Dude, lifesaver. Thank you for this comment.

I found this to be correct. The origianl snort room did only use the bidirectional operators so that makes sense too. Thank you

but why the double single arrow doesnt work? and also do you get the same number number using only one rule with bidirectional arrow? from what i do understand the first rule you used with bidirectional arrow should match the same packets as the second one, and it should be also the same as two rules with single arrows where you put the port number in the source for one rule and in the dest for the other rule

Answers?

Dude... Thank you!

lifesaver

thanks dude i tried to find but i stuck for a hour

Josh is correct, making it bi-directional, got all the answers.

@@null.ru.1337 Yes Bi-directional seems to capturing all of the packets.

yep seems like making it one way only gave you half

I didn't know they made changes on the room. I will check them out. Thank you !

@@MotasemHamdan You called it out correctly about THM needing to be more specific. They later addressed this by updating the ask. I learned some work arounds thanks to you.

hey bro.I used these rues but still I'm getting wrong answers...can u please send me the correct answers for HTTP rules

@@korabkanwar6784 I don't know where you got stuck so I'll try to coach as best as I can from here. More importantly, try using AI to breakdown the commands and ask to explain each piece of the command(s). It helped me put things together along with videos like this. 1) Drill into TASK-2 (HTTP) command --> cd Desktop/Exercise-Files/'TASK-2 (HTTP)' 2) ls and you'll see local.rules and mx-3.pcap, so use command --> nano local.rules 3) Set this rule save and exit. Rule --> alert tcp any 80 any any ( msg:"Detect all TCP port 80 traffic"; sid:100005; rev:1; ) 4) Run this command --> sudo snort -c local.rules -r mx-3.pcap -l . 5) You'll get your first answer just like Mr. Hamdan shows. 6) Use command ls and you'll see the snort.log.(numbers) thanks to the earlier command by adding" -l . " That said, since the task is only asking questions of the first 65 packets we can use this command --> sudo snort -r snort.log.######## -n 65 this will show you only 65 packets instead of the 164. 7) The answer to question 2 is in the video. For question 3, I had the same Ack that Mr. Hamdan had when I paused the video regarding Ack# for package 64, and the answer was accepted on my end, he must've had a typo. If you get questions 1, 2, and 3 correct, then you only need to read the remaining questions carefully. No further commands are necessary after answering question 3. You can use commands if you want, but they are not required. Good luck! Remember, read to get an understanding of each piece of the commands. This will help future tasks.

@@wabisabi84 thanks a lot! I got it done correctly yesterday but I forgot to delete the commmet. Thanks for helping!!

idk either

This helped thanks

Can you explain why the single arrow fails, even with two rules being written that indicate the source and destination? Is it because the traffic has to go both ways for it to be recognized? I'm still learning and need help understanding why the ->isn't effective

​​@@JAWbreaker316I wish I knew specifically why creating 2 rules with each screening for inbound vs outbound was wrong. I dont think it would be wrong in the context of writing rules for effectiveness however its the specific nature of the exercise that makes it different.

​@jeehill9592 thats why I'm confused too. At first I thought it had something to do with TCP 3 way handshake, and for it to work due to the protocol, data has to pass sync, syn+ack and ack for the packet data to be detected? I'm still learning so I may be wrong but because it's TCP.....then again, all the data is coming from a pre existing .pcap file so that shouldn't matter since it's basically using Snort to do an archive review.....idk.

@@JAWbreaker316 the TCP 3 way handshake should be captured by 2 rules using inbound/outbound flags since the packets are still only capable of going 1 way per packet. I think its like you said since its a pcap review it has some oddities

It rejects the answer 328 and it drives me insane.

@@nelsoncorreia7293 me too, did you find whats wrong?

Answer is 614.

Hello, notes are part of channel membership below kzbin.info/door/NSdU_1ehXtGclimTVckHmQjoin

the answer I found online for ACK 64 packet is "0x38AFFFF3" but in my snort log packet 64 ACK is "0x2E6B5384"

OKAY now I realize that what you shoudl do is delete the old logs. Edit your rules to use the bidirectional operator and make sure when you run snort that your reading the new log! Then all the answers shsould be easily found.

Glad you made it on your own :)

​@@fallondavenport2448 can you tell what's the seq number of packet 62 in this case.. I'm struggling a lot

@@fallondavenport2448 hi bro can u write for me the seq number of packet 62?

Tried this as well and were getting the same number: 164

​@@MotasemHamdan Something in your rule is not set to scan both ways. You have 164 with is only one direction. When I add to both rules as in your case, it works fine.

@@MotasemHamdan : Hello brother....set up the rule bidirectionally such that you have msg, sid and rev number only....check if you get the answer