Project 4: Intrusion Detection Systems (IDS) -- Working with Snort & Wireshark for Intrusion Detection

Abstract: This project is intended to provide experience with the Snort and Wireshark programs. Snort is a simple and powerful network-monitoring agent. You are provided with a packet trace data file, Snort_Data.pcap (which can be opened with Wireshark), and you will write Snort rules to identify suspicious packets.

I. Tools required for this lab:
Install Snort and Wireshark. The packet trace file is provided: "Snort_Data.pcap".
Wireshark homepage
Snort homepage:
How to Write Snort Rules and Keep Your Sanity:
II. Lab Exercises: Snort
You will be using a previously captured trace file (Snort_Data.pcap). Security administrators are commonly asked to look at a packet trace to analyze a recent attack. In this lab we are going to examine this trace file within Wireshark and learn how to use Snort to read traces and to write new Snort rules. The trace doesn't contain a particular attack in progress, but instead several distinct types of questionable and suspicious packets.

A. Copy Snort_Data.pcap to the Snort home directory, usually c:\snort\bin.

B. Start Wireshark from the Start menu. Next, click the "Open" option under the "Files" header in the middle of the screen, and select "c:\snort\bin\snort_data" in the open dialog. Wireshark displays the packets in the trace file as rows in three panes. The top pane contains an overview of the trace file. The middle pane shows details for the selected row, with sections that expand or collapse for physical-layer, data-link-layer, network-layer, and transport-layer content. The bottom pane displays the raw data as a column of hexadecimal side by side with a column of the same data in ASCII. From the top pane we can easily identify IP address and protocol information. From the middle pane we can 'drill down' into the line selected in the top pane to examine flags within protocol headers, checksums, etc. In the bottom pane we can see the
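As an added illustration (not part of the handout), below is a small local rules file of the kind this exercise asks you to write, with the rule anatomy explained in comments. The filename local.rules, the sid numbers and the run command are assumptions; the rules use Snort 2 syntax and flag generic kinds of suspicious packets (a SYN to the Telnet port, ICMP echo requests, a TCP NULL scan, a traversal string in web traffic) rather than anything specific to Snort_Data.pcap, whose contents the preview does not show.

```snort
# local.rules -- added example, not from the lab handout (filename assumed)
#
# Rule anatomy:
#   <action> <proto> <src ip> <src port> <direction> <dst ip> <dst port> (<option>; <option>; ...)
# "any" matches every address or port; "->" is one-directional, "<>" bidirectional.
# Every rule needs a unique sid; values >= 1000000 are reserved for locally written rules.
# rev is bumped whenever the rule is edited, so alert logs can be tied to a rule version.

# 1. Sanity check: fire on every IP packet so you can confirm Snort is reading the trace.
#    Leave it commented out once you have verified the setup; it drowns out everything else.
# alert ip any any -> any any (msg:"LOCAL any IP packet seen"; sid:1000000; rev:1;)

# 2. Connection attempt (SYN only) to the Telnet port: clear-text remote login is
#    suspicious on most modern networks. flags:S matches packets with only SYN set.
alert tcp any any -> any 23 (msg:"LOCAL Telnet connection attempt"; flags:S; sid:1000001; rev:1;)

# 3. ICMP echo requests: harmless alone, but many in a row from one host look like a ping sweep.
alert icmp any any -> any any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000002; rev:1;)

# 4. TCP segment with no flags set at all. Legitimate stacks never send this; it is the
#    signature of a NULL scan probing how the target answers malformed segments.
alert tcp any any -> any any (msg:"LOCAL TCP NULL scan"; flags:0; sid:1000003; rev:1;)

# 5. Payload inspection: the string /etc/passwd inside traffic bound for a web server.
#    content: does a byte match in the payload; nocase makes it case-insensitive.
alert tcp any any -> any 80 (msg:"LOCAL possible directory traversal (/etc/passwd)"; content:"/etc/passwd"; nocase; sid:1000004; rev:1;)

# Reading the trace offline with these rules (Snort 2 command line, run from c:\snort\bin):
#   snort -c local.rules -r Snort_Data.pcap -A console -q -K none
# -r reads packets from the pcap instead of an interface, -A console prints alerts to the
# terminal, -q suppresses the startup banner, -K none disables packet logging to disk.
```

Each alert Snort prints carries the msg text, the sid and the source/destination addresses, so a rule that fires can be cross-checked in Wireshark by filtering the same packet (for example by IP address and port) and inspecting its headers in the middle pane.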
- Spring '16