
LINUX+ AND LPIC-1 GDE.TO LINUX CERTIF.
5th Edition
ISBN:9781337569798
Author:ECKERT
Publisher:ECKERT
Chapter12: Network Configuration
Section: Chapter Questions
Problem 10RQ
Question

This battle room is focused on entry-level tasks for a network analyst where you will be given trials and reconnaissance, sensor tuning, log aggregation, SIEM queries, and network analysis.

For this week’s project, complete the following tasks:

From your Project Ares portal, LOG IN

Click on LAUNCH GAME.

Select the region NORTH AMERICA

Click on Battle School

Under the BATTLE SCHOOL pop-up window, click on START TRAINING.

Under the BATTLE ROOMS tile, click on ENTER.

Under the NETWORK ANALYST tile, click on PLAY.

Wait for the Battle Room to load. While loading, the BATTLE ROOM button will display red. Once the Battle Room is loaded, the BATTLE ROOM button will turn yellow and the center of the disk display will indicate CONNECTED. Click on the BATTLE ROOM button to enter the Battle Room.

Below the TASKS folder, make sure you click on INSTRUCTIONS to download the Network Analyst Fundamentals material.

In the Battle Room, under the TASKS menu select task INTRUSION DETECTION.

Complete the INTRUSION DETECTION tasks (id:1-13, id:16-18, id:20-27). Make sure to save screen captures of your results.

Next, select task HOST ANALYSIS.

Complete the HOST ANALYSIS task (id:14). Make sure to save screen captures of your results.

INTRUSION DETECTION

Objective 1: Determine why launching snort with /home/user1/snort.conf fails, i.e. 'sudo snort -c /home/user1/snort.conf', then fix the issue. Validate Snort starts correctly once you've found the issue.

Objective 2: Add a snort rule to /etc/nsm/rules/local.rules to identify a SYN scan and trigger an alert. Use snort ID 1000

Objective 3: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on a brute force attack against the SSH server on port 22. Use snort ID 1001

Objective 4: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on a large ICMP echo request (>1300 bytes). Use snort ID 1002

Objective 6: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on a FIN scan. Use snort ID 1004

Objective 7: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on an XMAS scan. Use snort ID 1005

Objective 8: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on any traffic originating from the 10.0.0.0/8 address space. Use snort ID 1006.

Objective 9: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on any traffic destined to port 6667 with the SYN flag set. Use snort ID 1007.

Objective 10: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on any Web traffic where the HTTP method is POST. Use snort ID 1008

Objective 11: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on any Web traffic with the word 'login' in the URI portion of the request. Use snort ID 1009

Objective 12: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on attempts to login as the user root to an FTP server. Use snort ID 1010

Objective 13: Add a snort rule in /etc/nsm/rules/local.rules to identify and alert on any Web traffic with the HTTP request method HEAD. Use snort ID 1011

Objective 16: Use bro to read in the packet capture ~/check.pcap and perform an analysis on it

Objective 17: Use wireshark to open the file ~/check.pcap and identify the one port that is open. Use submit --task portopen --answer # to submit the answer.

Objective 18: Use wireshark to open the file ~/check.pcap and identify the IP address that was performing a port scan against the system where the capture was run. Use submit --task portscanner --answer # to submit the answer.

Objective 20: Use wireshark to open the file traffic.pcap in your home directory and identify the first cdp packet. Use submit --task cdptraffic --answer # to submit the answer.

Objective 21: Use wireshark to open the file traffic.pcap in your home directory and identify the first arp packet. Use submit --task arptraffic --answer # to submit the answer.

Objective 22: Use wireshark to open the file traffic.pcap in your home directory and identify the first icmp packet. Use submit --task icmptraffic --answer # to submit the answer.

Objective 23: Use wireshark to open the file traffic.pcap in your home directory and identify the first dhcp packet in the capture. Use submit --task dhcptraffic --answer # to submit the answer.

Objective 24: Use wireshark to open the file traffic.pcap in your home directory and identify the first dns packet in the capture. Use submit --task dnstraffic --answer # to submit the answer.

Objective 25: Use wireshark to open the file traffic.pcap in your home directory and identify the first http packet. Use submit --task httptraffic --answer # to submit the answer.

Objective 26: Use wireshark to open the file traffic.pcap in your home directory and identify the first IPv6 packet. Use submit --task ipv6traffic --answer # to submit the answer.

Objective 27: Use tcpdump or tshark to capture traffic on eth1, apply a BPF filter for TCP port 4444, and write the capture to a pcap.

HOST ANALYSIS

Objective 14: Use tcpdump to capture packets from the eth1 interface