> For the complete documentation index, see [llms.txt](https://jacob-taylor.gitbook.io/security-analyst/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jacob-taylor.gitbook.io/security-analyst/path-3/network-security-and-traffic-analysis/snort-challenge-live-attacks.md).

# Snort Challenge - Live Attacks

## <mark style="color:red;">Scenario 1 | Brute Force</mark>

***Start Snort in sniffer mode and try to figure out the attack source, service and port.***

<figure><img src="/files/ktZjwDq1sdX0LAdGCMoI" alt=""><figcaption><p><code>sudo snort -v -i eth0:eth1</code></p></figcaption></figure>

***Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.***

<figure><img src="/files/CTcRackLtu4qeE5lkGwc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4ObVEZlGvysT4qHXsvnt" alt=""><figcaption><p><code>drop tcp any 22 -> any any</code>  would be more direct</p></figcaption></figure>

### <mark style="color:orange;">IPS mode and dropping packets</mark>

<mark style="color:yellow;">Full alert mode provides all possible information about the alert. There is no console output in this mode. Start the Snort instance in full alert mode (-A full ) with the following command</mark> <mark style="color:yellow;"></mark><mark style="color:yellow;">`sudo snort -c /etc/snort/snort.conf -A full`</mark>

### <mark style="color:orange;">IDS/IPS mode with parameter "-A full"</mark>

<mark style="color:yellow;">Snort IPS mode activated with</mark> <mark style="color:yellow;"></mark><mark style="color:yellow;">`-Q --daq afpacket`</mark> <mark style="color:yellow;"></mark><mark style="color:yellow;">parameters. This mode can also be activated by editing snort.conf file.</mark>

<mark style="color:yellow;">Activate the Data Acquisition (DAQ) modules and use the afpacket module to use snort as an IPS:</mark> <mark style="color:yellow;"></mark><mark style="color:yellow;">`-i eth0:eth1`</mark>

***Block the traffic at least for a minute and then the flag file will appear on your desktop.***

<figure><img src="/files/OYeEr0euVlE1zQjyaQrg" alt=""><figcaption></figcaption></figure>

***What is the name of the service under attack?***

SSH

***What is the used protocol/port in the attack?***

TCP/22

<figure><img src="/files/JjbFVdVuKZS8EQutAPhg" alt=""><figcaption><p>TCP/22</p></figcaption></figure>

### <mark style="color:red;">Scenario 2 | Reverse-Shell</mark>

***Start Snort in sniffer mode and try to figure out the attack source, service and port.***

<figure><img src="/files/PXuNsIJ2JHZBkx69SxiO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mNUBPOZV54vr8OLtiryD" alt=""><figcaption><p>Transfer Control Protocol (TCP)/4444</p></figcaption></figure>

***What is the used protocol/port in the attack?***

TCP/4444

***Which tool is highly associated with this specific port number?***

Metasploit

<figure><img src="/files/BW8JbcMbo2iY911KAY6B" alt=""><figcaption></figcaption></figure>

***Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.***

<figure><img src="/files/oVwioyrIWhndsFFYedXI" alt=""><figcaption></figcaption></figure>

***Block the traffic at least for a minute and then the flag file will appear on your desktop.***

<figure><img src="/files/PbVrStHlWzsFWTb5SAGS" alt=""><figcaption></figcaption></figure>
