The room: “Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.”
https://tryhackme.com/room/snort
Task 2: Interactive Material and VM
2.1. Navigate to the Task-Exercises folder and run the command “./.easy.sh” and write the output
Since the file is hidden, it is prefixed with ” . ” before the name.
sudo ./.easy.sh
Too Easy!
Task 3: Introduction to IDS/IPS
3.1. Which snort mode can help you stop the threats on a local machine?
HIPS
3.2. Which snort mode can help you detect threats on a local network?
NIDS
3.3. Which snort mode can help you detect the threats on a local machine?
HIDS
3.4. Which snort mode can help you stop the threats on a local network?
NIPS
3.5. Which snort mode works similar to NIPS mode?
NBA
3.6. According to the official description of the snort, what kind of NIPS is it?
full-blown
3.7. NBA training period is also known as …
baselining
Task 4: First Interaction with Snort
4.1. Run the Snort instance and check the build number.
149
4.2. Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.
snort -c /etc/snort/snort.conf -T
4151
4.3. Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.
snort -c /etc/snort/snortv2.conf -T
1
Task 6: Operation Mode 2: Packet Logger Mode
6.1. Now, you should have the logs in the current directory. Navigate to folder “145.254.160.237”. What is the source port used to connect port 53?
3009
6.2. Use snort.log.1640048004
Read the snort.log file with Snort; what is the IP ID of the 10th packet?
cd Desktop/Task-Exercises/Exercise-Files/TASK-6
sudo snort -r snort.log.1640048004 -n 10
49313
6.3. Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet?
sudo snort -r snort.log.1640048004 -X -n 10
http://www.ethereal.com/development.html
6.4. Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet?
sudo snort -r snort.log.1640048004 -n 8
0x38AFFFF3
6.5.Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets?
sudo snort -r snort.log.1640048004 'tcp and port 80'
41
Task 7: Operation Mode 3: IDS/IPS
7.1. What is the number of the detected HTTP GET methods?
2
Task 8: Operation Mode 4: PCAP Investigation
8.1. What is the number of the generated alerts?
cd Desktop/Task-Exercises/Exercise-Files/TASK-8/
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap
170
8.2. Keep reading the output. How many TCP Segments are Queued?
18
8.3. Keep reading the output.How many “HTTP response headers” were extracted?
3
8.4. What is the number of the generated alerts?
sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap
68
8.5. What is the number of the generated alerts?
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap
340
8.6. Keep reading the output. What is the number of the detected TCP packets?
82
8.7. What is the number of the generated alerts?
sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"
1020
Task 9: Snort Rule Structure
9.1. Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet?
alert icmp any any <> any any (msg:"IP ID"; id:35369; sid:1000001; rev:1;)
sudo snort -c local.rules -A full -l . -r task9.pcap
sudo snort -r snort.log.1680681113
TIMESTAMP REQUEST
9.2. Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?
alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)
1
9.3. Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
sudo rm snort.log.1680681590 snort.log.1680681113
sudo rm alert
alert tcp any any <> any any (msg: "FLAG TEST"; flags:PA; sid: 100001; rev:1;)
216
9.4. Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?
alert tcp any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
alert udp any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100002; rev:1;)
10
9.5. Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?
rev
a