Last Day to Save $400 on 4-6 Day Courses at SANS Cyber Defense Initiative 2017!

Boston 2016

Boston, MA | Mon, Aug 1 - Sat, Aug 6, 2016
This event is over,
but there are more training opportunities.

PCAP Puzzle #3

A third and final puzzle has been created by Judy Novak. Puzzles like this and the previous two Boston puzzles use skills that are taught in the SEC503: Intrusion Detection In-Depth course. This six day course has many hands-on exercises/puzzles, some similar to those presented. If you enjoy this or have enjoyed any of the previous puzzles and would like to learn more visit: SEC503: Intrusion Detection In-Depth to learn more.

The course is taught many times a year and teaches you extra skills, such as Scapy, that Judy used to create this and other puzzles. Scapy is a Python library that allows novices to skilled experts to easily craft, alter, read, and write packets.

Your puzzle challenge is to examine the files that are supplied to look for any forensic clues of an incident on a site's network. You must create a detailed incident report for the activity. The tar file puzzle3.tar contains the three pcap files, a file with an excerpt of syslog file, and a document puzzle3-README.docx that contains a network diagram and other helpful details.

Solutions to this puzzle will be judged again by the mighty triumvirate of Patrick, Mooney, Sally Vandeven, and Andy Laman, who have earned SANS' highest certification, the GSE, along with many other SANS certifications. The correct solution that is judged to be the best will be the winner.

Download the ZIP .
Please send your solutions to

Once again, good luck and remember "pcap or it didn't happen!"