CSEC 640: Monitoring, Auditing, Intrusion Detection,
Intrusion Prevention, and Penetration Testing
Lab Exercise #2: Working with Snort & Wireshark for Intrusion Detection
This lab is intended to provide experience with the Snort and Wireshark programs.
Snort is a simple and powerful network monitoring agent. We will provide you with a
packet trace and you will write snort rules to identify specific packet types.
I. Tools required for this lab:
• Access to UMUC - VM machine with Snort and Wireshark installed.
• The packet trace, “snort.out”, available from the UMUC - VM site.
II. Pre-lab Background: Below is suggested background reading to help you complete the questions:
• Wireshark homepage: http://www.wireshark.org/ Specifically, the FAQ and the Documentation links:
http://www.wireshark.org/docs/
• Snort homepage: http://www.snort.org
• Snort FAQ: http://www.snort.org/snort/faq/
• Snort Overview: https://www.procyonlabs.com/snort_manual/2.9/node2.html
(If the above link is broken, then google-search the following document:
Snort User Manual 2.9.0 by the Snort Project (published in Dec 2010).)
• How to Write Snort Rules and Keep Your Sanity:
http://searchsecurity.techtarget.com/tip/Modifying-and-writing-custom-Snort-IDSrules
The “modifying and writing” snort rules document above is an especially helpful
reference for writing the snort rules needed for this lab.
Step 1. Read the step-by-step instructions in the Lab1 manual to connect to
VM (i.e., A. DOWNLOADING THE VPN CLIENT and B. GETTING CONNECTED TO
THE CLOUD FOR THE FIRST TIME).
Step 2. After Connecting to VM:
• When you are logged into the cloud system, click "Add Cloud Computer System"
• At the Select vApp Template screen, select “CSEC640_Lab02” and click "Next"
• At the "Name this vApp" screen, add your login name to the end of the name
• Wait while the screen indicates "Creating..."; several Virtual Machines on their own
isolated virtual network are being created for you in the cloud. When the screen indicates
"Stopped", your virtual systems and network have been created.
• Click the green start arrow button. Now the screen should indicate "Starting..."
• When the screen indicates "Running", move your mouse over the first VM to the left;
the popup label will indicate "CSEC640_Lab02"; double-click this VM to open its
• When the Windows XP VM login prompt is displayed, type the following:
◦ Username: Student1
◦ Password: Csec640
III. Lab Exercises
3.1 Snort
Please complete the following exercises. You are required to submit a
lab write up containing answers to questions asked for each task.
Snort is similar to tcpdump, but has cleaner output and a more versatile rule language.
Just like tcpdump, snort will listen to a particular interface, or read a packet trace from a
You will be using a previously captured tracefile (snort.out). Commonly security
administrators are asked to look at a packet trace to analyze a recent attack. In this lab,
we are going to examine this trace file within Wireshark and learn how to use Snort to
read traces and to write new snort rules. The trace doesn't contain a particular attack in
progress, but instead several different distinct types of questionable packets.
Start Wireshark on your virtual machine from the start menu.
Next, click on the “Open” option under the “Files” header in the middle of the screen,
and select “c:\snort\bin\snort.out” in the open dialog.
WireShark will display the packets in the trace file listed in rows in three panes. The top
pane contains an overview of the trace file. The middle pane shows details for the
particular selected row, with sections that expand or collapse for physical layer, data-link
layer, network layer, and transport layer content. The pane at the bottom of the screen
displays the raw data in a column of hexadecimal side-by-side with a column of the data in
ASCII format.
From the top pane we can easily identify IP address and protocol information. From the
middle pane we can 'drill down' into the line that is selected in the top pane, to examine
various flags within protocol headers, checksums, etc. In the bottom pane we can see
the raw contents that are selected in the top pane, and whatever we have selected in
the middle pane is highlighted in the bottom pane.
Let's take a closer look at the bottom pane. Some suspicious material contains
non-alphanumeric ASCII characters or binary content. In such cases it is helpful to view the
corresponding hexadecimal representation of the contents.
Note in the above example (which is taken from a different trace file) on the right of the
pane, we see various ASCII characters. The “.” indicators in the right-hand column
identify either an ASCII period or binary data, while the alpha-numeric characters and
other punctuation symbols in the right-hand column represent the raw data as ASCII
characters. The values, to the left, represent the data in hexadecimal. Here in this
trace, “00 C0 9F 34 9E AC” represents the destination MAC address in the frame. The
hexadecimal representation to the left shows that the first four bytes are “00 c0 9f 34”;
here the hex characters “34” are part of the destination MAC address. At the end of the
fourth row we see, to the right, the characters “SMB2”. The fourth row, as represented
in hexadecimal, is: “fa 94 aa f1 00 00 00 00 00 86 ff 53 4d 42 32 00”. Note that the ASCII
value for “S” is represented in hex as 53, so “53 4d 42 32” is the hexadecimal
representation of “SMB2”. If we wanted to identify these packet contents in a snort rule,
we could look for the binary content “fa 94 aa f1”, which is the first four bytes of the
fourth row in hexadecimal, and we could also look for the ASCII content “SMB2”, which
is found towards the end of the fourth row.
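As an added illustration (not code from the lab handout), this Python snippet shows how the two forms of content just described, the raw bytes “fa 94 aa f1” and the ASCII text “SMB2”, map onto the same hex-pane row using Snort's content syntax, in which anything between pipe characters is hex. The row bytes are re-typed from the text above, and the offset/depth arguments are assumed to behave like the Snort modifiers of the same name.

```python
# Added example (not part of the lab handout): convert a Snort "content" string
# into bytes and locate it in a packet, the way the hex pane above lets you spot
# both the binary bytes "fa 94 aa f1" and the ASCII text "SMB2" in one row.

# The fourth hex-pane row quoted above, re-typed as bytes (a constructed sample
# containing only that row, not the whole frame).
ROW4 = bytes.fromhex("fa 94 aa f1 00 00 00 00 00 86 ff 53 4d 42 32 00")

def content_to_bytes(spec):
    """Snort content syntax: plain text is matched as ASCII, and anything between
    a pair of '|' pipes is hex, so "|53 4d 42|2" and "SMB2" are the same bytes.
    (Backslash escapes for '|', '"' and ';' are not handled here.)"""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2:                          # odd chunks sit inside |...|: hex
            out += bytes.fromhex(chunk)
        else:                              # even chunks are literal ASCII
            out += chunk.encode("ascii")
    return bytes(out)

def find_content(payload, spec, offset=0, depth=None):
    """Index of the first match of 'spec' in 'payload', or -1. 'offset' and
    'depth' mimic the Snort modifiers of the same name: start looking 'offset'
    bytes in and search only the next 'depth' bytes from there."""
    needle = content_to_bytes(spec)
    end = None if depth is None else offset + depth
    pos = payload[offset:end].find(needle)
    return -1 if pos < 0 else offset + pos

if __name__ == "__main__":
    # Both forms the text suggests for matching this row:
    print(find_content(ROW4, "|fa 94 aa f1|"))   # 0: binary content at row start
    print(find_content(ROW4, "SMB2"))            # 11: ASCII content near the end
    print(find_content(ROW4, "SMB2", depth=8))   # -1: outside the first 8 bytes
```

Adding depth or offset to a content match is what keeps a rule from firing on the same bytes wherever they happen to appear in a payload.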
Scroll through the “c:\snort\bin\snort.out” trace file by using the scroll-bar in the top pane
that has the colored rows of network traffic. Select a line in the top pane. Click in the
middle pane and select information in the middle pane.
Notice the pane at the bottom of the screen. The highlighted contents correspond to what was selected in the middle
Now let's see how we can use this information in Snort.
For snort, we will be using the command-line. The last page of this document contains
a DOS cheat sheet, which you may find helpful during this lab. Open up the command-line
console from the start menu in your Cloud VM. Press “Start” then “Run...”, and then
type “cmd.exe” in the entry box and click “ok.”
To enter the snort directory, type the following at the command prompt:
You can always get a list of command line options by typing "snort --help". A good set of
command line arguments to pass snort in this lab is:
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
Reading the help file, include in your lab write-up what each of those flags should do.
The intention of snort is to alert the administrator when any rules match an incoming
Administrators can keep a large list of rules in a file, much like a firewall rule set, may be
All the rules are generally about one line in length and follow the same format. Here's an
log tcp any any -> 184.108.40.206 23 (msg: "telnet to www machine!"; sid:999;)
This rule tells snort to record ("log") all packets destined to the telnet port on
220.127.116.11 and to include a user readable string. The sid is the Snort rule ID (a.k.a.
Signature ID). You can use any sid number (sid:xxx) you wish to use for this exercise.
In general, all rules are of this form:
action protocol address port direction address port (rule option)
In our example, the action was "log". We could simply write to a common alert file with
command "alert". The difference between log and alert is that each IP address gets its
own log file for later analysis, while all alerts are stored in one common file.
The protocol field can be "tcp", "udp", or "icmp". "Any" is not allowed. Addresses can be
specified in CIDR notation, and ports can be given as ranges and with the "!" operator.
The example below (stolen from the documentation!) logs all packets to a range of
machines not on ports 6000-6010.
log tcp any any -> 192.168.1.0/24 !6000:6010
The direction operator is either "->", "<-", or "<>" for bi-directional traffic between two
addresses. The rule options specify tasks to be performed if the addresses and
For example, here's a snort rule to catch all ICMP echo messages:
alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)
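To make the header format concrete, here is an added Python example (not from the lab handout or from the Snort project) that parses the seven header fields and checks whether a constructed packet would match, including the "!" port negation and the "<>" direction operator. The packet dictionary and its field names are assumptions made for this example; the rule options are kept as text and not evaluated.

```python
import ipaddress
# Added example (not part of the lab handout): a minimal matcher for the Snort
# rule header "action protocol address port direction address port". It handles
# "any", CIDR blocks, "lo:hi" port ranges, "!" negation and "->" / "<>".
# The options in parentheses are kept as text and are not evaluated here.

def _parse_addr(tok):
    """'any' or an IP/CIDR block, optionally negated with a leading '!'."""
    neg, tok = tok.startswith("!"), tok.lstrip("!")
    return neg, (None if tok == "any" else ipaddress.ip_network(tok, strict=False))

def _parse_port(tok):
    """'any', '23', '6000:6010', ':1024' or '1024:', optionally negated."""
    neg, tok = tok.startswith("!"), tok.lstrip("!")
    if tok == "any":
        return neg, (0, 65535)
    lo, sep, hi = tok.partition(":")
    lo_n = int(lo) if lo else 0
    return neg, (lo_n, int(hi) if hi else (65535 if sep else lo_n))

def parse_rule(rule):
    """Split one rule line into its seven header fields plus the option text."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    return {"action": action, "proto": proto, "dir": direction,
            "src": _parse_addr(src), "sport": _parse_port(sport),
            "dst": _parse_addr(dst), "dport": _parse_port(dport),
            "options": options.rstrip(") ")}

def _addr_ok(spec, ip):
    neg, net = spec
    return (net is None or ipaddress.ip_address(ip) in net) != neg

def _port_ok(spec, port):
    neg, (lo, hi) = spec
    return (lo <= port <= hi) != neg

def _one_way(r, src, sport, dst, dport):
    return (_addr_ok(r["src"], src) and _port_ok(r["sport"], sport)
            and _addr_ok(r["dst"], dst) and _port_ok(r["dport"], dport))

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport (constructed sample values;
    use 0 for ICMP ports). Returns the rule's action on a match, otherwise None."""
    r = parse_rule(rule)
    if r["proto"] != pkt["proto"]:
        return None
    hit = _one_way(r, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and r["dir"] == "<>":      # bidirectional: try the reverse orientation
        hit = _one_way(r, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return r["action"] if hit else None
```

Feeding the ICMP rule above and the "!6000:6010" example through rule_matches shows why a header with three "any" fields matches every packet of that protocol and carries no detection value on its own.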
You should be in the “c:\snort\bin” directory. Open up “c:\snort\bin\csec640.rules” in the
editor by entering the following in the command prompt (assuming that you are in the
Enter the rule listed above, which alerts on icmp type 8 packets. Save and then Exit the
editor by using your mouse to click the File menu and Save, then click the File menu
and Exit, or with your keyboard press “Alt-F” “s” followed by “Alt-F” “x”.
Now run snort so that it uses this rule file.
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
To take a look at the results which were written to c:\snort\bin\log\alert.ids, type the
following command (assuming that you are in the c:\snort\bin directory):
In your write up include the output of this command.
Note that within a snort rule, several options can be listed inside the parentheses. Each
option must end with a semicolon, even if there is only one option. Other useful options
include "content", "flags", and "ipoption". More are listed in the "writing snort rules"
3.2 Complete and Submit Questions 1-3 to the instructor
Question 1 [10 %]
What does each of the flags in this snort command line do?
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
Question 2 [60% - 10% for each of 6 snort rules]
There are several distinct packet signatures in the packet trace file. In the trace file,
there are 30 packets total. Your task is to create 6 new snort rules that will uniquely
identify the 6 different packet signatures. One snort rule is already shown as an
example (i.e., alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8;
sid:999;)). Since you were already provided with the example snort rule, you need
to “comment out” the example rule in the csec640.rules file by putting a
“#” at the beginning of the line in front of the word “alert”. Look through the packet
trace to identify the other rules. Look for more general signatures where you can,
however, be careful not to write signatures that are too general (e.g., no 3 “any”s in a
single rule). Part of the intent of the lab is to learn how to write effective rules. It is easy
to write a rule that matches all IP datagrams regardless of content, but this would be a
very ineffective rule at detecting anomalous or malicious activity.
Include in your write up the 6 additional rules you have created as well as the
c:\snort\bin\log\alert.ids output (you may screen-capture the alert output and include it in
the report). The alert output file is appended each time snort has output, so you want to
erase the alert file by typing
del C:\snort\bin\log\alert.ids
before each snort run while experimenting with different
rules. Be sure to include a descriptive message ("msg" and “sid:xxx”) with each alert. In
addition, briefly explain each rule you write.
The report should include the following information:
• Snort alert rule you’ve created.
• Explain how rule #1 works.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #1.
• Snort alert rule you’ve created.
• Explain how rule #2 works.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running
Repeat for (Rule #3 - Rule #6)
Please test each rule individually and comment out any previous rules that you have
successfully tested. This allows you to test each rule for better troubleshooting.
The rules you write may be instructive, but not the most useful for a real system.
3.3 Gimmiv.A Analysis
Read the analysis at the below links:
Question 3 [20%]
The threat expert links above describe Gimmiv.a as:
“….it could technically be classified as a network-aware trojan that employs
functionality of a typical RPC DCOM network-aware worm to attack other hosts
in the network.”
Describe “in your own words” your interpretation of the above quote. Focus on the
behavior and explain how the code could impact a network. Explain in a few paragraphs
what techniques you may use to detect the above threat caused by Gimmiv.a. You will
likely have to do research to explain this sufficiently. What snort rule(s) should you use
to prevent (or detect) the above threat?
Question 4 [10%]
You learned about covert channels in Week 6. Do you think an IDS like Snort can easily detect
a covert channel? For example, can you write an effective set of Snort rules to prevent any
information leak through a covert channel? Explain your answer in detail.
Note: When you save the lab report, label it as: Firstname_LastName_Lab2.xxx (xxx
is a file extension (e.g., doc, docx, or PDF)).
DOS CHEAT SHEET
COMMANDLINE:                      EXPLANATION:
.                                 current directory
..                                parent directory (up one directory)
*                                 zero or more of any characters
?                                 any one character
dir directory_to_view             list directory_to_view
cd directory_to_go_to             change to directory_to_go_to
copy source_file dest_file        copy source_file to dest_file
ren old_name new_name             rename file from old_name to new_name
move dir1\file1 dir2\file2        move dir1\file1 to dir2\file2
edit /R file1                     view file1 (read only)
del file1 [file2 ...]             delete one or more files

Examples:
dir                               list current directory
dir .                             list current directory
dir ..                            list parent directory
dir *rules                        list current directory where name ends w/ "rules"
dir log                           list current directory where name="log"
cd                                change to default user directory
cd ..                             change to parent directory
cd c:\snort\bin                   change to the bin directory in c:\snort
copy csec.rules csec.rules.orig   make backup copy in current directory
ren alert alert1                  rename "alert" file to "alert1" in same directory
move log\alert log2\alert1        move "alert" file in "log" directory to "alert1" in "log2"
edit /R csec.rules                view the file "csec.rules" from the current directory read-only
edit csec.rules                   open the file "csec.rules" from the current directory for editing
edit /R log\alert*                view file starting with "alert" in the log directory