Snort Rules Ep.10 Q7

Question

Stuck in Q7: Identify the suspicious domain that appears in both PCAP files. Create a Snort Rule to detect packets using this domain from the IP address in question 2.I've identified the domain used by the IP address in Q2. I've tried different ways but can't seem to narrow it down. Already spent so much time with this one question. I've answered 12 of 13. This is the only one left and I don't know what I'm missing. Am I misunderstanding the question?Here's my rule:alert tcp any any -&gt; any 80 (msg: "Testing Alert" ; sid:1000001; content:"7b2cdd48.ngrok.io";)I've tried modifiers, I tried narrowing filter to just GET methods, actually specifying the destination or source IP and ports, adding "http://" to content.Sometimes I would narrow it down to matching 4 packets which is still "too many", or down to two packets, which is "not enough"... which tells me I need to match three packets.&nbsp;Any hints would be much appreciated at this point. Thanks!

mgozum · Answer

Nevermind... got it 😀

Forum Discussion

Snort Rules Ep.10 Q7

1 Reply

Featured Places

Help

Related Content

Help with Snort Rules: Fake Tech Support Popup

Snort Rules: Ep.9 – Exploit Kits

Snort Rules: Ep.7 – Lokibot Infection Traffic

Snort Rules: Ep.5 – Fake Tech Support Popup

Linux CLI: Ep.10 - Using Sudo

Recent Discussions

Snort Rules Ep.10 Q7

Cross_site Scripting DOM-based XSS vulnerability

Building with AI: Claude Code – Claude Skills Task 3

Systems Manager: Introduction - Question 2

Create Teams for Students and assign tasks to be completed