# Snort Challenge - Live Attacks
## Scenario 1 | Brute Force
***Start Snort in sniffer mode and try to figure out the attack source, service and port.***
sudo snort -v -i eth0:eth1
***Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.***
drop tcp any 22 -> any any would be more direct
### IPS mode and dropping packets
Full alert mode provides all possible information about the alert. There is no console output in this mode. Start the Snort instance in full alert mode (-A full ) with the following command `sudo snort -c /etc/snort/snort.conf -A full`
### IDS/IPS mode with parameter "-A full"
Snort IPS mode activated with `-Q --daq afpacket` parameters. This mode can also be activated by editing snort.conf file.
Activate the Data Acquisition (DAQ) modules and use the afpacket module to use snort as an IPS: `-i eth0:eth1`
***Block the traffic at least for a minute and then the flag file will appear on your desktop.***
***What is the name of the service under attack?***
SSH
***What is the used protocol/port in the attack?***
TCP/22
TCP/22
### Scenario 2 | Reverse-Shell
***Start Snort in sniffer mode and try to figure out the attack source, service and port.***
Transfer Control Protocol (TCP)/4444
***What is the used protocol/port in the attack?***
TCP/4444
***Which tool is highly associated with this specific port number?***
Metasploit
***Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.***
***Block the traffic at least for a minute and then the flag file will appear on your desktop.***
