Stopping a Brute-Force Attack with Snort
Installing Snort on Ubuntu 22.04.1
You can find the Ubuntu 22.04.1 iso here:
One important note: to use IPS (inline) mode in Snort, you need two network adapters, because inline traffic enters on one interface and leaves on the other. In my setup, one adapter is connected to my Tech Subnet and the other to NAT.
After setting up a virtual machine and getting it up and running, run sudo apt-get update and sudo apt-get upgrade.
Side note: I found that ifconfig isn't installed by default on Ubuntu 22.04.1, so we have to run sudo apt install net-tools
After that, you should be able to use ifconfig.
Now, let's install snort. It is pretty straightforward.
sudo apt install snort
You can run snort --version to check that it is installed.
All right, let's add our rules to the local.rules in /etc/snort/rules
sudo nano /etc/snort/rules/local.rules
drop tcp any any -> 172.20.25.16 80 (msg: "Hacker tool found ALERT ALERT"; content:"(Hydra)"; offset: 12; sid: 1000001; rev: 2;)
Make sure you change the IP to your DVWA IP
You can find more information about writing snort rules here:
or here
Save it by pressing CTRL + S.
Let's start snort in IPS mode.
sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i ens33:ens37 -A console
Don't worry if you don't see any output on the screen. It will appear once we launch our attack.
Speaking of attack, let's launch our attack.
We will not cover the steps to launch it in full detail; I'll provide the command. Remember to change the PHPSESSID to your current session ID.
If you need a refresher on the steps, you can look here
Command:
hydra -V -L username.txt -P password.txt 172.20.25.16 http-get-form "/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie\: PHPSESSID=82nglh6dnikvej5j8fmka7b92l;security=low"
This is the output from Hydra:
As you can see, the request using admin/password was dropped since the attacker was using Hydra. That means our rule works!
This is what it would look like if we didn't have the rule set in place:
This is what it looks like from snort:
Additionally, this rule doesn't prevent regular, valid users from logging in.
I will log in using a regular browser (Firefox)
As you can see, it works. That is all I have for now. Next is Command Injection
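To make it clearer why the local.rules entry above drops Hydra's requests but lets the Firefox login through, here is an added example (not part of the original article and not Snort's own code) that models Snort's content/offset matching and runs the article's rule against two constructed HTTP requests. It assumes Hydra's default User-Agent header is "Mozilla/5.0 (Hydra)"; the Firefox User-Agent string and the PHPSESSID value are constructed placeholders.

```python
# Added example: a minimal model of how Snort's "content" + "offset" options decide
# which requests the article's rule drops. Not Snort's code; the requests below are
# constructed sample data.
import re

# The rule exactly as written in local.rules in the article.
RULE = ('drop tcp any any -> 172.20.25.16 80 (msg: "Hacker tool found ALERT ALERT"; '
        'content:"(Hydra)"; offset: 12; sid: 1000001; rev: 2;)')


def parse_rule(rule: str) -> dict:
    """Split a Snort 2 rule into its header fields and its option key/value pairs."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    options = {}
    # Options are "key:value;" pairs; values may be quoted strings.
    for key, value in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;', body.rstrip(")")):
        options[key] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def content_matches(payload: bytes, pattern: bytes, offset: int = 0) -> bool:
    """Snort 'content' with 'offset': the pattern may appear anywhere at or after
    byte `offset` of the payload. Offset sets where the search starts; it does not
    require the pattern to sit exactly at that byte."""
    return payload.find(pattern, offset) != -1


def rule_verdict(rule: dict, dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Return the rule's action (here "drop") when the packet matches the rule
    header and the content option, otherwise "pass"."""
    if rule["dst"] != dst_ip or int(rule["dport"]) != dst_port:
        return "pass"
    opts = rule["options"]
    pattern = opts["content"].encode()
    offset = int(opts.get("offset", 0))
    return rule["action"] if content_matches(payload, pattern, offset) else "pass"


# Constructed request as Hydra's http-get-form module would send it (assumed default
# User-Agent "Mozilla/5.0 (Hydra)"; session id is a placeholder).
HYDRA_REQUEST = (
    b"GET /DVWA/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1\r\n"
    b"Host: 172.20.25.16\r\n"
    b"User-Agent: Mozilla/5.0 (Hydra)\r\n"
    b"Cookie: PHPSESSID=EXAMPLE_SESSION_ID; security=low\r\n\r\n"
)

# Constructed request for the same login from a regular Firefox browser.
FIREFOX_REQUEST = (
    b"GET /DVWA/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1\r\n"
    b"Host: 172.20.25.16\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
    b"Cookie: PHPSESSID=EXAMPLE_SESSION_ID; security=low\r\n\r\n"
)


def verdicts() -> dict:
    """Evaluate the article's rule against the sample requests."""
    rule = parse_rule(RULE)
    return {
        "hydra": rule_verdict(rule, "172.20.25.16", 80, HYDRA_REQUEST),
        "firefox": rule_verdict(rule, "172.20.25.16", 80, FIREFOX_REQUEST),
        # Same Hydra payload to a different destination: the header does not match.
        "hydra_other_host": rule_verdict(rule, "172.20.25.17", 80, HYDRA_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

Running it prints drop for the Hydra request and pass for the Firefox request and for the Hydra request aimed at another host, which is the behaviour the screenshots show. Note that the rule keys on the User-Agent header, which the client chooses: it cleanly separates Hydra's default traffic from Firefox in this lab, but it is a signature for this tool's default header rather than for brute-forcing in general.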
[Click-Here] for Command Injection
System Engineer | CND | ECIH
1 year ago: Thank you for sharing this insightful article! It's been incredibly helpful in my IDS/IPS study. Grateful for the valuable information you've provided.