The first part of this article series set up an environment in which readers could examine a public exploit as it crossed the network. The purpose of the exercise is to help readers understand the complex world of intrusion detection and low-level packet analysis, so that they can better secure their own networks.

In part one we set up a lab environment using two machines and a set of tools that included Snort, SnortSnarf, tcpdump and libpcap (or WinDump and WinPcap on Windows). Once the lab was in place, we compiled an exploit from publicly available source code and sent the resulting binary from one test machine to the other. That traffic triggered alerts in our IDS, Snort, and prompted some low-level packet analysis to see what was actually happening on the wire.

With the machines and tools in place, and with our exploit having triggered the alerts summarized below, part one had room to discuss only the first alert, which turned out to be a false positive (a false alarm). In this part we continue the analysis and work through the remaining four Snort alerts.

Readers are encouraged to review part one of this series, which explains how the alert summary was generated with SnortSnarf, before continuing.
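SnortSnarf's job in this workflow is to take Snort's raw alert file and roll it up by signature, source and destination so that an analyst can decide which alerts to look at first. The following is an added example, not code from the article and not SnortSnarf itself: a small Python parser for Snort's "fast" alert format (the one-line-per-alert output of the alert_fast output plugin) that produces the same kind of rollup and orders the distinct signatures for triage by rule priority. The alert lines embedded in it are constructed sample data; the rule SIDs, messages and addresses are assumptions chosen for illustration (SIDs in the 1000000+ range that Snort reserves for local rules) and are not the alerts the article discusses.

```python
import re
from collections import Counter

# Constructed sample Snort fast-format alerts (not the article's real alerts).
# Rule SIDs, messages and hosts are assumptions for illustration only.
SAMPLE_ALERTS = """\
08/15-14:23:01.100000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20
08/15-14:23:02.200000  [**] [1:1000002:1] LOCAL payload pattern match on tcp/80 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:34567 -> 192.168.1.20:80
08/15-14:23:02.250000  [**] [1:1000002:1] LOCAL payload pattern match on tcp/80 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:34568 -> 192.168.1.20:80
08/15-14:23:03.300000  [**] [1:1000003:1] LOCAL oversized request to tcp/80 [**] [Priority: 2] {TCP} 192.168.1.10:34568 -> 192.168.1.20:80
08/15-14:23:04.400000  [**] [1:1000004:1] LOCAL unexpected server response [**] {TCP} 192.168.1.20:80 -> 192.168.1.10:34568
this line is deliberately malformed and must be skipped, not crash the parser
"""

# One line of Snort's "fast" alert format:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
# Classification and Priority are optional (rules without a classtype omit them),
# and ICMP alerts carry no port numbers, so both ports are optional too.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts.

    Returns (alerts, skipped): unparseable lines are counted rather than
    aborting the run, because a truncated or corrupt alert file is common
    and the analyst should be told how much was dropped.
    """
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_ALERT_RE.match(line)
        if not m:
            skipped += 1
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev"):
            a[key] = int(a[key])
        for key in ("priority", "sport", "dport"):
            a[key] = int(a[key]) if a[key] is not None else None
        alerts.append(a)
    return alerts, skipped


def summarize(alerts):
    """SnortSnarf-style rollup: hits per signature, per source host, per src->dst pair."""
    return {
        "by_signature": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_pair": Counter((a["src"], a["dst"]) for a in alerts),
    }


def triage_order(alerts):
    """Distinct signatures ordered for review: priority 1 first, alerts with no
    priority last, ties broken by first appearance in the file."""
    first_seen = {}
    for idx, a in enumerate(alerts):
        key = (a["gid"], a["sid"])
        if key not in first_seen:
            prio = a["priority"] if a["priority"] is not None else 99
            first_seen[key] = (prio, idx, a["msg"])
    ordered = sorted(first_seen.items(), key=lambda kv: (kv[1][0], kv[1][1]))
    return [(key, msg) for key, (_prio, _idx, msg) in ordered]


if __name__ == "__main__":
    alerts, skipped = parse_fast_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed, {skipped} line(s) skipped")
    rollup = summarize(alerts)
    for (gid, sid, msg), n in rollup["by_signature"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    for src, n in rollup["by_source"].most_common():
        print(f"{n:4d}  from {src}")
    print("review order:", [sid for (_gid, sid), _msg in triage_order(alerts)])
```

Running the script on the embedded sample shows the same picture SnortSnarf's HTML gives for a real lab run: one host is responsible for almost all of the alerts, one signature fired twice, and the low-priority ICMP alert (the analogue of the false positive discussed in part one) drops to the bottom of the review order. Point `parse_fast_alerts` at the contents of Snort's `alert` file instead of `SAMPLE_ALERTS` to use it on a real capture.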

The link for this article located at securityfocus.com is no longer available.