You have been investigating an apparent internal attack against your company’s Windows Server 2008 file servers. Suspicious packets have been captured during routine audits. You need to configure Snort to log these suspicious files. Your internal network address is 172.20.0.0 with a subnet mask of 255.240.0.0. Your file servers’ addresses are 172.20.0.12 and 172.20.0.13. Each of these file servers is running Snort as an HIDPS.
The suspicious packets have the following characteristics:
- ? They have come from different systems inside your network.
- ? The packets all include the word release between the 1000th and 1100th bytes.
- ? The packets use TCP as their Transport layer protocol.
- ? The packets appear to be trying to exploit vulnerabilities in the Windows implementation of SMB over IP.
You need to write a rule to be included in the rules directory of each server’s Snort installa- tion. These two rules must be as specific as possible so that the system logs only the packets that meet the signature of the suspicious network activity. The logged packets should be labeled as “Possible Internal SMB over IP Attack.” You must perform research beyond the scope of this chapter to find the needed information and create the rules.
ScholarMatic: Explanation & Answer
Your ready answer from a verified tutor is just a click away for as little as $14.99
Click Order Now to get 100% Original Answer Customized to your instructions!
