
Snort | Tryhackme Write-up

Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Task 1: Introduction

SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS). It was developed and is still maintained by Martin Roesch, open-source contributors, and the Cisco Talos team.

"Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generate alerts for users."

Task 3: Introduction to IDS/IPS

Learned: the difference between IDS and IPS and their types, the use cases of Snort, and its modes:

Which IDS or IPS type can help you stop the threats on a local machine?

HIPS

Which IDS or IPS type can help you detect threats on a local network?

NIDS

Which IDS or IPS type can help you detect the threats on a local machine?

HIDS

Which IDS or IPS type can help you stop the threats on a local network?

NIPS

Which described solution works by detecting anomalies in the network?

Ans: NBA

NBA (Network Behaviour Analysis) is one of the types of IPS. It is behaviour-based: it learns what normal traffic looks like, so it can then spot abnormal traffic (which may be malicious).

According to the official description of the snort, what kind of NIPS is it?

Refer to the official description of Snort quoted in Task 1.

NBA training period is also known as ...

Ans: baselining

Behaviour-based IPS systems require a training period (also known as "baselining") to learn the normal traffic and differentiate malicious traffic and threats from it.

Task 4: First Interaction with Snort

snort --version (or snort -V) checks the installed Snort version.

snort -c /etc/snort/snort.conf -T

"-T" tests the configuration file with Snort, and "-c" tells Snort which configuration file to use.

  1. Run the Snort instance and check the build number.

Ans: 149

  2. Test the current instance with the "/etc/snort/snort.conf" file and check how many rules are loaded with the current build.

Ans:4151

sudo snort -c /etc/snort/snort.conf -T

scroll down to the bottom

We can see how many rules Snort has loaded and can detect using this configuration file.

  3. Test the current instance with the "/etc/snort/snortv2.conf" file and check how many rules are loaded with the current build.

sudo snort -c /etc/snort/snortv2.conf -T

Task 5: Sniffer Mode

-i  Interface: sniff on a specific interface (if required).
-v  Verbose: prints packet headers (source IP, destination IP, ports, protocol, etc.) in a tcpdump-like format.
-q  Quiet mode: don't display the default banner and initial information about your setup.
-d  Dump data: shows the payload (packet data) in ASCII/hex.
-e  Ethernet headers: also shows the link-layer (MAC) headers along with the IP headers.
-X  Full dump: shows the complete packet content in hex and ASCII, plus all headers (Ethernet, IP, TCP/UDP, etc.).

sudo snort -vq

sudo snort -vqd

sudo snort -vqde

sudo snort -qX (similar to -d, but a hexadecimal offset is added at the beginning of each line)

Task 6: Logger Mode

  1. When you sniff traffic with sudo, the log files are also saved with root privileges, so opening and analysing them requires root privileges again. Solutions: use sudo when opening the log files, switch to the root user (sudo su), or change the ownership of the directory/file.

  2. Save traffic while sniffing as logs, in the default directory, the current directory, or a directory of your choice.

    -l . = save the log file in the current directory


  3. Saving the results in ASCII format (-K ASCII): readable with a text editor only; Snort creates directories named after the IPs rather than a single log file.

sudo snort -dev -K ASCII -l .


  4. Without -K ASCII, Snort generates a binary log file that Snort, tcpdump and Wireshark can all process.

sudo snort -dev -l .

Open the log files with Snort, tcpdump and Wireshark.

Specify how many packets Snort should process with -n.

filter protocols or ports

"-r" parameter also allows users to filter the binary log files. You can filter the processed log to see specific packets with the "-r" parameter and Berkeley Packet Filters (BPF).

  • sudo snort -r logname.log -X

  • sudo snort -r logname.log icmp

  • sudo snort -r logname.log tcp

  • sudo snort -r logname.log 'udp and port 53'


Investigate the traffic with the default configuration file with ASCII mode.

sudo snort -dev -K ASCII -l . (creates only IP-named directories, no log file; we can read them with a text editor but not with snort -r)

Execute the traffic generator script and choose "TASK-6 Exercise". Wait until the traffic ends, then stop the Snort instance. Now analyse the output summary and answer the question.

sudo ./traffic-generator.sh

  1. Now, you should have the logs in the current directory. Navigate to folder "145.254.160.237". What is the source port used to connect port 53?

Ans: 3009

nano UDP:3009-53

  2. Read the "snort.log.1640048004" file with Snort; what is the IP ID of the 10th packet?

snort -r snort.log.1640048004 -n 10

Ans: 49313

  3. Read the "snort.log.1640048004" file with Snort; what is the referer of the 4th packet?

Ans: http://www.ethereal.com/development.html

Use -d or -X to view the ASCII payload text.

Use -n 4 to process only the first 4 packets.

  4. Read the "snort.log.1640048004" file with Snort; what is the Ack number of the 8th packet?

Ans: 0x38AFFFF3

  5. Read the "snort.log.1640048004" file with Snort; what is the number of the "TCP port 80" packets?

Ans: 41

snort -r snort.log.1640048004 tcp port 80

Task 7: Operation Mode 3: IDS/IPS

-N = don't save logs

-D = run Snort in the background (daemon mode)

Alert Modes:

Mode         Description                                                 Where alerts go
-A console   Shows alerts directly in the terminal                       Console
-A cmg       Shows alerts in the terminal plus basic packet details      Console
-A fast      Short summary (timestamp, message, src/dst IP and port)     /var/log/snort/alert
-A full      Full detailed alert (with payload and header info)          /var/log/snort/alert
-A none      No alert output at all                                      Nothing written

console: Provides fast style alerts on the console screen.

sudo snort -c /etc/snort/snort.conf -A console

cmg: Alert + Provides basic header details with payload in hex and text format.

sudo snort -c /etc/snort/snort.conf -A cmg

full: Full alert mode, providing all possible information about the alert.

sudo snort -c /etc/snort/snort.conf -A full

In full mode no alerts are shown on the console; Snort saves the alert and log files in the /var/log/snort directory by default if no output location is specified.

fast: Fast mode shows the alert message, timestamp, and source and destination IP.

The alert file is created when alert fast mode is used.

none: Disabling alerting.

sudo snort -c /etc/snort/snort.conf -A none

As you can see in the picture below, there is no alert file. Snort only generated the log file.

Using a rule file without a configuration file

It is possible to run Snort with only a rule file and no configuration file. Running Snort in this mode helps you test user-created rules. However, this mode provides less performance.

sudo snort -c /etc/snort/rules/local.rules -A console

Run sudo ./traffic-generator.sh and choose ICMP traffic. Wait until the traffic stops, then stop the Snort instance.

IPS mode and dropping packets

Snort IPS mode is activated with the -Q --daq afpacket parameters. You can also activate this mode by editing the snort.conf file, but that is not required in the scope of this room. Review the bonus task or the Snort manual for further information on DAQ and advanced configuration settings: -Q --daq afpacket

Activate the Data Acquisition (DAQ) modules and use the afpacket module to run Snort as an IPS, bridging two interfaces with:

 -i eth0:eth1


Investigate the traffic with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l .

Execute the traffic generator script and choose "TASK-7 Exercise". Wait until the traffic stops, then stop the Snort instance. Now analyse the output summary and answer the question.

sudo ./traffic-generator.sh

  1. What is the number of the detected HTTP GET methods?

Ans: 2

Task 8 : PCAP Investigation

Investigate the mx-1.pcap file with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

What is the number of the generated alerts?

Ans: 170

Keep reading the output. How many TCP Segments are Queued?

Ans: 18

Keep reading the output. How many "HTTP response headers" were extracted?

Ans:3

Investigate the mx-1.pcap file with the second configuration file.

sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap

What is the number of the generated alerts?

Ans: 68

Investigate the mx-2.pcap file with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap

What is the number of the generated alerts?

Ans: 340

Keep reading the output. What is the number of the detected TCP packets?

Ans: 82

Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"

What is the number of the generated alerts?

Ans: 1020
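Counting "generated alerts" by hand in Task 7 and Task 8 means reading Snort's alert output. As an added example (not code from the room or from the Snort project), here is a small parser for Snort 2 "fast"-style alert lines that tallies alerts by rule SID, protocol and source address. The SAMPLE_ALERTS block is constructed to mimic the alert_fast layout; the SIDs, messages and 198.51.100.x addresses are made up, and only IPv4 endpoints are handled.

```python
"""Parse Snort 2 'fast' alert lines and summarise them (added example, constructed input)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the alert_fast layout:
#   timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
# The trailing summary line shows that non-alert text is ignored.
SAMPLE_ALERTS = """\
12/21-09:33:24.123456  [**] [1:1000001:1] ICMP packet seen [**] [Priority: 0] {ICMP} 145.254.160.237 -> 198.51.100.7
12/21-09:33:24.223456  [**] [1:1000001:1] ICMP packet seen [**] [Priority: 0] {ICMP} 198.51.100.7 -> 145.254.160.237
12/21-09:33:25.000010  [**] [1:1000002:2] TCP port 80 request [**] [Classification: Misc activity] [Priority: 3] {TCP} 145.254.160.237:3372 -> 198.51.100.9:80
Run time for packet processing was 0.1 seconds
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: Tuple[str, Optional[int]]   # (ip, port) - port is None for ICMP
    dst: Tuple[str, Optional[int]]


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split an IPv4 'ip' or 'ip:port' endpoint; IPv6 is out of scope here."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alerts(text: str) -> List[Alert]:
    """Return one Alert per line that matches the fast-alert layout."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # summary lines, blanks and other noise are skipped
        alerts.append(Alert(
            timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
            proto=m["proto"], src=split_endpoint(m["src"]), dst=split_endpoint(m["dst"]),
        ))
    return alerts


def summarize(alerts: List[Alert]) -> Dict:
    """Counts a triage analyst wants first: total, per rule, per protocol, noisiest sources."""
    return {
        "total": len(alerts),
        "by_sid": dict(Counter(a.sid for a in alerts)),
        "by_proto": dict(Counter(a.proto for a in alerts)),
        "top_sources": Counter(a.src[0] for a in alerts).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_fast_alerts(SAMPLE_ALERTS)).items():
        print(f"{key}: {value}")
```

To use it on a real run, read /var/log/snort/alert (or the alert file written next to -l .) and pass its contents to parse_fast_alerts; the "total" value is the figure the Task 8 questions ask for when alerts were written in fast mode.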

Task 9 : Snort Rule Structure

PROCESS:

  1. Create a rule in local.rules.

  2. Check the rule with Snort before using it, to make sure it has no syntax errors, and modify it accordingly until you see:

Snort successfully validated the configuration!

  3. Then use Snort's IDS mode, for example:

snort -c local.rules -A full -l . -r task9.pcap

  4. Alert and log files are generated; check the alerts.


Use "task9.pcap". Write a rule to filter IP ID "35369" and run it against the given pcap file. What is the request name of the detected packet? You may use this command: "snort -c local.rules -A full -l . -r task9.pcap"

Ans: TIMESTAMP REQUEST

Hint: try filtering on different protocols (TCP/UDP/ICMP) and use the rule option id:35369;

Clear the previous alert file and comment out the old rules. Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

Ans: 1

Clear the previous alert file and comment out the old rules. Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

Ans: 216

Clear the previous alert file and comment out the old rules. Create a rule to filter UDP packets with the same source and destination IP and run it against the given pcap file. What is the number of packets that show the same source and destination address?

Ans: 7

Case Example - An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

Ans: rev
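Step 2 of the process above (validate the rule before running it) and the case example about bumping rev can both be checked mechanically. The following is an added example, not code from the room or from Snort: a minimal parser for Snort 2 rule syntax that splits the header and options, reports missing msg/sid/rev and duplicate SIDs, and flags rules whose body changed between two versions of local.rules without their rev being incremented. RULES_TEXT is constructed for the demo using the filters Task 9 asks for (id, flags, sameip are standard Snort rule options); it is not the room's local.rules.

```python
"""Parse and sanity-check Snort 2 rules from local.rules-style text (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed local.rules content (not from the room). The PUSH-ACK rule is
# commented out, as the Task 9 questions ask you to do between runs.
RULES_TEXT = """\
# constructed rules for the parser demo
alert icmp any any -> any any (msg:"IP ID 35369 seen"; id:35369; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"TCP SYN"; flags:S; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"TCP PUSH-ACK"; flags:PA; sid:1000003; rev:1;)
alert udp any any -> any any (msg:"UDP same src and dst IP"; sameip; sid:1000004; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
KNOWN_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)  # None = flag option (e.g. sameip)
    line_no: int = 0

    @property
    def sid(self) -> Optional[int]:
        v = self.options.get("sid")
        return int(v) if v and v.isdigit() else None

    def body(self) -> Tuple:
        """Everything that identifies the rule's behaviour, excluding rev itself."""
        opts = tuple(sorted((k, v) for k, v in self.options.items() if k != "rev"))
        return (self.action, self.proto, self.src, self.sport, self.direction, self.dst, self.dport, opts)


def split_options(opts: str) -> List[str]:
    """Split 'k:v; k2; ...' on ';' while respecting quoted values and backslash escapes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out rules are skipped
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a Snort rule: {line!r}")
        rule = Rule(**{k: v for k, v in m.groupdict().items() if k != "opts"}, line_no=n)
        for opt in split_options(m["opts"]):
            key, _, value = opt.partition(":")
            rule.options[key.strip()] = value.strip().strip('"') if value else None
        rules.append(rule)
    return rules


def validate_rules(rules: List[Rule]) -> List[str]:
    """Return human-readable problems; an empty list means the rule set looks sane."""
    problems, seen = [], {}
    for r in rules:
        where = f"line {r.line_no}"
        if r.action not in KNOWN_ACTIONS:
            problems.append(f"{where}: unknown action {r.action!r}")
        for required in ("msg", "sid", "rev"):
            if required not in r.options:
                problems.append(f"{where}: missing {required}")
        if r.sid is not None:
            if r.sid in seen:
                problems.append(f"{where}: duplicate sid {r.sid} (also line {seen[r.sid]})")
            seen.setdefault(r.sid, r.line_no)
    return problems


def needs_rev_bump(old_text: str, new_text: str) -> List[int]:
    """SIDs whose rule body changed between two file versions while rev stayed the same."""
    old = {r.sid: r for r in parse_rules(old_text) if r.sid is not None}
    stale = []
    for r in parse_rules(new_text):
        prev = old.get(r.sid)
        if prev and prev.body() != r.body() and prev.options.get("rev") == r.options.get("rev"):
            stale.append(r.sid)
    return stale


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    print(f"{len(parsed)} active rules, problems: {validate_rules(parsed) or 'none'}")
```

This is a pre-check only; "snort -c local.rules -T" remains the authoritative syntax test, since Snort validates option arguments (for example the flags letters) that this parser does not inspect.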


Keep Hunting!