For the first lab exercise.

1. Go to the /usr directory and create a log directory inside it. Run the sniffer mode of snort on Machine B, i.e. H3 (the machine which has snort installed), by typing:

       snort -edv -l ./log

   Ping Machine B (H3) from Machine A, which is named Router or H4 (the machine which has NetPoke installed). Stop snort after you finish pinging. Open the log file and take a look at what you get. Repeat the above operations with the -v and -dv options instead of -edv, and note the difference among these options.

2. Run the NIDS mode of snort on Machine B by typing:

       snort -c ./rules/snort.conf -l ./log

   On Machine A, go to NetPoke's directory /usr/NetPoke/ and use netpoke to send the 4 DARPA datasets (e.g. LLS_DDOS_2.0.2-inside.dump) to Machine B by typing:

       ./netpoke -d eth1 dumpfilename

   where dumpfilename is the name of the dataset file. Stop the netpoke session on Machine A after 2 minutes for each dataset. Back up the alert files as alert.1dmz, alert.1inside, alert.2dmz and alert.2inside in the log directory on Machine B, one for each dataset. Show the TA your four alert log files.

3. Type "./netpoke -d eth1 -T dumpfilename" to see when packets are sent out.

4. Type "./netpoke -d eth1 -s 3 filename" and run snort in sniffer mode (as described in exercise 1) on the other machine. Compare the result with a run at normal speed, i.e. with the '-s 1' option.

For the second lab exercise.

1. Use the "-r", "-c" and "-A fast" options of snort with the default rules to analyze the 4 datasets. In the /usr directory, type:

       snort -r ./dumpfilename -c ./rules/snort.conf -A fast -l ./log

   Back up the /usr/log/alert file after each run, and write down the number of alerts detected in each dataset. Save the backups as: alert1dmz, alert1inside, alert2dmz, alert2inside. Edit the 4 alert log files to add the number of alerts as the first line of the log information.

   You may need to use the "-N" option to disable packet logging and speed up the analysis of the 2 inside datasets, because they take much more time to analyze than the 2 dmz datasets.

2. Back up the snort.conf file to snort.conf.bak. Edit the snort.conf file and remove all the rule files by adding "#" in front of the "include ..." lines at the end of snort.conf, except for the "include telnet.rules" line. Repeat step 1 and save the 4 alert log files together with the number of alerts detected. Save the files as: alert1dmzmod, alert1insidemod, alert2dmzmod, alert2insidemod. You can also change the rules in the snort.conf file in some other way and see what happens.

3. Submit your 8 alert log files via wolfware (ask the TA for the PC with outside access).

4. *IMPORTANT*: Clear the log directory, restore snort.conf.bak to snort.conf, and clear all the alert log files you generated.
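The two bookkeeping steps of the second exercise (counting the alerts in each "-A fast" log and prepending the count, and commenting out every "include ...rules" line in snort.conf except telnet.rules) are easy to get wrong by hand when done eight times. The script below is an added helper, not part of the lab handout or of snort; it assumes snort's fast alert format, in which each alert is a single line containing the marker "[**]", and it runs on constructed sample data so it can be tried without the lab machines. The sample alert lines, rule names and SIDs in it are made up for the demonstration.

```shell
#!/bin/sh
# Added helper for the second lab exercise (not from the handout).
# Assumes "-A fast" output: one alert per line, each containing "[**]".

# Count alert lines in a fast-format alert file. grep -c exits 1 when the
# count is 0, so "|| true" keeps the "0" on stdout without failing.
count_fast_alerts() {
    grep -c '\[\*\*\]' "$1" || true
}

# Write DST as: first line = number of alerts, then the original log
# (step 1: "add the number of alerts at the first line").
prepend_alert_count() {
    src=$1; dst=$2
    n=$(count_fast_alerts "$src")
    { printf 'Number of alerts: %s\n' "$n"; cat "$src"; } > "$dst"
}

# Copy snort.conf to DST, commenting out every active "include ...rules"
# line except the one for telnet.rules (step 2). Lines already starting
# with "#" are left untouched.
keep_only_telnet_rules() {
    src=$1; dst=$2
    sed -e '/^include .*\.rules/{' \
        -e '/telnet\.rules/!s/^/#/' \
        -e '}' "$src" > "$dst"
}

# --- demonstration on constructed sample files (not real lab output) ---
demo() {
    tmp=$(mktemp -d)
    # Constructed fast-format alerts; names and SIDs are placeholders.
    cat > "$tmp/alert" <<'EOF'
01/01-00:00:01.000000  [**] [1:999001:1] SAMPLE telnet login [**] [Priority: 2] {TCP} 10.0.0.1:34567 -> 10.0.0.2:23
01/01-00:00:02.000000  [**] [1:999002:1] SAMPLE ICMP ping [**] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.2
EOF
    # Constructed tail of a snort.conf with three include lines.
    cat > "$tmp/snort.conf" <<'EOF'
var RULE_PATH ./rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/web-cgi.rules
EOF
    prepend_alert_count "$tmp/alert" "$tmp/alert1dmz"
    keep_only_telnet_rules "$tmp/snort.conf" "$tmp/snort.conf.mod"
    echo "== alert1dmz =="; cat "$tmp/alert1dmz"
    echo "== snort.conf.mod =="; cat "$tmp/snort.conf.mod"
    rm -rf "$tmp"
}
demo
```

On the lab machine you would call prepend_alert_count /usr/log/alert /usr/log/alert1dmz after each snort run instead of editing the file by hand, and keep_only_telnet_rules ./rules/snort.conf.bak ./rules/snort.conf after making the backup, so that step 4's restore is just a copy of snort.conf.bak.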