Refer to The Basics for the challenge room on TryHackMe
Writing IDS Rules (HTTP)
Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file.
Number of detected packets?
Since the question pertains to HTTP traffic (TCP port 80), the rule should specify tcp port 80.
Rule: alert tcp any any <> any 80 (msg: "HTTP Packet Found!"; sid:100008; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Investigate the log file, what is the destination address of packet 63?
The -n 63 option tells Snort to stop after reading 63 packets from the log file, so the last packet printed is packet 63; read its destination address from there.
sudo snort -r <Snort Log Path> -n 63

What is the ACK number of packet 64?
The -n 64 option stops Snort after reading 64 packets, so the ACK number we need is in the last (64th) packet printed.
sudo snort -r snort.log.1722048011 -n 64

What is the SEQ number of packet 62?
Reuse the output from the previous step and scroll up to the 62nd packet to find the relevant information.

What is the TTL of packet 65? Source IP of packet 65? Source port of packet 65?
You can address all three questions with a single command.
sudo snort -r snort.log.1722048011 -n 65

Writing IDS Rules (FTP)
A list of FTP message codes can be found in List of FTP server return codes.
Detect "all TCP port 21" traffic. Number of detected packets?
Since the question requires FTP packets, we should include tcp port 21 in the rules.
Rule: alert tcp any any <> any 21 (msg: "FTP Packet Found!"; sid:100008; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

What is the FTP service name?
Using the -X option prints the full packet details in HEX and ASCII, including the FTP service name. After redirecting the output to a text file, use your text editor's search feature (Ctrl+F) to locate specific information.
sudo snort -r snort.log.1722048928 -X >> test.txt

Detect failed FTP login attempts. Number of detected packets?
According to the list of FTP server return codes, a failed FTP login returns a 530 service code. Therefore, we should include this code in the rule.
Rule: alert tcp any any <> any 21 (msg: "FTP login failed"; content:"530"; nocase; sid:100008; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Verify the FTP error message by examining the log to confirm that the failed login packet contains the service code 530.

Detect successful FTP logins. Number of detected packets?
According to the list of FTP server return codes, a successful FTP login returns a 230 service code. Therefore, we should include this code in the rule.
Rule: alert tcp any any <> any 21 (msg: "FTP login successful"; content:"230"; nocase; sid:100008; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Verify the FTP message by examining the log to confirm that the successful login packet contains the service code 230.

Detect FTP login attempts with a valid username but no password entered yet. Number of detected packets?
According to the list of FTP server return codes, an FTP session with a valid username but no password entered yet returns a 331 service code. Therefore, this code should be included in the rule.
Rule: alert tcp any any <> any 21 (msg: "FTP username accepted, password pending"; content:"331"; nocase; sid:100008; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Verify the FTP message by examining the log to confirm that an FTP session with a valid username but no password entered yet returns a 331 service code.

Detect FTP login attempts with the "Administrator" username but no password entered yet. Number of detected packets?
This question is similar to the previous one, but the rule needs a second condition to restrict the match to login attempts using the "Administrator" username. Two content options in one rule must both match, so we add content:" Administrator" next to content:"331", and mark the "331" content with fast_pattern so it is the one the fast pattern matcher uses to pre-select packets for the rule.
Rule: alert tcp any any <> any 21 (msg: "FTP Administrator login, password pending"; content:"331"; fast_pattern; content:" Administrator"; nocase; sid:100008; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Verify the FTP message by examining the log to confirm that an FTP session with a username "Administrator" but no password entered yet returns a 331 service code.

Writing IDS Rules (PNG)
Write a rule to detect the PNG file in the given pcap. Investigate the logs and identify the software name embedded in the packet.
We will use the file signature to detect .PNG files.
Rule: alert ip any any <> any any (msg: ".PNG is Found!"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100010; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .
By examining the output log, we can determine that the embedded software is Adobe ImageReady, as indicated by the ASCII data.
sudo snort -r <Snort Log Path> -X

Write a rule to detect the GIF file in the given pcap. Investigate the logs and identify the image format embedded in the packet.
We will use the file signature to detect .GIF files.
Rule: alert ip any any <> any any (msg: ".GIF is Found!"; content:"|47 49 46 38|"; sid:100011; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

sudo snort -r <Snort Log Path> -X
Note: Setting the signature to "47 49 46 38 37 61", which corresponds to GIF87a, will not detect the files, as they are in GIF89a format.
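To see what these content matches actually do, here is an added example (my own code, not code from this write-up or from Snort) that re-implements the small subset of Snort content matching the FTP, PNG and GIF rules above rely on: |hex| blocks, backslash escapes (which the later \\IPC$ rule also needs), nocase, several content options in one rule that must all match, and the port in the rule header. The packets it runs over are constructed; the content strings are the ones used in the rules above.

```python
"""Toy model of the Snort content matching used by the FTP, PNG and GIF rules
above, run against constructed packets. Added example, not Snort's code: it
models only |hex| blocks, backslash escapes, nocase, several content options
in one rule (all must match) and the port in the rule header."""


def parse_content(spec):
    """Turn the text of a content:"..." option into the bytes Snort matches."""
    out, i = bytearray(), 0
    while i < len(spec):
        c = spec[i]
        if c == "|":                         # |89 50 4E 47| hex block, spaces allowed
            j = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:j].replace(" ", ""))
            i = j + 1
        elif c == "\\":                      # \\ \" \; \| \: escape the next char
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def packet_matches(rule, pkt):
    """True when the header port (if any) and every content option match."""
    port = rule["port"]
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    for spec, nocase in rule["contents"]:
        needle, hay = parse_content(spec), pkt["payload"]
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:                # one miss is enough: options are ANDed
            return False
    return True


def count_alerts(rule, packets):
    return sum(packet_matches(rule, p) for p in packets)


# Rules as (header port or None, [(content text, nocase), ...]); the content
# text is exactly what sits between the quotes in the write-up's rules.
RULES = {
    "ftp_login_failed":    {"port": 21, "contents": [("530", True)]},
    "ftp_login_ok":        {"port": 21, "contents": [("230", True)]},
    "ftp_need_password":   {"port": 21, "contents": [("331", True)]},
    "ftp_admin_need_pass": {"port": 21, "contents": [("331", False), (" Administrator", True)]},
    "png":                 {"port": None, "contents": [("|89 50 4E 47 0D 0A 1A 0A|", False)]},
    "gif_any":             {"port": None, "contents": [("|47 49 46 38|", False)]},
    "gif87a_only":         {"port": None, "contents": [("|47 49 46 38 37 61|", False)]},
    "ipc_share":           {"port": None, "contents": [("\\\\IPC$", True)]},  # Snort text: \\IPC$
}


def pkt(sport, dport, payload):
    return {"sport": sport, "dport": dport, "payload": payload}


# Constructed packets (not taken from the challenge pcaps).
PACKETS = [
    pkt(50001, 21, b"USER Administrator\r\n"),
    pkt(21, 50001, b"331 Password required for Administrator\r\n"),
    pkt(50001, 21, b"PASS wrong\r\n"),
    pkt(21, 50001, b"530 User cannot log in.\r\n"),
    pkt(50002, 21, b"USER bob\r\n"),
    pkt(21, 50002, b"331 Password required for bob\r\n"),
    pkt(21, 50002, b"230 User bob logged in.\r\n"),
    pkt(80, 50003, b"HTTP/1.1 200 OK\r\nContent-Length: 530\r\n\r\n"),   # "530" outside FTP
    pkt(80, 50004, b"\x89PNG\r\n\x1a\n" + b"tEXtSoftware\x00Adobe ImageReady"),
    pkt(80, 50005, b"GIF89a" + bytes(8)),                                # GIF89a, not GIF87a
    pkt(50006, 445, b"\\\\10.10.10.5\\IPC$"),                           # wire bytes: \\10.10.10.5\IPC$
]


def alert_counts(packets=PACKETS):
    """Alert count per rule over the constructed packets."""
    return {name: count_alerts(rule, packets) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, n in alert_counts().items():
        print(f"{name:22s} {n}")
```

Two things the counts make visible: the 331 plus " Administrator" rule fires only on the server's reply, because the client's USER Administrator line lacks the "331"; and the same "530" content without the port-21 header would also count the HTTP Content-Length: 530 packet, which is why the header port matters as much as the content.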

Writing IDS Rules (Torrent Metafile)
Write a rule to detect the torrent metafile in the given pcap.
A torrent metafile is a .torrent file containing metadata that describes the files to be shared and their structure on a BitTorrent network. We will use the hex sequence 2E 74 6F 72 72 65 6E 74 (the ASCII string ".torrent") to detect the .torrent file.
Rule: alert ip any any <> any any (msg: ".Torrent is Found!"; content:"|2E 74 6F 72 72 65 6E 74|"; sid:100012; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

What is the name of the torrent application?
Using the -X option enables us to review the full packet details in both HEX and ASCII. By examining the ASCII data, we can identify that the application in use is BitTorrent.
sudo snort -r <Snort Log Path> -X


What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?
Referring to the previous figure, the MIME type is application/x-bittorrent.
The MIME type application/x-bittorrent indicates that the file is a torrent metafile, which BitTorrent programs use to handle and share files. This type of file contains details on how to download and piece together the larger files shared over the BitTorrent network.
What is the hostname of the torrent metafile?
Under the same log, we can see the host information (tracker2.torrentbox.com) within the packet.

Troubleshooting Rule Syntax Errors
Test each rule file with the following command:
sudo snort -c local-X.rules -r mx-1.pcap -A console
Fix the syntax error in the local-1.rules file. Number of detected packets?
After running the test, Snort reports an error at "any(msg:": the rule header runs straight into the option block.

After adding a space, so the rule reads "any (msg:", the packets are detected successfully.

Fix the syntax error in the local-2.rules file. Number of detected packets?
After running the test, we know the error is caused by a missing port value in the rule header (icmp any -> any any).

After adding the port value so the header reads "icmp any any -> any any", the packets are detected successfully.

Fix the syntax error in the local-3.rules file. Number of detected packets?
After running the test, we know the error is caused by a duplicated rule SID (sid: 1000001) shared by two rules.

After changing the SID of one of the two rules (to sid: 1000002), the packets are detected successfully.


Fix the syntax error in the local-4.rules file. Number of detected packets?
After running the test, we know the error is caused by the rule at line 9.

By examining the rules, we find both a syntax error and a SID duplication.
After fixing the syntax (replacing the ':' with ';') and changing the SID of one of the two rules (to sid: 1000002), the packets are detected successfully.


Fix the syntax error in the local-5.rules file. Number of detected packets?
After running the test, we know the error is caused by the direction specifier (<-).
Note: There is no "<-" operator in Snort, only "->" (source to destination flow) and "<>" (bidirectional flow).

After fixing the direction operator, Snort reports another error, this time from line 10. It is the same mistake as in the local-4.rules file: a ':' where a ';' belongs.


After fixing the syntax (replacing the ':' with ';'), the packets are detected successfully.

Fix the logical error in the local-6.rules file to create alerts. Number of detected packets?
After running the test, we notice that no packets are captured.

By studying the rule message, we know that this rule is meant to detect HTTP GET requests.

After modifying the options (content:"GET"; nocase;), the packets are detected successfully.


Additionally, running sudo snort -c local-6.rules -r mx-1.pcap -A full -l . writes a log we can use to verify the GET request rule. Reading that Snort log with the -X option confirms that the new rule captures the HTTP GET requests.

Fix the logical error in the local-7.rules file to create alerts. What is the name of the required option?
By studying the rule, we notice the msg option is missing. Judging by the file signature 2E 68 74 6D 6C (the ASCII string ".html"), we know the rule is looking for .html content.

Adding the msg option fixes the rule.
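The seven local-N.rules fixes above are all variations on a handful of mistakes, so here is an added example (my own code, not Snort's parser and not part of the challenge) that lints a rules file for exactly those classes: a missing space before the option block, a header with too few fields, an invalid direction operator, a ':' where a ';' belongs, a duplicate sid, and a missing msg. The sample rules file it checks is constructed to trigger each one. It cannot catch logical errors such as the local-6 content mistake; only a test run against a pcap reveals those.

```python
"""Lint a Snort 2 rules file for the error classes found in local-1 to
local-7 above. Added example, not Snort's parser: the checks are only the
ones the write-up needed (header/option spacing, header field count,
direction operator, ':' used where ';' belongs, duplicate sid, missing msg)."""
import re

DIRECTIONS = {"->", "<>"}
RULE_RE = re.compile(r"^(.*?)\((.*)\)\s*$")        # header ( options )
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')       # "..." with escapes


def split_options(body):
    """Split on ';' outside quotes; report whether each option had its ';'."""
    opts, cur, in_q, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if in_q and c == "\\":                     # keep escaped char as-is
            cur += body[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            opts.append((cur.strip(), True))
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        opts.append((cur.strip(), False))
    return opts


def lint_rules(text):
    """Return [(line_number, problem), ...] for a rules file given as text."""
    problems, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, "options must be enclosed in ( ... )"))
            continue
        header, body = m.group(1), m.group(2)
        if not header.endswith(" "):
            problems.append((n, "no space between header and '(' (e.g. 'any(msg:')"))
        fields = header.split()
        if len(fields) != 7:
            problems.append((n, f"header has {len(fields)} fields, expected 7: "
                                "action proto src sport dir dst dport"))
        elif fields[4] not in DIRECTIONS:
            problems.append((n, f"invalid direction {fields[4]!r}; only -> and <> exist"))
        options = {}
        for opt, terminated in split_options(body):
            if not terminated:
                problems.append((n, "last option is missing its ';'"))
            name, _, value = opt.partition(":")
            name, value = name.strip(), value.strip()
            options[name] = value
            if ":" in QUOTED_RE.sub('""', value):      # ignore ':' inside "..."
                problems.append((n, f"stray ':' in option '{name}' (':' used instead of ';'?)"))
        if "msg" not in options:
            problems.append((n, "missing msg option"))
        sid = options.get("sid")
        if sid is None:
            problems.append((n, "missing sid option"))
        elif sid in seen_sids:
            problems.append((n, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
        else:
            seen_sids[sid] = n
    return problems


# Constructed rules file: one rule per error class, plus one clean rule.
SAMPLE_RULES = """\
# constructed sample, not one of the challenge's local-N.rules files
alert icmp any any -> any any(msg:"no space before ("; sid:1000001; rev:1;)
alert icmp any -> any any (msg:"port missing from header"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"first of two"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"same sid again"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"colon for semicolon"; sid:1000004: rev:1;)
alert icmp any any <- any any (msg:"bad direction"; sid:1000005; rev:1;)
alert tcp any any -> any 80 (content:"GET"; nocase; sid:1000006; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP GET"; content:"GET"; nocase; sid:1000007; rev:1;)
"""

if __name__ == "__main__":
    for n, problem in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {problem}")
```

Run it before snort -c so the quick-to-spot mistakes are gone first; Snort's own error message for the local-4 and local-5 cases points at a line number but not at the ':' itself, which is what the stray-colon check adds.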

Using External Rules (MS17-010)
MS17-010 is a critical security update released by Microsoft to address vulnerabilities in the Server Message Block (SMB) protocol. It’s associated with the "EternalBlue" exploit used in the WannaCry ransomware attack.
Use the given rule file (local.rules) to investigate the MS17-010 exploitation. What is the number of detected packets?
Since the question only asks for the number of alerts, there is no need to write a log file. Use the -A console option to print the results to the terminal instead.
sudo snort -c <Local Rule Path> -r <.pcap Path> -A console

Write a rule to detect payloads containing the "\IPC$" keyword. What is the number of detected packets?
To match the keyword \IPC$, we include content:"\\IPC$" in the rule. The backslash is an escape character in Snort content strings, so a literal backslash has to be written as a doubled backslash for the string to be interpreted correctly.
Note: MS17-010 addressed the flaws that allowed remote code execution through the \IPC$ share and other SMB-related functionalities.
Rule: alert ip any any <> any any (msg: "\\IPC$ Found!"; content:"\\IPC$"; nocase; sid:1000001; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A console

Examine the log to confirm that the packet contains \IPC$.

Investigate the log/alarm files, what is the requested path?
Refer to the previous log screenshot; the requested path is \\<IP Address>\IPC$.
Investigate the log/alarm files, what is the CVSS v2 score of the MS17-010 vulnerability?
To find the answer, search for the "CVSS v2 score of the MS17-010 vulnerability" from the browser.


Using External Rules (Log4j)
The flaw in Log4j (versions 2.0 to 2.14.1) was a remote code execution vulnerability (CVE-2021-44228) that allowed attackers to execute arbitrary code on servers by sending specially crafted log messages.
Use the given rule file (local.rules) to investigate the log4j exploitation, what is the number of detected packets?
By utilizing the provided rules, we can identify the detected packets.
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Investigate the log files, how many rules were triggered?
By examining the log from the previous question, we should find the triggered events under the Action Stats (Alerts) section.
sudo snort -c <Local Rule Path> -r <.pcap Path> -A console

Investigate the log files, what are the first six digits of the triggered rule SIDs?
We should be able to find the triggered SIDs before the "snort exiting" line.
sudo snort -c <Local Rule Path> -r <.pcap Path> -A console

Write a rule to detect packet payloads between 770 and 855 bytes, what is the number of detected packets?
To detect packet payloads between 770 and 855 bytes, add a dsize range such as dsize:770<>855 to the rule. Check how your Snort version treats the two endpoints of a <> range (inclusive or exclusive) before relying on the count.
Rule: alert tcp any any -> any any (msg:"File Size Between 770 and 855 Bytes Found!"; dsize:771<>856; sid:2000002; rev:1;)
sudo snort -c <Local Rule Path> -r <.pcap Path> -A full -l .

Investigate the log files, what is the name of the used encoding algorithm?
After skimming through all the captured packets, I found the encoding algorithm in the packet with ID: 62808.
sudo snort -r <Snort Log Path> -X


Investigate the log files, what is the IP ID of the corresponding packet?
Refer to the packet found in the previous question to identify its IP ID.
Decode the encoded command, what is the attacker's command?
Use the strings tool and pipe the output to grep to capture the desired content.

Then use CyberChef to decode the command. The decoded command shows that the attacker tried to fetch a script from 45.155.205.233:5874 / 162.0.228.253:80 with curl or wget and pipe the retrieved content straight into bash so it is executed as a shell script.
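As an added example of the decoding step (my own code, not the write-up's strings/grep/CyberChef workflow, just the same idea scripted), this scans a payload for base64-looking runs and decodes the ones that are valid and printable. The payload is constructed: a harmless echo command is encoded into an HTTP header so there is something to find.

```python
"""Pull base64-looking runs out of a packet payload and decode the ones that
are valid and printable. Added example; the payload is constructed, with a
harmless 'echo' command encoded into an HTTP header."""
import base64
import binascii
import re

# Base64 alphabet runs of at least 20 chars with optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def find_base64_strings(payload, printable_only=True):
    """Return [(encoded, decoded), ...] for every run that decodes cleanly."""
    found = []
    for m in B64_RUN.finditer(payload):
        cand = m.group(0)
        if len(cand) % 4:                      # base64 comes in 4-char groups
            continue
        try:
            dec = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        if printable_only and not all(32 <= b < 127 or b in b"\r\n\t" for b in dec):
            continue                           # binary that happened to decode
        found.append((cand.decode("ascii"), dec.decode("ascii", "replace")))
    return found


# Constructed sample: not the challenge pcap, not the attacker's real command.
SAMPLE_COMMAND = b"echo constructed-sample"
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"X-Note: " + base64.b64encode(SAMPLE_COMMAND) + b"\r\n\r\n")

if __name__ == "__main__":
    for enc, dec in find_base64_strings(SAMPLE_PAYLOAD):
        print(f"{enc} -> {dec!r}")
```

The printable filter keeps random hex or binary that happens to decode out of the output. When the encoded blob sits inside a URL path, the '/' characters of the path are also valid base64, so the candidate may need trimming by hand before it decodes.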

What is the CVSS v2 score of the Log4j vulnerability?
Search for "CVSS 2.0 Log4j vulnerability" in your browser to find the CVSS score.
