In this section you will examine the traffic from the sniffer.

Return to the Security Onion box and stop capturing packets. Note how many packets were captured, and verify the capture file was saved with those packets. If the capture file has not yet been saved, save it now to the desktop as Capture.cap.

Switch to Security Onion

Next, analyze the capture file with Snort. Also, make sure to output the resulting alert file to the /home/student directory and use the correct snort.conf file.

Switch to Security Onion

After snort finishes its analysis, review the file generated by Snort for any suspicious events. Do you see any to note?

Switch to Security Onion

Next, continue your analysis and open the capture file with Wireshark to browse the captured packets. Play around with the filters to analyze the captured traffic. For instance, apply a filter to view all TCP reset packets.

Do you see anything indicating a network scan was run against boxes on your network?

Switch to Security Onion

Lastly, log into the Metasploitable box and view the web server logs. Specifically, use the command to view the most recent web server logs.

Notice what breadcrumbs are leftover from the network scan.

The snort.conf file is located at /etc/nsm/onion-dmz-eth0/snort.conf.