UMUC CSEC 640 CSEC/640 CSEC640 Lab 2 Solution




Question 1. What does each of the flags in this Snort command line do? Answer one by one, clearly, in a list or table format. Document the source of your information as well.


Question 2. There are several distinct packet signatures in the packet trace file. The trace file contains 30 packets in total. Your task is to create 6 new Snort rules that will uniquely identify 6 different packet signatures. One Snort rule is already shown as an example (i.e., alert icmp any any -> any (msg:"ping detected"; itype:8; sid:999;)). Since you were already provided with the example rule, you need to "comment out" that example rule in the csec640.rules file by putting a "#" at the beginning of the line, in front of the word "alert". Look through the packet trace to identify the other rules. Look for more general signatures where you can; however, be careful not to write signatures that are too general (e.g., no 3 "any"s in a single rule). Part of the intent of the lab is to learn how to write effective rules. It is easy to write a rule that matches all TCP or IP datagrams regardless of content, but such a rule would be very ineffective at detecting anomalous or malicious activity.

Include in your answer the 6 additional rules you have created and the c:\snort\bin\log\alert.ids output (include screenshots of the alert output for each rule in your answer). The alert output file is appended to each time Snort produces output, so you will want to erase the alert file by typing del C:\snort\bin\log\alert.ids before each Snort run while experimenting with different rules. Be sure to include a descriptive message ("msg") and a "sid:xxx" with each alert. In addition, briefly explain each rule you write.
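As an added example (not part of the lab or its csec640.rules file), a small Python linter that applies the specificity checks the assignment describes: it parses each active rule's header, counts "any" fields against the lab's limit, and flags rules whose only options are labels such as msg and sid. The sample rules are constructed, not taken from the lab's trace, and the header is assumed to carry both port fields as Snort's rule syntax requires.

```python
import re

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

# Options that only label a rule; they never narrow what it matches.
LABEL_OPTS = {"msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata"}

def parse_rule(rule):
    """Split one rule into its header fields and an option dict (last value wins per key)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule: " + rule)
    fields = m.groupdict()
    opts = {}
    for item in fields.pop("opts").split(";"):  # assumes no ';' inside option values
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return fields, opts

def check_rule(rule):
    """Return the problems found in one rule; [] means it looks specific enough."""
    fields, opts = parse_rule(rule)
    problems = []
    anys = sum(fields[k] == "any" for k in ("src", "sport", "dst", "dport"))
    if anys >= 3:  # the lab's heuristic: no 3 "any"s in a single rule
        problems.append(f"{anys} 'any' fields in header (lab limit is 2)")
    if not (set(opts) - LABEL_OPTS):
        problems.append("no detection option (content, itype, flags, ...) narrows the match")
    for required in ("msg", "sid"):
        if required not in opts:
            problems.append(f"missing {required}")
    return problems

def lint_rules(text):
    """Lint every active rule in a rules file body, keyed by sid; '#' lines are skipped."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            report[parse_rule(line)[1].get("sid", line)] = check_rule(line)
    return report

# Constructed sample rules file body (the commented-out line mirrors the lab's example).
SAMPLE_RULES = """\
# alert icmp any any -> any any (msg:"ping detected"; itype:8; sid:999;)
alert tcp any any -> any any (msg:"all tcp"; sid:1000001;)
alert tcp any any -> 192.168.1.0/24 80 (msg:"http get"; content:"GET "; sid:1000002;)
alert udp any any -> any 53 (msg:"dns query"; content:"|01 00 00 01|"; offset:2; sid:1000003;)
"""

if __name__ == "__main__":
    for sid, problems in lint_rules(SAMPLE_RULES).items():
        print(sid, "OK" if not problems else "; ".join(problems))
```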

Question 3. The threat expert links above describe Gimmiv.a as:


Question 4. You learned about covert channels in Week 6. Do you think an IDS like Snort can easily detect a covert channel? For example, can you write an effective set of Snort rules to prevent any information leak through a covert channel? Explain your answer in detail and support it with research and documentation.