
CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing Lab Exercise #2: Working with Snort & Wireshark for Intrusion Detection

Snort rule questions. Please see attached file

Question 1 [10 %]
What does each of the flags in this snort command line do?

snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log

Question 2 [60% - 10% for each of 6 snort rules]
There are several distinct packet signatures in the packet trace file. In the trace file, there are 30 packets total. Your task is to create 6 new snort rules that will uniquely identify the 6 different packet signatures. One snort rule is already shown as an example (i.e., alert icmp any any -> any any (msg:"ping detected"; itype:8; sid:999;)). Since you were already provided with the example snort rule, you need to "comment out" the example rule in the csec640.rules file by putting a "#" at the beginning of the line, in front of the word "alert". Look through the packet trace to identify the other rules. Look for more general signatures where you can; however, be careful not to write signatures that are too general (e.g., no 3 "any"s in a single rule). Part of the intent of the lab is to learn how to write effective rules. It is easy to write a rule that matches all IP datagrams regardless of content, but this would be a very ineffective rule for detecting anomalous or malicious activity.

Include in your write-up the 6 additional rules you have created as well as the c:\snort\bin\log\alert.ids output (you may screen-capture the alert output and include it in the report). The alert output file is appended each time snort has output, so you want to erase the alert file by typing

del c:\snort\bin\log\alert.ids

before each snort run while experimenting with different rules. Be sure to include a descriptive message ("msg") and a unique "sid:xxx" with each alert. In addition, briefly explain each rule you write.
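As an added example that is not part of the lab document or of Snort itself, the Python checker below applies the rule-writing guidance above to a rules file before it is handed to snort: it splits each line into the Snort header fields (action, protocol, source address/port, direction, destination address/port) and the option list, confirms that every rule carries a msg and a numeric sid, counts how many header fields are "any" (the lab's "no 3 anys" hint), and flags a rule that has every header field set to "any" and no detection option at all, since that rule matches every packet of its protocol. The sample rules, the "3 anys" warning threshold and the set of non-detection options are constructed assumptions for this example, not Snort requirements.

```python
import re
from dataclasses import dataclass, field

# Snort rule header layout: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# One rule option: keyword, optional ':value' (a quoted value may contain ';'), ending in ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Options that label the alert rather than narrow which packets match (assumed list)
NON_DETECTION_OPTIONS = {"msg", "sid", "rev", "classtype", "priority", "reference", "metadata"}
HEADER_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")


@dataclass
class RuleCheck:
    rule: str
    skipped: bool = False                          # blank or commented-out line
    header: dict = field(default_factory=dict)
    options: dict = field(default_factory=dict)
    any_count: int = 0                             # header fields equal to 'any'
    problems: list = field(default_factory=list)   # rule should not be used as written
    warnings: list = field(default_factory=list)   # rule is legal but very broad

    @property
    def ok(self) -> bool:
        return not self.skipped and not self.problems


def parse_options(text: str) -> dict:
    """Turn 'msg:"a"; itype:8; sid:999;' into {'msg': 'a', 'itype': '8', 'sid': '999'}."""
    return {key: value.strip().strip('"') for key, value in OPTION_RE.findall(text)}


def check_rule(line: str) -> RuleCheck:
    stripped = line.strip()
    result = RuleCheck(rule=stripped)
    if not stripped or stripped.startswith("#"):
        result.skipped = True
        return result

    m = HEADER_RE.match(stripped)
    if m is None:
        result.problems.append(
            "header is not 'action proto src_ip src_port -> dst_ip dst_port (options)'")
        return result

    result.header = {k: v for k, v in m.groupdict().items() if k != "options"}
    result.options = parse_options(m.group("options"))
    result.any_count = sum(result.header[f].lower() == "any" for f in HEADER_FIELDS)
    has_detection_option = bool(set(result.options) - NON_DETECTION_OPTIONS)

    if not result.options.get("msg"):
        result.problems.append("missing msg")
    if not result.options.get("sid", "").isdigit():
        result.problems.append("missing or non-numeric sid")
    if result.any_count == len(HEADER_FIELDS) and not has_detection_option:
        result.problems.append("matches every %s packet" % result.header["proto"])
    if result.any_count >= 3:   # the lab's hint: no 3 'any's in one rule (assumed threshold)
        result.warnings.append("%d 'any' header fields: consider narrowing" % result.any_count)
    return result


def lint_rules(text: str) -> list:
    """Check every line of a rules file; commented-out rules are reported as skipped."""
    return [check_rule(line) for line in text.splitlines()]


# Constructed sample rules for this example (not the lab's csec640.rules)
SAMPLE_RULES = """\
# alert icmp any any -> any any (msg:"ping detected"; itype:8; sid:999;)
alert tcp any any -> 10.0.0.0/8 80 (msg:"HTTP GET to internal web server"; content:"GET "; nocase; sid:1000001;)
alert udp any any -> any 53 (msg:"DNS query"; sid:1000002;)
alert tcp any any -> any any (content:"evil"; sid:1000003;)
alert ip any any -> any any (msg:"everything"; sid:1000004;)
"""

if __name__ == "__main__":
    for check in lint_rules(SAMPLE_RULES):
        if check.skipped:
            continue
        print("OK " if check.ok else "BAD", check.rule[:60], check.problems, check.warnings)
```

Running the script over the sample reports the HTTP rule as OK, the DNS rule as OK with a "3 any" warning, and the last two as BAD (one lacks msg, the other matches every IP packet); a rule whose header omits the destination port, as in a mistyped header, is rejected before any option is examined.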

The report should include the following information:

Rule #1:
• Snort alert rule you’ve created.
• Explain how rule #1 works.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #1.

Rule #2:
• Snort alert rule you’ve created.
• Explain how rule #2 works.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #2.

Repeat for Rule #3 through Rule #6.

Please test each rule individually and comment out any previous rules that you have already tested successfully. This lets you test one rule at a time, which makes troubleshooting easier.

The rules you write may be instructive, but not the most useful for a real system.

3.3 Gimmiv.A Analysis

Read the analysis at the below links:

Question 3 [20%]
The threat expert links above describe Gimmiv.a as:

“….it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network.”

Describe “in your own words” your interpretation of the above quote. Focus on the behavior and explain how the code could impact a network. Explain in a few paragraphs what techniques you may use to detect the above threat caused by Gimmiv.a. You will likely have to do research to explain this sufficiently. What snort rule(s) should you use to prevent (or detect) the above threat?

Question 4 [10%]

You learned about covert channels in Week 6. Do you think an IDS like Snort can easily detect a covert channel? For example, can you write an effective set of Snort rules to prevent any information leak through a covert channel? Explain your answer in detail.

Note: When you save the lab report, label it as: (xxx is a file extension (e.g., doc, docx, or PDF)).

.                                current directory
..                               parent directory (up one directory)
../                              parent directory (up one directory)
*                                zero or more of any characters
?                                any one character

dir directory_to_view            list directory_to_view
cd directory_to_go_to            change to directory_to_go_to
copy source_file dest_file       copy source_file to dest_file
ren old_name new_name            rename file from old_name to new_name
move dir1\file1 dir2\file2       move dir1\file1 to dir2\file2

edit /R file1                    view file1 (read only)
edit file1                       edit file1
del                              delete one or more files

dir                              list current directory
dir .                            list current directory
dir ..                           list parent directory
dir *rules                       list current directory where name ends with "rules"
dir log                          list current directory where name = "log"

cd                               change to default user directory
cd ..                            change to parent directory
cd c:\snort\bin                  change to the bin directory in c:\snort

copy csec.rules csec.rules.orig  make backup copy in current directory
ren alert alert1                 rename "alert" file to "alert1" in same directory

move log\alert log2\alert1       move "alert" file in "log" directory to "alert1" in "log2" directory

edit /R csec.rules               view the file "csec.rules" from the current directory read-only
edit csec.rules                  open the file "csec.rules" from the current directory for editing
edit /R log\alert*               view the file starting with "alert" in the log directory

Abstract: This lab is intended to provide experience with the Snort and Wireshark programs. Snort is a simple and powerful network monitoring agent. We will provide you with a packet trace and you will write snort rules to identify specific packet types.

I. Tools required for this lab:
• Access to the UMUC VM machine with Snort and Wireshark installed.
• The packet trace, "snort.out", available from the UMUC VM site.

II. Pre-lab Background:
Below is suggested background reading to help you complete the questions:
• Wireshark homepage, specifically the FAQ and the Documentation links
• Snort homepage
• Snort FAQ
• Snort Overview (if the above link is broken, then google-search the following document: Snort User Manual 2.9.0 by the Snort Project, published in Dec 2010)
• How to Write Snort Rules and Keep Your Sanity

The "modifying and writing" snort rules document above is an especially helpful reference for writing the snort rules needed for this lab.

Step 1. Read the step-by-step instructions in CyberlabVPNAccess640.doc to access the VPN.
Step 2. Read the step-by-step instructions in CyberlabVMAccess640.docx to connect to the VM.
