The assignment is to scan a network and a host, and to write some *simple* intrusion detection software.

Your usual CS login should work on w4180.cs.columbia.edu and w4180-target.cs.columbia.edu. (If it doesn't, please let me know.) You'll use w4180.cs.columbia.edu to scan the other machine. Both of these hosts are, in fact, virtual machines running on the same physical box. Each machine has two network interfaces, xennet0 (attached to the regular CS network) and xennet1 (connects all of the virtual machines on this physical host). Because w4180-target is configured much less securely than most machines, I've configured it so that it can only talk to Columbia IP addresses. If you have a strong need to get to it from elsewhere, let me know the IP address in question. If the request is reasonable (and not, say, "all Verizon DSL addresses in Manhattan"), I'll enable them.

You'll need root privileges for this exercise; you'll find the root password in a file in your home directory. (Note: everyone else in the class will have this password, too -- take that into account when deciding what files to store on it. You may also wish to change your password...) Also note that I'll be wiping the (virtual) disks when the semester ends.

You have several tasks.

1) Scan network 192.168.42.0 and see what hosts exist.

2) Using tools discussed in class -- nmap, rpcinfo, showmount -- scan w4180-target.cs.columbia.edu. Learn what versions of what services are running.

3) You may, if you wish, run the same sort of scan on any machines on 192.168.42.0. (w4180-target is one of them.)

4) Some of the services -- three of them, to be precise -- can serve up files. What are the contents of these files?

5) Detect the scans. Log in to w4180-target and write some programs that notice the anomalies. How? Many of the applications that are enabled create log entries. Look at files in /var/log, /var/log/httpd, and /var/squid/logs and see what they contain.

Note that an attempt to connect to a service isn't suspicious. What is suspicious is attempts from the same source to connect to many different services in a short time. Also look for evidence in the logs of failed connections. You may or may not want to run tcpdump as well, per the class notes, to detect inbound connections.

You will probably find it easier to run your scans, then make a copy of the logfiles on another, faster machine, to write your analysis programs. Remember that this is a shared machine, and it's not that fast. For any programming on these machines, there is a C compiler, a Java compiler, and Perl available, plus all the standard Unix utilities. If you're using Java, you'll need to add /usr/pkg/java/scsl-1.5/bin to your path and put the following lines into your .profile:

ulimit -d 262144
ulimit -s 8192

Again, though, you're better off doing your programming on some other machine.

The deliverables:

* Scripts to do the scanning
* The output of the scripts
* The contents of any of those exported files, plus the commands you used to obtain the contents. (Note: you *must* retrieve the contents from w4180; logging in to w4180-target to get them isn't fair....)
* The analysis programs and their output. Additionally, include a copy of the logfiles you used as input data.

Again, I stress that this is supposed to be a *simple* analyzer. I want you to show that you know some of the things to look for, not a perfect job or even the sort of job that would be expected in COMS E6185.

Commands you may find useful:

nmap
showmount
rpcinfo
vnc
ftp
tcpdump
mount

There are man pages available for all of these.
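As an added example (not part of the assignment, and not code from the course machines), here is the kind of *simple* analyzer task 5 asks for, written in Python for the "other, faster machine" you copy the logs to. It applies the rule stated above: one source touching many distinct services inside a short window is flagged, and refused connections are counted separately. The syslog-style line format and the sample lines are constructed for the example; adapt LINE_RE to whatever your /var/log files actually contain.

```python
"""Flag sources that hit many distinct services in a short time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed "host service[pid]: [refused ]connect from IP" format).
SAMPLE_LOG = """\
Mar  3 10:15:01 target ftpd[101]: connect from 192.168.42.7
Mar  3 10:15:02 target telnetd[102]: connect from 192.168.42.7
Mar  3 10:15:02 target httpd[103]: connect from 192.168.42.7
Mar  3 10:15:03 target sshd[104]: connect from 192.168.42.7
Mar  3 10:15:03 target mountd[105]: refused connect from 192.168.42.7
Mar  3 10:15:04 target vncd[106]: connect from 192.168.42.7
Mar  3 10:20:00 target httpd[107]: connect from 192.168.42.9
Mar  3 11:30:00 target ftpd[108]: connect from 192.168.42.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\[\d+\]: "
    r"(?P<status>refused )?connect from (?P<src>[\d.]+)$")

def parse(log_text, year=2024):
    """Return a list of (timestamp, source_ip, service, refused) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not connection records
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["svc"], m["status"] is not None))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_services=4):
    """Map source -> set of services for sources that reach min_services
    distinct services within any window-long span of their own events."""
    by_src = defaultdict(list)
    for ts, src, svc, _ in events:
        by_src[src].append((ts, svc))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {svc for ts, svc in evs[i:] if ts - start <= window}
            if len(seen) >= min_services:
                hits[src] = seen
                break
    return hits

def count_refused(events):
    """Map source -> number of refused connections (the 'failed' evidence)."""
    refused = defaultdict(int)
    for _, src, _, was_refused in events:
        if was_refused:
            refused[src] += 1
    return dict(refused)
```

Tune `window` and `min_services` against your own scan logs: a single legitimate user rarely touches four unrelated services within a minute, while nmap will hit dozens within seconds.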