Snort Challenge - Live Attacks

Put your snort skills into practice and defend against a live attack

Last updated 2 years ago

Scenario 1 | Brute Force

Start Snort in sniffer mode and try to figure out the attack source, service and port.

Write an IPS rule and run Snort in IPS mode to stop the brute-force attack.

IDS/IPS mode with parameter "-A full"

Full alert mode writes every available field of an alert to the alert file; there is no console output in this mode. Start the Snort instance in full alert mode (-A full) with the following command: sudo snort -c /etc/snort/snort.conf -A full

IPS mode and dropping packets

Snort's inline IPS mode is activated with the -Q --daq afpacket parameters; the same settings can also be made permanent in snort.conf. The -Q switch puts Snort inline, so rules with the drop action discard matching packets instead of only raising alerts, and the afpacket Data Acquisition (DAQ) module bridges the two interfaces between which Snort sits, given as -i eth0:eth1. Without -Q the DAQ is not inline and no packet can be dropped.
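As an added example (not code from the original page or from the room), the following script puts the pieces together for a Snort 2 setup like the one described: it writes drop rules for both scenarios to local.rules, runs a light syntax check of its own, validates the whole configuration with snort -T, and then starts Snort inline on eth0:eth1. The rules path /etc/snort/rules/local.rules, the sid values 1000001 and 1000002, the lint_rules helper and the use of sudo are assumptions made here; the interface pair and the -Q --daq afpacket switches come from the page.

```shell
#!/bin/sh
# Added example for the Snort 2 setup used in the room (not the page's own
# code). Assumptions made here: Debian/Ubuntu paths under /etc/snort, local
# rule sids 1000001 and 1000002 (local rules must use sids >= 1000000), the
# interface pair eth0:eth1 named on the page, and sudo for the privileged
# steps. Run the full procedure with:  sh snort_ips.sh run

RULES_FILE="${RULES_FILE:-/etc/snort/rules/local.rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# write_rules FILE: drop rules for both scenarios. "drop" only takes effect
# when Snort runs inline (-Q); otherwise nothing is blocked.
write_rules() {
    cat > "$1" <<'EOF'
# Scenario 1: SSH brute force. Matching the destination port discards the
# attacker's attempts before they reach sshd.
drop tcp any any -> any 22 (msg:"SSH brute force blocked"; sid:1000001; rev:1;)
# Scenario 2: reverse shell to the attacker's listener on TCP/4444.
drop tcp any any -> any 4444 (msg:"Reverse shell to port 4444 blocked"; sid:1000002; rev:1;)
EOF
}

# lint_rules FILE: quick syntax check of our own (snort -T is authoritative).
# Every non-comment line must be "<action> <proto> <src> <sport> <dir> <dst>
# <dport> ( ... sid:N; ... )"; a missing sid is the classic reason a rule
# file is rejected. Exit status 0 when all rules pass, 1 otherwise.
lint_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            ok = ($1 ~ /^(alert|log|pass|drop|reject|sdrop)$/) &&
                 ($2 ~ /^(tcp|udp|icmp|ip)$/) &&
                 ($5 == "->" || $5 == "<>") &&
                 ($8 ~ /^\(/) &&
                 ($0 ~ /sid:[0-9]+;/) &&
                 ($0 ~ /\)[ \t]*$/)
            if (!ok) { printf "bad rule at line %d: %s\n", NR, $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# main: write, check, validate, then go inline.
main() {
    write_rules "$RULES_FILE"
    lint_rules "$RULES_FILE" || exit 1
    # local.rules only matters if snort.conf includes it.
    grep -q '^include \$RULE_PATH/local.rules' "$SNORT_CONF" ||
        echo "warning: $SNORT_CONF does not include \$RULE_PATH/local.rules" >&2
    # -T parses the configuration and every included rule file, then exits.
    sudo snort -T -c "$SNORT_CONF" || exit 1
    # Inline IPS: -Q enables inline mode so drop rules really drop, and the
    # afpacket DAQ bridges eth0 and eth1 so Snort sits between attacker and
    # victim. Equivalent snort.conf lines: "config daq: afpacket" and
    # "config daq_mode: inline". Leave it running for at least a minute.
    sudo snort -c "$SNORT_CONF" -q -Q --daq afpacket -i eth0:eth1 -A console
}

case "${1:-}" in
    run) main ;;
esac
```

Sourcing the file without the run argument only defines the functions, which is how you would reuse write_rules and lint_rules against a rules file of your own before handing it to snort -T.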

Block the traffic for at least a minute; the flag file will then appear on your desktop.

What is the name of the service under attack?

SSH

What is the used protocol/port in the attack?

TCP/22

Scenario 2 | Reverse-Shell

Start Snort in sniffer mode and try to figure out the attack source, service and port.

What is the used protocol/port in the attack?

TCP/4444

Which tool is highly associated with this specific port number?

Metasploit

Write an IPS rule and run Snort in IPS mode to stop the reverse-shell connection.

Block the traffic for at least a minute; the flag file will then appear on your desktop.
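For the sniffer-mode step of both scenarios (find the attack source, service and port), here is an added example that is not part of the original page: a small shell/awk triage of snort -v output that counts TCP connection attempts (SYN set, ACK clear) per source and destination port, so the brute force shows up as one source hammering port 22 and the reverse shell as a single outbound attempt to port 4444. The packet dump in SAMPLE is constructed for the example; the addresses 10.10.144.38 and 10.10.245.36 and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the original page): triage of "snort -v" sniffer
# output to find the attack source, service and port for both scenarios.
# SAMPLE is a constructed capture in the Snort 2 verbose format; the
# addresses 10.10.144.38 (attacker) and 10.10.245.36 (victim) are invented.
# Separator and blank lines of real output are simply ignored by the parser.

SAMPLE=$(cat <<'EOF'
11/22-13:05:01.100000 10.10.144.38:47232 -> 10.10.245.36:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/22-13:05:01.100500 10.10.245.36:22 -> 10.10.144.38:47232
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x5E6F7A8B  Ack: 0x1A2B3C4E  Win: 0xFAF0  TcpLen: 40
11/22-13:05:01.400000 10.10.144.38:47234 -> 10.10.245.36:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
******S* Seq: 0x2B3C4D5E  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
11/22-13:05:01.700000 10.10.144.38:47236 -> 10.10.245.36:22
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3C4D5E6F  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
11/22-13:05:02.000000 10.10.245.36:51003 -> 10.10.0.1:53
UDP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:61
Len: 33
11/22-13:05:02.300000 10.10.144.38:47238 -> 10.10.245.36:22
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4D5E6F7A  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
11/22-13:05:03.000000 10.10.245.36:39812 -> 10.10.144.38:4444
TCP TTL:64 TOS:0x0 ID:6 IpLen:20 DgmLen:60 DF
******S* Seq: 0x6F7A8B9C  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
EOF
)

# new_connections: read sniffer output on stdin and count TCP connection
# attempts (SYN set, ACK clear) per "src -> dst:port", busiest pair first.
# A brute force is one source opening many connections to one port; a
# reverse shell is the victim opening one connection out to the attacker.
new_connections() {
    awk '
        # packet header: "MM/DD-HH:MM:SS.uuuuuu SRC:SPORT -> DST:DPORT"
        /^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ [0-9.]+:[0-9]+ -> [0-9.]+:[0-9]+$/ {
            split($2, s, ":"); src = s[1]
            dst = $4
            next
        }
        # TCP flags line: 8 positions "12UAPRSF", e.g. ******S* (SYN only),
        # ***A**S* (SYN-ACK). Position 7 is SYN, position 4 is ACK.
        $2 == "Seq:" && length($1) == 8 && src != "" {
            if (substr($1, 7, 1) == "S" && substr($1, 4, 1) != "A")
                count[src " -> " dst]++
            src = ""
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# attack_summary: busiest pair as "SRC DST DPORT ATTEMPTS".
attack_summary() {
    new_connections | head -n 1 |
        awk '{ split($4, d, ":"); print $2, d[1], d[2], $1 }'
}

# attempts_to_port PORT: every pair whose destination port is PORT, in the
# same format (answers "who connected out to 4444?").
attempts_to_port() {
    new_connections |
        awk -v p="$1" '{ split($4, d, ":"); if (d[2] == p) print $2, d[1], d[2], $1 }'
}

# Demo on the constructed capture. For a live run save the sniffer output
# first (sudo snort -v -i eth0 > capture.txt) and feed the file instead.
printf '%s\n' "$SAMPLE" | new_connections
printf '%s\n' "$SAMPLE" | attack_summary        # 10.10.144.38 10.10.245.36 22 4
printf '%s\n' "$SAMPLE" | attempts_to_port 4444 # 10.10.245.36 10.10.144.38 4444 1
```

Counting SYN-only packets rather than every packet is what separates the two cases: the brute force produces one new connection per guess from the same source, while the reverse shell is a single handshake in the opposite direction, so new_connections < capture.txt gives the source, the destination port and therefore the service for each.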

Notes

Sniffer mode on the bridged interface pair, used to find the source, service and port in both scenarios: sudo snort -v -i eth0:eth1

A drop rule on the SSH port stops the brute force in Scenario 1, for example drop tcp any 22 -> any any (msg:"SSH traffic blocked"; sid:1000001; rev:1;) (Snort requires a sid on every rule, so a bare rule header is rejected). Note the direction: with source port 22 the rule matches the server's replies rather than the attacker's requests; to discard the attempts before they reach sshd, match destination port 22 instead. The same pattern with port 4444 blocks the reverse shell in Scenario 2.