How do you justify it being SSH? It could be port 80 because it's the same two IP addresses back and forth, so where do you come to the conclusion that it's just browsing? It could be brute force on the login page. Please can you explain more clearly? There are more packets from port 80 than port 22. If there are multiple IP addresses visiting that port you could class that as browsing, because a lot of people visit that page.
Thank you so much brother!!! Amazing explanation. Please don't mind me asking, do you look at the malicious port regardless of whether it's our IP's port or the destination IP's port?
In production, this is not a great rule. Yes, it gets you the flag (which is all that counts), but if there is a legit SSH server then blocking all traffic to it is effectively a DoS. Better to write a more targeted rule for the source and destination.
Or, further, before using -A full to stop the attack you can use this command to check the rule in IPS mode: sudo snort -c -q -Q --daq afpacket -i eth0:eth1 -A console
Thank You Motasem!!
And yes, please do some more Snort walkthroughs. It's been the hardest for me so far in the SOC T1 path.
I've been watching the Snort vids, thanks for your help and guidance.
Loving the vids, really helping me 🤙🏼
I think you can just check both.
THIS IS GREAT THANK YOU
Wonderful video thanks!
May I ask if we can have a copy of your Snort commands? Just the Snort ones hehe, or maybe we can purchase? Thanks.
Absolute legend
That's right! Like this rule maybe:
drop tcp 10.10.245.36 any -> any 22 (msg:"Stop the attacker SSH"; sid:1000001; rev:1;)
Thanks for the support
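The two threads above (is the port-80 traffic browsing or a brute force, and why a per-source drop rule beats a blanket port block) come down to the same check: how many distinct clients are talking to a port, and how much of the traffic comes from one of them. The following is an added example, not code from the video or from the commenters: it profiles a constructed packet summary, applies an assumed heuristic (a port where one source accounts for 80% or more of the packets is a single-source flood; a port with at least three distinct clients and no dominant source is browsing), and emits a Snort drop rule scoped to the offending source rather than to the whole port. The thresholds, the sample addresses and the message text are assumptions; the rule syntax (drop action, msg, sid, rev) is standard Snort.

```python
from collections import Counter, defaultdict

# Constructed sample, not a real capture: (src_ip, dst_ip, dst_port).
# Port 80 carries MORE packets than port 22, but spread over four clients;
# port 22 is dominated by a single source plus one legitimate admin login.
SAMPLE_PACKETS = (
    [("10.0.0.5", "192.168.1.10", 80)] * 15
    + [("10.0.0.6", "192.168.1.10", 80)] * 15
    + [("10.0.0.7", "192.168.1.10", 80)] * 15
    + [("10.0.0.8", "192.168.1.10", 80)] * 15
    + [("10.10.245.36", "192.168.1.10", 22)] * 40   # assumed attacker
    + [("192.168.1.50", "192.168.1.10", 22)] * 2    # assumed legit admin
)


def port_profile(packets):
    """Per destination port: total packet count and a Counter of source IPs."""
    profile = defaultdict(lambda: {"packets": 0, "sources": Counter()})
    for src, _dst, dport in packets:
        profile[dport]["packets"] += 1
        profile[dport]["sources"][src] += 1
    return dict(profile)


def classify(profile, min_clients=3, single_source_share=0.8):
    """Label each port as 'single-source flood', 'browsing' or 'inconclusive'.

    Returns {port: (label, top_source_ip, top_source_share)}.  Raw packet
    volume is deliberately ignored: a busy web server with many clients
    looks nothing like one host hammering a login port.
    """
    verdicts = {}
    for port, stats in profile.items():
        top_src, top_n = stats["sources"].most_common(1)[0]
        share = top_n / stats["packets"]
        if share >= single_source_share:
            verdicts[port] = ("single-source flood", top_src, share)
        elif len(stats["sources"]) >= min_clients:
            verdicts[port] = ("browsing", top_src, share)
        else:
            verdicts[port] = ("inconclusive", top_src, share)
    return verdicts


def targeted_rules(verdicts, start_sid=1000001):
    """Build one Snort drop rule per flooding source, scoped to that source.

    Scoping on the source IP keeps the legitimate admin on tcp/22 working;
    'drop tcp any any -> any 22' would cut them off too (a self-inflicted DoS).
    """
    rules = []
    sid = start_sid
    for port in sorted(verdicts):
        label, src, _share = verdicts[port]
        if label != "single-source flood":
            continue
        rules.append(
            f'drop tcp {src} any -> any {port} '
            f'(msg:"Block brute-force source {src} on tcp/{port}"; '
            f'sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    prof = port_profile(SAMPLE_PACKETS)
    for port, (label, src, share) in sorted(classify(prof).items()):
        print(f"tcp/{port}: {prof[port]['packets']} pkts, "
              f"{len(prof[port]['sources'])} clients, top {src} {share:.0%} -> {label}")
    for rule in targeted_rules(classify(prof)):
        print(rule)
```

Running it shows tcp/80 with 60 packets from four clients (browsing) and tcp/22 with 42 packets of which one host sends 95% (flood), and prints a single drop rule pinned to 10.10.245.36. Drop the generated line into local.rules, then run Snort with -Q in IPS mode against the traffic to confirm the admin's packets still pass before trusting the rule.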
I got the flag on the first attempt. But I didn't read the whole logs. Seeing that many HTTP requests on port 80, I thought it was obviously tcp/80.
I don't understand the point of writing a local rule and then using the default config.
I didn't either. I used /etc/snort/rules/local.rules instead of the default config and it worked.
hello, what app/document do you use to layout your notes like that?
Hello, Obsidian
Thanks Motasem, where can I find your notes? Give me the name on your website, is it in Special Courses Catalog or Cybersecurity Field Notes?
What's the name of the website to look for the commands?
hey Motasem, where can I find the link for your notes ?
I can't find it on your channel
ua-cam.com/channels/NSdU_1ehXtGclimTVckHmQ.htmljoin
@MotasemHamdan Can you please make it available in Azerbaijan as well?
How can I get access to your notes?
Hello, notes are part of channel membership tier 2.
Details:
motasem-notes.net/cyber-security-field-notes/
Also, if you don't mind sharing your Snort notes, I will be very thankful!
Where can we find your notes?
Check below link out;
buymeacoffee.com/notescatalog/extras
Are you Arab?
Correct.