TryHackMe: Snort Writeup

The room: “Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.”

https://tryhackme.com/room/snort

Task 2: Interactive Material and VM

2.1. Navigate to the Task-Exercises folder and run the command “./.easy.sh” and write the output

Since the file is hidden, it is prefixed with ” . ” before the name.

sudo ./.easy.sh

Too Easy!

Task 3: Introduction to IDS/IPS

3.1. Which snort mode can help you stop the threats on a local machine?

HIPS

3.2. Which snort mode can help you detect threats on a local network?

NIDS

3.3. Which snort mode can help you detect the threats on a local machine?

HIDS

3.4. Which snort mode can help you stop the threats on a local network?

NIPS

3.5. Which snort mode works similar to NIPS mode?

NBA

3.6. According to the official description of the snort, what kind of NIPS is it?

full-blown

3.7. NBA training period is also known as …

baselining

Task 4: First Interaction with Snort

4.1. Run the Snort instance and check the build number.

149

4.2. Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.

snort -c /etc/snort/snort.conf -T

4151

4.3. Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.

snort -c /etc/snort/snortv2.conf -T

1

Task 6: Operation Mode 2: Packet Logger Mode

6.1. Now, you should have the logs in the current directory. Navigate to folder “145.254.160.237”. What is the source port used to connect port 53?

3009

6.2. Use snort.log.1640048004 

Read the snort.log file with Snort; what is the IP ID of the 10th packet?

cd Desktop/Task-Exercises/Exercise-Files/TASK-6
sudo snort -r snort.log.1640048004 -n 10

49313

6.3. Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet?

sudo snort -r snort.log.1640048004 -X -n 10

http://www.ethereal.com/development.html

6.4. Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet?

sudo snort -r snort.log.1640048004 -n 8

0x38AFFFF3

6.5.Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets?

sudo snort -r snort.log.1640048004 'tcp and port 80'

41

Task 7: Operation Mode 3: IDS/IPS

7.1. What is the number of the detected HTTP GET methods?

2

Task 8: Operation Mode 4: PCAP Investigation

8.1. What is the number of the generated alerts?

cd Desktop/Task-Exercises/Exercise-Files/TASK-8/
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

170

8.2. Keep reading the output. How many TCP Segments are Queued?

18

8.3. Keep reading the output.How many “HTTP response headers” were extracted?

3

8.4. What is the number of the generated alerts?

sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap

68

8.5. What is the number of the generated alerts?

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap

340

8.6. Keep reading the output. What is the number of the detected TCP packets?

82

8.7. What is the number of the generated alerts?

sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"

1020

Task 9: Snort Rule Structure

9.1. Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet?

alert icmp any any <> any any (msg:"IP ID"; id:35369; sid:1000001; rev:1;)
sudo snort -c local.rules -A full -l . -r task9.pcap
sudo snort -r snort.log.1680681113

TIMESTAMP REQUEST

9.2. Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)

1

9.3. Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

sudo rm snort.log.1680681590 snort.log.1680681113
sudo rm alert
alert tcp any any <> any any (msg: "FLAG TEST"; flags:PA; sid: 100001; rev:1;)

216

9.4. Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?

alert tcp any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
alert udp any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100002; rev:1;)

10

9.5. Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

rev

a

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir