SNORT

OPERATION MODE 2: PACKET LOGGER MODE

Investigate the traffic with the default configuration file with ASCII mode. Then execute the traffic generator script and choose "TASK-6 Exercise". What is the source port used to connect port 53?
root@thm:~$ sudo snort -dev -K ASCII -l .
root@thm:~$ cd ~/Desktop/Task-Exercises/
root@thm:~$ sudo ./traffic-generator.sh
 Task-6 Exercise
 
root@thm:~$ sudo su
root@thm:~$ cd ~/Desktop/145.254.160.237/
root@thm:~$ ls -la
root@thm:~$ cat UDP\:3009-53
 * 145.254.160.237:3009 -> 145.253.2.203:53
   145.253.2.203:53 -> 145.254.160.237:3009
Read the snort.log file snort.log.1640048004 with Snort; what is the IP ID of the 10th packet?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
 snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -n 10 -dev
 * 65.208.228.223:80 -> 145.254.160.237:3372 TCP TTL:47 TOS:0x0 ID:49313
Read the "snort.log.1640048004" file with Snort; what is the referrer of the 4th packet?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
 snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -n 4 -Xe
 * Referrer: http://www.ethereal.com/development.html
Read the "snort.log.1640048004" file with Snort; what is the Ack number of the 8th packet?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
 snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -n 8 -Xe
 * ***A**** Seq: 0x114C66F0  Ack: 0x38AFFFF3  Win: 0x1920  TcpLen: 20
Read the "snort.log.1640048004" file with Snort; what is the number of the "TCP port 80" packets?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
 snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -Xe 'tcp and port 80'
 * Packet I/O Totals:
   Received:           41
   Analyzed:           41 (100.000%)
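The four log-reading questions above all come down to picking one field out of the text that `snort -r <logfile> -dev` prints: each packet is a record delimited by a `=+=+...` line, with an Ethernet line, then an IP header line carrying `TTL:` and `ID:`, then (for TCP) a flags line carrying `Seq:` and `Ack:`. The following shell functions, added here as an example and not part of the room or of Snort itself, pull the IP ID and Ack number of packet N and count the packets with TCP port P on either side (what the `'tcp and port 80'` BPF filter on the command line would leave as "Received"). `SAMPLE` is a constructed three-packet excerpt in the Snort 2.x `-dev` layout; its third record borrows the `ID:` and `Ack:` values quoted above, combined into one made-up packet.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): extract per-packet fields from
# the text output of `snort -r <logfile> -dev`. SAMPLE is a constructed excerpt
# in the Snort 2.x -dev layout; only the third record reuses values quoted on
# this page, and even that packet is a constructed combination of them.
SAMPLE='12/21-01:33:24.000000 00:00:01:00:00:00 -> FE:FF:20:00:01:00 type:0x800 len:0x3E
145.254.160.237:3372 -> 65.208.228.223:80 TCP TTL:128 TOS:0x0 ID:3905 IpLen:20 DgmLen:48 DF
******S* Seq: 0x38AFFE13  Ack: 0x0  Win: 0x2000  TcpLen: 28

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/21-01:33:24.000000 00:00:01:00:00:00 -> FE:FF:20:00:01:00 type:0x800 len:0x4E
145.254.160.237:3009 -> 145.253.2.203:53 UDP TTL:128 TOS:0x0 ID:3906 IpLen:20 DgmLen:64
Len: 36

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/21-01:33:25.000000 FE:FF:20:00:01:00 -> 00:00:01:00:00:00 type:0x800 len:0x5EA
65.208.228.223:80 -> 145.254.160.237:3372 TCP TTL:47 TOS:0x0 ID:49313 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x114C66F0  Ack: 0x38AFFFF3  Win: 0x1920  TcpLen: 20'

# ip_header_line N: print the IP header line (the one carrying "TTL:" and
# "ID:") of packet N, reading -dev output from stdin.
ip_header_line() {
  awk -v n="$1" '/ TTL:/ { c++; if (c == n) { print; exit } }'
}

# ip_id N: the IP ID field of packet N.
ip_id() {
  ip_header_line "$1" | sed -n 's/.*ID:\([0-9]*\).*/\1/p'
}

# tcp_ack N: the Ack number of packet N; the TCP flags line directly follows
# the IP header line of the same packet, so it is the first "Ack:" seen once
# the N-th header has been counted.
tcp_ack() {
  awk -v n="$1" '/ TTL:/ { c++ }
                 c == n && /Ack:/ { sub(/.*Ack: /, ""); sub(/ .*/, ""); print; exit }'
}

# count_tcp_port P: packets whose source or destination TCP port is P.
# $1 is "src:port", $3 is "dst:port" on a "... TCP TTL:" line.
count_tcp_port() {
  awk -v p="$1" '/ TCP TTL:/ { split($1, s, ":"); split($3, d, ":")
                               if (s[2] == p || d[2] == p) c++ }
                 END { print c + 0 }'
}
```

Usage on a real log is `sudo snort -r snort.log.1640048004 -dev | ip_id 10`; the `-n N` option on the page does the same truncation on Snort's side, so piping `-n 10 -dev` output into `ip_id 10` also works.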

OPERATION MODE 3: IDS/IPS

Investigate the traffic with the default configuration file. Then execute the traffic generator script and choose "TASK-7 Exercise". What is the number of the detected HTTP GET methods?

OPERATION MODE 4: PCAP INVESTIGATION

Investigate the mx-1.pcap file with the default configuration file. What is the number of the generated alerts?
Investigate the mx-1.pcap file with the default configuration file. Keep reading the output. How many TCP Segments are Queued?
Investigate the mx-1.pcap file with the default configuration file. Keep reading the output. How many "HTTP response headers" were extracted?
Investigate the mx-1.pcap file with the second configuration file. What is the number of the generated alerts?
Investigate the mx-2.pcap file with the default configuration file. What is the number of the generated alerts?
Investigate the mx-2.pcap file with the default configuration file. What is the number of the detected TCP packets?
Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file. What is the number of the generated alerts?

SNORT RULE STRUCTURE

Use "task9.pcap". Write a rule to filter IP ID "35369" and run it against the given pcap file. What is the request name of the detected packet?
Use "task9.pcap". Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?
Clear the previous log and alarm files and deactivate/comment out the old rule. Use "task9.pcap". Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
Clear the previous log and alarm files and deactivate/comment out the old rule. Use "task9.pcap". Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of packets that show the same source and destination address?
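The four task9.pcap questions describe one procedure: write a rule, run the pcap through it, count the alerts, then clear the log and alert files and comment the rule out before the next one. The script below, added here as an example and not part of the room or of Snort, keeps all four rules in one local.rules file with exactly one active at a time, and wraps the clean-up and the replay. The rules use Snort 2.x syntax (`id`, `flags`, `sameip` are standard rule options); the `sid` values 1000001-1000004 are arbitrary choices above the reserved range, the file names are assumptions, and `run_rules` needs Snort installed. The same `snort -c ... -r ... -A full -l ...` invocation, with the default snort.conf in place of local.rules, is the form the mx-1.pcap and mx-2.pcap questions in the PCAP investigation section call for.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): a local.rules file for the
# task9.pcap questions with one rule active at a time, plus the clean-up and
# replay steps around it. Snort 2.x rule syntax; sid values are arbitrary and
# file names are assumptions.

# write_rules FILE N: write all four rules to FILE with only rule N active and
# the rest commented out (the "deactivate/comment out the old rule" step).
write_rules() {
  out="$1"; active="$2"; n=0
  : > "$out"
  while IFS= read -r rule; do
    n=$((n + 1))
    if [ "$n" -eq "$active" ]; then
      printf '%s\n' "$rule" >> "$out"
    else
      printf '# %s\n' "$rule" >> "$out"
    fi
  done <<'EOF'
alert ip any any <> any any (msg:"IP ID 35369"; id:35369; sid:1000001; rev:1;)
alert tcp any any <> any any (msg:"TCP SYN only"; flags:S; sid:1000002; rev:1;)
alert tcp any any <> any any (msg:"TCP PSH and ACK"; flags:PA; sid:1000003; rev:1;)
alert ip any any <> any any (msg:"Same source and destination IP"; sameip; sid:1000004; rev:1;)
EOF
}

# clear_logs DIR: remove the alert file and packet logs left by a previous
# run so the next count starts from zero.
clear_logs() {
  rm -f "$1"/alert "$1"/snort.log.*
}

# run_rules RULES PCAP DIR: replay PCAP through RULES, writing full-format
# alerts and packet logs into DIR (run as root, Snort must be installed).
run_rules() {
  snort -c "$1" -r "$2" -A full -l "$3"
}

# count_alerts DIR: number of alerts in DIR/alert; in full format every alert
# record begins with a "[**] [gid:sid:rev] msg [**]" line.
count_alerts() {
  if [ -f "$1"/alert ]; then
    grep -c '^\[\*\*\]' "$1"/alert || true
  else
    echo 0
  fi
}
```

A full pass for the third question is `clear_logs .; write_rules local.rules 3; run_rules local.rules task9.pcap .; count_alerts .`, repeated with 4 in place of 3 for the next one. `flags:S` matches packets with only SYN set; `flags:PA` requires both PSH and ACK and nothing else, which is what "Push-Ack flags" means here.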
Case Example - An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?
