Course: NET-101, Week 11
Time: ~45 minutes (paired with lab-11-1 for one 90-minute session)
Tools: Handouts (no network access required)
Reading: handouts/cve-snort3-rules-reference-wireshark-quartet-2026-05.md and handouts/cve-suricata-rules-reference-wireshark-quartet-2026-05.md
Overview
This lab maps four Snort 3 rules and their Suricata equivalents to the four Wireshark CVEs you studied in lab-10-2. The goal is to read rule syntax, understand what each option tests, and explain why the rule is shaped the way it is. You are NOT deploying or running these rules; this is a reading comprehension exercise.
Both rule references are available at:
- Snort 3: https://virtuscyberacademy.org/handouts/cve-snort3-rules-reference-wireshark-quartet-2026-05.html
- Suricata: https://virtuscyberacademy.org/handouts/cve-suricata-rules-reference-wireshark-quartet-2026-05.html
Part 1: Snort 3 rule anatomy (~15 minutes)
Open the Snort 3 rules reference. Read the rule for CVE-2026-5402.
Exercise 1.1 -- Dissect the rule:
Write out the rule for CVE-2026-5402 exactly as it appears in the reference. Then answer:
- What is the `action` (the first word)? What does this action tell the IDS to do when the rule matches?
- What is the protocol field? Why is this protocol used for TLS traffic?
- What are the source and destination IP addresses/ports? What does `any -> any 443` mean?
- What is the `flow` option value? What does `established,to_server` mean?
- What is the first `content` match? Write the hex bytes it matches and explain what they represent in TLS terms.
- What is the second `content` match? What does `within:512` do?
- What does the `threshold` option do? Why does it include `track by_src`?
- What is the `classtype`? What does `attempted-user` mean?
- What is the `reference` option value? Where would an analyst look to read the full CVE description?
Part 2: Suricata syntax comparison (~10 minutes)
Open the Suricata rules reference. Find the rule for CVE-2026-5402.
- Is the basic structure (action, protocol, addresses, options) the same as the Snort 3 rule?
- List two Suricata-specific syntax elements that are different from the Snort 3 version (if any). If the rules are structurally identical, state that.
- The Suricata reference mentions `tls.sni` as a possible matching field. What is SNI, and what does matching on it allow a SOC analyst to do?
Part 3: Map all four CVEs to their rules (~15 minutes)
Read the remaining three CVE rules (CVE-2026-5403, CVE-2026-5405, CVE-2026-5656) from either handout.
Fill in the table:
| CVE | Protocol in rule | Content match pattern | Why this pattern? | False positive risk |
|---|---|---|---|---|
| CVE-2026-5402 | TCP/443 | \x16\x03 + \xfe\x0d | TLS record header + ECH extension type | |
| CVE-2026-5403 | | | | |
| CVE-2026-5405 | | | | |
| CVE-2026-5656 | | | | |
Questions:
- CVE-2026-5656 is a ZIP archive vulnerability, not a network-layer attack. How does the rule detect it? What does the rule match on?
- The rules reference says these are "teaching shapes" and not production drop-ins. What would a SOC analyst need to add or change before deploying one of these in a production IPS?
- Look at the `sid` values. Are they in a real production SID range? (Wireshark CVE SIDs typically start with 90000+ for community rules.) What range are these in?
Part 4: Rule writing exercise (~5 minutes)
Write a Snort 3 rule (or Suricata rule) that would detect DNS queries for names ending in .onion (Tor hidden service addresses). These are sometimes used for malware C2 communication over Tor.
You do not need to be syntactically perfect. Focus on:
- The correct protocol and port
- A meaningful content match
- An appropriate `msg` field
- An appropriate `classtype`
Write your rule and explain each option in one sentence.
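A small Python helper, added here as a study aid for Parts 1 and 4 and not part of either rules reference, that splits a rule into its header fields and ordered options, decodes `|hex|` content into bytes, and reports which required options a drafted rule still lacks. The sample rule is constructed in the shape Part 1 describes; it is not the rule from the handout, and its sid is a constructed local-range number.

```python
# Constructed sample in the shape Part 1 describes; it is NOT the rule from the
# reference, and the sid is a constructed local-range number.
SAMPLE_RULE = (
    'alert tcp any any -> any 443 ('
    'msg:"SAMPLE TLS ClientHello with ECH extension"; '
    'flow:established,to_server; '
    'content:"|16 03|"; content:"|fe 0d|"; within:512; '
    'classtype:attempted-user; reference:cve,2026-5402; '
    'sid:1000001; rev:1;)'
)
HEADER_FIELDS = ['action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport']

def split_options(body):
    """Split the option body on ';' outside double quotes (msg text may hold ';')."""
    opts, buf, in_quote = [], '', False
    for ch in body:
        in_quote ^= (ch == '"')
        if ch == ';' and not in_quote:
            opts.append(buf.strip())
            buf = ''
        else:
            buf += ch
    return [o for o in opts + [buf.strip()] if o]

def parse_rule(rule):
    """Return (header dict, ordered [(option, value)] list); value is None for
    flag-style options. Assumes the first '(' opens the option body."""
    head, _, body = rule.partition('(')
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError('header must be: action proto src sport dir dst dport')
    options = []
    for opt in split_options(body.rstrip().rstrip(')')):
        name, sep, value = opt.partition(':')
        options.append((name.strip(), value.strip() if sep else None))
    return dict(zip(HEADER_FIELDS, fields)), options

def content_bytes(value):
    """Decode a content value: quoted text stays text, |16 03| runs become raw bytes."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def missing_options(options, required=('msg', 'classtype', 'sid')):
    """Part 4 self-check: which required options a drafted rule still lacks."""
    present = {name for name, _ in options}
    return [r for r in required if r not in present]
```

Call `parse_rule(SAMPLE_RULE)` to compare the dissection with your Exercise 1.1 answers, or pass your own Part 4 draft through `parse_rule` and `missing_options` before committing it.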
Artifact
Create lab-11-2.md in your net-101/ Git repo with:
- Answers to all exercises
- The CVE-to-rule mapping table
- Your custom rule from Part 4
Commit with a meaningful commit message (can be combined with the lab-11-1 commit).