d. From the CyberOps Workstation VM mininet prompt, open shells for hosts H5 and H10.

mininet> xterm H5
mininet> xterm H10
mininet>

Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Page 3 of 10
Lab – Snort and Firewall Rules
e. H10 will simulate a server on the Internet that is hosting malware. On H10, run the mal_server_start.sh script to start the server.

[[email protected] analyst]# ./lab.support.files/scripts/mal_server_start.sh
[[email protected] analyst]#
f. On H10, use netstat with the -tunpa options to verify that the web server is running. When used as shown below, netstat lists all ports currently assigned to services:

[[email protected] analyst]# netstat -tunpa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      1839/nginx: master
[[email protected] analyst]#

As seen in the output above, the lightweight web server nginx is running and listening for connections on TCP port 6666.
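The check in this step is a manual read of the netstat listing. The following shell script is an added example (not part of the lab or of the CyberOps Workstation VM) that does the same verification programmatically: it parses netstat -tunpa output into "proto port program" rows, keeping only sockets that are actually listening, and exposes a helper that answers whether a given TCP port has a listener. It goes slightly beyond the lab listing by also handling unconnected UDP rows, whose lines lack the State column. The netstat sample embedded below is constructed for the example and modelled on the lab's output; the extra rows (port 25, port 22, port 68) are assumptions, not from the lab.

```shell
#!/bin/sh
# Constructed sample of `netstat -tunpa` output (modelled on the lab listing;
# the rows other than the nginx listener are made up for this example).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      1839/nginx: master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 209.165.200.235:22      209.165.200.226:51322   ESTABLISHED 2210/sshd: analyst
udp        0      0 0.0.0.0:68              0.0.0.0:*                           780/dhclient'

# Read netstat -tunpa output on stdin and print one "proto port program" line
# per listening socket. TCP rows are kept only in state LISTEN; UDP rows have
# no State column, so an unconnected foreign address ("*") marks them as bound.
listening_sockets() {
  awk '
    NR <= 2 { next }                              # skip the two header lines
    $1 ~ /^tcp/ && $6 == "LISTEN" { start = 7 }   # tcp: program name starts at $7
    $1 ~ /^udp/ && $5 ~ /\*$/     { start = 6 }   # udp: no State column, so $6
    !start { next }                               # established/connected: ignore
    {
      port = $4; sub(/.*:/, "", port)             # "0.0.0.0:6666" -> "6666"
      prog = $start                               # PID/Program name may contain spaces
      for (i = start + 1; i <= NF; i++) prog = prog " " $i
      print $1, port, prog
      start = 0
    }'
}

# Exit 0 when a TCP listener is bound to port $1, 1 otherwise (netstat output on stdin).
tcp_listener_on() {
  listening_sockets | awk -v p="$1" '$1 ~ /^tcp/ && $2 == p { found = 1 } END { exit !found }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
if printf '%s\n' "$SAMPLE_NETSTAT" | tcp_listener_on 6666; then
  echo "TCP 6666 has a listener"
else
  echo "TCP 6666 has no listener"
fi
```

On the lab host the same functions run against live output: `netstat -tunpa | listening_sockets` lists every bound service, and `netstat -tunpa | tcp_listener_on 6666` gives a zero exit status only when the malware server from step e is actually up, which makes the check usable from a script rather than by eye.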
g. In the R1 terminal window, an instance of Snort is running. To enter more commands on R1, open another R1 terminal by entering xterm R1 again in the CyberOps Workstation VM terminal window, as shown below. You may also want to arrange the terminal windows so that you can see and interact with each device. The figure below shows an effective arrangement for the rest of this lab.
h. In the new R1 terminal tab, run the tail command with the -f option to monitor the /var/log/snort/alert file in real time. This file is where Snort is configured to record alerts.

[[email protected] analyst]# tail -f /var/log/snort/alert

Because no alerts have been recorded yet, the log should be empty. However, if you have run this lab before, old alert entries may be shown. In either case, you will not receive a prompt after typing this command. This window will display alerts as they happen.
i. From H5, use the wget command to download a file named W32.Nimda.Amm.exe. Designed to download content via HTTP, wget is a great tool for downloading files from web servers directly from the command line.

[[email protected] analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe
--2017-04-28 17:00:04--
Connecting to 209.165.202.133:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345088 (337K) [application/octet-stream]
Saving to: 'W32.Nimda.Amm.exe'

W32.Nimda.Amm.exe   100%[==========================================>] 337.00K  --.-KB/s  in 0.02s

2017-04-28 17:00:04 (16.4 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088]