312-50V10 · Question #795
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perfrom a syn sca
The correct answer is D. tcp.dstport= = 514 && ip.dst= = 192.168.0.150. To capture traffic sent FROM the Snort machine (192.168.0.99) TO the Kiwi Syslog machine (192.168.0.150) on the standard syslog port 514, the Wireshark filter must match the destination IP and destination port.
Question
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perfrom a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What Wireshark filter will show the connections from the snort machine to kiwi syslog machine?
Options
- Atcp.srcport= = 514 && ip.src= = 192.168.0.99
- Btcp.srcport= = 514 && ip.src= = 192.168.150
- Ctcp.dstport= = 514 && ip.dst= = 192.168.0.99
- Dtcp.dstport= = 514 && ip.dst= = 192.168.0.150
How the community answered
(29 responses)- A10% (3)
- B7% (2)
- C3% (1)
- D79% (23)
Why each option
To capture traffic sent FROM the Snort machine (192.168.0.99) TO the Kiwi Syslog machine (192.168.0.150) on the standard syslog port 514, the Wireshark filter must match the destination IP and destination port.
Filtering on tcp.srcport==514 and ip.src==192.168.0.99 looks for traffic originating FROM port 514 on the Snort machine, but Snort sends to port 514, it does not source from it.
In addition to using the wrong filter direction (srcport/src instead of dstport/dst), the IP address 192.168.150 is malformed and missing an octet.
Using ip.dst==192.168.0.99 filters for traffic destined back to the Snort machine itself, which is the reverse of what needs to be observed.
Syslog messages are sent TO port 514 on the receiving syslog server, so the correct filter targets the destination port (tcp.dstport==514) and the destination IP of the Kiwi Syslog machine (ip.dst==192.168.0.150). This filter, applied on the Snort machine, will display all packets that Snort is attempting to send to the Kiwi Syslog server, confirming whether the alerts are being transmitted at all.
Concept tested: Wireshark display filters for syslog traffic analysis
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
Topics
Community Discussion
No community discussion yet for this question.