We covered using Snort to observe live traffic, identify an attack, and stop it with a custom rule, as part of the TryHackMe room Snort Challenge – Live Attacks.

Snort Definition

SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS). It was created by Martin Roesch and is still maintained by open-source contributors and the Cisco Talos team.

Capabilities of Snort

  • Live traffic analysis
  • Attack and probe detection
  • Packet logging
  • Protocol analysis
  • Real-time alerting
  • Modules & plugins
  • Pre-processors
  • Cross-platform support! (Linux & Windows)

Snort Operating Modes

  • Sniffer Mode – Reads packets off the wire and prints them to the console.
  • Packet Logger Mode – Writes all packets (inbound and outbound) seen on the interface to disk for later analysis.
  • NIDS and NIPS Modes – Alert on (NIDS) or drop (NIPS) packets that match user-defined rules. Dropping requires Snort to run inline, so it sees each packet before it is forwarded.

Scenario one | Investigating Brute Force Attacks with Snort

[+] THE NARRATOR

J&Y Enterprise is one of the top coffee retailers in the world. They are known as tech-coffee shops and serve millions of coffee-loving tech geeks and IT specialists every day.

They are famous for specific coffee recipes for the IT community and unique names for these products. Their top five recipe names are:

WannaWhite, ZeroSleep, MacDown, BerryKeep and CryptoY.

J&Y’s latest recipe, “Shot4J”, attracted great attention at the global coffee festival. J&Y officials promised that the product will hit the stores in the coming months.

The super-secret of this recipe is hidden in a digital safe. Attackers are after this recipe, and J&Y enterprises are having difficulties protecting their digital assets.

Last week, they received multiple attacks and decided to work with you to help them improve their security level and protect their recipe secrets.  

This is your assistant J.A.V.A. (Just Another Virtual Assistant). She is an AI-driven virtual assistant and will help you notice possible anomalies. Hey, wait, something is happening…

Steps Taken:

  1. Start Snort in sniffer mode with packet logging enabled, so that every packet crossing the interface is written to a log file for analysis.
  2. Packet analysis: inspect the logged packets, identify the IP addresses involved, and note the repeated connection attempts against one service, the protocol (SSH) and the port (22).
  3. Rule creation: write a Snort rule that drops the attacker's SSH packets, test it against the logged traffic, then run Snort inline (NIPS mode) with the rule so that further brute-force attempts are blocked rather than only alerted on.

[+] J.A.V.A.

Welcome, sir. I am sorry for the interruption. It is an emergency. Somebody is knocking on the door!

[+] YOU

Knocking on the door? What do you mean by “knocking on the door”?

[+] J.A.V.A.

We have a brute-force attack, sir.

[+] THE NARRATOR

This is not a comic book! Would you mind going and checking what’s going on? Please…

[+] J.A.V.A.

Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the brute-force attack. GOOD LUCK!

Scenario Two | Reverse Shells

[+] THE NARRATOR

Good Job! Glad to have you in the team!

[+] J.A.V.A.

Congratulations sir. It is inspiring watching you work.

[+] YOU

Thanks team. J.A.V.A. can you do a quick scan for me? We haven’t investigated the outbound traffic yet. 

[+] J.A.V.A.

Yes, sir. Outbound traffic investigation has begun. 

[+] THE NARRATOR

The outbound traffic? Why?

[+] YOU

We have stopped some inbound access attempts, so we didn’t let the bad guys get in. How about the bad guys who are already inside? Also, no need to mention the insider risks, huh? The dwell time is still around 1-3 months, and I am quite new here, so it is worth checking the outgoing traffic as well.

[+] J.A.V.A.

Sir, persistent outbound traffic is detected. Possibly a reverse shell…

[+] YOU

You got it!

[+] J.A.V.A.

Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell. GOOD LUCK!

Steps Taken:

  1. Traffic capture: run Snort in sniffer mode with packet logging so that outbound packets are recorded for inspection.
  2. Traffic analysis: look for a persistent session from an internal host to an external address on an unusual port (here tcp/4444, the default Metasploit handler port); a long-lived outbound connection to a port that serves no known application is the typical signature of a reverse shell.
  3. Preventative rule creation: write a rule that drops outbound traffic to the attacker's IP and port, which cuts the shell's channel. This contains the problem but does not fix it: the host is already compromised, so incident response on that machine (how the attacker got in, what they ran, whether they established persistence) is still required.
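The "traffic analysis" step in both scenarios above is the part the room leaves to the reader. The following is an added example, not code from the TryHackMe room or from the Snort project: it parses text in the shape of Snort's sniffer-mode (`snort -v`) console output, counts fresh SSH connection attempts per source (scenario one) and persistent outbound sessions to tcp/4444 (scenario two), and emits Snort 2 drop rules for what it finds. The capture is constructed inline, the protected network 10.10.140.0/24, the detection thresholds, and the IP addresses are assumptions for the illustration.

```python
"""Added example: spot a brute-force loop and a reverse shell in `snort -v`
style output and produce Snort drop rules for them. Not from the room."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Header line of each packet block in `snort -v` output:
#   MM/DD-HH:MM:SS.ffffff SRC:SPORT -> DST:DPORT
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
# Snort prints TCP flags as eight columns "12UAPRSF"; a pure SYN is ******S*
# (a SYN-ACK, ***A**S*, does not match because the A breaks the run of stars).
SYN_RE = re.compile(r"^\*+S\*+ Seq:")

LOCAL_NET = ip_network("10.10.140.0/24")  # assumption: the protected segment


def parse_snort_v(text):
    """Return one dict per packet block: ts, src, sport, dst, dport, is_syn."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = dict(m.groupdict(), is_syn=False)
            packets.append(current)
        elif current is not None and SYN_RE.match(line.strip()):
            current["is_syn"] = True
    return packets


def detect_brute_force(packets, dport=22, threshold=10):
    """A login brute forcer opens a new TCP connection per guess, so count pure
    SYNs per (src, dst) toward the SSH port and flag anything above threshold."""
    syns = Counter()
    for p in packets:
        if p["is_syn"] and int(p["dport"]) == dport:
            syns[(p["src"], p["dst"])] += 1
    return {pair: n for pair, n in syns.items() if n >= threshold}


def detect_reverse_shell(packets, suspicious_ports=(4444,)):
    """Flag sessions from a local host to an external host on a port associated
    with Metasploit handlers that carry more than the initial SYN."""
    sessions = Counter()
    for p in packets:
        src, dst, dport = p["src"], p["dst"], int(p["dport"])
        if (ip_address(src) in LOCAL_NET and ip_address(dst) not in LOCAL_NET
                and dport in suspicious_ports):
            sessions[(src, dst, dport)] += 1
    return {k: n for k, n in sessions.items() if n > 1}


def make_drop_rules(brute, shells, base_sid=1000001):
    """Snort 2 rule syntax. sids of 1,000,000 and above are reserved for local
    rules; `flags:S` limits the first rule to new connections only."""
    rules, sid = [], base_sid
    for src, dst in sorted(brute):
        rules.append(f'drop tcp {src} any -> {dst} 22 (msg:"SSH brute force from {src}"; '
                     f'flags:S; sid:{sid}; rev:1;)')
        sid += 1
    for src, dst, dport in sorted(shells):
        rules.append(f'drop tcp {src} any -> {dst} {dport} (msg:"Possible reverse shell to '
                     f'{dst}:{dport}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def sample_capture():
    """Constructed `snort -v`-style text (not a real capture): one benign HTTPS
    handshake, 12 SSH connection attempts from one host, and a persistent
    outbound session from an internal host to an external host on tcp/4444."""
    blocks = []

    def pkt(ts, src, sport, dst, dport, flags):
        blocks.append(f"{ts} {src}:{sport} -> {dst}:{dport}\n"
                      "TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF\n"
                      f"{flags} Seq: 0x0  Ack: 0x0  Win: 0xFAF0  TcpLen: 20\n"
                      "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n")

    pkt("03/09-16:33:50.000001", "10.10.140.29", 40200, "93.184.216.34", 443, "******S*")
    pkt("03/09-16:33:50.000500", "93.184.216.34", 443, "10.10.140.29", 40200, "***A**S*")
    for i in range(12):  # scenario one: one source, one new connection per guess
        pkt(f"03/09-16:33:5{i % 10}.{i:06d}", "10.10.245.36", 45000 + i, "10.10.140.29", 22, "******S*")
    for i in range(6):   # scenario two: SYN then ongoing data on the same socket pair
        pkt(f"03/09-16:34:0{i}.000000", "10.10.140.29", 52110, "10.10.144.250", 4444,
            "***AP***" if i else "******S*")
    return "".join(blocks)


def analyse(text):
    packets = parse_snort_v(text)
    brute, shells = detect_brute_force(packets), detect_reverse_shell(packets)
    return brute, shells, make_drop_rules(brute, shells)


if __name__ == "__main__":
    brute, shells, rules = analyse(sample_capture())
    print("brute force:", brute)
    print("reverse shell:", shells)
    print("\n".join(rules))
```

The emitted rules go into a local rules file and Snort is then started inline so it can drop rather than merely alert; with Snort 2 that is the `-Q` flag together with an inline DAQ, for example `sudo snort -c local.rules -A full -l . -Q --daq afpacket -i eth0:eth1` (the interface pair is an assumption for the lab topology). Two caveats a practitioner would add: a SYN threshold tuned too low will also catch a legitimate automation host that opens many short SSH sessions, and port 4444 is only a convention, so a handler on any other port is missed by a port-based rule and needs a session-based or content-based signature instead.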

Room Answers | TryHackMe Snort Challenge – Live Attacks

Stop the attack and get the flag (which will appear on your Desktop)

THM{81b7fef657f8aaa6e4e200d616738254}

What is the name of the service under attack?

ssh

What is the used protocol/port in the attack?

tcp/22

Stop the attack and get the flag (which will appear on your Desktop)

THM{0ead8c494861079b1b74ec2380d2cd24}

What is the used protocol/port in the attack?

tcp/4444

Which tool is highly associated with this specific port number?

Metasploit

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
