Writing Custom Rules

CompTIA Security+ (SY601) Domain:
Domain 1.0: Threats, Attacks, and Vulnerabilities

CompTIA Security+ (SY601) Objective Mapping:
Objective 1.7: Summarize the techniques used in security assessments

CEH Exam Domain
Domain 1: Background
Domain 2: Analysis/Assessments
Domain 4: Tools/Systems/Programs

CEH Objective Mapping
Objective 1.2 Information Security Threats and Attack Vectors
Objective 1.3 Information Security Technologies
Objective 2.2 Information Security Assessment Process
Objective 4.3 Information Security Tools

Overview

This lab is part of a series of lab exercises intended to support courseware for Ethical Hacker training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. In this lab, you will do a basic penetration using nmap and bruter. Then, you will configure a snort rule to alert for a specific user and malicious file. You will use tcpdump to capture the network traffic to a file to be used by snort to find malicious traffic throug alerts.

OUTCOMES:

In this lab, you will learn to:

Penetrate a network.
Write rules to protect the network.
Generate traffic trigger alerts.

Courses

Network Security Fundamentals - Skill Labs

College Pro - Core Cyber Defense

Key terms and descriptions

Wireshark

A protocol analyzer that read binary capture files. Wireshark will also allow you to capture network traffic and runs on Windows, Linux, and on Mac OS X.

Snort

An Intrusion Detection System, or an IDS, that can be used to analyze and capture traffic. By using signatures, snort can provide information about activity within a capture file. Snort can be downloaded from www.snort.org and is a free and commercial tool. Sourcefire, a Columbia, Maryland–based company, maintains and develops snort.

tcpdump

A Linux/UNIX program that allows you to capture network traffic. The tcpdump program comes installed on many Linux distributions by default.

Sniffer

A Sniffer is used to capture network traffic on a network. Software programs like tcpdump, Wireshark, and Network Miner can be used to sniff traffic.

PCAP File

Programs that can sniff network traffic like tcpdump, Wireshark, and Network Miner allow you to save the network capture to a PCAP file format. In order to read the PCAP format, you need a tool like Wireshark or Network Miner.