2015-02-24 - TRAFFIC ANALYSIS EXERCISE: HELPING OUT AN INEXPERIENCED ANALYST
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP:
- 2015-02-24-traffic-analysis-exercise.pcap.zip 5.6 MB (5,624,704 bytes)
SCENARIO
It's another evening shift at your organization's Security Operations Center (SOC). One of the analysts is looking through some traffic that occurred while your Snort-based Intrusion Detection System (IDS) was offline. The traffic had triggered a non-specific alert of possible malicious activity from another IDS.
The analyst is relatively new and is not experienced with malicious traffic. That analyst asks you for help.
You review the pcap and document the following:
- Date and time of the activity
- IP address of the associated desktop (or laptop) computer
- Host name of the associated desktop (or laptop) computer
- MAC address of the associated desktop (or laptop) computer
- Brief summary of the activity
You have Security Onion installed on a desktop at your workcenter, so you can replay the pcap and generate alerts. Some of the other analysts have Snort installed on their computers, and they can read the pcap for you.
You might have enough experience that you don't even need to look at the alerts. You might know what's going on just by reviewing the pcap.
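As an added example (not part of the original exercise and not the site's own tooling), the script below shows one way to pull those five items out of a capture with nothing but the Python standard library: the first and last frame timestamps for the date and time, the RFC 1918 address with the most outbound traffic for the IP, its Ethernet source address for the MAC, and DHCP option 12 (host name) tied to that MAC for the host name. It does not read the exercise pcap. The capture it parses is constructed in memory (a made-up MAC and hostname, a 192.168.204.x victim, RFC 5737 TEST-NET destinations) so it runs offline, and none of those values say anything about the real exercise traffic.

```python
# Added example: stdlib-only pcap triage; the capture at the bottom is synthetic.
import struct
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_internal(ip): return any(ip_address(ip) in net for net in RFC1918)

def read_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap file (either byte order)."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def _dhcp_options(bootp):
    """RFC 2132 options after the magic cookie -> {code: raw bytes}."""
    opts, i = {}, 240
    if len(bootp) < 240 or bootp[236:240] != b"\x63\x82\x53\x63":
        return opts
    while i < len(bootp) and bootp[i] != 255:  # 255 = end of options
        if bootp[i] == 0: i += 1; continue      # 0 = pad, carries no length byte
        code, ln = bootp[i], bootp[i + 1]
        opts[code] = bootp[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

def parse_frame(frame):
    """Ethernet/IPv4 fields plus TCP/UDP ports and DHCP options; None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    pkt = {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]), "proto": frame[23],
           "src_ip": str(ip_address(frame[26:30])), "dst_ip": str(ip_address(frame[30:34]))}
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    if pkt["proto"] in (6, 17) and len(l4) >= 8:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4, 0)
        if (pkt["proto"], pkt["sport"], pkt["dport"]) == (17, 68, 67):
            pkt["dhcp"] = _dhcp_options(l4[8:])
    return pkt

def summarize(data):
    """The five items: time window, victim IP/MAC/hostname, and who it talked to."""
    pkts = [(ts, p) for ts, f in read_pcap(data) if (p := parse_frame(f))]
    # DHCP option 12 is keyed by client MAC: the request's src IP is 0.0.0.0, so the
    # MAC is what links the hostname to the address seen in the later traffic.
    names = {p["src_mac"]: p["dhcp"][12].decode(errors="replace")
             for _, p in pkts if 12 in p.get("dhcp", {})}
    # The internal address sending the most traffic outward is the host to document.
    outbound = Counter((p["src_ip"], p["src_mac"]) for _, p in pkts
                       if _is_internal(p["src_ip"]) and not _is_internal(p["dst_ip"]))
    (host_ip, host_mac), _ = outbound.most_common(1)[0]
    utc = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"start": utc(pkts[0][0]), "end": utc(pkts[-1][0]),
            "host_ip": host_ip, "host_mac": host_mac,
            "host_name": names.get(host_mac, "unknown (no DHCP seen; try NBNS/Kerberos)"),
            "destinations": sorted({f'{p["dst_ip"]}:{p["dport"]}' for _, p in pkts
                                    if p["src_ip"] == host_ip and "dport" in p
                                    and not _is_internal(p["dst_ip"])})}

# ---- constructed sample capture: a DHCP request, then a few outbound SYNs ----
def _mac(s): return bytes.fromhex(s.replace(":", ""))

def _frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):  # IP checksum left as 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64, proto, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + payload

def _syn(sport, dport): return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def _dhcp_request(mac, hostname, wanted_ip):
    bootp = struct.pack("!4BIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0, b"\0" * 4,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, _mac(mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (b"\x63\x82\x53\x63" + bytes([53, 1, 3])  # cookie, message type = Request
            + bytes([50, 4]) + ip_address(wanted_ip).packed  # requested IP address
            + bytes([12, len(hostname)]) + hostname.encode() + b"\xff")  # host name, end
    return struct.pack("!HHHH", 68, 67, 8 + len(bootp) + len(opts), 0) + bootp + opts

HOST_MAC, GW_MAC, HOST_IP = "02:1c:42:a3:7f:10", "02:00:00:00:00:01", "192.168.204.141"
T0 = 1424804400.0  # 2015-02-24 19:00:00 UTC (made-up evening-shift time)
_frames = [
    (T0, _frame(HOST_MAC, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 17,
                _dhcp_request(HOST_MAC, "LAB-WORKSTATION", HOST_IP))),
    (T0 + 12.5, _frame(HOST_MAC, GW_MAC, HOST_IP, "203.0.113.10", 6, _syn(49200, 80))),
    (T0 + 12.7, _frame(GW_MAC, HOST_MAC, "203.0.113.10", HOST_IP, 6, _syn(80, 49200))),
    (T0 + 40.25, _frame(HOST_MAC, GW_MAC, HOST_IP, "198.51.100.25", 6, _syn(49201, 443))),
    (T0 + 41.0, _frame(HOST_MAC, GW_MAC, HOST_IP, "203.0.113.10", 6, _syn(49202, 80))),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(f), len(f)) + f for ts, f in _frames)

if __name__ == "__main__":
    for item, value in summarize(SAMPLE_PCAP).items():
        print(f"{item:>12}: {value}")
```

To run it against the exercise file, replace SAMPLE_PCAP with open('2015-02-24-traffic-analysis-exercise.pcap', 'rb').read(). The MAC-to-hostname correlation is the point worth remembering: a DHCP request is sent from 0.0.0.0, so the client MAC is the only key that links option 12 to the address the host uses afterwards. If the capture has no DHCP, the name usually turns up in NBNS registrations or Kerberos AS-REQs instead (Wireshark filters nbns or kerberos); this script does not parse those. An explicit RFC 1918 check is used rather than ipaddress's is_global because that property treats the TEST-NET ranges in the sample as non-global.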
FIRST BREAK POINT
- Document the above 5 items. Click here to see if your answers are accurate.