Snort TryHackMe Room Walkthrough

Captions
[Music] foreign which is really a big room I'm so excited so I like this is a free room uh like anyone who has a try hack me account yeah you don't have to be a VIP user to have access to this room so this is gonna be a big room please bear with me we go through all the tasks here together and what I'm not going to do I will not read everything you know I just came through it and then tried to answer the questions or show you how did I get the answers I've done this room before but I've just said here my answer so that you know could be like a quicker for me or like just to uh walk you through you know from the task one two task eleven so um the task one just about introduction you know they are trying to introduce this room and talk about what's it yeah what is it's not you know like if you're new to this room you know it's not is um an open source and the road based you know Network intrusion detection and prevention system here so uh here they're trying like uh they are telling us if you once you complete the uh you know are reading the above just go ahead and click complete and meanwhile I'll just go ahead and then start this machine because we'll be using yeah this machine here you know it has this not installed so I'll just go ahead and then start your machine mine will be up uh up running back in less than a minute yep so what you should expect from this video uh of course I will show you know I will like talk a bit about you know the interrelation detection system and also intuition and prevention system and also talk about the you know how you can interact with this not and talk about different modes you know of snot uh where you can use it as sniffer mode you know I mean in a sniffing mode or pocket logger or can also be used as the IDS or the IPS and other mod which is really very interesting is the pickup investigation also we talk about you know the most exciting task which is about this not rule and then uh in the end of this video I will talk about 
not two operational logic points to remember just some things really simple and then here comes the conclusion so yeah without any further delay oh let's get started all right so on my left side of the screen I've got this try hack me uh questions here where like I went on my right side here I've got the you know the machine or uh the yadillacs machine uh that we'll be using you know for like to perform uh these tasks here so if you're on try hack me platform you know and yeah you have already started your machine just click on show speed View and once you are there you can just click here you know to view in full screen so once you click there you should be able to see it on the you know as same as here the way I'm viewing this all right so cool now let's go ahead and go to our task two so for for the task two here they try to you know to like talk about you know yeah what to have here like for for our lab machines as you can see we are on desktop here where we've got this trash and also the task is uh yeah we've got the task exercises here so and so once we're there let's let's see what exit do we have they say interactive material and exercise yeah set up so uh they said yeah we've got two sub photos available so let's let's launch the terminal and then go ahead uh see we are what we have on our desktop so just change my directory to desktop and then go to the task exercises say yeah they said you've got two photos here and this folder one is the uh is the configuration sample you have just you know all the uh like uh you know it's not configuration things here and we've got the exercise files here they say that yeah the exercises here are like uh it has all the you know all the exercise files here that you're gonna need for all the tasks here we've got also the traffic generator you know yeah this script here will help us you know to generate some traffic because yeah currently this machine here is not connected to the internet which means is offline but it's 
not you know it needs you know yeah some traffic your data coming in or out you know to like uh like uh to perform you know uh you know something you know on the on those coming in yeah traffics also that's why we're gonna need this script here to generate you know the yeah the traffic all right so uh yeah that's it so navigate to the task sensor further and run the command this one so we're gonna run this command as they asked us to do then see what's in there easy dot Sage let's see us oh sorry there's a type for here is it a message oh too easy so too easy is the answer for this question here I forgot the experiment exclamation symbol here all right so task three uh on task three here they are you know they're introducing the intrusion and detection system and intrusion prevention system intrusion detection uh system you know like they could help you know I mean they help us you know to to detect the possible malicious activities while the prevention system you know it will detect and also prevent you know your dementia's activities here so there are like uh two like uh two different types you know of of the introduction detection system are one of the uh one of them is the network interesting detection system and the other is the host based intrusion protection system here uh so for the differences yeah between these two this one is used you know like uh if you have more than one uh like uh yeah one devices that are connected together and you are you know to detect you know something you know like summer shares activities that are having access you know on your network for those best one is this one got you know you can perform this on like on the on the single a device you know just yeah for the prevention system we've got four types and like like I said I'm just trying to go quick you know through this I'm not going to read everything I'm assuming that you know you've gone through everything here so I just want to focus on the questions you know so the yeah 
the detection prevention are your techniques here uh we've got signature based rules and behavior-based uh arrows and also policy based roles uh for the yeah I'll just go ahead into the questions you know because I'm assuming that you know I will provide the link in the description so that you can go ahead and then read yeah read everything and then I'll help you not answer the questions according to watching them so which is not more they can help you to stop the threat on the local machine so for the local machine we are going to use yeah those best one right and here you can see here we've got stopped so which means we're going to prevent right so this is going to be a host you know best intuition you know prevention system all right so which smooth mode can help you to detect threat on the local network see on the network you need to use you know your network based one but here I'm going to detect so which means you're going to use intrusion detection system social B and IDs all right so and which student mode can help you to detect the thread on the local machine local machine again you need to use you know host based one so it's h and then uh since it's detect so it means IDs or intuition detection system all right and also next question which is not more that can help you to stop stop which means prevent you know the threat on the local network here uh if it's the local network then it's n i p s cool uh which is not mod Works similar to an IPS mode if you really if you go through uh you know yeah the note that is provided to us here there is this one here this said Behavior based nutrition prevention system this one behavior-based mm works are same as you know as the yeah the network intrusion prevention system so the name is Network Behavior Analysis which is NBA so any ba is the answer to this question according to the official description of this note what kind of nips is it like oh so according to the description uh if you go through uh like you know the 
description here they said uh it can also be used they are talking about you know it's not you know it can also be used at full-blown Network intrusion prevention system so the answer to this question should be uh full blown all right any beer training period is also known as if you go through this uh you know they're not again you'll find that the answer to this question is baselining let's say uh NBA the training uh is also known as baselining easy uh base lining all right so task four uh for for the task for what they do they're trying to you know to tell us like oh you know how I can interact with this not so you can you know there are different you know different parameters here for example tag V of this one will provide information about it you know yeah the instant version where taxi just added to identify not the configuration five and 30 this one will you know help you to test the configuration file and queue just to try to avoid you know us not showing the banner when it's running all right so let's go to the questions then I run this note instead and check the build number all right so we're gonna use stack fee as like we said tax V you will give you the information about you know the instant version that you you were running all right let's see uh snot that V uh oh we need to use sudo sorry sudo or super easy to do permission this one and let's see uh my part sorry yeah as you can see uh DV has to be Capital One uh it's one four nine that's the build number one four nine all right so uh we're going to test the current instance without this one here so this is the current you know configuration and to test this uh we need to use a tacti because that is used you know to like to test you know the configure uh the smart configuration file I clear my terminal then go ahead and run sudo uh pseudos not uh t and then uh the configuration five which is this one then click enter let's see uh you see optional very well Commando oh yeah we need to or specify the oh 
yeah the configuration uh file by using taxi I'm sorry and then also just put you know 30 just for testing all right that's it and what's the question here they said uh how many rules so just go through the it's not output here scroll up a bit you should be able to see the number of rules that have been you know detected from this uh I was not really cr4151 b4151 is and and also uh test the current instance with this one or this is a different you know uh configuration five and just do the same thing they are asking us the same question or you know uh this should be it's not version two let's see here then scroll up through the output just uh we've got only one row here all right so and now let's move to task five where we're going to you know use uh uh choose a snot in sniffer mode so sniffing means you're trying to observe and detect you know something like for the traffic that is coming in so it's not going to be used you know as as a sniffing tool okay so let's see what do we need here they said that we could use you know yeah different parameters for our attack V which is our lowercase V display the TCP and IP output in the console we attack the display here the packet data let's say you're sniffing you know an HTTP traffic so if you just uh you know uh add detective at sorry tap D yeah you will be able to see here the packet payload and this could be maybe like in HEX or of course a format tack a with display you know the link layer for this DCP ipodp icmp headers attack X which is the capital x excuse me uh to display the full packet details in HEX mode Talk a very interesting you know it will like it tells it's not yeah which uh which which interface to use or to sniff at you know how to sniff from oh yep if your computer just has you know like uh just one yellow interface you don't have to use this one and if you don't put tacky to use you know probably yeah the eth0 which is yeah data face like um Zero by default all right so now let's go ahead or go to 
the question see I will answer the questions together uh you can practice the parameters combination by using the traffic generator script cool so going to use the traffic generator too and then let's see we go to task 6 here uh in task six task six uh let's see they are telling telling us you know how how can use uh snot you know as a packet logger like after sniffing you know after sniffing the traffic you can also log the traffic or save or store the traffic that is coming in so and that's what called you know yeah logging all all the logo mode and it's not so what you're going to do we're going to see how can you use snot you know uh you know like in logging mode or just to save the you know yeah the traffic that is coming in Okay cool so here we've got this uh yeah this parameters tack L that's the logger mod you're telling it's not that you know you need like to save these logs and also if you just put oh yeah that's it and attack K ASCII you know the load packets you know yeah we come in in the ASCII format attack are you reading the option let's say yeah you wanna read you know some like some logs probably from you know uh the yeah from the Wireshark and also you want to read you know yeah those logs you can just use tack R and you specify the number of packets that we process let's say we've got like a traffic really too much traffic coming in in our system and we just want to you know like to review like oh just to to have a look at you know at five uh five traffics we could use Stack n you know to try you know just uh like to make you have to make our job to make our job easier just use pack and and then you know add five on it okay cool so now let's see and I think that's it we're going to go ahead and then jump to the questions all right let's go down a bit and then there we go again I'm assuming that you have going through you know everything up here because this I mean this room is really big I can't read everything I apologize for that but like the 
purpose is just show you how you know I got the questions and also try to try to to explain you know my understandings you know about how to approach these questions here all right so they said uh investigating the traffic with the default configuration with he had asking mod here and then extruded the traffic uh script generator for this one all right so let's see we're going to uh let me see uh exercise uh sudo snot so does not depth mode we're trying to test now that we're going you know to perform some uh yeah to perform small uh like twist two is not in the logo mode and okay we need the output and you know ASCII format and also save the logs in the current directory here Okay cool so once I run this note it's gonna start you know sniffing what's in there and also because you don't have any incoming traffic that's when you're gonna use you know this traffic generator you know to run like you know this in the background so that's not good you know sniff or I mean sniff you know the traffic that is coming in right so go ahead and click enter launch a new terminal here and then let's see then we're going to run uh the traffic generator and then choose task six because you're on task six with the bits of the traffics are being generated here and they shouldn't take long all right so now let's go back to Arsenal they're just uh Ctrl C to cancel you know the process and then C uh let's see what's the question here they said okay let's see or now you should have uh Deluxe in in your current directory let's see let's check all right yeah as you can see it's not has you know uh stored you know or you know like help us you know to get these logs you know from different like yeah uh I'd say IP addresses here depending on the traffic that is being generated so now let's see what's the question here now you should have our login account directory navigate to this folder here so we're going to navigate to which further City uh went forever one four five we don't have 
permission so we can since we have uh you know our pseudo super user permission we're going to change you know the like the you know you can change the honor or just change you know the yeah demand for this file you can use sudo change mode and then add you know 77 which stands for right trade and that's good you know uh permission to this folder here all right so now we should be able to oh navigate you know to this further to see what's in there let's see our TCP this one TCP whatever okay all right so what is the source Port used to connect to Port 53 so we're going to uh see which Port used do not connect to Port 53 so we're going to to read this you know yeah this look here you can just use cut you know then UDP or whatever then let's say uh permission denied nice sudo card uh PDP all right let's see as you can see we've got this uh IP address you know used that is mapped to this 53 port let me see what's the source Port used to connect to away I misunderstood the the question let's see I should be able to login your director further here what's the source parts used to connect out to 53 so this is the destination Port here and this this is the source board as you can see so the source uh Source spot is uh three zero zero nine all right so and let's see we're going to use not log uh this file here took me forever you know to find it by uh when I uh yeah when I went back you know to the exercise here I checked yeah what you have here I've seen that we've got uh give me a sec let me see let's see all right so we are yeah we are required you know to for the next uh for the next question we are required to use this log file here so once you go to exercise files yeah you should be able to find this various CD exercise are fine then they see tasks task 6 city which task is that task six as we can see here we do have this file here so what we are going to do they said our rate is not log file with this and then they're asking the IP ID you know for the 10th packet 
all right so just type here this command here which uh does not attack R Used you know to read uh to read the logs then it's not uh uh this the name of the log file and then tuck and then put 10 since we are once you know what's in uh 10th packet here so they asked for the IP ID for this one scroll up you just to see oh so these are 10 packets here so since we are interested in the in the last package which is the tenth one here so the IP ID for this one should be somewhere around here let's take our time check uh P or whatever this design cool so it looks like we don't have you know more information about the uh oh it's here yeah sorry my bad yep uh it's just here four nine should be uh four nine three one three uh read the smoke log files no what is the referral of the fourth packet here so the referral to this one for the fourth packet so let's see since we need to know I mean we need to have more information about this packet so that you can know the referral for this one so we need to use if you remember in this note uh sniffing mode it said we could use you know like uh something like attack uh Tak D you know to you know if you are not like have information about the packet uh the packet the packet data payload or just use tack action to give all the information about the packet and also here we are interested about uh the the fourth packet so just run this sorry into the space there cool now let's see let's see the fourth packet here as you can see we've got all the information about this packet we've got the payload and everything that we need so here they asking for the uh the referral of the fourth packet so let's see according to this format here I'll just go through the output here fresh will be uh this one here HTTP uh colon slash slash whatever this thing here let me just type it http uh www .3 .com should be this one uh way let me see what's the format .com we need to add this development uh sorry okay if you know main.html oh nice so now again we're 
going to read the same log file then they say read slot log file um with this note so what is the the acknowledge number of the uh of the F packet so same thing could uh we could just run this you know uh since we inters in the F uh packet and also you could just use you know X or V you know because you just need uh to know some basic information you know but I always you know prefer using eggs so that I can have all the information about the packet oh so let's see they are asking for the acknowledge number should be able to sit in the header you know in the TCP header let's see uh where is it scroll up [Music] come on yeah this is the packet payload excuse me the acknowledge number we are that you're asking to provide because this is the packet number eight in this technology remember this is the sequence number all right then reads not this wi-fi what is the number of the TCP Port air distribut a 80 packet so with this one when you're reading the logs you know you can use uh like like if you're looking for some specific information you can just you know uh you know add this one at the end I will show you it's here like they said let's say if you want to get you know audp and maybe uh like adp.53 you could just use UDP and Port 53 so for this one for our answer I mean for the for this question you can just type TCP and Port 80. so they're asking you know what is the number of uh this number here let's see um just try to read this we don't need this also this one here but just put a PCP and port 80. all right so ah let's see scroll up a bit to see what is the number of the packet that have been detected from here uh packet number is 41. so the packet number with you know or like TCP packet number Port 80 is 50 41. 
all right so task number seven so number seven we're just going to talk about how you can use us not let's see let's see the title aha house note can be used you know as the intrusion detection system or you know intrusion prevention system we are halfway there guys uh bear with me you know we can do this I know this is really a long room and yeah but it's it's a very usable yeah very useful room especially for some people you know who are you know beginners like in this our cyber security field all right so let's see for the ideas here they provided a just go through the the commands and say ID base mod with uh here like the city fund to use you know the yeah the IDS or the IPS mode you need to use you know the attack a so the A stand for the alert you know so you could uh like if if you want to see the outlet may be on the console you can just you know tap tap tack a and then yeah type console or if you wanna see full you know for like full alert mode you're providing all possible information about the alert you can just you know type attack out and therefore I prefer using this one here all right so red uh let's see it like uh for the fast and also the uh fast uh we've got fast and none so fast mod shows the alert message timestamp source and destination I'd be along with the port numbers we are not in our uh if you if you put like attack a and then and then nine so you're disabling you know the a lot for this one cool so now let's go to the questions then try to answer that's easiest way to under to understand things they said uh investigate the traffic we are with a default configuration this one here let's see I'll come back or let's see no here you can still do it from here so does not uh c c which stands for you know like uh we need to provide the you know uh the configuration file then that's why you start C and then uh snot uh this is the configuration file that we are going on to check like and then track a full attack elephant for the logs and also put 
points so that you can you know yeah get the output in this in this current uh in this current working directory here press enter and then you'll see what you are asking here uh what is the number of the HTTP method so from uh or we need uh we need first to generate uh sorry yeah my bad we need to generate the traffic you know first note otherwise there is no yes what is not going to give us any any a lot about this munching your terminal then let's see go to task seven and then uh look for the task seven whereas in this this one also are we need to use the the traffic generator right sorry soothing effect generator but before that let's get this note ready and then they said here I use the http this HTTP uh let's just use the HTTP traffic then C oh sorry my bad yeah we need to use uh we need to use task seven exercise you know are from the from from The Edge uh like from the traffic uh generator file so I'm gonna restart over again like outside this is not again because you wanna we are using smart you know in our ideas or IPS you know or mod that's why we use the attack a which is signed for the alert and then here I'm just going to generate you know the HTTP traffic uh I'm gonna use task 7 here and the question is how what is the number of detected HTTP get method so once you come here I just cancel this one say it should be about so let's see uh this is the number of the HTTP get method here uh yeah that have been detected just put two and then you can practice the rest of the parameters using the traffic generator script I'll leave this for you because uh if you really like want to understand it how can use as not as the IPS or the IDS it is really useful but it's not really that hard just stuck and then you can change this form either to fast or none or maybe control depending on how you want to see you know or how like yeah how how you want to save uh your you know yeah the alert all right so now let's move to task eight so task eight be a bit longer so for 
the task 8 we're going to use you know pick up you know yeah we'll be investigating you know the pickup so here they said that like some parameters here to use can use attack ER you know or just when you're trying to read a single pickup and also I'll tag pickup list if you're trying to read you know a pickup like provided uh let's say it's a pickups list you know let's say we've got like five you know pick up uh you know like yeah five pickup files and also pick up show you know if you want to show yeah the pickup name on the console during yeah the processing here so let's see uh let's see and then so I'm just gonna again leave this to you and then just go ahead try to answer the questions answer uh they said uh investigate at the max of Attack One Dot pickup file with the default configuration file all right so where is this where are we going to find this one I guess this should be in task 8. let's check since we are task eight now task eight all right so there we go and uh what's the number of regenerated so we're going to run this and then try like you know we we're going to run as not and then uh taxi just to specify the configuration file of it's not that you yeah that you'll be using and this configuration that's where the rules are and also attack a just for the alert you know and also full you know uh because you want like uh like I said yeah you can make it full or if you want to just see it in a console mode or maybe fast depending on how much information you want to get you know from the alert and also attack L just to store this you know yeah this logs in the our current year directory and then attack are we reading this pickup file here all right so now let's see we're going to investigate uh this file here which is uh Max MX attack a DOT pickup file I'm sudos not a taxi just use the default configuration the file of snot and then I'll type a stand for the you know IPS or the IDS more than for the L for uh because you want to try this in the current 
directory then track Air for reading you know yeah the pickup file or the alert or the logs you just use stack R and then and Max are one pick a five here cool now let's see waiting let's see what's the question what is the number of generated generated uh a lot here so as you can see from the output here I just scroll up a bit you should be able to see how many numbers be generated alerts for this one as you can see the all that have been generated this 170. also if you want to view these ones you can do it because you said that yeah once not like to generate this uh for us if you go through the alert you can just open this either by cut or Nano and then here I should be able to see how many number number number of of of alas that have been generated so this one is 170. I keep reading the output how many TCP segments are curing all right let me see how many TCP sessions that I cured if you come here to stream statistics you will see the TCP sessions too then TCP whatever uh TCP session that are cured you see the participate segment data code is 18. 
I keep reading uh the output how many https response headers were extracted HTTP response that have been extracted let's just uh scroll down a bit SC they send HTTP responses should be here responses that have been extracted should be three and then uh we're going to investigate another you know uh same packet but we're going to use the different configuration so the one is is the default configuration but uh at this time we're going to use as not uh version 2 configuration so I'll clear my terminal here and then just run this come on here taxi just to specify you know the which configuration file we're going to use and then I'll specify a because you investigate in this packet you know like we telling snot please run you know as the ideas or IPS mod and then just give some information about all the outlet here then store the logs please for us I mean in this current directory then read I mean attack out for reading you know the the package that you're trying to uh to investigate our actual diseases for packet MX3 a this one then right enter press enter uh let's see uh what's the question what is the number of the generated generated alerts just scroll up a bit when you scroll it up you should be able to see number of generating out here all right because as you can see it's 68. 68 and then they are asking us to investigate yeah the second uh pickup file with the default configuration here so we could just since we learned single command just for real let's see should be this one just going to change you know the uh yeah the pickup file the only we are investigating if you go through this you should be able let's see what is the number of outlets that have been generated I can go through you know the output here scroll up a bit you should be able to see the number of you know generated alert which is 340. 
340 uh keep reading through the what is the number of detected TCP packet then now what is the number of detected TCP packet so let's go through uh the statistics here see our TCP packet all right so if you add like I've gone through this and then if you add all of like all the TCP packets that have been generated and then add them here you should be able to see the uh that they are equal to 8 2 just add those ones then you'll be able to find you know uh actually it's here yeah the total number is like the for the if you go to the stream statistics and stream statistics come to the tract here so uh the tsp packet that have been detected you see that is eight two all right so now let's go to the last question of task eight and we're going to investigate this uh pick up five the second pickup file and also the third pickup file we're going to use the uh you know the uh the default configuration here all right so uh we are not going to use uh you know the attack are we because you stack are just to read only one pickup file instead you're gonna use you know uh dash dash pickup you know or Dash list and then you know could investigate these two packets you know I mean these two pick up files together at the same time easy so now let's do it uh sudo it's not use the default configuration fire UPS not and then tag a for like l I pick up pick up list go to and then just okay here to just type that name picker and also MX 3 pick up think something's wrong with my I just copy this command here copy it you know to the terminal here not this all right so what's the question what's the number of generated oh well so just uh scroll up a bit then look for the number of generated alerts here uh 1020 that's the number of generated 1010 all right so now let's go ahead and then go to our task uh nine we are almost there so task nine uh we're just going to talk about the rules really interesting uh room here I mean interesting tasks here because everything that I've been doing you 
know, generating the alerts, is based on the rules. So instead of using Snort's default configuration file, we'll be writing our own rules and then telling Snort: hey, could you please investigate this packet capture for us according to the rules I have given you. Very interesting. So for the rules here, again I'm not going to go through everything, but as you can see this is the format of the rules. The first one is the action; of course it could be alert, drop or reject. You're just telling Snort: could you please alert me if you detect something like this, or just drop it, or just reject it. Then you have to specify the protocol, either TCP or UDP or ICMP, then the source IP, the source port, then the direction, the destination IP, the destination port, and the options. The options could be the message, and we also need to give the SID, which should start from 1,000,001, because the numbers before that are already configured for the other rules that come with Snort. All right, so let's go on; these are for the IP addresses and the port numbers, just go through this, they show you how to write some rules, really very easy. So I'll just go ahead to the questions and try to answer them; that will make it easier for us to understand. They say: use the task nine pcap file, write a rule to filter the IP ID this one, and run it against the given pcap file. What is the request name of the detected packet?
Okay, nice. So we're going to change our directory to task nine, and what do we have there? We've got the local rules here, so we're going to modify these rules so that you can filter the packet with this IP ID. So I'll just type alert tcp any any, meaning coming from any IP and any port, bidirectional <>, any any, and then put the message, and this one could be whatever: "IP ID 35369 has been found". All right, and if you go through the format for the rules, if you are trying to filter on the IP ID you can use this option; I just put the ID of that packet here, id:35369; then put the sid, which, like I told you, starts from 1000001, and put the rev, 1. So this is going to be the rule to alert us once Snort detects the packet with the IP ID 35369. We're going to run this and see what the output is. Go back to the question: they said write it and run it against the given pcap file. Cool. So I'm going to type sudo snort and then -c, which specifies which configuration file to use; we're going to use our local rules. Oh sorry, I missed sudo. sudo snort -c local.rules, and then, since we're using this to investigate the packet capture, we could use either detection or prevention here: -A full mode, please generate some logs for us in the current directory with -l ., and then use -r to read the pcap file, task9.pcap. So now let's see. They ask us what the request name of the detected packet is. Interesting, so let's see what we have here. Now once I open the alert file, you
know, I mean once I open the alert file with the cat command, how come there's nothing here? Did it detect anything? Let's see if we have detected any alert: all rules show zero. Where is that? alert tcp any any <> any any, message "IP ID has been found", 35369. So guys, if I use this one, as you can see I didn't get any packet detected here, and in the question they gave us a hint: use TCP, UDP or ICMP. So I'm going to change the rule a bit, just to play with it and see if I will be able to detect any packet with the IP ID 35369. Just change the protocol here, put icmp for now, and then we'll see. Let's go back and run Snort again. Oh, beautiful, as you can see we've got one alert for this one. So let's see what files we've got here; just cat the alert file to see what's in there. They ask what the request name of the detected packet is. I came to figure out that this is the request name once you read the logs here: "timestamp request", that's the request name. The request name should be timestamp request. Next, create a rule to filter packets with the SYN flag. So we're now going to create a rule for any packet that has the SYN flag and run it against the given pcap file. If you scroll up here, if you just want to detect packets with the SYN flag, you can see alert tcp any any <> any any with the flags option, and then supply capital S as the value. Cool, and since there is a SYN flag it is a TCP packet. Now let's go back to our rules, change them a bit, and see if we will be able to detect the SYN flag packets, just TCP. Let's see here, we just need to modify
this one as well; actually I could just write another rule, it's going to be quicker like that. alert tcp any any, from any IP and any port, <> any any, then put the message, "SYN packet has been found", and then supply flags:S, and then the sid, which is the rule number, could be 1000001; just put one anyway, then rev:1 as well. So we're going to run the same command here to detect this. One alert has been detected here. So let's see what the question is: what is the number of detected packets? Only one has been detected and one alert has been generated; if you scroll up you can see that Snort has received 3,900 packets, but only one has been detected based on the rules I supplied. So the answer to this one is one. Then they say clear the previous log and alarm files; let's see what we have here: just sudo rm alert and sudo rm snort.log.*, don't worry about it, I hope we have cleared all the alarm and log files. Then they say write a rule to filter the packets with push-acknowledge flags. So with push and acknowledge you could just use quite a similar rule, you just need to change it from S to A, but since it's a push you need to put P in front. All right, let's go back to our rules, type nano local.rules, go to flags here, change it to PA, P stands for push, and A since we need the acknowledge one. Okay, that should do, and come back and run the same Snort command again to detect the packets. Let's see, oh, so many alerts here, 216.
So right, this one was able to detect 216; supply this as the answer to this one. Then they say do the same thing, so I'm just going to clear the logs and the alarms, everything: sudo rm alert, sudo rm snort.log.*. All right, we're good to go. They said create a rule to filter the packets with the same source and destination. With this one, if you go up here, you can just use the sameip field here; it should be easy. We're just going to go back to our rules and supply our sameip here. Let's go back just to double check: sameip, sorry, it's "sameip", so it should be sameip. All right, so now let's go back to the command for detecting these packets. So we've got three; until this one should be three. Oh wait, "create a rule to filter the packets with the same source and destination and run it against the given pcap. What's the number of detected packets?" Oh, you need to filter TCP and UDP as well; the rule we wrote is only for TCP, so let's just check UDP as well and see what's in there. You could just add another rule for this one: alert udp any any <> any any, I should have copy-pasted this, "same IP packet has been detected", and then just use sameip; for the sid, just add two, since one was already created for that one, rev:1. You should be able to find the correct answer; the number is 10.
10 for this one, beautiful. Also the last question: an analyst modified an existing rule successfully; which option must the analyst change after the implementation? It should be... sid? Oh wait, once you modify an existing rule, of course you have to change the rev number for this one. Not bad. And the next task is task 10, Snort operation logic: points to remember. They're just going through everything that they talked about; I'm assuming that you're going to read it by yourself. And for the conclusion, it's just a summary of everything we've gone through in this video. Thank you guys for watching; it was a really long video, and please, I encourage you, I need your support: just subscribe to my channel if you think the video is useful, and you could also share it with your friends as well. Thank you so much and I will see you in the next video about Snort Challenge: The Basics.
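The rule format the walkthrough writes into local.rules (action, protocol, addresses and ports, direction, then options such as id, flags and sameip), as an added Python parser and matcher that is not the room's or the author's code. The SIDs after 1000001, the rule messages and the packets it is run over are assumed and constructed here, not taken from the room's pcap.

```python
import re
from collections import Counter
# Rules as written in the walkthrough; the SIDs after the first are assumed (local rules start at 1000001).
RULES = """
alert icmp any any <> any any (msg:"IP ID 35369 has been found"; id:35369; sid:1000001; rev:1;)
alert tcp any any <> any any (msg:"SYN packet has been found"; flags:S; sid:1000002; rev:1;)
alert tcp any any <> any any (msg:"PUSH-ACK packet has been found"; flags:PA; sid:1000003; rev:1;)
alert tcp any any <> any any (msg:"same IP packet has been detected"; sameip; sid:1000004; rev:1;)
alert udp any any <> any any (msg:"same IP packet has been detected"; sameip; sid:1000005; rev:1;)
"""
PACKETS = [  # constructed sample traffic, not the room's pcap: protocol, endpoints, IP ID, TCP flags
    {"proto": "icmp", "src": "10.0.0.1", "dst": "10.0.0.2", "id": 35369},
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.2", "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.0.1", "flags": "SA"},
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.2", "flags": "PA"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "flags": "PA"},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.5"},
]
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")

def parse_rule(line):
    # Header: action proto src sport direction dst dport, then the option list in parentheses.
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group(8).split(";"))):
        key, _, val = opt.partition(":")  # bare keywords such as sameip carry no value
        opts[key.strip()] = val.strip().strip('"')
    if int(opts.get("sid", 0)) < 1000000 or "rev" not in opts:  # room: local SIDs start at 1000001
        raise ValueError(f"local rule needs sid >= 1000000 and a rev: {line!r}")
    return {"action": m.group(1), "proto": m.group(2), "opts": opts}

def matches(rule, pkt):
    # The header is any/any in these rules, so only protocol plus the id, flags and sameip options are tested.
    o = rule["opts"]
    if rule["proto"] != pkt["proto"] or ("id" in o and pkt.get("id") != int(o["id"])):
        return False
    if "flags" in o and set(o["flags"]) != set(pkt.get("flags", "")):
        return False  # flags:PA means exactly PSH and ACK set, as in Snort; SA does not match flags:S
    return not ("sameip" in o and pkt["src"] != pkt["dst"])

def count_alerts(rule_text=RULES, packets=PACKETS):
    # {sid: alert count}: the per-rule number the task 9 questions ask for.
    rules = [parse_rule(l) for l in rule_text.strip().splitlines()]
    hits = Counter()
    for pkt in packets:
        for r in rules:
            if matches(r, pkt):
                hits[int(r["opts"]["sid"])] += 1
    return dict(hits)
```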
Info
Channel: CyberSec With Desire
Views: 7,145
Id: vlskdNnqVSU
Length: 63min 29sec (3809 seconds)
Published: Thu Jan 05 2023