Task Description
This week you have three pcaps, packaged as Week 6 - Snort Signatures.zip (sha256: b11684e30f61669c9f6a77656194cf5ba18d5aa6b1785bb240ad8581c41dae3c). Check the hash after downloading.
PCAP1: In this pcap, there are two different "streams" of ICMP packets (and a few other layer 2 packets). One of the streams appears perfectly normal. The other has some unusual characteristics. Create a rule to detect the odd ECHO packets. At a minimum, your rule should limit hits to this specific protocol (ICMP) rather than firing on every packet. In your writeup, describe the various characteristics you looked at as candidate signature components (for example TTL, ICMP identifier and sequence behaviour, data size, payload bytes). Which characteristics did you settle on for your final rule and why?
PCAP2: This capture includes a file in the payload. Create a rule to detect the transfer of any file of this type using the same protocols exhibited in the capture. Explain how your signature works, and why you chose each parameter.
PCAP3: This capture has a protocol running on a non-standard port. Write a Snort rule to detect this specific behavior. Explain how you constructed your rule and any limitations it might have.
Put each rule in this file on Security Onion (one rule per line, each with a unique sid; local rules conventionally use sids of 1000000 and above, plus a rev):
/etc/nsm/rules/local.rules
You can test your rule against a pcap by running Snort from the command line (replace icmpmsg.pcap with the capture you are testing):
snort -A full -N -l . -c /etc/nsm/rules/local.rules -r icmpmsg.pcap
-A full writes full alerts, -N turns off packet logging, and -l . puts the output in the current directory, so hits appear in a file named alert there. Because this loads local.rules directly instead of snort.conf, no preprocessors (stream reassembly, http_inspect and so on) are configured; rules that depend on them, such as those using HTTP content modifiers, must be tested with the full configuration instead.
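To make the PCAP1 analysis step concrete, here is an added example (not part of the assignment, and not using the assignment's capture) that reads a classic pcap with a small pure-Python parser, groups ICMP echo requests into streams by identifier, profiles each stream on TTL, data size and the payload prefix shared by all of its packets, flags the stream whose data size is not the majority one, and assembles a Snort 2 rule from those characteristics. The capture it analyses is constructed inline (a normal-looking ping stream, an ARP frame, and an odd stream with text payloads); the stream ids, TTLs and payload bytes are assumptions chosen for the sample.

```python
"""Profile ICMP echo streams in a pcap and draft a Snort rule from the odd one.

Classic pcap only (not pcapng), Ethernet link type only. The sample capture is
constructed inline; it is not taken from the assignment zip."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8

def _frame(ttl, ident, seq, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Ethernet/IPv4/ICMP echo request; checksums are left zero (the parser does not verify them)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, ttl, IPPROTO_ICMP, 0, src, dst)
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp

def build_sample_pcap():
    """Constructed sample: a normal-looking ping stream (id 0x0100, TTL 64, 16-byte
    incrementing pattern) and an odd one (id 0xbeef, TTL 128, text payloads), with an
    ARP frame in between that the ICMP parser must skip."""
    normal = bytes(range(0x10, 0x20))
    frames = [_frame(64, 0x0100, s, normal) for s in (1, 2, 3)]
    frames.append(b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28)  # ARP
    frames += [_frame(128, 0xBEEF, s, b"HELLO-TUNNEL-%d" % s) for s in (1, 2)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(recs)

def iter_frames(data):
    """Yield link-layer frames from a classic pcap, honouring the file's byte order."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap (pcapng is not supported)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]  # captured length
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_icmp(frame):
    """Return the ICMP fields a signature can key on, or None for non-IPv4/ICMP frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_ICMP or total_len - ihl < 8:
        return None
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return {"ttl": ip[8], "itype": itype, "icode": icode, "id": ident, "seq": seq,
            "payload": ip[ihl + 8:total_len]}  # data after the 8-byte ICMP header = Snort dsize

def icmp_records(pcap):
    return [r for r in (parse_icmp(f) for f in iter_frames(pcap)) if r is not None]

def common_prefix(bufs):
    """Longest byte prefix shared by every buffer: a fixed prefix makes a better content
    match than a whole payload that changes from packet to packet."""
    n = 0
    while all(len(b) > n and b[n] == bufs[0][n] for b in bufs):
        n += 1
    return bufs[0][:n]

def find_odd_streams(records):
    """Group echo requests by ICMP identifier (one ping process = one stream), profile each
    on TTL, data size and shared payload prefix, and report as odd every stream whose data
    size is not the majority size seen across all echo requests."""
    streams = defaultdict(list)
    for r in records:
        if r["itype"] == ICMP_ECHO_REQUEST and r["icode"] == 0:
            streams[r["id"]].append(r)
    profiles = {ident: {"ttl": {r["ttl"] for r in p}, "dsize": {len(r["payload"]) for r in p},
                        "prefix": common_prefix([r["payload"] for r in p])}
                for ident, p in streams.items()}
    usual = Counter(len(r["payload"]) for p in streams.values() for r in p).most_common(1)[0][0]
    return [(ident, prof) for ident, prof in profiles.items() if usual not in prof["dsize"]]

def icmp_rule(sid, msg, itype=ICMP_ECHO_REQUEST, ttl=None, dsize=None, content=None):
    """Assemble a Snort 2 rule: itype limits hits to one ICMP message type, dsize is the data
    length after the ICMP header, and content is emitted as hex with depth so it only
    matches at the start of the payload."""
    opts = [f'msg:"{msg}"', f"itype:{itype}", "icode:0"]
    if ttl is not None:
        opts.append(f"ttl:{ttl}")
    if dsize is not None:
        opts.append(f"dsize:{dsize}")
    if content:
        opts.append('content:"|%s|"; depth:%d' % (" ".join(f"{b:02x}" for b in content), len(content)))
    opts += [f"sid:{sid}", "rev:1"]
    return "alert icmp any any -> any any (" + "; ".join(opts) + ";)"

if __name__ == "__main__":
    for ident, prof in find_odd_streams(icmp_records(build_sample_pcap())):
        print(f"odd stream id={ident:#06x}: {prof}")
        print(icmp_rule(1000001, "Odd ICMP echo stream", ttl=min(prof["ttl"]),
                        dsize=min(prof["dsize"]), content=prof["prefix"]))
```

Run it as a script and it prints the odd stream's profile and a rule line you can paste into local.rules. The choice of components is the part the writeup asks you to justify: itype alone only says "echo request", TTL and identifier change with the sending host, and a full-payload content match breaks as soon as one byte varies, so a stable prefix with depth plus dsize is usually the tightest combination that still survives a second run of the same tool. For PCAP2 and PCAP3 the same option style applies, with the header switched to the transport protocol and ports seen in the capture (for example alert tcp any any -> any <port>) and content/offset/depth pointed at the file's magic bytes or the protocol's banner.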