Malicious Traffic

Procedure

Step 1: Observe the Real-Time Traffic View

Step 2: Identifying Normal Traffic

  • Observe normal traffic patterns, such as HTTP requests and DNS queries. You can also use the filter option to view specific types of traffic by protocol.

Step 3: Save the Logs

  • Click the Save Log button to save the captured logs from the network traffic view, making sure the file is saved with a .pcap extension so it can be analyzed later.

Let's start setting up Snort

  • Follow the commands below to analyze the network traffic.
  • Click on the Snort command; it will be copied to the clipboard. Paste the command into the terminal.

Step 4: To set up Snort, navigate to /etc/snort/snort.conf

Step 5: After configuring Snort, start the Snort service to begin monitoring network traffic.

Step 6: Use the following command to create a rule.

Step 7: List the file content to ensure the rule has been saved correctly.

Step 8: Analyzing the PCAP File

Step 9: View the Generated Alerts After Analyzing with Snort

  • Observe the malicious logs; scroll down through them to identify the continuous alerts.
  • cat alert.txt is used to view the alerts that Snort has recorded in the alert.txt file.

Step 10: Investigating Malicious Activity

  • Click on any highlighted log to investigate the malicious actor's IP address and gather more information, such as source and destination IPs, protocol, payload, flags and severity.
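Once alert.txt is open, the repeated hits that mark the brute force can be counted rather than eyeballed. The following Python is an added example, not part of this lab: it assumes Snort wrote single-line fast-format alerts, and the alert lines, the rule SID 1000001 and the IP addresses are constructed samples.

```python
"""Triage Snort fast-format alerts (the alert.txt from Step 9) to surface
repeated SSH hits from one source, the pattern behind a brute-force attempt."""
import re
from collections import Counter

# Snort's single-line "fast" alert format; the Classification field is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def brute_force_sources(alerts, dport="22", threshold=5):
    """Count alerts per source IP toward dport and return (src, hits) pairs
    at or above threshold, busiest source first."""
    counts = Counter(a["src"] for a in alerts if a["dport"] == dport)
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda pair: -pair[1])

# Constructed sample alert.txt: one source hammering SSH, a DNS alert,
# a single SSH hit from another host, and a line that is not an alert.
SAMPLE_ALERTS = "\n".join(
    [f"01/15-10:23:{s:02d}.000000  [**] [1:1000001:1] SSH brute force attempt [**] "
     f"[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
     f"{{TCP}} 192.0.2.10:{51000 + s} -> 192.0.2.5:22" for s in range(7)]
    + ["01/15-10:24:01.000000  [**] [1:1000002:1] DNS query [**] [Priority: 3] "
       "{UDP} 192.0.2.20:53412 -> 192.0.2.1:53",
       "01/15-10:24:05.000000  [**] [1:1000001:1] SSH brute force attempt [**] "
       "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
       "{TCP} 192.0.2.30:44000 -> 192.0.2.5:22",
       "garbage line that should be ignored"]
)

if __name__ == "__main__":
    for src, hits in brute_force_sources(parse_alerts(SAMPLE_ALERTS)):
        print(f"{src}: {hits} SSH alerts")
```

To run it against the lab's own output, replace SAMPLE_ALERTS with the contents of alert.txt.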

    In conclusion, you effectively utilized Snort to analyze network traffic and identify malicious SSH brute force attacks amidst normal activity. By carefully examining traffic patterns and applying targeted Snort commands, you were able to successfully differentiate between benign and malicious logs.