2016-01-07 - TRAFFIC ANALYSIS EXERCISE - ALERTS ON 3 DIFFERENT HOSTS
ASSOCIATED FILES:
- TXT file of Snort events: 2016-01-07-traffic-analysis-exercise-snort-events.txt 24.0 kB (24,009 bytes)
- TXT file of Suricata events: 2016-01-07-traffic-analysis-exercise-suricata-events.txt 529.8 kB (529,780 bytes)
- ZIP archive of the PCAP only: 2016-01-07-traffic-analysis-exercise.pcap.zip 12.1 MB (12,055,896 bytes)
- ZIP archive of the PCAP and TXT files: 2016-01-07-traffic-analysis-exercise-all-files.zip 12.1 MB (12,136,075 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
SCENARIO
You are working as an analyst reviewing suspicious network events at your organization's Security Operations Center (SOC). Things have been quiet for a while. However, you notice several alerts occur within minutes of each other on 3 separate hosts.
Said one analyst to another: A lot of these alerts contain the word "evil."
THE REPORT
You were able to retrieve a pcap of network traffic, and you have a list of Snort and Suricata events from the activity. You'll need to write a report. Your report should include:
- Date and time range of the traffic you're reviewing.
- IP address, MAC address, and host name for each of the 3 computers in the pcap.
- Description of the activity for each of the 3 computers (what happened, if the host became infected, any details, etc.).
- A conclusion with recommendations for any follow-up actions.
And by "write" we mean type... Get it together, Dave!
ANSWERS
- Click here for the answers.