Snort Intrusion Detection Rule Writing And Pcap Analysis

Learn how to write Snort rules from a real cybersecurity professional with lectures and hands-on lab exercises.

Last updated 2022-01-10 | 4.4

What you'll learn

Write Snort Rules
Analyze PCAPS using Wireshark and Tcpdump
Create Virtual Machines using VirtualBox
Configure Security Onion
Test Snort rules using automated scripts
Analyze Snort NIDS alerts using Squert
Configure Kali Linux
Test exploits and analyze resulting network traffic

Requirements

  • Basic networking knowledge
  • Basic Linux command line interface knowledge
  • Basic knowledge about operating systems and virtualization

Description

Hello everybody. My name is Jesse Kurrus, and I'll be your professor for the duration of the Snort Intrusion Detection, Rule Writing, and PCAP Analysis course. This course consists of written material to go over at your own pace, and labs to reinforce the concepts from the provided resources. To follow along with these labs, you'll need VirtualBox plus Security Onion, Kali Linux, and Windows 7 VMs. These are all free and open source, including the Windows 7 VM, which is available free of charge for development purposes.

This course is 100% hands-on, save for the initial introduction. Please be prepared to follow along with these labs.

The following are the hands-on labs. Please refer to the course for full descriptions:

  • Lab 1: Setting up Security Onion with VirtualBox
  • Lab 2: Boleto Malware Snort Rule Writing and PCAP Analysis
  • Lab 3: Vetting Snort Rule Quality with Dumbpig
  • Lab 4: Utilizing Offset and Depth in a Snort Rule
  • Lab 5: Kali Linux Setup with VirtualBox
  • Lab 6: Snort Rule Writing (SSH and FTP)
  • Lab 7: Windows 7 Eternalblue Vulnerable VM VirtualBox Setup
  • Lab 8: Windows 7 Eternalblue Exploitation and Snort/PCAP Analysis
  • Lab 9: Eternalblue PCAP Analysis and Snort Rule Writing
  • Lab 10: Ubuntu Server 12.04 Vulnerable VM VirtualBox Setup
  • Lab 11: Ubuntu Server 12.04 Heartbleed Exploitation and Snort/PCAP Analysis
  • Lab 12: Heartbleed PCAP Analysis and Snort Rule Writing

Who this course is for:

  • Cybersecurity Professionals
  • Information Security Analysts
  • Network Security Analysts
  • SOC Analysts
  • Cybersecurity Students

Course content

2 sections • 14 lectures

Course Introduction and Overview (02:38)

This video will cover the primary aspects of this course, and what is to be expected from you as a student.

Lab 1: Setting up Security Onion with VirtualBox (23:13)

Lab 1 will provide a step-by-step demonstration of how to set up a Security Onion virtual machine using VirtualBox as a software hypervisor.

Lab 2: Boleto Malware Snort Rule Writing and PCAP Analysis (22:16)

Lab 2 will show you how to write effective Snort rules for indicators derived from a packet capture. Please refer to the attached "Boleto Snort Rules" file for all of the rules written within this lab. There may be issues with copying and pasting them due to formatting, so it's recommended that you type them in yourself. Tcpreplay will be used to test the Snort rules by replaying the PCAP through the sniffing interface. If there are any issues completing this lab, please let me know in the questions section.

Download PCAP:

https://www.malware-traffic-analysis.net/2016/12/17/index.html

Lab 3: Vetting Snort Rule Quality With Dumbpig (04:11)

Lab 3 will expose you to an effective automated Snort rule checking script.

Lab 4: Utilizing Offset and Depth in a Snort Rule (05:26)

This video will show you how to add the offset and depth content modifiers to one of the previously written Snort rules.

Lab 5: Snort Rule Writing (SSH and FTP) (12:29)

*IMPORTANT* You must run the command sudo rule-update after every change to the local.rules file for the change to take effect.

This bonus lab was not originally included in the curriculum, and will cover the writing and testing of two custom Snort rules, one for SSH and one for FTP. The first rule will cover the detection of internal SSH brute force, and the second rule will cover the detection of SSNs in a plaintext file transfer. There will also be a breakdown of Snort rule requirements and options. This lab will be performed using Security Onion, Kali Linux, and Metasploitable.

Bonus Lab - Kali Linux 2020 (02:58)

This lecture will show you how and where to download and configure the latest version of Kali Linux, 2020, which is tailor-made for my Udemy course Hands-on Penetration Testing Labs 4.0. It's also being made available for all other courses, as the newest version has some slight differences which may affect the labs.

Lab 6: Kali Linux Setup with VirtualBox (04:39)

This video will show you how to download and configure Kali Linux within VirtualBox.

Lab 7: Windows 7 Eternalblue Vulnerable VM VirtualBox Setup (05:03)

This video will cover how to set up a Windows 7 Enterprise 32-bit virtual machine that is intentionally vulnerable to the Eternalblue exploit. VirtualBox will be used as a software hypervisor to set it up.

Lab 8: Windows 7 Eternalblue Exploitation and Snort/PCAP Analysis (19:42)

This video will cover the exploitation of Windows 7 from Kali Linux, using a standalone Eternalblue Python exploit. To follow along with this tutorial, you'll need Security Onion, Windows 7 Enterprise 32-bit, and Kali Linux VMs set up to communicate with one another over host-only interfaces. After the exploitation, analysis will be conducted on the Snort alerts, their associated rules, and the PCAP to identify the network evidence of the successful compromise. These are real-world skills that are crucial for cybersecurity analysts.

Lab 9: Eternalblue PCAP Analysis and Snort Rule Writing (08:56)

This video will show you how to analyze the PCAP derived from the previous labs and create two custom Snort rules. One Snort rule will focus on detection of the Eternalblue exploit attack, and the other will detect the subsequent reverse shell. This will all be done within a Security Onion VM using VirtualBox.

Lab 10: Ubuntu Server 12.04 Vulnerable VM VirtualBox Setup (11:06)

This video will show you how to install and configure Ubuntu Server 12.04 to be vulnerable to Heartbleed. VirtualBox will be used as a software hypervisor for this process.

Lab 11: Ubuntu Server 12.04 Heartbleed Exploitation and Snort/PCAP Analysis (11:47)

This video will cover the exploitation of Ubuntu Server 12.04 using a Heartbleed Metasploit auxiliary module. To follow along with this tutorial, you'll need Security Onion, Ubuntu Server 12.04, and Kali Linux VMs set up to communicate with one another over host-only interfaces. After the exploitation, analysis will be conducted within Security Onion on the Snort alerts, their associated rules, and the PCAP to identify the network evidence of the successful compromise. These are real-world skills that are crucial for cybersecurity analysts.

Lab 12: Heartbleed PCAP Analysis and Snort Rule Writing (05:50)

This video will show you how to analyze the PCAP (heartbleed.pcap) saved from the previous lab, and write a Snort rule based on the network traffic.