Snort Challenge - Live Attacks

Put your snort skills into practice and defend against a live attack

Scenario 1 | Brute Force

Start Snort in sniffer mode and try to figure out the attack source, service and port.

Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.

IPS mode and dropping packets

Full alert mode provides all possible information about the alert. There is no console output in this mode. Start the Snort instance in full alert mode (-A full) with the following command:

sudo snort -c /etc/snort/snort.conf -A full

IDS/IPS mode with parameter "-A full"

Snort IPS mode is activated with the -Q --daq afpacket parameters. This mode can also be enabled by editing the snort.conf file.

Activate the Data Acquisition (DAQ) module afpacket and bridge the two interfaces so that Snort sits inline between them and can drop packets as an IPS: -i eth0:eth1

Block the traffic at least for a minute and then the flag file will appear on your desktop.
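The rule and the inline-mode command for Scenario 1, as an added example that is not part of the original write-up. The rules-file path, the SID value 1000001 and the eth0:eth1 interface pair are assumptions for the lab; the -Q --daq afpacket switches are the IPS-mode parameters described above.

```shell
#!/bin/sh
# Added example (not from the original write-up): write a local rule that drops
# inbound SSH traffic, then print the command that runs Snort inline with it.

# Write a drop rule for TCP/22 (the brute-forced SSH service) to the given file.
write_ssh_drop_rule() {
    rules_file="$1"
    cat > "$rules_file" <<'EOF'
# Drop every TCP segment destined to port 22, in either direction of the bridge.
# sid 1000001 is an assumed local-rule id (local rules use sid >= 1000000).
drop tcp any any -> any 22 (msg:"SSH brute force - drop inbound SSH"; sid:1000001; rev:1;)
EOF
}

# Print the inline command: -Q enables IPS (inline) mode, --daq afpacket selects
# the packet module, -i eth0:eth1 bridges the two interfaces, -A full keeps the
# full alert log so the drops can be reviewed after the minute has passed.
ips_command() {
    printf 'sudo snort -c %s -q -Q --daq afpacket -i eth0:eth1 -A full\n' "$1"
}

# Usage (assumed path): writes the rule file and shows the command to run.
write_ssh_drop_rule /tmp/local.rules
ips_command /tmp/local.rules
```

Run the printed command, leave it in place for at least a minute, and the flag file appears once the attacker's SSH attempts have been dropped rather than alerted on.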

What is the name of the service under attack?

SSH

What is the used protocol/port in the attack?

TCP/22

Scenario 2 | Reverse-Shell

Start Snort in sniffer mode and try to figure out the attack source, service and port.

What is the used protocol/port in the attack?

TCP/4444

Which tool is highly associated with this specific port number?

Metasploit

Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.

Block the traffic at least for a minute and then the flag file will appear on your desktop.
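The rule for Scenario 2, as an added example that is not part of the original write-up: a reverse shell on TCP/4444 is initiated from the victim outward, so the rule uses the bidirectional operator to drop both the outbound connection and the listener's replies. The rules-file path and the SID value 1000002 are assumptions; the same -Q --daq afpacket -i eth0:eth1 command from Scenario 1 runs it inline.

```shell
#!/bin/sh
# Added example (not from the original write-up): write a local rule that drops
# reverse-shell traffic on TCP/4444 regardless of which side sent the packet.

write_reverse_shell_drop_rule() {
    rules_file="$1"
    cat > "$rules_file" <<'EOF'
# "<>" matches both directions: the victim's outbound connect to port 4444 and
# the command traffic coming back from the listener are both dropped.
# sid 1000002 is an assumed local-rule id (local rules use sid >= 1000000).
drop tcp any 4444 <> any any (msg:"Reverse shell on TCP/4444 - drop"; sid:1000002; rev:1;)
EOF
}

# Usage (assumed path); then run Snort inline against this file:
#   sudo snort -c /tmp/local.rules -q -Q --daq afpacket -i eth0:eth1 -A full
write_reverse_shell_drop_rule /tmp/local.rules
```

Because the port is the only thing the rule keys on, it also blocks legitimate use of TCP/4444; in this lab that is acceptable, but a production rule would narrow the source or destination addresses.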
