Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the ultimate-blocks domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/margheri/public_html/wp-includes/functions.php on line 6121

Notice: _load_textdomain_just_in_time işlevi yanlış çağrıldı. Translation loading for the perfect-portfolio domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Ayrıntılı bilgi almak için lütfen WordPress hata ayıklama bölümüne bakın. (Bu ileti 6.7.0 sürümünde eklendi.) in /home/margheri/public_html/wp-includes/functions.php on line 6121
TryHackMe: Snort Writeup - Aleyna Doğan

TryHackMe: Snort Writeup

The room: “Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.”

https://tryhackme.com/room/snort

Task 2: Interactive Material and VM

2.1. Navigate to the Task-Exercises folder and run the command “./.easy.sh” and write the output

Since the file is hidden, it is prefixed with ” . ” before the name.

sudo ./.easy.sh

Too Easy!

Task 3: Introduction to IDS/IPS

3.1. Which snort mode can help you stop the threats on a local machine?

HIPS

3.2. Which snort mode can help you detect threats on a local network?

NIDS

3.3. Which snort mode can help you detect the threats on a local machine?

HIDS

3.4. Which snort mode can help you stop the threats on a local network?

NIPS

3.5. Which snort mode works similar to NIPS mode?

NBA

3.6. According to the official description of the snort, what kind of NIPS is it?

full-blown

3.7. NBA training period is also known as …

baselining

Task 4: First Interaction with Snort

4.1. Run the Snort instance and check the build number.

149

4.2. Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.

snort -c /etc/snort/snort.conf -T

4151

4.3. Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.

snort -c /etc/snort/snortv2.conf -T

1

Task 6: Operation Mode 2: Packet Logger Mode

6.1. Now, you should have the logs in the current directory. Navigate to folder “145.254.160.237”. What is the source port used to connect port 53?

3009

6.2. Use snort.log.1640048004 

Read the snort.log file with Snort; what is the IP ID of the 10th packet?

cd Desktop/Task-Exercises/Exercise-Files/TASK-6
sudo snort -r snort.log.1640048004 -n 10

49313

6.3. Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet?

sudo snort -r snort.log.1640048004 -X -n 10

http://www.ethereal.com/development.html

6.4. Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet?

sudo snort -r snort.log.1640048004 -n 8

0x38AFFFF3

6.5.Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets?

sudo snort -r snort.log.1640048004 'tcp and port 80'

41

Task 7: Operation Mode 3: IDS/IPS

7.1. What is the number of the detected HTTP GET methods?

2

Task 8: Operation Mode 4: PCAP Investigation

8.1. What is the number of the generated alerts?

cd Desktop/Task-Exercises/Exercise-Files/TASK-8/
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

170

8.2. Keep reading the output. How many TCP Segments are Queued?

18

8.3. Keep reading the output.How many “HTTP response headers” were extracted?

3

8.4. What is the number of the generated alerts?

sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap

68

8.5. What is the number of the generated alerts?

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap

340

8.6. Keep reading the output. What is the number of the detected TCP packets?

82

8.7. What is the number of the generated alerts?

sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"

1020

Task 9: Snort Rule Structure

9.1. Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet?

alert icmp any any <> any any (msg:"IP ID"; id:35369; sid:1000001; rev:1;)
sudo snort -c local.rules -A full -l . -r task9.pcap
sudo snort -r snort.log.1680681113

TIMESTAMP REQUEST

9.2. Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)

1

9.3. Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

sudo rm snort.log.1680681590 snort.log.1680681113
sudo rm alert
alert tcp any any <> any any (msg: "FLAG TEST"; flags:PA; sid: 100001; rev:1;)

216

9.4. Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?

alert tcp any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
alert udp any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100002; rev:1;)

10

9.5. Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

rev

a

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir