To access material, start machines and answer questions login.
The Alert That Never Fired
In the first room of the Advanced Traffic Analysis Module, Traffic Analysis Pitfalls, we ended on a detection gap we could not close. The Nexus Financial Group watched 847 MB of Q4 finance data walk out over QUIC, and the sensors showed nothing. There was also another miss. For 48 hours before the exfiltration, WKST-FINANCE-04 was beaconing to 194.165.16.56 every 60 seconds. It was the same destination, the same interval, and a handful of bytes each time. A rule written for that pattern would have fired on day one, but nobody wrote it.
This room is about writing that rule, along with the rest of the rules we should have had in place.
Detection Engineering With Snort
The Snort room covered the basics of running Snort, including loading a config, reading a PCAP, and writing rule syntax. That is the starting point, and this room builds on it.
Detection engineering is the work that begins after the tool is running. We write rules that fire on what matters, keep them silent on what does not, tune them as the network changes, and validate that they still work next week. This is what separates a SOC that runs a downloaded ruleset from one that defends its own network on purpose.
Learning Objectives
In this room, we walk the intrusion chain phase by phase and write a detection rule for each one. By the end, our ruleset covers the following:
- A behaviour-based C2 beacon rule
- A DNS tunnelling rule that works on encrypted payloads
- Thresholds and suppression to keep the ruleset quiet
- A reputation blocklist loaded with Operation SILENT TRANSFER IOCs
- A tested
local.rulesfile ready to ship
Prerequisites
Before starting, we assume familiarity with the following rooms and topics:
- Snort room: CLI modes, rule header syntax, and basic rule options (
msg,sid,content,nocase,rev) - Traffic Analysis Pitfalls
- Basic network protocols: TCP, UDP, TLS, DNS, and HTTP
- Wireshark basics
A note on versions: the Snort room teaches Snort 2.9, whereas this room uses Snort 3. The rule syntax carries over. The config file is now snort.lua instead of snort.conf, and preprocessors are called inspectors. Task 2 covers the differences where it matters.
Lab Setup
The VM comes with Snort 3 installed, the config already in place, and the per-task lab files staged under /home/ubuntu/lab/. Each task adds a rule to the detection pack we are building, and by the end, we have a complete ruleset for the incident.
Set up your virtual environment
Deploy the , give it a minute to initialise, and we are ready to start.
I have deployed the VM, and I am ready to engineer detections.
Ready to learn Cyber Security?
The Detection Engineering With Snort room is only available for Premium or Max subscribers. Signup now to access more than 500 free rooms and learn cyber security through a fun, interactive learning environment.
Already have an account? Log in