MIS 5213 Summer 2016

Intrusion Detection and Response

Weekly Notes and Presentations

Here’s a list of all our presentations thus far:

Class # | Date of Class        | Powerpoint                 | Additional Items
1       | Monday, May 9th      | Lecture #1                 | Review Videos on Wireshark
2       | Wednesday, May 11th  | Lecture #2                 | Templates for IRPs
3       | Monday, May 16th     | Lecture #3                 | Quiz #1
4       | Wednesday, May 18th  | Lecture #4                 | Directions to Configure Snort
5       | Monday, May 23rd     | Class Cancelled            | Submit Wireshark JPEG Assn
6       | Wednesday, May 25th  | Installing Snort           | Deval's: snort; Steven Tang's: Snort
7       | Monday, May 30th     | No Class                   | No Class
8       | Wednesday, June 1st  | Lecture #5                 | Quiz #2
9       | Monday, June 6th     | Splunk-6.2.3-PivotTutorial | Splunk Book
10      | Wednesday, June 8th  | Lecture #6                 | Quiz Retake Opportunity*
11      | Monday, June 13th    | Lecture #7                 |
12      | Wednesday, June 15th | Final Exam                 | IRP Paper Due

*After class, students will have the opportunity to take “Quiz #3.” Questions will be from any previous material. Of the THREE (3) Quizzes taken, Professor Deval will take the highest TWO (2) Quiz grades. 

Participation Notes:

Full participation credit is contingent on the completion of the following:

  • Wireshark Assignment (Extracting Images)
  • 3 Weekly Participation Submissions

IRP – Final Paper Notes:

Due: Saturday June 18th 2016 by 12pm

Students are tasked with creating an Incident Response Plan (IRP) template in teams of at most 4 members. There is no page minimum or maximum. Assume any industry. Each student must submit the paper individually, even when it was written as a group.

Final Exam Notes:

Date: Wednesday, June 15th

Students will select NINE (9) of the TWELVE (12) questions to answer. No credit is given for answering more than nine.

Time: 90 Minutes

Style: Open-Ended and Open-Note

Final Grade Distribution:

The final grade is broken into four components, each worth 25%:

  • Participation (See above)
  • Quiz Averages (Average of the highest two quiz grades)
  • IRP Final Paper
  • Course Final Exam


Install and configure Snort

Hi guys,

I finally got my Snort working. We have to use the Registered version of the Snort rules from the Snort website. If you are using the latest version of Snort, then you will need to download the snortrules-snapshot-2982.tar.gz rules.


Snort Setup Instructions:

1. Download and install the Snort .exe

2. Sign in to the Snort website and download the rules (snortrules-snapshot-2982.tar.gz) under the Rules -> Registered section

3. Extract the rules file (snortrules-snapshot-2982.tar.gz) using WinRAR or 7-Zip

4. Copy all files from the extracted snortrules-snapshot-2982 folder to your Snort installation folder C:\Snort\

          NOTE: Overwrite any existing files

5. Edit your snort.conf file, located in c:\snort\etc\, to use your Windows paths

          Here is my modified: snort.conf

6. Find your wireless/Ethernet interface # by typing route print at the command prompt

7. Open a command prompt (cmd.exe) and navigate to the "C:\Snort\bin" folder (at the prompt, type cd c:\snort\bin)

8. To run snort enter the following command:

          snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 4

Note: My wireless interface # is 4.
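The post above gives the install steps; what it does not show is how to confirm the install actually works before trusting it. The script below is an added example, not part of the original post or of the Snort project, that smoke-tests the Windows setup described above. It assumes Snort 2.9.x installed under C:\Snort with the rules copied to C:\Snort\rules, a snort.conf whose RULE_PATH points at c:\snort\rules and which already contains the stock include line for local.rules, and interface number 4 (the post's value); all of those are assumptions to adjust for your machine.

```powershell
# Added example (not from the original post): validate and smoke-test the
# Windows Snort install described above. Paths and the interface number
# are assumptions taken from the post; change them to match your box.
$SnortBin   = "C:\Snort\bin\snort.exe"
$SnortConf  = "C:\Snort\etc\snort.conf"
$LogDir     = "C:\Snort\log"
$LocalRules = "C:\Snort\rules\local.rules"
$Interface  = 4   # assumption: the interface index Snort reports, see step 1

# 1. List the interfaces Snort itself can capture on (-W, Windows only).
#    Snort's index comes from the capture driver, not from Windows'
#    routing table, so take the number from this output rather than
#    assuming it matches "route print".
& $SnortBin -W

# 2. Validate snort.conf without sniffing (-T). Windows path mistakes
#    from step 5 (RULE_PATH, dynamicpreprocessor, dynamicengine) fail
#    here with a clear error instead of at capture time.
& $SnortBin -c $SnortConf -T
if ($LASTEXITCODE -ne 0) { throw "snort.conf failed validation, fix the paths before running" }

# 3. Add a known-good test rule to local.rules. SIDs at or above 1000000
#    are reserved for local rules. This rule alerts on any ICMP packet
#    to $HOME_NET, so pinging the box from another host proves that
#    rules load and alerts fire end to end.
$TestRule = 'alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)'
if (-not (Test-Path $LocalRules)) { New-Item -ItemType File -Path $LocalRules | Out-Null }
if (-not (Select-String -Path $LocalRules -Pattern 'sid:1000001' -Quiet)) {
    Add-Content -Path $LocalRules -Value $TestRule
}

# 4. Run in IDS mode with alerts printed to the console (-A console) so
#    you see them immediately instead of digging through the log folder.
#    Ping the machine from another host; a "LOCAL ICMP test" line
#    means the install is working. Ctrl+C stops Snort.
& $SnortBin -c $SnortConf -l $LogDir -i $Interface -A console
```

Once the test rule fires, remove it (or comment it out) from local.rules; an alert on every ICMP packet is noise in real use. The -T run is worth keeping as a habit: it is the fastest way to catch a broken snort.conf after copying a new rules snapshot over the old one, which step 4 of the post does.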
Hi All –

I have a question which I would like your input on: what are some of the ways that organizations' forensics teams coordinate with their computer incident response teams if they notice collusion between an insider and an external attacker?

Thanks for your input.


Welcome to class

Hello All,

Welcome to the Intrusion Detection and Response class. I look forward to meeting all of you next week. You will be able to find the syllabus and a rough schedule on the MIS Community site. I like the course to be fluid so that we can make it effective for the class. If you have any questions prior to the class, please feel free to either post a question or send me an email.

If you don’t mind, please take a moment to introduce yourself so that I can get familiar with your expectations for this class.