Attention: All the exercises are run on the machines named H3 and Router in each pod. In order to log in to the machines, please ask the TA to help you log in with the root account.

1. Get familiar with NetPoke

NetPoke is a tool that replays a tcpdump file onto a network. You will find 4 tcpdump files in your home directory (LLS_DDOS_?.0_dmz.dump and LLS_DDOS_?.0_inside.dump). You can send out the packets in any of the dump files by typing:

    ./netpoke -d eth1 filename

Here 'filename' is the name of a dump file in the directory /usr/NetPoke/. If you want to see when each packet is sent, use the "-T" option:

    ./netpoke -d eth1 -T filename

If you want to send the packets faster than the actual (recorded) speed, use the "-s" option together with the speed-up factor you would like. For example, 3 times faster is:

    ./netpoke -d eth1 -s 3 filename

The above are the most frequently used options of netpoke. What you need to do in the first lab session is to read the manual of netpoke (man netpoke) and try the commands above on the machine which has NetPoke installed. For each dump file, stop netpoke after 5 minutes and read the snort alert log on the other machine. It is possible that you will have problems sending out packets when using the -s option; don't worry about that.

2. Get familiar with Snort

Snort is a free IDS tool. What you need to do is to get familiar with the basic options of snort.

a) Sniffer Mode

    ./snort -v       view TCP/IP packet headers
    ./snort -vd      view detailed packet info
    ./snort -vde     view very detailed packet info

b) Packet Logger

-l logs the packets to a directory. -h specifies the home network so that logging is organized relative to it; we don't need this option in our particular environment. First create a directory named "log" in the /usr directory, then:

    ./snort -dev -l ./log

This will generate a tcpdump file. To log a binary file instead, use the -b option after the directory name:

    ./snort -l ./log -b

c) NIDS mode

Use the -c option to apply the rules file:

    ./snort -dev -l ./log -c snort.conf

Here the file 'snort.conf' is the configuration file for snort in the directory /usr/rules/. Make sure you input the right path for snort.conf and the right network address. You can use the "-A fast" option for a simple format of the alert log.

d) Analyze a tcpdump file

Use the -r option to read a binary tcpdump file and -c to apply the rules:

    ./snort -r filename.dump -c snort.conf -l ./log

It will be your second lab session's job to analyze all 4 DARPA dump files.
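Both lab sessions end with the same task: reading the snort alert log after a dump has been replayed (session 1) or analyzed offline with -r (session 2). The script below is an added example, not part of the lab handout or of the Snort or NetPoke distributions. It wraps the section d) command with "-A fast" and then summarizes a fast-format alert log by total count, by signature name and by source address, which is how you would compare what the four DARPA dumps trigger. It assumes snort is on PATH and snort.conf is at /usr/rules/snort.conf (the handout runs ./snort from the snort directory instead); the alert lines in the demo are constructed and use RFC 5737 documentation addresses, not real lab output.

```shell
#!/bin/sh
# Added example (not from the lab handout): analyze a dump with snort and
# summarize the resulting "-A fast" alert log.
# Assumptions not stated in the handout: snort is on PATH, the rules file is
# /usr/rules/snort.conf, and fast alerts are written to "$logdir/alert".

# Offline analysis of one dump (handout section d, plus -A fast so that
# each alert is a single line we can grep and count).
analyze_dump() {
    dump="$1"; logdir="$2"
    mkdir -p "$logdir"
    snort -r "$dump" -c /usr/rules/snort.conf -l "$logdir" -A fast
}

# Total number of alerts: every fast-format alert line contains "[**]".
count_alerts() {
    grep -c '\[\*\*\]' "$1"
}

# Alerts per signature name (text between "[gid:sid:rev]" and the second
# "[**]"), most frequent first.
alerts_by_signature() {
    sed -n 's/.*\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\].*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Alerts per source IP (the address before "->"; the port is optional
# because ICMP alerts carry none), most frequent first.
alerts_by_source() {
    sed -n 's/.*} \([0-9.]*\):\{0,1\}[0-9]* -> .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Constructed sample alert log in Snort fast format (made up for this
# example). In the lab, point the functions at ./log/alert instead.
SAMPLE_ALERT="${TMPDIR:-/tmp}/sample_fast_alert.txt"
cat > "$SAMPLE_ALERT" <<'EOF'
03/15-10:01:02.123456  [**] [1:1000001:1] EXAMPLE SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.5:40000 -> 198.51.100.50:80
03/15-10:01:02.223456  [**] [1:1000001:1] EXAMPLE SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.5:40001 -> 198.51.100.50:80
03/15-10:01:03.000000  [**] [1:1000002:1] EXAMPLE ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.7 -> 198.51.100.51
03/15-10:01:04.000000  [**] [1:1000001:1] EXAMPLE SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.6:40002 -> 198.51.100.50:80
EOF

echo "total alerts: $(count_alerts "$SAMPLE_ALERT")"
echo "by signature:"
alerts_by_signature "$SAMPLE_ALERT"
echo "by source:"
alerts_by_source "$SAMPLE_ALERT"
```

For the lab, replace the sample file with the alert file snort wrote, e.g. `analyze_dump LLS_DDOS_1.0_inside.dump ./log` followed by `alerts_by_signature ./log/alert`; running the summary once per dump gives a per-file table of signatures and sources that is much easier to compare than reading the raw alert files.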