CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

Name: CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
Brand: University of Maryland
Price: 2 USD
Availability: InStock
Author: Claire Mitchell

A revised lab manual for CSEC 640, focusing on monitoring, auditing, intrusion detection, and penetration testing in cybersecurity.

Claire Mitchell

Contributor

4.3

about 1 month ago

Preview (5 of 14)

CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion
Prevention, and Penetration Testing
1. Using Snort and Wireshark, analyze a packet trace file to detect network intrusions. Write
six distinct Snort rules and explain each rule's functionality, including the alert generated
for each.
(Word count requirement: 300-350 words)
2. Discuss the purpose of the various flags used in the Snort command snort -r snort.out -P
5000 -c csec640.rules -e -X -v -k none -l log.
(Word count requirement: 150-200 words)
3. Review the Gimmiv.A exploit and discuss the vulnerabilities it targets and suggest
possible mitigation strategies.
(Word count requirement: 200-250 words)

Lab Exercise #2: Working with Snort & Wireshark for Intrusion
Detection
Abstract:
This lab is intended to provide experience with the Snort and Wireshark programs.
Snort is a simple and powerful network monitoring agent. We will provide you with a
packet trace and you will write snort rules to identify specific packet types.
I. Tools required for this lab:
Access to UMUC - VM machine with Snort and Wireshark installed.
The packet trace, “snort.out”, available from the UMUC - VM site.
II. Pre-lab Background:
Below is suggested background reading to help you complete the questions:
Wireshark homepage http://www.wireshark.org/
Specifically, the FAQ and the Documentation links:
http://www.wireshark.org/faq.html
http://www.wireshark.org/docs/
Snort homepage: http://www.snort.org
Snort FAQ: http://www.snort.org/snort/faq/
Snort Overview: https://www.procyonlabs.com/snort_manual/2.9/node2.html

(If the above link is broken, then google-search the following document:
Snort User Manual 2.9.0 by the Snort Project (published in Dec 2010) ).
How to Write Snort Rules and Keep Your Sanity:
http://biblio.l0t3k.net/ids/en/snort-users-manual/chap2.html
http://searchsecurity.techtarget.com/tip/Modifying-and-writing-custom-
Snort-IDS-rules
The “modifying and writing” snort rules document above is an especially helpful
reference for writing the snort rules needed for this lab.
Step1. Read the step-by-step instructions in
CyberlabVPNAccess640.doc to access VPN.
Step2. Read the step-by-step instruction in
CyberlabVMAccess640.docx to connect to VM.

III. Lab Exercises: snort
3.1 Please complete the following exercises. You are required to submit a
lab write up containing answers to questions asked for each task.
Snort is similar to tcpdump, but has cleaner output and a more versatile rule
language. Just like tcpdump, snort will listen to a particular interface, or read a
packet trace from a file.
You will be using a previously captured tracefile (snort.out). Commonly security
administrators are asked to look at a packet trace to analyze a recent attack. In this
lab, we are going to examine this trace file within Wireshark and learn how to use
Snort to read traces and to write new snort rules. The trace doesn't contain a
particular attack in progress, but instead several different distinct types of
questionable packets.
Start Wireshark on your virtual machine from the start menu.
Next, click on the “Open” option under the “Files” header in the middle of the
screen, and select “c:\snort\bin\snort.out” in the open dialog.
WireShark will display the packets in the trace file listed in rows in three panes. The
top pane contains an overview of the trace file. The middle pane shows details for

Preview Mode

100%

Study Now!

XY-Copilot AI

Unlimited Access

Secure Payment

Instant Access

24/7 Support

Document Chat

Document Details

University

University of Maryland

Subject

Information Technology

CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

Study Now!

Document Details

Related Documents

Practice Questions

Lab Create a Home Wireless Network

Network Configuration and Troubleshooting Practice

Post Test AntiTerrorism

Master Machine Learning Concepts

761541663-Wordly-Wise-Book-8-Answer-Key

Level 1 Anti-terrorism Awareness Training

Understanding Machine Instructions Elements, Types

MGBA-325QRWorkforceAssociation

DAT 375 Module 3-1 Assignment

Company

Explore

Study Tools