2022-04-12_Lab 11 - Snort - Cyber_Security
Week 11 Lab Snort
Task 1:
Join Room – No Answer needed
Task 2:
- Navigate to the Task-Exercises folder and run the command “./.easy.sh” and write the output. Answer: Too Easy!
Task 3:
- Which snort mode can help you stop the threats on a local machine? Answer: HIPS
- Which snort mode can help you detect threats on a local network? Answer: NIDS
- Which snort mode can help you detect the threats on a local machine? Answer: HIDS
- Which snort mode can help you stop the threats on a local network? Answer: NIPS
- Which snort mode works similarly to NIPS mode? Answer: NBA
- According to the official description of Snort, what kind of NIPS is it? Answer: full-blown
- NBA training period is also known as … Answer: baselining
Task 4:
- Run the Snort instance and check the build number. Answer: 149
- Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build. Answer: 4151
- Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build. Answer: 1
Task 5:
No Answer needed
Task 6:
- What is the source port used to connect to port 53? Answer: 3009
- Read the snort.log file with Snort; what is the IP ID of the 10th packet? Answer: 49313
- Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet? Answer: http://www.ethereal.com/development.html
- Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet? Answer: 0x38AFFFF3
- Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets? Answer: 41
Task 7:
- What is the number of the detected HTTP GET methods? Answer: 2
Task 8:
- What is the number of the generated alerts? Answer: 170
- Keep reading the output. How many TCP Segments are Queued? Answer: 18
- Keep reading the output. How many “HTTP response headers” were extracted? Answer: 3
- What is the number of the generated alerts? Answer: 68
- What is the number of the generated alerts? Answer: 340
- Keep reading the output. What is the number of the detected TCP packets? Answer: 82
- What is the number of the generated alerts? Answer: 1020
Task 9:
- What is the request name of the detected packet? Answer: TIMESTAMP REQUEST
- Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets? Answer: 1
- Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets? Answer: 216
- Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets? Answer: 10
- Case Example - An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation? Answer: rev
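The three rules asked for in Task 9, written out as an added example in Snort rule syntax (these are not the room's or the original write-up's rules; the sid values are arbitrary local-range IDs chosen here, and the rev option is shown to illustrate the last question):

```snort
# Added example rules for Task 9 (sid 1000001-1000003 are arbitrary local-rule IDs)

# 1. Match TCP packets with only the SYN flag set
alert tcp any any -> any any (msg:"SYN flag detected"; flags:S; sid:1000001; rev:1;)

# 2. Match TCP packets with exactly the PSH and ACK flags set
alert tcp any any -> any any (msg:"PSH-ACK flags detected"; flags:PA; sid:1000002; rev:1;)

# 3. Match any IP packet whose source and destination address are identical
alert ip any any -> any any (msg:"Same source and destination IP"; sameip; sid:1000003; rev:1;)

# After editing an existing rule, keep its sid and increment rev (e.g. rev:1 -> rev:2)
```

Save the rules to a file such as local.rules and run them against the lab pcap with `snort -c local.rules -A console -l . -r <lab pcap>` (file names are placeholders), then count the alert lines printed for each sid.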
Task 10:
No Answer needed
Task 11:
No Answer needed
Written on April 12, 2022