Question:
Process
The lab is broken down into 4 distinct parts. In part 1, you locate and start the SNORT IDS. In
part 2, you will locate and examine the SNORT configuration options. You will create inbound
traffic to your VM that is running SNORT and load the resulting traffic capture into WireShark
for a basic analysis of the captured packets in part 3. To conclude the lab, you will write two
custom SNORT rules based on two CVEs.
Part 1: Locating and starting SNORT
In this section of the lab, you will be locating the SNORT IDS on a Windows VM in SimSpace. The
core functionality of SNORT is based on the traffic analysis rules. When running in a production
environment, custom rules are typically used to tailor SNORT to the environment in which it is
running. Incorrectly written rules will prevent SNORT from starting, which means that validating
the analysis rules is required. Using the reference materials available within the lab module
and any others you deem necessary, you will demonstrate that you have successfully started
SNORT.
Breakpoint
Describe the importance of determining the correct network interface that SNORT will use.
Provide a screenshot showing the network interface configuration. Although it is not
configured this way in SimSpace, SNORT can also be run inline to change its operation and
enable IPS functions. Describe how the network interface configuration would be different when
configured to run inline. Provide a screenshot showing that you have tested and validated the
SNORT configuration file. Finally, provide a screenshot showing that you have successfully
started SNORT.
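A pre-flight check for custom rules, added here as an illustration and not part of the lab materials or of SNORT itself: it catches a few common mistakes in Snort 2.x-style rule text (unknown action, protocol or direction operator, unterminated last option, missing or repeated sid) before the rules are loaded. The rule grammar is simplified, the function names and sample rules are constructed for this example, and SNORT's own test mode (`snort -T -c <config file>`) remains the authoritative validation.

```python
import re
# Simplified Snort 2.x grammar: action proto src sport dir dst dport (options)
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*\((.*)\)\s*$")

SAMPLE_RULES = r'''
# constructed sample rules (not from the lab); only the first one is clean
alert tcp any any -> $HOME_NET 80 (msg:"constructed example"; content:"test"; sid:1000001; rev:1;)
alert tcp any any => $HOME_NET 80 (msg:"bad direction"; sid:1000002; rev:1;)
alret udp any any -> any 53 (msg:"typo in action"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"no sid"; rev:1;)
alert tcp any any -> any 22 (msg:"unterminated"; sid:1000001; rev:1)
'''

def check_rule(line, seen_sids):
    """Return the problems found in one rule line (empty list means it passed)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["not of the form: action proto src sport dir dst dport (options)"]
    action, proto, direction, body = m.groups()
    problems = []
    for name, value, allowed in (("action", action, ACTIONS), ("protocol", proto, PROTOCOLS),
                                 ("direction", direction, {"->", "<>"})):
        if value not in allowed:
            problems.append(f"unknown {name} '{value}'")
    parts = re.split(r"(?<!\\);", body)      # split on ';' unless escaped as '\;'
    if parts[-1].strip():
        problems.append("last option is not terminated with ';'")
    opts = dict(p.strip().partition(":")[::2] for p in parts if p.strip())
    sid = opts.get("sid", "").strip()
    if not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif sid in seen_sids:                   # flagged as a likely copy/paste slip
        problems.append(f"duplicate sid {sid}")
    seen_sids.add(sid)
    return problems

def check_rules(text):
    """Map 1-based line number -> problems, skipping blank and comment lines."""
    seen, report = set(), {}
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            report[n] = check_rule(line, seen)
    return {n: p for n, p in report.items() if p}

if __name__ == "__main__":
    for n, problems in check_rules(SAMPLE_RULES).items():
        print(f"line {n}: {'; '.join(problems)}")
```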
