Snort - Live Attacks

Analyze network traffic to identify attacker patterns and write Snort rules for detecting known attack vectors (Brute-Force and Reverse Shell).

By Ren Sie

Refer to Live Attacks for the challenge room on TryHackMe

Scenario #1, Brute-force

The company is under a brute-force attack. Observe the traffic with Snort and identify the anomaly first, then create a rule to stop the attack.

  • Start Snort in sniffer mode and figure out the attack source, service and port.
  • Write an IPS rule and run Snort in IPS mode to stop the brute-force attack. Once you stop the attack properly, you will have the flag on the desktop!

A few points to remember:

  • Create the rule and test it in "-A console" mode.
  • Use "-A full" mode and the default log path to stop the attack.
  • Write the correct rule and run Snort in IPS "-A full" mode.
  • Block the traffic for a minute and the flag file will appear on the desktop.

Capture the Traffic

With the -A console option, alerts are printed to the console, and -v adds the packet headers (source, destination, protocol and flags). Stop the capture (Ctrl+C) after about 30 seconds and examine the traffic in the console to answer the challenge questions.

sudo snort -c /etc/snort/snort.conf -v -A console

Analyze the Traffic

After executing the recommended command, I observed continuous traffic originating from and directed towards two distinct end devices, which suggests a possible brute force attack. The figure below illustrates that the attack is targeting our web server.

I then wrote a summary note with Mousepad.

The figure below shows that the attack is targeting the SSH service.

I then wrote a summary note with Mousepad.
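As an added example (not part of the original write-up), the following Python script does the first-pass triage for both scenarios on Snort -v console output: it counts new-connection SYNs per source, destination and service port to surface the brute-force source, and lists the flows that touch a given port, such as 4444 for the reverse shell. The header and flag line formats follow Snort 2's verbose output; the packets themselves are constructed, not captured from the room.

```python
import re
from collections import Counter

# Constructed Snort "-v" console output (not captured from the room), reduced to the
# header line "MM/DD-HH:MM:SS.us src:port -> dst:port" and the TCP flags line of each packet.
SAMPLE = """\
12/09-10:00:01.000001 10.10.245.36:40001 -> 10.10.140.29:22
******S* Seq: 0x1  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
12/09-10:00:01.000002 10.10.140.29:22 -> 10.10.245.36:40001
***A**S* Seq: 0x2  Ack: 0x2  Win: 0xFAF0  TcpLen: 40
12/09-10:00:01.000003 10.10.245.36:40002 -> 10.10.140.29:22
******S* Seq: 0x3  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
12/09-10:00:01.000004 10.10.245.36:40003 -> 10.10.140.29:22
******S* Seq: 0x4  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
12/09-10:00:02.000001 10.10.196.55:51000 -> 10.10.144.156:4444
***AP*** Seq: 0x5  Ack: 0x5  Win: 0x1F6  TcpLen: 32
"""

HEADER = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:")  # Snort prints TCP flags in the order 12UAPRSF

def parse_packets(text):
    """One dict per packet; 'flags' holds Snort's 8-character TCP flag string ('' if none seen)."""
    packets = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            src, sport, dst, dport = m.groups()
            packets.append({"src": src, "sport": int(sport), "dst": dst,
                            "dport": int(dport), "flags": ""})
        elif packets and (m := FLAGS.match(line)):
            packets[-1]["flags"] = m.group(1)
    return packets

def syn_counts(packets):
    """Pure SYNs (no ACK) per (src, dst, dport): many from one source to one service means
    repeated new connections, which is what a brute-force attempt looks like on the wire."""
    c = Counter()
    for p in packets:
        if "S" in p["flags"] and "A" not in p["flags"]:
            c[(p["src"], p["dst"], p["dport"])] += 1
    return c

def suspected_brute_force(packets, threshold=3):
    """(src, dst, dport, syn_count) for every flow at or above the threshold, busiest first."""
    return sorted(((k[0], k[1], k[2], n) for k, n in syn_counts(packets).items() if n >= threshold),
                  key=lambda t: -t[3])

def flows_on_port(packets, port):
    """Distinct (src, dst, dport) seen with the port on either end, e.g. 4444 for the reverse shell."""
    return sorted({(p["src"], p["dst"], p["dport"]) for p in packets if port in (p["sport"], p["dport"])})
```

On a real capture, pipe the console output to a file and pass its contents to parse_packets; the threshold should be raised to match 30 seconds of traffic.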

Create the Rule to Block Malicious Traffic

Based on the findings from the previous section, I created two rules to address the source address and service port on the victim. Add the customized rules to the local rule file located at /etc/snort/rules/local.rules. Because the goal is to stop the traffic rather than only log it, the rule action is drop: an alert rule only raises an alert, even when Snort runs inline.

Rule #1: drop tcp 10.10.245.36 any -> 10.10.140.29 22 (msg:"Malicious SSH Connection!"; sid:100001; rev:1;)
Rule #2: drop tcp 10.100.2.28 any -> 10.10.74.169 80 (msg:"Malicious HTTP Connection!"; sid:100002; rev:1;)
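The -T test below only tells you whether Snort can load the file. As an added example (not part of the original write-up), this Python checker catches the mistakes that -T does not flag as errors but that stop a rule from doing its job: an alert action where a drop is needed, a sid reused by a second rule, and a missing msg, sid or rev. The rules file it checks is constructed here from the write-up's SSH rule plus two deliberately flawed variants.

```python
import re

# Constructed local.rules body (not the room's file): the page's SSH rule as written, the same
# rule re-issued as a drop without a new sid, and a reverse-shell rule missing its final ';'.
LOCAL_RULES = """\
alert tcp 10.10.245.36 any -> 10.10.140.29 22 (msg:"Malicious SSH Connection!"; sid:100001; rev:1;)
drop tcp 10.10.245.36 any -> 10.10.140.29 22 (msg:"Malicious SSH Connection!"; sid:100001; rev:2;)
drop tcp 10.10.144.156 4444 -> 10.10.196.55 any (msg:"Reverse Shell Connection!"; sid:100003; rev:1)
"""

RULE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(line):
    """Split one Snort 2 rule into header fields plus an options dict (flag options map to None).
    Assumes option values contain no ';', which holds for the simple rules in this write-up."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line.strip()!r}")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";") if o.strip()):
        key, sep, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"') if sep else None
    return {"action": action, "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "options": options, "terminated": opts.rstrip().endswith(";")}

def check_rules(text, must_block=True):
    """Problems found in a rules file: unparsable lines, missing msg/sid/rev, an unterminated
    option list, a reused sid, and (with must_block) alert rules that never drop anything."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            r = parse_rule(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        o = r["options"]
        for req in ("msg", "sid", "rev"):
            if req not in o:
                problems.append(f"line {n}: missing {req}")
        if not r["terminated"]:
            problems.append(f"line {n}: last option is not terminated with a semicolon")
        if o.get("sid") in seen:
            problems.append(f"line {n}: sid {o['sid']} already used on line {seen[o['sid']]}")
        elif "sid" in o:
            seen[o["sid"]] = n
        if must_block and r["action"] == "alert":
            problems.append(f"line {n}: 'alert' only logs the packet; use 'drop' to block it in inline mode")
    return problems
```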

Test the New Rule

Before capturing and blocking the target traffic, we should ensure that the customized rule is configured correctly by running a test.

sudo snort -c /etc/snort/snort.conf -T -A console

Implement the Rule in IPS Mode

To run IPS mode, we need to add some options to the command:

  • “-q” makes Snort less verbose, showing fewer informational messages.
  • “-Q” enables inline mode, so Snort will actively block or drop matching traffic.
  • “--daq afpacket” selects the afpacket DAQ module, which supports inline mode.
  • “-i eth0:eth1” specifies the bridged pair of interfaces, eth0 and eth1, that Snort sits between.
  • “-A full” means Snort will write complete details about any detected issues.
  • “-l /var/log/snort/” tells Snort to store its logs in the default log path.

sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full -l /var/log/snort/

Capture the Flag

After allowing the IPS to run for a minute, a flag.txt file will appear on the desktop.

Scenario #2, Reverse-Shell

We have stopped some inbound access attempts. However, there is an attacker who is already inside our network, in addition to the insider risks. The dwell time is still around 1-3 months, so it is worth checking the outgoing traffic. We have noticed persistent outbound traffic, possibly a reverse shell.

Capture the Traffic

With the -A console option, alerts are printed to the console, and -v adds the packet headers. Stop the capture (Ctrl+C) after about 30 seconds and examine the traffic in the console to answer the challenge questions.

sudo snort -c /etc/snort/snort.conf -v -A console

Analyze the Traffic

As soon as I saw traffic coming in and going out on port 4444, I associated it with a reverse shell generated with Metasploit. The screenshot below shows the reverse shell connection to the malicious node.

I then wrote a summary note with Mousepad.

Create the Rule to Block Malicious Traffic

Based on the findings from the previous section, I created a rule to address the source address and service port on the victim. Add the customized rule to the local rule file located at /etc/snort/rules/local.rules. As in the first scenario, the action is drop rather than alert so that the connection is actually blocked in inline mode.

Rule #1: drop tcp 10.10.144.156 4444 -> 10.10.196.55 any (msg:"Reverse Shell Connection!"; sid:100001; rev:1;)

Test the New Rule

Before capturing and blocking the target traffic, we should ensure that the customized rule is configured correctly by running a test.

sudo snort -c /etc/snort/snort.conf -T -A console

Implement the Rule in IPS Mode

To run IPS mode, we need to add some options to the command:

  • “-q” makes Snort less verbose, showing fewer informational messages.
  • “-Q” enables inline mode, so Snort will actively block or drop matching traffic.
  • “--daq afpacket” selects the afpacket DAQ module, which supports inline mode.
  • “-i eth0:eth1” specifies the bridged pair of interfaces, eth0 and eth1, that Snort sits between.
  • “-A full” means Snort will write complete details about any detected issues.
  • “-l /var/log/snort/” tells Snort to store its logs in the default log path.

sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full -l /var/log/snort/

Capture the Flag

After allowing the IPS to run for a minute, a flag.txt file will appear on the desktop.