This project introduces you to practical techniques for distinguishing between legitimate and malicious network traffic. Network operators frequently perform this task to ensure network security and detect potential threats.
In this project, you will analyze a pcap file (evaluation.pcap) that contains network traffic from multiple hosts. This file includes a mix of legitimate and malicious traffic. Your task is to investigate the traffic patterns using Wireshark and then create Snort rules to automatically differentiate between benign and malicious activity.
By completing this project, you will gain hands-on experience with:
Through this process, you will develop a deeper understanding of network security monitoring, intrusion detection systems (IDS), and the fundamentals of network forensics.
If you’re already familiar with the tools, you can skip ahead and focus on the following sections:
However, reading through the full document will give you a better understanding of what you’ll be working on. Before you post any questions on Ed, please read this document thoroughly.
This assignment includes four distinct attack scenarios. Each scenario is based on a predefined network topology, where the attack originates from one or more machines outside the target network.
The network is a standard LAN topology hosted on the AWS computing platform. All hosts are behind NAT, and their IP addresses fall within the 172.31.0.0/16 subnet. The figure below provides a visual representation of the network setup and how traffic is collected.
Figure 1: Network setup for traffic collection.
In a DDoS, attackers usually keep making full TCP/UDP connections to the remote server. They keep the connections open by sending valid HTTP requests to the server at regular intervals, which also keeps the sockets from closing. Since any given web server has a finite ability to serve connections, it is only a matter of time before all its sockets are used up and no other connections can be made.
You need to identify which one of the following DDoS variants is present in the evaluation pcap:
We will not be providing a sample pcap for DDoS.
Tips:
An FTP/SSH brute-force attack is carried out by a Kali Linux machine (the attacker machine) against an Ubuntu 14.0 system (the victim machine). A large dictionary containing 90 million words (candidate passwords) is used during the brute-force attack.
You will need to identify whether the evaluation pcap includes an FTP or SSH brute-force attempt.
We will not be providing you with a sample pcap for SSH. However, we encourage you to do some research on the differences between FTP traffic and SSH traffic.
Tips: Here is a 4-minute video with some useful tips for brute-force attacks. As with DDoS, I recommend that you use 1 second as the time unit for this task if you use a detection filter.
These attacks exploit vulnerabilities in web applications.
You need to identify which one of the following web attacks is present in your evaluation pcap:
Tips:
http_method; content:"xxxxx";
http_uri; content:"xxxxx";
Botnets enable infected machines to communicate with command-and-control (C2) servers.
You need to identify which botnet is present in your evaluation pcap:
The sample pcaps we provided should be sufficient to guide you through this part of the project.
Tips:
For each type of traffic mentioned above, we provide a sample pcap of that category. These samples are for illustration purposes only: they are not the same as the actual traffic contained in the evaluation pcap, which you will need to label.
For this exercise, we assume normal traffic to consist of HTTP and DNS. An example of normal (attack-free) traffic can be found below:
The host generates this traffic explicitly to communicate with a C&C server, from which it receives commands, updates, etc.
https://cs6262netsec.s3.us-east-1.amazonaws.com/CS6262-Ubuntu24.04-ARM.ova
The goals:
Step by Step Instructions towards the goals:
It can sometimes take up to 10 minutes to boot, but once you log in, it should be smooth.
Please follow the following instructions to set up snort: Project 4 VM instructions
Use the attack descriptions above to understand how these attacks appear in network traffic.
This is a graduate-level class; students are expected to research the documentation and learn filter-specific details on their own. Some useful links are provided at the end of the write-up.
Example: If detecting an SSH brute-force attack, use:
Note: Incorrect alert messages may result in point deductions.
We do not limit the amount of rules you use, but you should be able to complete the project with 4-8 rules.
Please see the Project 4 VM instructions on how to run Snort rules.
Submit the following two files on Gradescope:
Your Snort rules file will be evaluated using an autograder based on four attack categories:
Statistics for each type of unique connections (Important!):
student@cs6262:~/Desktop$ python3 cal_unique_connection_2022.py alert_json.txt
Attack type: WebAttack, unique connections: 134
Attack type: Bruteforce, unique connections: 6975
Attack type: DdoS, unique connections: 625
Attack type: Botnet, unique connections: 47621
Comments:
set()
(The number might be a little different when you try to find it in Wireshark. Use the number that Snort gives you)
We consider a connection to be “src_ip:src_port:dest_ip:dest_port”.
Follow the instructions we provided and run the Python 3 script to check the unique connections in your alert_json.txt, writing the results to `connections.txt`. If your alert JSON file was generated in the home directory, you may need to prefix the command with sudo.
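As an added example (not the course's cal_unique_connection script), the counting described above done in Python over a constructed alert_json sample. It assumes Snort 3's alert_json lines carry src_addr/src_port/dst_addr/dst_port (or the combined src_ap/dst_ap) plus msg, and that msg is the attack-type label the grader keys on.

```python
import json
from collections import defaultdict

# Alert message names the autograder keys on, as listed on this page.
ATTACK_TYPES = ("WebAttack", "Bruteforce", "DdoS", "Botnet")

# Constructed sample of Snort 3 alert_json output (one JSON object per line).
# Assumed fields: src_addr/src_port/dst_addr/dst_port or src_ap/dst_ap, plus msg.
SAMPLE_ALERT_JSON = """\
{"proto":"TCP","src_addr":"203.0.113.7","src_port":40001,"dst_addr":"172.31.69.28","dst_port":22,"msg":"Bruteforce"}
{"proto":"TCP","src_addr":"203.0.113.7","src_port":40001,"dst_addr":"172.31.69.28","dst_port":22,"msg":"Bruteforce"}
{"proto":"TCP","src_addr":"203.0.113.7","src_port":40002,"dst_addr":"172.31.69.28","dst_port":22,"msg":"Bruteforce"}
{"proto":"TCP","src_ap":"172.31.69.25:51000","dst_ap":"203.0.113.50:8080","msg":"Botnet"}
{"proto":"TCP","src_addr":"203.0.113.9","src_port":33000,"dst_addr":"172.31.69.28","dst_port":80,"msg":"WebAttack"}
{"proto":"TCP","src_addr":"203.0.113.9","src_port":33000,"dst_addr":"172.31.69.28","dst_port":80,"msg":"WebAttack"}
{"proto":"TCP","src_addr":"203.0.113.9","src_port":33001,"dst_addr":"172.31.69.28","dst_port":80,"msg":"Web Attack"}
"""

def connection_key(alert):
    """Build the project's 'src_ip:src_port:dest_ip:dest_port' identifier."""
    if "src_ap" in alert:  # Snort 3's combined "addr:port" form
        return f'{alert["src_ap"]}:{alert["dst_ap"]}'
    return (f'{alert["src_addr"]}:{alert["src_port"]}:'
            f'{alert["dst_addr"]}:{alert["dst_port"]}')

def unique_connections(lines):
    """Count distinct connections per attack type. Also collect msg values that
    match none of the four expected names, since the page warns that incorrect
    alert messages may cost points (the last sample line has a typo'd msg)."""
    seen = defaultdict(set)
    unexpected = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        msg = alert.get("msg", "")
        if msg in ATTACK_TYPES:
            seen[msg].add(connection_key(alert))
        else:
            unexpected.add(msg)
    return {t: len(seen[t]) for t in ATTACK_TYPES}, unexpected

if __name__ == "__main__":
    counts, unexpected = unique_connections(SAMPLE_ALERT_JSON.splitlines())
    for attack, n in counts.items():
        print(f"Attack type: {attack}, unique connections: {n}")
    print("Comments:", unexpected)
```

Repeated alerts for the same four-tuple (the two Bruteforce lines on port 40001) collapse into one connection, which is why the Snort count can differ from a raw packet count in Wireshark.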
– No, we don’t, since similar projects run across semesters.
– You can ignore ICMP & IP
– Yes. If the VM is too slow for you, I would recommend installing pcap-reading tools on your local machine and using the VM only for Snort. ‘evaluation.pcap’ is a very large file, so it can take some time to load. You may need to increase the amount of RAM available to the system to get it to display properly.
– Correct, you can complete it without the VM, but make sure your Snort file works with the version installed in the given VM (Snort 3).
– A “Connection” is identified by its Source Address, Destination Address, Source Port, and Destination Port.
– You may want to look at packets within a certain time frame.
– It can be from any number of machines. The exact number is not relevant.
– Only IPV4
– No, you just need to submit the two files separately: rules.py and connections.txt.
– We can’t confirm or deny. 🙂
The sample pcaps are there to give you a good idea, but we don’t claim they’re representative. You should learn the pattern in the sample pcap and try to find related or similar patterns in the evaluation pcap. Always manually verify that what you find is correct.
– Yes, that means your JSON file is too big; you may need to put more constraints on your Snort rule to generate a smaller JSON file.
Readings on botnet behavior: Please read through the following papers to get an understanding of what a bot is and how botnets behave. Note that we are not asking you to implement the proposed methodologies, e.g. a machine learning method to detect bots.
Snort resources: Here you can find some examples of Snort rules and some resources to help you get familiar with them. The purpose of these resources is only to show you what Snort rules look like. You are expected to write your own Snort rules.
When you search for Snort syntax, be aware that we are using Snort 3, not Snort 2. There are subtle differences between Snort 2 and Snort 3 syntax, and Snort 2 syntax may produce errors when you run your rules locally.
Example: Writing Snort rules to detect DDoS traffic: This example shows how to use an understanding of an attack to write Snort rules, with a potentially long shelf life, that detect it. Intro reading for DoS: https://en.wikipedia.org/wiki/Denial-of-service_attack. Snort for DDoS: Please read this to get a general idea of how Snort can be used for this purpose, focusing on sections 3 and 4. After reading the above, one way to detect DoS traffic is to monitor the rate of incoming traffic. Here is an example Snort rule based on traffic rate: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html
(Note that this link points to the Snort 2 manual. However, the detection_filter syntax is the same in Snort 2 and 3, and in this case the Snort 2 manual gives the better example of this filter. For other options, especially the URI content options, double-check the Snort 3 manual and other resources online.)
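The rate-based approach described above, as an added example that is not from the page, the course, or the Snort manual: a small Python model of detection_filter's track/count/seconds semantics run over constructed traffic, using the 1-second window the tips recommend. The rule in the comment is an assumed shape for illustration, not a rule supplied by the course.

```python
from collections import namedtuple

# Constructed packet record: timestamp in seconds plus source and destination IPv4.
Packet = namedtuple("Packet", "ts src dst")

# Assumed shape of the Snort 3 rule this function models (not a rule from the page):
#   alert tcp any any -> 172.31.0.0/16 80 (msg:"DdoS"; flow:to_server;
#       detection_filter:track by_dst, count 30, seconds 1; sid:1000001;)

def detection_filter(packets, track="by_dst", count=30, seconds=1.0):
    """Simplified model of Snort's detection_filter semantics, written for this
    example: once a tracked address has been matched `count` times within a
    `seconds` window, every further match inside that window raises an alert.
    The window restarts on the first match after it has expired."""
    state = {}  # tracked address -> (window_start, matches_in_window)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = pkt.dst if track == "by_dst" else pkt.src
        start, n = state.get(key, (pkt.ts, 0))
        if pkt.ts - start >= seconds:  # window expired: start a fresh one
            start, n = pkt.ts, 0
        n += 1
        state[key] = (start, n)
        if n > count:
            alerts.append(pkt)
    return alerts

def flood(victim, n_pkts, t0=0.0, spacing=0.02):
    """Constructed flood: n_pkts requests from a rotating set of TEST-NET-3
    sources to one victim, `spacing` seconds apart (40 packets fit in 0.8 s)."""
    return [Packet(t0 + i * spacing, f"203.0.113.{i % 20 + 1}", victim)
            for i in range(n_pkts)]

def trickle(victim, n_pkts, t0=0.0, spacing=0.2):
    """Constructed benign load: five requests per second from one client."""
    return [Packet(t0 + i * spacing, "203.0.113.200", victim) for i in range(n_pkts)]

def example_run():
    """Two separate 40-packet bursts at the victim plus benign traffic to a second
    host; returns the number of alerts per destination address."""
    traffic = (flood("172.31.69.28", 40) + flood("172.31.69.28", 40, t0=5.0)
               + trickle("172.31.69.25", 5))
    per_dst = {}
    for pkt in detection_filter(traffic):
        per_dst[pkt.dst] = per_dst.get(pkt.dst, 0) + 1
    return per_dst  # {"172.31.69.28": 20}: 10 alerts per burst, none for the trickle
```

Tracking by destination is what makes a many-source flood visible as one event; with track by_src the same 40 packets spread over 20 sources never cross the threshold, which is why the choice of track matters as much as count.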
Useful tools/commands:
We recommend installing Wireshark on your own machine for analysis of the evaluation pcap, because the pcap file is big and your VM may be significantly slower than your laptop.
(optional reading) Subnet:
Because it uses CIDR notation. CIDR and subnetting are virtually the same thing.
CIDR stands for Classless Inter-Domain Routing. It is the /number representation; in this case, we have /16.
/16 represents the subnet mask of 255.255.0.0
If you convert 255.255.0.0 into binary, you will see 16 1’s and that’s where the number 16 comes from.
Of course, I can’t remember all those conversions for every netmask. There is a cheat sheet:
Wait, what’s a subnet mask?
Feel free to read this link if you want to know more:
https://avinetworks.com/glossary/subnet-mask/
The experimental data in this project were generated using the CSE-CIC-IDS2018 dataset, available via the AWS Open Data Registry (https://registry.opendata.aws/cse-cic-ids2018/).
Disclaimer for background traffic. Please note that the traffic found in the evaluation pcap and/or the sample pcaps is not generated by us. The dataset closely resembles realistic traffic, and part of it might contain inappropriate content or language. We have taken extra measures and made a considerable effort to filter all traffic based on commonly used inappropriate words, covering the HTTP payloads and URIs. Nevertheless, it is still possible that some inappropriate content or words have not been filtered entirely. In case you locate such content, we are letting you know that it is not intentional and we are not responsible for it. Also, to complete this assignment, you do not need (nor do we ask you) to click on URLs found inside HTTP payloads.
Additional tools are not allowed. For this assignment, you may not use any available tools related to Snort or otherwise. For example, you may not use publicly available Snort preprocessors, pre-compiled Snort rules, detection tools, etc. You are expected to write your own Snort rules.
Limited support for running Snort locally. We have the environment set up for you inside the VM. Setting up the Snort 3 environment on your own can be troublesome. We strongly recommend that you run Snort rules inside the VM we provide (you can analyze the pcap with Wireshark outside the VM, but run the rules inside the VM).