Snort Live Capture Challenge - Stop BruteForce Attacks & More!

  • Published 1 Dec 2024

COMMENTS • 6

  • @davidpickering6071 · 8 months ago

    Really enjoyed this Hank. You explained it very well at a good pace. Many thanks.

    • @HankHacksHackers · 8 months ago · +1

      It's my pleasure, David. I'm very glad you enjoyed it and got something out of it.

  • @drearyhope1306 · 4 months ago

    Hey man, great video! I was able to follow along, but I have a question regarding the brute force one (task 2): the IP address of our machine (in the video at least) is 10[.]10.198.162, and the victim IP address, to which the SSH connection is happening, is 10[.]10.140.29. How is Snort on our machine (10[.]10.198.162) sniffing the packets directed to 10[.]10.140.29 and coming from the attacker (10[.]10.245.36), and stopping that traffic once we write the rule?

    • @HankHacksHackers · 3 months ago · +1

      Great question! And I can definitely understand how it can be confusing.
      In the scenario for the Brute Force exercise, it explains that the recipe is stored on their digital cafe (implying that it's stored on a web server). Even though the IP address of the machine that I was using was the 198.162 IP, the IP address of the web server was the 140.29 IP. The attack was being done against the 140.29 address, and the reason why we were able to see it is that our machine was connected to the web server and monitoring it.
      Excellent catch and great question!
      (Also, thank you for your patience for this response. Your comment was flagged by UA-cam and I didn't see it right away).

  • @Ashterisk7 · 2 months ago

    Hey Hank, another great walkthrough!!
    I have a question regarding the local rule for the 1st attack. @21:36
    drop TCP any 22 any any
    Are we dropping packets from any source IP with source port 22?
    Should it be packets that are destined to the server port 22 instead? -> drop any any any 22
    Are we trying to prevent traffic from the attacker to destination port 22, or stopping the server from sending traffic from port 22?
    Hope my question isn't confusing.
    Thanks in advance!!!!

    • @HankHacksHackers · 2 months ago

      @Ashterisk7 it’s actually a combination… yes, we’ve declared the source port to be 22, but the two arrows imply that the traffic could be going in any direction. We don’t want any traffic to be going to another source on port 22, because that usually implies that they are trying to get a shell connection to us. Hopefully that made sense.
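The exchange above turns on how Snort's direction operator changes which packets a rule header matches. The following is an added example, not code from the video or its comments: a minimal matcher for Snort rule headers only (action, protocol, source, source port, direction, destination, destination port), run over a constructed attacker-to-server SSH packet and the server's reply. The sample IPs are taken from the comments above; the client port and the rule options (msg, sid) are constructed.

```python
import re

# Snort rule header: action proto src sport (-> | <>) dst dport ; options after it are ignored.
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def _field_matches(rule_value: str, packet_value) -> bool:
    """'any' matches everything; otherwise a single IP or port compared literally."""
    return rule_value.lower() == "any" or str(rule_value) == str(packet_value)


def header_matches(rule: str, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """True if the packet 5-tuple is selected by the rule header, honouring -> and <>."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    if m["proto"].lower() != proto.lower():
        return False
    forward = (_field_matches(m["src"], src) and _field_matches(m["sport"], sport)
               and _field_matches(m["dst"], dst) and _field_matches(m["dport"], dport))
    if m["dir"] == "->":
        return forward
    # '<>' (bidirectional): the packet also matches with its endpoints swapped.
    reverse = (_field_matches(m["src"], dst) and _field_matches(m["sport"], dport)
               and _field_matches(m["dst"], src) and _field_matches(m["dport"], sport))
    return forward or reverse


# Constructed sample flow: attacker -> SSH server (IPs from the thread), and the server's reply.
ATTACK = dict(proto="tcp", src="10.10.245.36", sport=51234, dst="10.10.140.29", dport=22)
REPLY = dict(proto="tcp", src="10.10.140.29", sport=22, dst="10.10.245.36", dport=51234)

# Three rule headers to compare; options are constructed placeholders.
RULE_BIDIR = 'drop tcp any 22 <> any any (msg:"SSH, either direction"; sid:1000001; rev:1;)'
RULE_TO_SERVER = 'drop tcp any any -> any 22 (msg:"traffic to SSH server"; sid:1000002; rev:1;)'
RULE_FROM_22_ONLY = 'drop tcp any 22 -> any any (msg:"replies from port 22 only"; sid:1000003; rev:1;)'

if __name__ == "__main__":
    for rule in (RULE_BIDIR, RULE_TO_SERVER, RULE_FROM_22_ONLY):
        head = rule.split("(")[0].strip()
        print(f"{head:28} attack={header_matches(rule, **ATTACK)!s:5} reply={header_matches(rule, **REPLY)}")
```

The bidirectional header drops both the attacker's packets to port 22 and the server's replies, while the one-way `any 22 -> any any` form would drop only the replies.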