CTF: SNORT Basics Pt. 1
Today I will be running through a blue team CTF focused on using the IDS/IPS Snort. Snort can be used both passively for packet analysis and inline with written rules to deny ports, IP ranges, etc. This is a CTF from TryHackMe and there are a ton of questions in this particular challenge, so I'm going to break it up into a "part 1" and "part 2".
Task 2 Writing IDS Rules (HTTP) Questions:
1. Write rules to detect "all TCP port 80 traffic" packets in the given pcap file. What is the number of detected packets?
Rules:
alert tcp any any <> any 80 (msg:"TCP Port 80"; sid:1000001; rev:1;)
alert tcp any 80 <> any any (msg:"TCP Port 80"; sid:1000002; rev:1;)
Command: sudo snort -c local.rules -A full -l . -r mx-3.pca
2. What is the destination address of packet 63?
Command: sudo snort -r snort.log.1683210946 -n 63
** The -n flag tells Snort to stop after reading that many packets, so -n 63 makes packet 63 the last one printed and we can quickly find the information needed.
The next 5 questions are about packets 62, 64 and 65. I'm going to run one command and take one screenshot to answer the following questions.
Command: sudo snort -r snort.log.1683210946 -n 65
3. What is the ACK number of packet 64?
4. What is the SEQ number of packet 62?
5. What is the TTL of packet number 65?
6. What is the source IP of packet number 65?
7. What is the source port of packet 65?
Task 3 Writing IDS Rules (FTP) Questions:
1. What is the number of detected packets?
Rules:
alert tcp any 21 <> any any (msg:"Who left FTP open?"; sid:1000001; rev:1;)
alert tcp any any <> any 21 (msg:"Who left FTP open?"; sid:1000002; rev:1;)
Command: sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap
2. What is the FTP service name?
*For the next few questions, this website has the FTP response codes that will be added to your rules.
3. Write a rule to detect failed FTP login attempts in the given pcap.
What is the number of detected packets?
Rule:
alert tcp any any <> any 21 (msg:"Failed FTP Login"; content:"530 User"; sid:1000003; rev:1;)
4. Write a rule to detect successful FTP logins in the given pcap.
What is the number of detected packets?
Rule:
alert tcp any any <> any 21 (msg:"Successful FTP Login"; content:"230 User"; sid:1000004; rev:1;)
5. Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.
What is the number of detected packets?
Rule:
alert tcp any any <> any 21 (msg:"FTP User OK Password Bad"; content:"331 Password"; sid:1000005; rev:1;)
6. Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.
What is the number of detected packets?
Rule:
alert tcp any any <> any 21 (msg:"FTP Failed Admin Login"; content:"Administrator"; content:"331 Password"; sid:1000006; rev:1;)
Task 4 Writing IDS Rules (PNG) Questions:
1. Investigate the logs and identify the software name embedded in the packet.
Rule:
alert tcp any any <> any any (msg:"PNG File Found"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100001; rev:1;)
Commands: sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap
sudo snort -r snort.log.1683227953 -X
2. Write a rule to detect the GIF file in the given pcap.
Investigate the logs and identify the image format embedded in the packet.
Rule:
alert tcp any any <> any any (msg:"GIF File Found"; content:"GIF89a"; sid:100002; rev:1;)
Command: sudo snort -r snort.log.1683228823 -X
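To see what the content: clauses in the Task 3 FTP rules and the Task 4 PNG rule actually match on, here is an added Python example (not from the TryHackMe room or from Snort) that evaluates those rules against constructed FTP response lines and a PNG header. It covers only the option syntax the rules above use (literal strings, the |hex| byte notation, and several content: clauses that are ANDed); nocase, depth, offset and escape sequences are out of scope. Note that rule 6 only fires because the constructed 331 response echoes the username, so both patterns land in the same packet.

```python
import re

RULE_FAILED = 'alert tcp any any <> any 21 (msg:"Failed FTP Login"; content:"530 User"; sid:1000003; rev:1;)'
RULE_SUCCESS = 'alert tcp any any <> any 21 (msg:"Successful FTP Login"; content:"230 User"; sid:1000004; rev:1;)'
RULE_BAD_PASSWORD = 'alert tcp any any <> any 21 (msg:"FTP User OK Password Bad"; content:"331 Password"; sid:1000005; rev:1;)'
RULE_ADMIN = 'alert tcp any any <> any 21 (msg:"FTP Failed Admin Login"; content:"Administrator"; content:"331 Password"; sid:1000006; rev:1;)'
RULE_PNG = 'alert tcp any any <> any any (msg:"PNG File Found"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100001; rev:1;)'

# Constructed TCP payloads standing in for the pcap: a failed and a successful
# Administrator login, a guest login that never sends a password, a PNG header.
SAMPLE_PAYLOADS = [
    b"220 FTP server ready\r\n",
    b"USER Administrator\r\n",
    b"331 Password required for Administrator\r\n",
    b"PASS wrong\r\n",
    b"530 User cannot log in.\r\n",
    b"USER Administrator\r\n",
    b"331 Password required for Administrator\r\n",
    b"PASS correct\r\n",
    b"230 User logged in.\r\n",
    b"USER guest\r\n",
    b"331 Password required for guest\r\n",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
]

def parse_contents(rule: str) -> list[bytes]:
    # Return the byte pattern of every content:"..." option in the rule.
    # Text between pipes is hex (Snort's |89 50 4E 47| notation); everything
    # else is taken as literal bytes. Modifiers and escapes are not handled.
    patterns = []
    for raw in re.findall(r'content:\s*"([^"]*)"', rule):
        buf, i = b"", 0
        while i < len(raw):
            if raw[i] == "|":
                end = raw.index("|", i + 1)
                buf += bytes.fromhex(raw[i + 1:end])
                i = end + 1
            else:
                buf += raw[i].encode("latin-1")
                i += 1
        patterns.append(buf)
    return patterns

def rule_matches(rule: str, payload: bytes) -> bool:
    # Multiple content: clauses are ANDed: every pattern must occur in the payload.
    return all(p in payload for p in parse_contents(rule))

def count_matches(rule: str, payloads: list[bytes]) -> int:
    # Number of packets the rule would alert on ("number of detected packets").
    return sum(rule_matches(rule, p) for p in payloads)
```

Swap in your own payloads to check a rule before loading it into local.rules; the USER line shows why "Administrator" alone would over-match.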
Task 5 Writing IDS Rules (Torrent Metafile) Questions:
1. What is the number of detected packets?
Rule:
alert tcp any any <> any any (msg:"Torrent File Detected"; content:".torrent"; sid:1000001; rev:1;)
Command: sudo snort -c local.rules -A full -l . -r torrent.pcap
2. What is the name of the torrent application?
Command: sudo snort -r snort.log.1683231897 -X
3. What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?
--
9 months: wrong answer on the first question! "Write rules to detect "all TCP port 80 traffic" packets in the given pcap file. What is the number of detected packets?" the correct one is "164" ...
Cybersecurity Analyst | Openly collaborate with other Cybersecurity Specialists to find solutions for tomorrow's problems.
1 year: I do enjoy pfsense/Snort