Navigate to the task folder.
Use the given pcap file.
Write rules to detect "all TCP port 80 traffic" packets in the given pcap file.
What is the number of detected packets?
local.rules
alert tcp any any <> any 80 (msg:"TCP Port 80 Traffic Detected inbound"; sid:10001;)
alert tcp any 80 <> any any (msg:"TCP Port 80 Traffic Detected outbound"; sid:10002;)
Kali
sudo snort -c local.rules -r mx-3.pcap -A full -l .
What is the destination address of packet 63?
The easiest way to look at a certain packet is to use -n to only show the amount of packets we want to see.
Kali
sudo snort -r snort.log.1690286170 -n63
What is the ACK number of packet 64?
Kali
sudo snort -r snort.log.1690286170 -n64
What is the SEQ number of packet 62?
Kali
sudo snort -r snort.log.1690286170 -n62
What is the TTL of packet 65?
Kali
sudo snort -r snort.log.1690286170 -n65
What is the source IP of packet 65?
What is the source port of packet 65?
Writing IDS Rules (FTP)
local.rules
alert tcp any any <> any 21 (msg:"FTP inbound"; sid:10001;)
alert tcp any 21 <> any any (msg:"FTP outbound"; sid:10002;)
What is the number of detected packets?
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
What is the FTP service name?
Kali
sudo snort -r snort.log.1690287034 -X
Write a rule to detect failed FTP login attempts in the given pcap. What is the FTP service name?
local.rules
alert tcp any any <> any 21 (msg: "Failed FTP Login"; content:"530 User"; sid: 100003; rev: 1;)alert tcp any any <> any 21 (msg: "Failed FTP Login"; content:"530 User"; sid: 100003; rev: 1;)alert tcp any any <> any 21 (msg: "Failed FTP Login"; content:"530 User"; sid: 100003; rev: 1;)
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
Write a rule to detect successful FTP logins in the given pcap. What is the number of detected packets?
local.rules
alert TCP any any <> any 21 (msg:"FTP Success Login"; content:"230 User"; sid:100000; rev:1;)
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password. What is the number of detected packets?
local.rules
alert tcp any any <> any 21 (msg: "FTP Failed Login-Bad or No Password"; content:"331 Password"; sid: 100005; rev: 1;)
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password. What is the number of detected packets?
local.rules
alert tcp any any <> any 21 (msg: "FTP Failed Login-Bad or No Password"; content:"331 Password"; sid: 100005; rev: 1;)
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
Writing IDS Rules (PNG)
Write a rule to detect the PNG file in the given pcap.
local.rules
alert TCP any any <> any any (msg:"PNG File Dectected"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100002; rev:1;)
Investigate the logs and identify the software name embedded in the packet.
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
sudo snort -r snort.log* -X
Write a rule to detect the GIF file in the given pcap.
local.rules
alert TCP any any <> any any (msg:"GIF87a detected"; content:"|47 49 46 38 37 61|"; sid:10000003; rev:1;)
alert TCP any any <> any any (msg:"GIF89A detected"; content:"|47 49 46 38 39 61|"; sid:10000004; rev:1;)
Investigate the logs and identify the software name embedded in the packet.
Kali
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
sudo snort -r snort.log* -X
Writing IDS Rules (Torrent Metafile)
Write a rule to detect the torrent metafile in the given pcap.
local.rules
alert TCP any any <> any any (msg:"Torrent Detected"; content:".torrent"; sid:10000003; rev:1;)
What is the number of detected packets?
Kali
sudo snort -c local.rules -r torrent.pcap -A full -l .
sudo snort -r snort.log* -X
Troubleshooting Rule Syntax Errors
Fix the syntax error in local-1.rules file and make it work smoothly.
local-1.rules
alert TCP any 3372 -> any any (msg:"Troubleshooting 1"; sid:1000001; rev:1;)
What is the number of the detected packets?
Kali
sudo snort -c local-1.rules -r mx-1.pcap -A full -l .
Fix the syntax error in local-2.rules file and make it work smoothly.
local-2.rules
alert icmp any any -> any any (msg:"Troubleshooting 2"; sid:1000001; rev:1;)
What is the number of the detected packets?
Kali
sudo snort -c local-2.rules -r mx-1.pcap -A full -l .
Fix the syntax error in local-3.rules file and make it work smoothly.
local-3.rules
alert icmp any any -> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any 80,443 (msg:"HTTPX Packet Found"; sid:1000002; rev:1;)
What is the number of the detected packets?
Kali
sudo snort -c local-3.rules -r mx-1.pcap -A full -l .
Fix the syntax error in local-4.rules file and make it work smoothly.
local-4.rules
alert icmp any any -> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any 80,443 (msg:"HTTPX Packet Found"; sid:1000002; rev:1;)
What is the number of the detected packets?
Kali
sudo snort -c local-4.rules -r mx-1.pcap -A full -l .
Fix the syntax error in local-5.rules file and make it work smoothly.
local-5.rules
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert icmp any any <> any any (msg: "Inbound ICMP Packet Found"; sid:1000002; rev:1;)
alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000003; rev:1;)
What is the number of the detected packets?
Kali
sudo snort -c local-5.rules -r mx-1.pcap -A full -l .
Fix the syntax error in local-6.rules file and make it work smoothly.
local-6.rules
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 5sudo snort -c local-6.rules -r mx-1.pcap -A full -l .4|"; sid:100001; rev:1;)
What is the number of the detected packets?
Kali
sudo snort -c local-6.rules -r mx-1.pcap -A full -l .
Fix the syntax error in local-7.rules file and make it work smoothly.
local-7.rules
alert tcp any any <> any 80 (msg:"No Message"; content:"|2E 68 74 6D 6C|"; sid: 100001; rev:1;)
Kali
sudo snort -c local-7.rules -r mx-1.pcap -A full -l .
Using External Rules (MS17-010)
Use the given rule file (local.rules) to investigate the ms1710 exploitation. What is the number of detected packets?
Kali
sudo snort -c local.rules -A full -l . -r ms-17-010.pcap
Clear the previous log and alarm files. Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword. What is the number of detected packets?
local-1.rules
alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; content: "IPC$"; sid:2094285; rev: 3;)
Kali
sudo snort -c local-1.rules -A full -l . -r ms-17-010.pcap
sudo snort -r snort.log* -X
Using External Rules (Log4j)
Use the given rule file (local.rules) to investigate the log4j exploitation.
What is the number of detected packets?
Kali
sudo snort -c local.rules -A full -l . -r log4j.pcap
Investigate the log/alarm files. How many rules were triggered?
Investigate the log/alarm files. What are the first six digits of the triggered rule sids?
Kali
sudo snort -c local.rules -A Full -l . -r log4j.pcap
local-1.rules
alert tcp any any -> any any (msg:"Payload 770-855 bytes"; dsize:770<>855; sid:100001; rev:1;)
What is the number of detected packets?
Kali
sudo snort -c local-1.rules -A full -l . -r log4j.pcap
sudo snort -eX -r snort.log* | vi -