physical switches, then this is something you will have to take into consideration. However, if you are using virtual switches, then we do not have this challenge. We looked at this once already, but now we want to look at it from an intrusion detection perspective. To do this, we are going to run our scans, but this time not directly at the sensor. You will need the Kali Linux machine, OWASP, and the Network Security Toolkit. Start all three virtual machines before we continue.

Once the machines are online, we will conduct a scan from our Kali Linux machine against the OWASP machine and across the VMnet2 switch with the Network Security Toolkit running a Snort sensor. The setup is shown in the following diagram:

[Diagram: Kali Linux scanning the OWASP machine across the VMnet2 switch, with the Network Security Toolkit running a Snort sensor]

You will next need to start the Snort sensor on the Network Security Toolkit machine. We covered the steps for this earlier in this chapter.

Tip

Start the sensor on the correct interface: select the one that is attached to VMnet2. For the purposes of this book, we are using the eth1 interface.

Once the sensor is up and running, start the BASE GUI and clear all of the alerts that are currently listed. The next thing we want to do is conduct a scan against the OWASP machine from the Kali Linux machine. We can use any tool we want, but for the demonstration, we will use the Nikto tool that we used earlier. The target IP address for our OWASP machine is 192.168.20.133, and this is the address we will use in our tools. In a Kali Linux terminal window, enter nikto -h 192.168.20.133 to scan the OWASP machine. Return to the BASE display and see whether the attack has been detected.

An example is shown in the following screenshot:

[Screenshot: BASE display showing alerts generated by the Nikto scan]

As the previous screenshot shows, the traffic has generated some alerts. The next thing we will do is look at the alerts that the sensor generated. Click on 100% and this will bring up a list of the alerts that the sensor reported. As we are using the Nikto tool, we are looking for the alerts that are related to web traffic. An example is shown in the following screenshot:

[Screenshot: list of web-related alerts reported by the sensor]

We now have the alerts, so select one of them and examine it further. Earlier in the chapter, when we examined the alerts, we saw additional information about the packet that generated the alert. However, we did not have any information on the payload of the packet, because there was no payload to capture. As these packets are attack patterns, we have a better chance of finding a payload. An example of a payload for a directory traversal attack is shown in the following screenshot:

[Screenshot: payload of a directory traversal alert]
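As an added example (not code from the book), the following Python script parses Snort alert_fast log lines, the text form of the alerts that BASE displays, and picks out the web alerts aimed at the OWASP machine, the same filtering we did by eye in the BASE list. The sample lines, the signature ids and the Kali address 192.168.20.131 are constructed for the example; only 192.168.20.133 comes from the text.

```python
import re
from collections import Counter

# Constructed sample lines in Snort alert_fast format (not real sensor output).
# 192.168.20.131 is an assumed address for the Kali machine; 192.168.20.133 is OWASP.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.20.131:43211 -> 192.168.20.133:80
01/15-10:23:45.223456  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.20.133:80 -> 192.168.20.131:43211
01/15-10:23:46.001234  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.20.131:43212 -> 192.168.20.133:80
01/15-10:23:46.511234  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.20.131 -> 192.168.20.133
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then source -> destination with ports for TCP/UDP only.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def web_alerts(alerts, target, port=80):
    """Keep alerts whose destination is the target's web port, i.e. scan traffic toward OWASP."""
    return [a for a in alerts if a["dst"] == target and a["dport"] == str(port)]

def summarise(alerts):
    """Count alerts per signature and message, the view the BASE alert list gives."""
    return Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts)

if __name__ == "__main__":
    hits = web_alerts(parse_alerts(SAMPLE_ALERTS), "192.168.20.133")
    for sig, count in summarise(hits).most_common():
        print(f"{count:3d}  {sig}")
```

Point the script at the sensor's real alert file (on the Network Security Toolkit that is the Snort alert file under the log directory you configured) to reproduce the BASE view from the command line.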

You can see that the sensor on a virtual switch does not require a SPAN or mirror to see the network traffic as a physical switch would, so we are ready to move on to another section.
