2015-02-24 - TRAFFIC ANALYSIS EXERCISE

PCAP:

NOTE: ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


SCENARIO

It's another evening shift at your organization's Security Operations Center (SOC).  One of the analysts is looking through some traffic that occurred while your Snort-based Intrusion Detection System (IDS) was off-line.  The traffic had triggered a non-specific alert of possible malicious activity from another IDS.

The analyst is relatively new and is not experienced with malicious traffic.  That analyst asks you for help.

You review the pcap and document the following:

  1. Date and time of the activity
  2. IP address of the associated desktop (or laptop) computer
  3. Host name of the associated desktop (or laptop) computer
  4. MAC address of the associated desktop (or laptop) computer
  5. Brief summary of the activity
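Items 2 through 4 above (IP address, host name and MAC address of the desktop) are usually recoverable from the client's own DHCP traffic in a pcap, and item 1 comes from the packet timestamps. The script below is an added example, not part of the exercise or its real capture: it walks a classic pcap file with only the Python standard library, picks out client-to-server DHCP messages (UDP 68 to 67), and records the first time each MAC was seen, the IP it holds (ciaddr, or the IP header when ciaddr is unset), and the host name from DHCP option 12. The sample pcap it builds, including the MAC, IPs, host name "EXAMPLE-PC" and timestamp, is constructed for the example.

```python
"""Recover the host-identification facts an analyst documents (time, IP,
host name, MAC) from a pcap with the Python standard library only.
Added example for this exercise; the capture built below is constructed."""
import datetime
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_OPT_HOSTNAME = 12
DHCP_OPT_MSG_TYPE = 53


def parse_dhcp_options(data):
    """Decode DHCP TLV options into {code: raw value}; stops at END (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option has no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def summarize_hosts(pcap):
    """Return {mac: {first_seen, ip, hostname}} from client DHCP messages."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # pcap magic gives byte order
    hosts, offset = {}, 24                          # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
        if frame[14 + 9] != IPPROTO_UDP:
            continue
        src_ip = socket.inet_ntoa(frame[26:30])
        udp = frame[14 + ihl:]
        if struct.unpack("!HH", udp[:4]) != (68, 67):   # client -> server only
            continue
        dhcp = udp[8:]
        if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
            continue
        opts = parse_dhcp_options(dhcp[240:])
        mac = ":".join("%02x" % b for b in dhcp[28:34])    # chaddr field
        ciaddr = socket.inet_ntoa(dhcp[12:16])
        seen = datetime.datetime.fromtimestamp(ts_sec, datetime.timezone.utc)
        entry = hosts.setdefault(mac, {"first_seen": seen.strftime("%Y-%m-%d %H:%M:%S UTC"),
                                       "ip": None, "hostname": None})
        # A renewing client fills ciaddr; a fresh request leaves it 0.0.0.0.
        entry["ip"] = ciaddr if ciaddr != "0.0.0.0" else src_ip
        if DHCP_OPT_HOSTNAME in opts:
            entry["hostname"] = opts[DHCP_OPT_HOSTNAME].decode("ascii", "replace")
    return hosts


def build_sample_pcap():
    """Constructed capture: one DHCPREQUEST (lease renewal) from a workstation."""
    client_mac = bytes.fromhex("001e8c6e7a4b")               # constructed MAC
    client_ip, server_ip, hostname = "10.3.66.103", "10.3.66.1", "EXAMPLE-PC"
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0)  # op,htype,hlen,hops,xid,secs,flags
    bootp += socket.inet_aton(client_ip) + b"\x00" * 12       # ciaddr, then yiaddr/siaddr/giaddr
    bootp += client_mac + b"\x00" * 10 + b"\x00" * 192 + DHCP_MAGIC  # chaddr, sname, file, cookie
    options = bytes([DHCP_OPT_MSG_TYPE, 1, 3])               # message type 3 = DHCPREQUEST
    options += bytes([DHCP_OPT_HOSTNAME, len(hostname)]) + hostname.encode() + b"\xff"
    dhcp = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, IPPROTO_UDP, 0,
                     socket.inet_aton(client_ip), socket.inet_aton(server_ip)) + udp
    frame = bytes.fromhex("000c29aabbcc") + client_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    record = struct.pack("<IIII", 1424804732, 0, len(frame), len(frame)) + frame  # constructed time
    return global_hdr + record


if __name__ == "__main__":
    for mac, info in summarize_hosts(build_sample_pcap()).items():
        print(f"{info['first_seen']}  ip={info['ip']}  host={info['hostname']}  mac={mac}")
```

On a real capture, read the file with `open(path, "rb").read()` and pass it to `summarize_hosts`; if the host never renews its lease during the capture, fall back to NetBIOS name-service or LLMNR traffic for the host name, which this example does not decode. The timestamp is reported in UTC because pcap records carry epoch seconds; convert to the SOC's local zone only when documenting the finding.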


You have Security Onion installed on a desktop at your workcenter, so you can replay the pcap and generate alerts.  Some of the other analysts have Snort installed on their computers, and they can read the pcap for you.

You might have enough experience that you don't even need to look at the alerts.  You might know what's going on just by reviewing the pcap.


FIRST BREAK POINT
