
This question presents a fictitious security vulnerability in a range of laser printers. The question requires that you develop SNORT IDS rules to detect exploits of this fictitious vulnerability. All information regarding this vulnerability is fabricated to give the illusion of a real security threat. As a result, searches on the Internet will not yield any information regarding the signature of this vulnerability. All the information required to detect exploits for this vulnerability is presented in this question, except where noted otherwise.
You are a security specialist working for XYZ Incorporated.  XYZ use SNORT as their NIDS which protects both their IP sub-networks being and

A security vulnerability has been detected in the Humphrey Pollard Laserprint 12050 printer model.  This vulnerability is remotely exploitable and allows the execution of arbitrary code.
There is a bug in the way the printer processes the PostScript spool management header. A sample of a spool header is given below:
%!PS-Adobe-3.0
%%Creator: texttops/CUPS v1.2.2
%%CreationDate: Thu 21 Sep 2006 11:49:57 AM EST
%%Title: TODO
%%For: username
%%DocumentNeededResources: font Courier-Bold …
The printer’s code which parses these headers reserves only an 8-byte buffer in memory for the value of the “%%For” field. In the example above, the field value is “username”. The buffer can be overflowed by supplying a “%%For” value longer than 8 bytes. The “%%For” field can appear anywhere in the packet.

An exploit has been released in the form of a worm which, once resident in the laser printer’s memory, tricks the printer into emailing all documents received for printing to an email account in Russia. The worm propagates by scanning networks in proximity to its own for other vulnerable printers. On finding vulnerable machines, it copies itself to them and the cycle continues. It also propagates via email as a PDF attachment in which the malicious code is embedded. The email message suggests that the attached document contains a joke and must be printed on a laser printer to be viewed. When the user prints the PDF, its payload is sent to the printer either directly or via a print spooling server. Effectively, this means the worm can attack printers from any host on the network.

If a printer is found to be compromised, power-cycling (turning off and then on) the printer will erase the worm from the printer’s volatile memory.  However, this does not prevent the printer from being re-infected.   

You are required to write 2 SNORT IDS rules labeled (a) and (b) to manage this vulnerability until patches are applied and printers reset.
Rule (a) must detect attempts to exploit this vulnerability on any printer in the company network.  The rule should scan for attempts from any host on the network to any host on the network.  It should also scan only for connections to the Jetdirect printing TCP/IP port number, used by this range of printers. You may need to research Jetdirect to identify which port number it uses for printing and what transport protocol. Google is a good place to start.

The signature of the exploit is given as follows:
%%For: username
The value “username” can be any sequence of characters, but must be exactly 8 characters long. For example, “username” could be “abcdefgh”. Note also that there is a space between the colon and “username”. Immediately following the 8 characters of the username is the payload of the exploit, which is given below as decimal byte values:
124 185 30 135 99 214 51 29
Your rule should match the entire sequence as described above starting from “%%For:” through to the last decimal byte of the exploit payload “29”.  On detecting packets, your rule should generate an alert with a message stating: “Attempt to exploit laser printer vulnerability”.
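As an added example (not part of the original question), the matching logic for rule (a) in Python, run over constructed spool data, together with the Snort rule text it corresponds to. The Jetdirect raw printing port 9100/tcp and the SID 1000001 are assumptions supplied here; the page does not state them.

```python
import re

# Exploit payload bytes, as given in the question (decimal 124 185 30 135 99 214 51 29).
PAYLOAD = bytes([124, 185, 30, 135, 99, 214, 51, 29])
# The same bytes in Snort binary content notation: "7C B9 1E 87 63 D6 33 1D".
PAYLOAD_HEX = " ".join(f"{b:02X}" for b in PAYLOAD)

# Signature: "%%For: " + exactly 8 arbitrary bytes + the payload, anywhere in the packet.
# DOTALL lets the 8 username bytes be anything, including newlines.
SIGNATURE = re.compile(rb"%%For: .{8}" + re.escape(PAYLOAD), re.DOTALL)


def matches_exploit(packet_payload: bytes) -> bool:
    """True when a Jetdirect stream carries the exploit signature described above."""
    return SIGNATURE.search(packet_payload) is not None


def snort_rule_a(sid: int = 1000001, rev: int = 1) -> str:
    """Equivalent Snort rule text. 9100/tcp is Jetdirect's raw printing port;
    the SID is an assumed value from the local (>= 1000000) range."""
    return (
        "alert tcp any any -> any 9100 ("
        'msg:"Attempt to exploit laser printer vulnerability"; '
        'flow:to_server,established; '
        'content:"%%For: "; '
        # distance:8 skips the 8-byte username; within:8 pins the payload right after it.
        f'content:"|{PAYLOAD_HEX}|"; distance:8; within:8; '
        f"classtype:attempted-admin; sid:{sid}; rev:{rev};)"
    )


# Constructed sample traffic: a benign spool header and an exploit attempt.
BENIGN = b"%!PS-Adobe-3.0\n%%Title: TODO\n%%For: username\n%%DocumentNeededResources: font Courier-Bold\n"
EXPLOIT = b"%!PS-Adobe-3.0\n%%Title: joke.pdf\n%%For: abcdefgh" + PAYLOAD + b"\n"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("exploit", EXPLOIT)):
        print(name, "->", "ALERT" if matches_exploit(pkt) else "ok")
    print(snort_rule_a())
```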

Rule (b) must detect attempts by the malicious payload running on any infected printers to email documents to the Internet. You have 6 printers on your network that are vulnerable to this attack.  Their IP addresses are:

Your email rule must apply only to the vulnerable printers on the network.  In other words, your rule should detect attempts to email the hacker from only the above printers, and no other hosts.

This model of laser printer also provides scanning and faxing capabilities. When the scanning function is used, the unit will email the scanned document to an Internet email address given by the user when scanning. As a result, it is normal behaviour for these printers to send emails via SMTP. Therefore, it is necessary to check the recipient email address of the document. The rule should detect attempts to email users outside of the organisation, as no document should be emailed outside the company from a printer. The organisation’s domain name is: xyzcorp.com.au. So any emails sent to an address of form: [email protected] should not be detected, as these addresses are for company employees. Any other email addresses without the exact domain name above should be detected. Any mail server could be used to deliver the email. On detecting an email from one of these printers to an address outside the organisation, your rule should generate an alert with the message: “Compromised printer attempting to email document outside organisation”.
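As an added example (not part of the original question), the recipient check for rule (b) in Python, run over constructed SMTP dialogues, with the matching Snort rule text. The six printer addresses are placeholders from the 192.0.2.0/24 documentation range because the list is absent from the page; the SID 1000002 and case-insensitive domain comparison are assumptions.

```python
import re

# Placeholder addresses: the question lists six vulnerable printers, but that list
# is absent from the page, so these documentation-range values stand in for it.
VULNERABLE_PRINTERS = {"192.0.2.11", "192.0.2.12", "192.0.2.13",
                       "192.0.2.14", "192.0.2.15", "192.0.2.16"}
ORG_DOMAIN = "xyzcorp.com.au"

# Matches a RCPT TO line whose domain is anything other than exactly xyzcorp.com.au.
# The negative lookahead requires the domain to be followed by '>', whitespace or end
# of line, so "xyzcorp.com.au.attacker.example" and "mail.xyzcorp.com.au" both alert.
EXTERNAL_RCPT = r"^RCPT TO:\s*<?[^@\s<>]+@(?!" + re.escape(ORG_DOMAIN) + r"(?:>|\s|$))"
EXTERNAL_RCPT_RE = re.compile(EXTERNAL_RCPT, re.IGNORECASE | re.MULTILINE)


def should_alert(src_ip: str, smtp_payload: str) -> bool:
    """Rule (b) logic: only the vulnerable printers, and only when some recipient
    lies outside the organisation's exact domain."""
    if src_ip not in VULNERABLE_PRINTERS:
        return False
    return EXTERNAL_RCPT_RE.search(smtp_payload) is not None


def snort_rule_b(sid: int = 1000002, rev: int = 1) -> str:
    """Equivalent Snort rule: the same regex goes into the pcre option with /i and /m.
    Destination is any host on 25/tcp because any mail server could be used."""
    printers = "[" + ",".join(sorted(VULNERABLE_PRINTERS)) + "]"
    return (
        f"alert tcp {printers} any -> any 25 ("
        'msg:"Compromised printer attempting to email document outside organisation"; '
        'flow:to_server,established; '
        'content:"RCPT TO:"; nocase; '
        f'pcre:"/{EXTERNAL_RCPT}/im"; '
        f"classtype:policy-violation; sid:{sid}; rev:{rev};)"
    )


# Constructed SMTP client dialogues (server replies omitted).
INTERNAL_SCAN = "EHLO printer\r\nMAIL FROM:<scanner@xyzcorp.com.au>\r\nRCPT TO:<alice@xyzcorp.com.au>\r\n"
EXFIL = ("EHLO printer\r\nMAIL FROM:<scanner@xyzcorp.com.au>\r\n"
         "RCPT TO:<alice@xyzcorp.com.au>\r\nRCPT TO:<drop@example.org>\r\n")
LOOKALIKE = "RCPT TO:<alice@xyzcorp.com.au.attacker.example>\r\n"

if __name__ == "__main__":
    print(should_alert("192.0.2.11", INTERNAL_SCAN), should_alert("192.0.2.11", EXFIL),
          should_alert("192.0.2.11", LOOKALIKE), should_alert("192.0.2.99", EXFIL))
    print(snort_rule_b())
```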

For both rules, be sure to complete the following.

1.    Allocate an appropriate SID value and a revision number
2.    Designate an appropriate class type for this attack.
3.    Annotate your rules with comments describing what each component of the rule does, so other security specialists in your team can see how your rules are written.
4.    Comments can be introduced to your rules file snort.conf by preceding each line with a hash character “#”.  Anything after the hash character to the end of the line will be treated as a comment by SNORT and ignored by the rule parsing code.  

An example of how to present your rules in your assignment document is shown below:

# Your explanation of the below in italics
# Your explanation of the below
drop udp $EXTERNAL_NET any -> $HOME_NET 993
