Before you begin this assignment make sure you have read the appropriate chapters and viewed the lecture slides for this Unit.
In a Word document, answer the questions in a full paragraph, with complete sentences at the end of the lab assignment. Save your file with the name Yourname_CIS410_U2_LabAssignment.doc and submit it below.
As the new network administrator, your duties entail protecting the organization infrastructure against all vulnerabilities, exploits, and malware. You are subscribed to databases such as Cert, Sans, and Secureworks to get the latest information on threats. These databases provide you with signatures of the particular threat that makes it unique. It is your job to evaluate the signature and create Rules that include parts of the signature so the organization's Intrusion Detection System (IDS), Snort, can alert, if detected.
You have just received a threat about a new Trojan. You must evaluate the new threat signature.
PART 1
Review the Signature Analysis of the new threat from the database.
PART 2
You have created a Rule for Snort based on the Phatbot signature. You need to evaluate the Rule for effectiveness. Read the following Rule File.
PART 3
Answer the following questions (worth 25 point each) concerning the Rule File and turn in as your lab assignment:
1.Does the rule match content with the Phatbot Trojan? If so, what is the content match? If not, what should be included in order for the rule to content match?
2.Does the rule catch the threat? List the threat.
3.Does the rule list any particular oddities or protocol(s) or anything that makes it unique (such as messages)? If so, list these. If not, what should be included?
4.Now, write another version of a Phatbot Rule for Snort. Usually there are several versions for any one particular signature. It does not have to be elaborate, just effective. You may want to research writing rules in the Writing Good Rules document.
Before you begin the analysis, you may want to review how to create a Snort Rule in the Snort Rule Summary.
Also, you want to review a previous signature and the Snort signature in a threat called Danmec.
If you need additional research for this task use the Snort Manual.