SEC401 - Data Security Technologies | Printable command sheet
Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek

Intrusion Detection | SEC401 | Apr 2026

Validated Snort 3.1.73 config, tightened HOME_NET to 10.130.0.0/16, ran the community ruleset against investigate.pcap, and surfaced an SSH CRC32 overflow shellcode pattern (294 alerts from 20.106.124.93 → 10.130.8.94:22). Re-ran Snort with a BPF filter pinned to the attacker IP, then processed the same PCAP with Zeek's extract-all-files policy and confirmed log output.

Tools: Snort 3.1.73.0, Zeek, snort3-community.rules, BPF, sed, tshark-style workflow on PCAP

Commands

1. Validate the Snort3 config

Ran Snort in test mode to confirm the lab's snort.lua loads cleanly. The output shows Snort 3.1.73.0 enumerating every compiled-in inspector: HTTP, HTTP2, TLS/SSL, SMTP, SSH, FTP, DCE-RPC variants, DNS, IEC104, Modbus, NetFlow, port_scan, the wizard (protocol auto-id), and stream reassembly for TCP/UDP/ICMP. Good baseline view of what Snort3 actually inspects out of the box.

snort -T -c /sec401/labs/4.3/etc/snort.lua
-T: test configuration and exit
-c: path to snort.lua

2. Scope HOME_NET to the lab /16

Replaced HOME_NET = 'any' with HOME_NET = '[10.130.0.0/16]' via sed. 'any' is the stock default, but with it every address counts as "home", so rules written as $EXTERNAL_NET -> $HOME_NET cannot tell inbound from outbound and lose most of their value. Setting the real CIDR makes direction-sensitive rules meaningful. The sed expression has to be double-quoted (the pattern itself contains single quotes) and use a delimiter other than / because the CIDR contains one; confirm the edited line with grep before re-validating.

sed -i "s#HOME_NET = 'any'#HOME_NET = '[10.130.0.0/16]'#" /sec401/labs/4.3/etc/snort.lua

3. Quiet re-validation

Re-ran config test with -q to suppress startup noise. Clean exit means the HOME_NET edit is syntactically valid.

snort -T -c /sec401/labs/4.3/etc/snort.lua -q
-q: quiet mode (suppress banners)

4. PCAP replay with community rules: summary view

Replayed investigate.pcap through Snort with the community rules and alert_talos output. The summary groups alerts by SID and signature: SERVER-WEBAPP robots.txt access (14), backup access (15), POLICY-OTHER Microsoft Windows Terminal server request attempt (218), INDICATOR-SHELLCODE ssh CRC32 overflow filler (294), PROTOCOL-ICMP Unusual PING (15). The 294-alert ssh CRC32 row is the obvious thing to pivot on — that's a classic 2001-era exploit signature.

snort -c etc/snort.lua -q -r investigate.pcap -A alert_talos -R rules/snort3-community.rules
-r: read from PCAP
-A alert_talos: Talos-style output with a per-rule hit count summary
-R: ruleset to load

5. Per-alert detail with alert_fast

Switched output mode to alert_fast for one-line-per-alert detail. Clearly shows [1:1325:14] INDICATOR-SHELLCODE ssh CRC32 overflow filler — Classification: Executable code was detected, Priority 1 — TCP 20.106.124.93 → 10.130.8.94:22. Every alert traces to the same source IP hammering the same host's SSH port with what Snort identifies as exploit shellcode fillers.

snort -c etc/snort.lua -q -r investigate.pcap -A alert_fast -R rules/snort3-community.rules
-A alert_fast: one alert per line (best for piping to grep/awk)

6. BPF filter to focus the attacker

Re-ran with --bpf 'host 20.106.124.93' to scope the analysis to one attacker IP. The filter is applied by the DAQ before decoding, so non-matching packets never reach the inspectors or the ruleset and only alerts involving that host survive. In a real PCAP triage this is how you shrink the haystack to a single host, port or flow and re-run the full ruleset against just that slice instead of wading through the unrelated web and terminal-server noise.

snort -c etc/snort.lua -q -r investigate.pcap -A alert_fast -R rules/snort3-community.rules --bpf 'host 20.106.124.93'
--bpf: Berkeley Packet Filter expression; same syntax as tcpdump
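The pivot in steps 4 to 6 (rule summary, then per-source count, then a --bpf expression) as a small POSIX shell pipeline over alert_fast output. This is an added example, not part of the lab sheet or of Snort; the alert lines are constructed to mirror the lab's findings, and only [1:1325:14] is a real SID from the lab. The other SIDs, timestamps, ephemeral ports and the address 198.51.100.7 are placeholders.

```shell
#!/bin/sh
# Added example (not from the lab sheet): triage Snort 3 alert_fast output
# with sed/sort/uniq, the pivot from the rule summary to a --bpf filter.

# Constructed alert_fast lines. Only [1:1325:14] is a real SID from the lab;
# the other SIDs, timestamps, ports and 198.51.100.7 are placeholders.
sample_alerts() {
cat <<'EOF'
03/12-14:02:11.101221 [**] [1:1325:14] "INDICATOR-SHELLCODE ssh CRC32 overflow filler" [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 20.106.124.93:41522 -> 10.130.8.94:22
03/12-14:02:11.102873 [**] [1:1325:14] "INDICATOR-SHELLCODE ssh CRC32 overflow filler" [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 20.106.124.93:41522 -> 10.130.8.94:22
03/12-14:02:12.000411 [**] [1:1325:14] "INDICATOR-SHELLCODE ssh CRC32 overflow filler" [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 20.106.124.93:41523 -> 10.130.8.94:22
03/12-14:03:40.220000 [**] [1:9000001:1] "PROTOCOL-ICMP Unusual PING" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 20.106.124.93 -> 10.130.8.94
03/12-14:05:30.550000 [**] [1:9000002:1] "SERVER-WEBAPP robots.txt access" [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:50123 -> 10.130.8.94:80
EOF
}

# Alerts per rule: '<count> [gid:sid:rev] "msg"', most frequent first
alerts_by_rule() {
  sed -n 's/^.*\[\*\*\] \(\[[0-9:]*\] "[^"]*"\).*$/\1/p' | sort | uniq -c | sort -rn
}

# Alerts per source IP; handles {TCP}/{UDP} src:port and {ICMP} src with no port
alerts_by_src() {
  sed -n 's/^.*{[A-Z]*} \([0-9.]*\).* -> .*$/\1/p' | sort | uniq -c | sort -rn
}

# Noisiest source, and the tcpdump-syntax expression for snort --bpf / zeek -f
top_source() { alerts_by_src | head -n 1 | awk '{ print $2 }'; }
bpf_for_top_source() { printf 'host %s\n' "$(top_source)"; }

# Stand-alone demo; on a real run replace sample_alerts with
#   snort -c etc/snort.lua -q -r investigate.pcap -A alert_fast -R rules/snort3-community.rules
echo '== by rule =='; sample_alerts | alerts_by_rule
echo '== by source =='; sample_alerts | alerts_by_src
echo "== next run: snort ... --bpf '$(sample_alerts | bpf_for_top_source)'"
```

The sed patterns key on the fixed alert_fast layout ([**] separators, {PROTO} src -> dst), which is why that mode is the one to pipe; alert_talos's grouped output has no per-alert addresses to count.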

7. Zeek: protocol-aware log + file extraction

Switched to Zeek on the same PCAP with the extract-all-files policy and the same host filter. Zeek writes one log per protocol it parses (conn.log, http.log, ssh.log, files.log, ...) and can carve files out of flows. A log file is only created when its first record is written, so packet_filter.log showing up first in the directory listing is expected; conn.log and the protocol logs appear as matching traffic is parsed. If a run finishes with packet_filter.log alone, the filter compiled but matched nothing, so check the address in -f against the Snort alerts before trusting the output.

zeek -C -r ../investigate.pcap -f 'host 20.106.124.93' /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
-C: ignore checksums (offloaded NICs leave bad checksums in captures)
-r: read from PCAP
-f: BPF filter, same syntax as tcpdump and Snort --bpf
extract-all-files.zeek: attach the extract analyzer to every file the file framework sees (HTTP, FTP, SMB, SMTP, ...); carved files land in ./extract_files/ and are indexed by files.log

8. Inspect Zeek log schema

Pulled the field list from packet_filter.log using sed. The #fields header lists ts, node, filter, init, success, failure_reason — Zeek's self-describing tab-separated format. Every Zeek log carries this header, which makes downstream parsing (zeek-cut, awk, Splunk) trivial.

sed -n 7p packet_filter.log | sed 's/\t/\n/g'
sed -n 7p: print line 7 (the #fields header; lines 1-6 are #separator, #set_separator, #empty_field, #unset_field, #path, #open)
sed 's/\t/\n/g': convert tabs to newlines for readability (GNU sed escapes)

Key Findings

  • 294 INDICATOR-SHELLCODE ssh CRC32 overflow alerts concentrated on 20.106.124.93 → 10.130.8.94:22
  • 218 POLICY-OTHER Windows Terminal Server request attempts in the same PCAP
  • Multiple low-severity SERVER-WEBAPP access rules firing (robots.txt, backup, root access)
  • Zeek packet_filter.log (success=T) confirms the BPF compiled and was installed; a populated conn.log is what confirms it matched the attacker's traffic
  • Zeek extract-all-files policy loaded; anything the file framework sees (HTTP, SMB, FTP, SMTP) is carved into ./extract_files/ and indexed in files.log

Security Controls

  • Network IDS (Snort, Suricata)
  • Network security monitoring (Zeek)
  • Alert tuning and HOME_NET scoping
  • SOC playbooks for Priority-1 exploit signatures
  • Retention of PCAP + Zeek logs for retrospective hunting
  • File extraction + sandbox detonation pipelines