This article is a tutorial on using Snort, an intrusion detection and prevention system (IDS/IPS), to identify and stop live cyber attacks within the TryHackMe “Snort Challenge – Live Attacks” room. The article demonstrates a methodical approach to handling two attack scenarios: a brute-force attack and a reverse shell connection.
Snort Definition
SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS). It was developed, and is still maintained, by Martin Roesch, open-source contributors, and the Cisco Talos team.
Capabilities of Snort
- Live traffic analysis
- Attack and probe detection
- Packet logging
- Protocol analysis
- Real-time alerting
- Modules & plugins
- Pre-processors
- Cross-platform support! (Linux & Windows)
Snort Operating Modes
Sniffer Mode: Read IP packets and print them in the console application.
Packet Logger Mode: Log all IP packets (inbound and outbound) that visit the network.
NIDS and NIPS Modes: Log/drop the packets that are deemed malicious according to the user-defined rules.
Using Snort:
- Sniff & Capture: Initiate Snort in sniffer mode. This allows the system to passively monitor network traffic and log all activity to a file for later inspection.
- Analyze & Identify: Meticulously examine the captured log files. The goal is to pinpoint suspicious patterns, identify the specific ports and protocols being exploited, and understand the nature of the attack.
- Rule & Define: Based on the analysis, craft precise Snort rules. These rules define the characteristics of the malicious traffic that Snort should look for.
- Block & Protect: Switch Snort to Intrusion Prevention System (IPS) mode. With the custom rules activated, Snort will now actively inspect traffic and drop any packets that match the defined malicious signatures, effectively neutralizing the attack.
Scenario one | Investigating Brute Force Attacks with Snort
Objective: Detect and block an ongoing brute-force attack targeting an endpoint, then retrieve the confirmation flag.
- Initial Observation: The scenario begins with an active brute-force attack, indicated by an on-screen alert.
- Traffic Capture: Snort is launched in logger mode (sudo snort -dev -l . -K ascii) to capture all network packets.
- Log Investigation: The captured log file is read using sudo snort -r <logfile>. Analysis focuses on inbound traffic to the target machine’s IP (10.10.11.123). A high volume of repeated connection attempts from a specific external IP to port 22 (SSH) strongly indicates a brute-force attempt.
- Port & Protocol Identified: Port 22, Protocol TCP.
- Crafting the Snort Rule: A rule is added to /etc/snort/rules/local.rules. The aim is to drop TCP packets from any external source to any internal IP on port 22. The rule alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; sid:1000001; rev:1;) is an example of an alert rule; for blocking, the action would be drop.
- The rule directionality, initially set as any -> [internal_network_IP]/22, was adjusted to be bidirectional (<>) for more effective blocking in some contexts, or a clear any -> $HOME_NET 22 (where $HOME_NET is the target network).
- Engaging IPS Mode: Snort is restarted in full IPS mode, applying the new rule to actively block the attack. A common command structure involves specifying the configuration file (-c /etc/snort/snort.conf) and enabling inline packet processing (-Q).
- Success & Flag Retrieval: With the brute-force attempts effectively blocked by Snort, the flag appears on the target machine’s desktop.
Steps Taken:
- Start Snort in Sniffer Mode: Logs all incoming packets and saves them for analysis.
- Packet Analysis: The analyst inspects packets, identifies the IP addresses involved, and notes the protocol (SSH) and port (22).
- Rule Creation: A Snort rule is written to drop SSH packets from the attacker to block further brute force attempts. After testing, the rule is activated in IPS mode to block the attacker effectively.
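As an added example (not from the room or from the Snort project), the following Python linter for local.rules makes the "Rule & Define" step concrete: it splits a rule into its header fields (action, protocol, source, source port, direction, destination, destination port) and its option body, checks the action and direction tokens, flags missing or duplicate sid values, and swaps alert for drop as described above. The rules file it reads is constructed for this example; it contains the two rules quoted on this page plus two deliberately bad lines so the checks have something to catch. Option parsing is simplified and assumes no semicolons inside option values.

```python
import re

# Constructed local.rules body for this example: the two rules quoted on this
# page, then a duplicate sid and a malformed direction to exercise the linter.
LOCAL_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; sid:1000001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Potential Reverse Shell Outbound on Port 4444"; sid:1000002; rev:1;)
drop tcp any any -> $HOME_NET 22 (msg:"Duplicate sid"; sid:1000001; rev:1;)
alert tcp any any => $HOME_NET 22 (msg:"Bad direction"; sid:1000003; rev:1;)
"""

# Rule actions and direction operators Snort 2 accepts in a rule header.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}

# Header: action proto src sport dir dst dport, then the option body in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Return the header fields plus an options dict, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    # Options are `key:value;` pairs; quotes around msg are stripped for convenience.
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def lint_rules(text):
    """Parse a local.rules body; return (rules, problems) with one problem string per finding."""
    rules, problems, seen_sids = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append(f"line {lineno}: not a parseable rule header")
            continue
        if rule["action"] not in ACTIONS:
            problems.append(f"line {lineno}: unknown action {rule['action']!r}")
        if rule["dir"] not in DIRECTIONS:
            problems.append(f"line {lineno}: bad direction {rule['dir']!r}")
        sid = rule["options"].get("sid")
        if sid is None:
            problems.append(f"line {lineno}: missing sid")
        elif sid in seen_sids:
            problems.append(f"line {lineno}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = lineno
        if "msg" not in rule["options"]:
            problems.append(f"line {lineno}: missing msg")
        rules.append(rule)
    return rules, problems


def to_drop(rule_line):
    """Turn an alert rule into its blocking equivalent by swapping only the action keyword."""
    action, _, rest = rule_line.partition(" ")
    return "drop " + rest if action == "alert" else rule_line


if __name__ == "__main__":
    parsed, findings = lint_rules(LOCAL_RULES)
    print(f"{len(parsed)} rules parsed, {len(findings)} problems")
    for f in findings:
        print(" ", f)
```

Running the file prints the two expected findings (the reused sid 1000001 and the `=>` direction); the same function can be pointed at the real /etc/snort/rules/local.rules before restarting Snort in IPS mode, since a duplicate sid or a typo in the header is what usually makes Snort refuse to start.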
[+] J.A.V.A.
Welcome, sir. I am sorry for the interruption. It is an emergency. Somebody is knocking on the door!
[+] YOU
Knocking on the door? What do you mean by “knocking on the door”?
[+] J.A.V.A.
We have a brute-force attack, sir.
[+] THE NARRATOR
This is not a comic book! Would you mind going and checking what’s going on! Please…
[+] J.A.V.A.
Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the brute-force attack. GOOD LUCK!
Scenario 2: Neutralizing a Reverse Shell Connection
Objective: Discover and block a reverse shell connection originating from a compromised machine within the internal network, then retrieve the flag.
Initial Situation: This scenario presumes an internal machine has been compromised and is attempting to establish an outbound reverse shell to an attacker’s machine.
Traffic Capture: Snort is again started in logger mode to capture ongoing network activity.
Log Investigation: Analysis of the log file focuses on outbound traffic patterns. The instructor identifies persistent TCP communication from an internal IP (e.g., ending in .156) to a specific external IP (e.g., ending in .55) on port 4444. The consistent bidirectional traffic on this non-standard port is a strong indicator. Port 4444 is commonly associated with tools like Metasploit for establishing reverse shells.
Port & Protocol Identified: Port 4444, Protocol TCP.
Crafting the Snort Rule: A new rule is added to /etc/snort/rules/local.rules to drop outbound TCP packets from any internal IP to any external IP on port 4444. Example structure: drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Potential Reverse Shell Outbound on Port 4444"; sid:1000002; rev:1;). The direction is outbound (->).
Engaging IPS Mode: Snort is restarted in IPS mode with the newly created rule.
Success & Flag Retrieval: Once Snort blocks the reverse shell communication, the flag is displayed on the target machine.
[+] THE NARRATOR
Good Job! Glad to have you in the team!
[+] J.A.V.A.
Congratulations sir. It is inspiring watching you work.
[+] YOU
Thanks team. J.A.V.A. can you do a quick scan for me? We haven’t investigated the outbound traffic yet.
[+] J.A.V.A.
Yes, sir. Outbound traffic investigation has begun.
[+] THE NARRATOR
The outbound traffic? Why?
[+] YOU
We have stopped some inbound access attempts, so we didn’t let the bad guys get in. How about the bad guys who are already inside? Also, no need to mention the insider risks, huh? The dwell time is still around 1-3 months, and I am quite new here, so it is worth checking the outgoing traffic as well.
[+] J.A.V.A.
Sir, persistent outbound traffic is detected. Possibly a reverse shell…
[+] YOU
You got it!
[+] J.A.V.A.
Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell. GOOD LUCK!
Steps Taken:
- Traffic Capture in Sniffer Mode: Snort is used to log outgoing (outbound) packets for inspection.
- Traffic Analysis: Identifies the pattern of communication that could indicate a reverse shell.
- Preventative Rule Creation: A rule is written to block outbound traffic to the attacker’s IP, preventing further exploitation, though further incident response would be required to secure the compromised machine.
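To make the "Analyze & Identify" step concrete for both scenarios, here is an added Python example (not part of the room or of Snort) that reads the packet header lines snort -r prints and applies the two heuristics used above: many distinct client ports from one external source toward port 22 on an internal host, and an internal-to-external flow on a single port that is both sustained and answered. The capture it processes is constructed inline; HOME_NET (10.10.11.0/24), the attacker address 10.10.245.50 and the listener 10.10.140.55 are assumptions, the thresholds are illustrative, and the drop rules it emits are drafts in the style of the rules shown on this page, to be reviewed before they go into local.rules.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed monitored network for this example; the room's target host is 10.10.11.123.
HOME_NET = ipaddress.ip_network("10.10.11.0/24")

# One packet header per line, in the layout `snort -r` / `snort -dev` prints:
#   MM/DD-HH:MM:SS.ffffff SRC:SPORT -> DST:DPORT
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def constructed_log():
    """Constructed sample capture: 12 SSH connection attempts from one external
    host, a session on 4444 with traffic in both directions, and one DNS query
    inside HOME_NET that the detectors should ignore."""
    lines = []
    for i in range(12):  # attacker opens a new client port for every login attempt
        lines.append(f"03/14-10:02:{i:02d}.000001 10.10.245.50:{51000 + i} -> 10.10.11.123:22")
    for i in range(6):   # compromised host talks to an external listener on 4444, and it answers
        lines.append(f"03/14-10:05:{i:02d}.000001 10.10.11.156:39422 -> 10.10.140.55:4444")
        lines.append(f"03/14-10:05:{i:02d}.500001 10.10.140.55:4444 -> 10.10.11.156:39422")
    lines.append("03/14-10:06:00.000001 10.10.11.156:53210 -> 10.10.11.1:53")
    return "\n".join(lines)


def parse_headers(text):
    """Keep only header lines; TCP/IP detail lines and payload dumps do not match and are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            packets.append(d)
    return packets


def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET


def inbound_bruteforce(packets, port=22, threshold=10):
    """External sources that used more than `threshold` distinct client ports
    toward `port` on an internal host; each new client port is a new connection attempt."""
    ports_seen = defaultdict(set)
    for p in packets:
        if p["dport"] == port and is_home(p["dst"]) and not is_home(p["src"]):
            ports_seen[(p["src"], p["dst"])].add(p["sport"])
    return {k: len(v) for k, v in ports_seen.items() if len(v) > threshold}


def outbound_persistent(packets, min_packets=5):
    """Internal -> external flows with at least `min_packets` outbound packets AND
    replies coming back, i.e. an established session rather than a failed connect."""
    out = Counter()
    replies = set()
    for p in packets:
        if is_home(p["src"]) and not is_home(p["dst"]):
            out[(p["src"], p["dst"], p["dport"])] += 1
        elif is_home(p["dst"]) and not is_home(p["src"]):
            replies.add((p["dst"], p["src"], p["sport"]))  # keyed like the outbound flow
    return sorted(k for k, n in out.items() if n >= min_packets and k in replies)


def suggest_rules(bruteforce, flows, first_sid=1000001):
    """Draft one drop rule per finding, in the shape of the rules shown on this page."""
    rules, sid = [], first_sid
    for (src, dst), n in sorted(bruteforce.items()):
        rules.append(f'drop tcp {src} any -> $HOME_NET 22 '
                     f'(msg:"SSH brute force ({n} attempts)"; sid:{sid}; rev:1;)')
        sid += 1
    for src, dst, dport in flows:
        rules.append(f'drop tcp $HOME_NET any -> {dst} {dport} '
                     f'(msg:"Persistent outbound session from {src}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    pkts = parse_headers(constructed_log())
    for rule in suggest_rules(inbound_bruteforce(pkts), outbound_persistent(pkts)):
        print(rule)
```

Counting distinct client ports rather than raw packets is what separates a brute-force run from one long, chatty SSH session, and requiring replies before calling a flow "persistent" keeps a host that merely scans or retries a dead address from being flagged; on a real capture, feed the output of snort -r <logfile> to parse_headers instead of the constructed sample.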
Room Answers | TryHackMe Snort Challenge – Live Attacks
Stop the attack and get the flag (which will appear on your Desktop)
THM{81b7fef657f8aaa6e4e200d616738254}
What is the name of the service under attack?
ssh
What is the used protocol/port in the attack?
tcp/22
Stop the attack and get the flag (which will appear on your Desktop)
THM{0ead8c494861079b1b74ec2380d2cd24}
What is the used protocol/port in the attack?
tcp/4444
Which tool is highly associated with this specific port number?
Metasploit