TryHackMe | Snort Challenge — The Basics

Octothorp
9 min read · Feb 23, 2023

Put your snort skills into practice and write snort rules to analyse live capture network traffic. A TryHackMe room created by ujohn.

I did a couple of CTF challenges and usually struggle when I come to using snort so I figured I would brush up on my skills and take the basic room and learn a bit.

TASK 1: Introduction

Read through the information and click Submit.

TASK 2: Writing IDS Rules (HTTP)

Q1: Write rules to detect “all TCP port 80 traffic” packets in the given pcap file.

What is the number of detected packets?

Note: You must answer this question correctly before answering the rest of the questions in this task.

I created the following two rules inside of local.rules to identify any packets, inbound or outbound, on TCP port 80.


alert TCP any any <> any 80 (msg:"Task found"; sid:10000002; rev:1;)
alert TCP any 80 <> any any (msg:"Task found"; sid:10000003; rev:1;)

snort -c local.rules -A Full -l . -r mx-3.pcap

Once the rule is created in our local.rules file we can execute snort against the pcap. You will be able to find the answer under Action Stats: in the output.

Q2: What is the destination address of packet 63?

If we run snort with the -n option we can specify the packet count we want to process.

snort -c local.rules -n63 -A Full -l . -r mx-3.pcap; tail alert

The above command runs snort over the first 63 packets and then shows the last lines of the alert file.

Q3: What is the ACK number of packet 64?

snort -c local.rules -n64 -A Full -l . -r mx-3.pcap; tail alert

Q4: What is the SEQ number of packet 62?

This is an error in the room; the correct answer is the ACK number for packet 62, not the SEQ number.

snort -c local.rules -n62 -A Full -l . -r mx-3.pcap; tail alert

Q5: What is the TTL of packet 65?

I couldn’t find this with snort so I had to use tcpdump to find it. Maybe I still need to brush up on my snort skillz.

tcpdump --absolute-tcp-sequence-numbers -nvttlr mx-3.pcap | grep ttl | tail -n65

Q6: What is the source IP of packet 65?

snort -c local.rules -n65 -A Full -l . -r mx-3.pcap; tail alert 

Q7: What is the source port of packet 65?

Using the same command as above it will just be to the right of the src address.

TASK 3: Writing IDS Rules (FTP)

Q1: Write rules to detect “all TCP port 21” traffic in the given pcap.

First we need to edit the local.rules file in the TASK-3 (FTP) directory.

alert TCP any 21 <> any any (msg:"FTP traffic Detected"; sid:10000002; rev:1;)
alert TCP any any <> any 21 (msg:"FTP traffic Detected"; sid:10000003; rev:1;)

Note: make sure the SIDs of your rules are unique or you will not get the correct results.

Q2: What is the FTP service name?

Knowing how FTP servers work and the return codes they have we can use the following command to detect the service name.

strings  snort.log.1676937372  | grep 220 | tail

Q3: Write a rule to detect failed FTP login attempts in the given pcap.

Let's use the FTP return codes to help with this again.

alert TCP any any <> any 21 (msg:"FTP Failed Login"; content:"530 User"; sid:10000003; rev:1;)

Q4: Write a rule to detect successful FTP logins in the given pcap.

Again, the FTP return codes can help us here.

alert TCP any any <> any 21 (msg:"FTP Success Login"; content:"230 User"; sid:10000003; rev:1;)

Q5: Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

I had to play around with this one to find out what to look for. Used the following to get the content to search for.

strings snort.log.1676938910  |  sort | uniq -c
alert TCP any any <> any 21 (msg:"FTP Bad Password"; content:"User"; sid:10000003; rev:1;)

Q6: Write a rule to detect failed FTP login attempts with “Administrator” username but a bad password or no password.

Using the same strings command as before I can see that the number is 6. But for some reason the room didn't like the answer of 6. I still think the rule below is the correct Snort rule.

alert TCP any any <> any 21 (msg:"FTP Bad Administrator Password"; content:"530 User Administrator cannot log"; sid:10000003; rev:1;)

TASK 4: Writing IDS Rules (PNG)

Q1: Write a rule to detect the PNG file in the given pcap.

For this, the List of File Signatures page on Wikipedia makes it a little easier: it gives the magic bytes that start a PNG file.

alert TCP any any <> any any (msg:"PNG File"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:10000003; rev:1;)

Then let's read the snort.log file back with snort and dump the packet contents.

sudo snort -r snort.log.1676939975 -X

Q2: Write a rule to detect the GIF file in the given pcap.

For this, go to the List of File Signatures on Wikipedia again and notice that there are actually two different signatures for the two GIF formats.

47 49 46 38 37 61 GIF87a
47 49 46 38 39 61 GIF89a

alert TCP any any <> any any (msg:"GIF87a detected"; content:"|47 49 46 38 37 61|"; sid:10000003; rev:1;)
alert TCP any any <> any any (msg:"GIF89A detected"; content:"|47 49 46 38 39 61|"; sid:10000004; rev:1;)

Now we can just look at the alert file and it will tell us which alert triggered.

TASK 5: Writing IDS Rules (Torrent Metafile)

Q1: Write a rule to detect the torrent metafile in the given pcap.

alert TCP any any <> any any (msg:"Torrent Detected"; content:".torrent"; sid:10000003; rev:1;)

Q2: What is the name of the torrent application?

I struggled with this… Not sure you can actually detect the “application”, so I just did the following to find me a 10-character word that contained “bit” or “Torrent” and got the correct answer.

strings torrent.pcap  | sort | uniq | tr ' ' '\n' | sort | uniq | egrep -o '[[:alpha:]]{10}' | sort | uniq | egrep 'torrent|bit'

Q3: What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

We should be able to get this from the snort log file by running the following:

snort -r snort.log.1676941092 -X

Q4: What is the hostname of the torrent metafile?

This can be found on the same screen from the previous command.

TASK 6: Troubleshooting Rule Syntax Errors

Q1: Fix the syntax error in local-1.rules file and make it work smoothly.

The rule is missing a space between the “any any” and the “(msg”.

alert tcp any 3372 -> any any (msg: "Troubleshooting 1"; sid:1000001; rev:1;)

Q2: Fix the syntax error in local-2.rules file and make it work smoothly.

The rule is missing an “any” in the source portion of the header (source address and source port both need a value).

alert icmp any any -> any any (msg: "Troubleshooting 2"; sid:1000001; rev:1;)

Q3: Fix the syntax error in local-3.rules file and make it work smoothly.

This one always gets me… look at the sid values; they need to be unique across all rules.

alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any [80,443] (msg: "HTTPX Packet Found"; sid:1000002; rev:1;)

Q4: Fix the syntax error in local-4.rules file and make it work smoothly.

Look closely at these; there are two errors, one you have seen already… the other has to do with a colon.

alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any [80,443] -> any any (msg: "HTTPX Packet Found"; sid:1000002; rev:1;)

Q5: Fix the syntax error in local-5.rules file and make it work smoothly.

I think there are 3 errors in this one …but I forgot what I fixed ;)

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert icmp any any <> any any (msg: "Inbound ICMP Packet Found"; sid:1000002; rev:1;)
alert tcp any any -> any [80,443] (msg: "HTTPX Packet Found"; sid:1000003; rev:1;)
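The mistakes in Q1 to Q5 (a missing space before the option block, a missing “any”, an unbracketed port list, a malformed or duplicated sid) are all things you can catch before Snort ever loads the file. The checker below is an added example written for this walkthrough, not Snort's parser and not part of the room; the SAMPLE_RULES it runs over are constructed to reproduce those mistakes and are not the room's local-N.rules files.

```python
import re

# Snort 2 rule header: action proto src sport direction dst dport, then the
# option block in parentheses. Simplified check written for this walkthrough;
# it is not Snort's own parser and only covers the errors discussed here.
HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s+\((?P<opts>.*)\)\s*$", re.IGNORECASE)

def lint_rules(text):
    """Return (line_no, problem) pairs for the contents of a rules file."""
    problems, seen_sids = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            if "(" in line and " (" not in line:
                problems.append((no, "missing space before '(' in the header"))
            else:
                problems.append((no, "header is not 'action proto src sport dir dst dport'"))
            continue
        for field in ("sport", "dport"):
            port = m.group(field)
            if "," in port and not (port.startswith("[") and port.endswith("]")):
                problems.append((no, f"port list {port} must be written in brackets"))
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", m.group("opts"))
        if not sid:
            problems.append((no, "sid option missing or malformed (needs sid:<n>;)"))
        elif sid.group(1) in seen_sids:
            problems.append((no, f"sid {sid.group(1)} already used on line {seen_sids[sid.group(1)]}"))
        else:
            seen_sids[sid.group(1)] = no
    return problems

# Constructed rules reproducing the kinds of mistakes this task describes
# (not the room's actual local-N.rules files).
SAMPLE_RULES = """\
alert tcp any 3372 -> any any(msg: "Troubleshooting 1"; sid:1000001; rev:1;)
alert icmp any -> any any (msg: "Troubleshooting 2"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any [80,443] (msg: "HTTPX Packet Found"; sid 1000002; rev:1;)
"""

if __name__ == "__main__":
    for no, problem in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {problem}")
```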

Q6: Fix the logical error in local-6.rules file and make it work smoothly to create alerts.

For this one you will need an ASCII chart…

alert tcp any any <> any 80  (msg: "GET Request Found"; content:"|47 45 54|"; sid:100001; rev:1;)

Q7: Fix the logical error in local-7.rules file and make it work smoothly to create alerts.

Something that belongs in the rule is missing; the rule needs a content match so it has something to look for.

alert tcp any any <> any 80  (msg:"Missing"; content:"|2E 68 74 6D 6C|"; sid:100001; rev:1;)
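The content options on this page come in two forms: plain text such as "530 User" (Task 3) and pipe-delimited hex such as |89 50 4E 47 0D 0A 1A 0A| (Task 4) or |47 45 54| (Q6 above, which is just "GET" in ASCII). The parser below is an added example for this walkthrough, not Snort's own code or the room's: it converts those content strings into the bytes Snort actually compares against a payload, and runs them over constructed sample payloads (not taken from the room's pcaps). It assumes content strings without Snort escape sequences.

```python
import re

# Content strings taken from the rules on this page. Snort "content" syntax:
# literal text, with hex byte values between '|' pipes.
RULE_CONTENTS = {
    "PNG File": "|89 50 4E 47 0D 0A 1A 0A|",
    "GIF87a detected": "|47 49 46 38 37 61|",
    "GIF89A detected": "|47 49 46 38 39 61|",
    "GET Request Found": "|47 45 54|",
    "Missing": "|2E 68 74 6D 6C|",
    "FTP Failed Login": "530 User",
}

def content_to_bytes(content):
    """Convert a Snort content string into the raw bytes Snort matches on.

    Text outside pipes is literal; text inside '|...|' is a whitespace
    separated list of hex bytes. Assumption: no escaped characters
    (\\; \\" \\|), which this simplified parser does not handle.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % content)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:                      # even index: literal text
            out += part.encode("latin-1")
        else:                               # odd index: hex byte run
            for hx in part.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", hx):
                    raise ValueError("bad hex byte %r in content %r" % (hx, content))
                out.append(int(hx, 16))
    return bytes(out)

def match_contents(payload, rules=RULE_CONTENTS):
    """Return the msg of every rule whose content occurs anywhere in payload."""
    return [msg for msg, c in rules.items() if content_to_bytes(c) in payload]

# Constructed sample payloads, not captured from the room's pcaps.
SAMPLE_PAYLOADS = {
    "png": b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "gif": b"GIF89a\x01\x00\x01\x00\x80",
    "get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ftp": b"530 User cannot log in.\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_PAYLOADS.items():
        print(name, "->", match_contents(data))
```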

TASK 7: Using External Rules (MS17–010)

Q1: Use the given rule file (local.rules) to investigate the ms1710 exploitation.

Just run snort with the given local.rules file:

sudo snort -c local.rules  -A full -l . -r ms-17-010.pcap

Q2: Use local-1.rules empty file to write a new rule to detect payloads containing the “\IPC$” keyword.

alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; content: "IPC$"; sid:2094285; rev: 3;)

Q3: Investigate the log/alarm files.

sudo snort -r snort.log.1676944707 -X

Q4: What is the CVSS v2 score of the MS17–010 vulnerability?

You can find this with a Google search or from a vendor like Tenable; just use the “Base Score”.

TASK 8: Using External Rules (Log4j)

Use the given rule file (local.rules) to investigate the log4j exploitation.

Q1: What is the number of detected packets?

You can get this by running snort with the local.rules file:

sudo snort -c local.rules -A console -r log4j.pcap

Q2: How many rules were triggered?

This can be found from the same command and output from the previous question.

Q3: What are the first six digits of the triggered rule sids?

To get this one we will need to have some logging enabled.

sudo snort -c local.rules  -A Full -l .  -r log4j.pcap

Q4: Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.

What is the number of detected packets?

I looked at the hint and it mentioned dsize, and with that and the snort docs you can whip up the rule below.

alert tcp any any -> any any (msg:"Payload between 770 and 855 bytes"; dsize:770<>855; sid:1021003726; rev:1;)

Q5: Investigate the log/alarm files. What is the name of the used encoding algorithm?

snort -eX -r snort.log.1677110079 | vi -

Now you can use vi and look around until you find it.

Q6: What is the IP ID of the corresponding packet?

You will find this on the same screen as the previous answer.

Q7: What is the attacker’s command?

Once you know what you are doing you can extract this out of the log file and decode it in a single command like below.

strings snort.log.1677110079  | grep -i Base64 | tail -n1 | egrep -o 'KGN.*=' | base64 -d;echo

Q8: What is the CVSS v2 score of the Log4j vulnerability?

If you re-run snort over the pcap you can look at the alerts and find a reference to the article and obtain the score from there.

Outstanding room, ujohn; thank you for creating such a great room. I learned a lot and plan on trying your second room, Snort Challenge 2.
