Question 1 What does each of the flags in this snort command line do? Answer one by one clearly in a list or table format. Document the source of your information as well. snort -r snort.out -P 5000 -c csec640.rules -e -X -v k none -l log FlagCommand Line -rThis allows snort to read the output file much like it would read in real time, however this can be used to analyze a packet trace of the data that was collected earlier. -p 5000This points to the packet capture length, for this example it is 5000 bytes. Some administrators caution setting a maximum packet length since it could cause the user to overlook large suspicious packets which can be located at the very end of the string of data. -c csec640.rulesThis command points snort to the configuration/destinationpath you want to use. By having several different configurations with variousrules you may want to use. For this lab we used the Csec640 rules. -eThis displays the destination and or logs in the packet headers. By using the e flag, a user can see more information when viewing captured packets while running snort in sniffing mode. -XThis allows the user to see the raw packet data located in the link layer(TCP/IP). By having this flag, the user can see the entire packet. -vThe verbose option allows all packets to be seeing in snort. kThis command controls which checksums snorts transmits. There are several checksum modes including all, noip, notcp and none By using this option is very useful when a user is trying to eliminate packets that have failed their checksums. There are several reasons why this could happen including problems in the network and or possible intrusion attempts. -lThis command tells to log the output of the specified directory in Snort,any alert is placed in this directory. The default logging directory can be found at: /var/log/snort. Source: (Gerg & Cox, 2004) Rule #1: alert udp 255.255.255.255 any -> 192.168.10.2 any (msg:"Malformed Packet"; content:"|44|"; sid:111111;) This rule identifies a possible malformed packet in port 44. Malformed packet meaning that the protocol cannot verify the contents of the packet. There are several reason why a packet could be malformed including if a packet was not reassembled correctly when it was communicating between one node to another. In addition, Wireshark could have mistakenly have chosen the wrong protocol dissector. Another possible reason was that is
malformed ie not following the proper protocol requirements. If the packet was maliciously malformed a nefarious individual can locate vulnerabilities within applications and or the operating system. If a nefarious individual finds a vulnerability within the network, they may cause a denial of service request and force the system to execute a malicious code. Snort alert output: Rule #2: alert tcp 192.168.1.0/24 any -> any 80 (msg: "Outgoing HTTP connection"; sid:222222;) This rule will alert on traffic on the Hypertext Transfer Protocol (HTTP), port 80 is the server which expects to receive any traffic from the Web.
You've reached the end of your free preview.
Want to read all 6 pages?
- Spring '18
- IP address, Hypertext Transfer Protocol, Secure Shell