TryHackMe Walkthrough: Snort

Gabby W
8 min read · Jan 26, 2023


Task 1: Introduction

Question 1: Read the task above.

No answer needed.

Task 2: Interactive Material and VM

Question 1: Navigate to the Task-Exercises folder and run the command “./.easy.sh” and write the output

Answer: Too Easy!

Task 3: Introduction to IDS/IPS

IDS vs IPS

Detection vs Prevention

A Network Behaviour Analysis (NBA) system works similarly to a NIPS. The difference is that a behaviour-based system requires a training period (also known as "baselining") to learn what normal traffic looks like before it can separate malicious traffic and threats from it. This model gives better results against new, previously unseen threats.

The system is trained on the "normal" so that it can detect the "abnormal". The training period is crucial for avoiding false positives: if a security breach happens during the training period, the malicious activity is learned as normal and the results will be highly problematic. Another critical point is to ensure that the system is trained well enough to recognise benign activities.

Detection creates alerts. Prevention terminates the connection.

An IDS can identify threats but requires user assistance to stop them.

An IPS can identify and block threats with little user assistance at detection time.

Question 1: Which snort mode can help you stop the threats on a local machine?

Answer: HIPS

Question 2: Which snort mode can help you detect the threats on a local network?

Answer: NIDS

Question 3: Which snort mode can help you detect the threats on a local machine?

Answer: HIDS

Question 4: Which snort mode can help you stop the threats on a local network?

Answer: NIPS

Question 5: Which snort mode works similar to NIPS mode?

Answer: NBA

Question 6: According to the official description of the snort, what kind of NIPS is it?

Answer: full-blown. Note: this is not an obvious answer; the phrase comes from Snort's own description, which says it can be used as a "full-blown network intrusion prevention system".

Question 7: NBA training period is also known as …

Answer: baselining

Task 4: First Interaction with Snort

Once Snort is started with a configuration file it becomes much more powerful. The configuration file is the all-in-one management file for Snort: rules, plugins, detection mechanisms (preprocessors), default actions and output settings are all defined there. It is possible to keep multiple configuration files for different purposes and cases, but only one can be used at runtime.

Question 1: Run the Snort instance and check the build number (the -V option prints the version and build number without processing any traffic).

Answer: 149

Question 2: Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.

sudo snort -c /etc/snort/snort.conf -T

Answer: 4151

Question 3: Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.

sudo snort -c /etc/snort/snortv2.conf -T

Answer: 1

Task 5: Operation Mode 1: Sniffer Mode

Question 1: You can practice the parameter combinations by using the traffic-generator script.

Answer: No answer needed.

Task 6: Operation Mode 2: Packet Logger Mode

Because Snort is run with sudo, the log files and directories it creates are owned by root. Be sure to change their ownership (chown) before working with them as a regular user.

We log in human-readable form with the parameter "-K ASCII" (which creates one directory per IP address under the log directory given with "-l") and read the generated logs back with "-r". The "-n" parameter limits how many packets are processed, which is handy when a question asks about the Nth packet.

Question 1: Now, you should have the logs in the current directory. Navigate to folder “145.254.160.237”. What is the source port used to connect port 53?

Answer: 3009

Question 2: Use snort.log.1640048004. Read the snort.log file with Snort; what is the IP ID of the 10th packet? [snort -r snort.log.1640048004 -n 10]

Answer: 49313

Question 3: Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet?

Answer: http://www.ethereal.com/development.html

Question 4: Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet?

Answer: 0x38AFFFF3

Question 5: Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets?

Answer: 41

Task 7: Operation Mode 3: IDS/IPS

IDS/IPS mode with parameters “-c” and “-T”: load a configuration (or rules) file and test it, then exit without processing traffic.

IDS/IPS mode with parameter “-N”: disable logging; alerts are still generated.

IDS/IPS mode with parameter “-D”: run in the background (daemon mode).

IDS/IPS mode with parameter “-A”: select the alert mode.

IDS/IPS mode with parameter “-A console”: print fast-style alerts to the console.

IDS/IPS mode with parameter “-A cmg”: print alerts to the console together with the packet headers and payload (hex and ASCII).

IDS/IPS mode with parameter “-A fast”: write one-line alerts (timestamp, message, addresses and ports) to the alert file.

IDS/IPS mode with parameter “-A full”: the default; write the full alert with packet headers to the alert file.

IDS/IPS mode with parameter “-A none”: disable alerting.

IDS/IPS mode: “Using rule file without configuration file”: point -c at a rules file such as local.rules directly, which tests the rules without loading the full configuration.

Question 1: What is the number of the detected HTTP GET methods?

Answer: 2

Question 2: You can practice the rest of the parameters by using the traffic-generator script.

Answer: No answer needed

Task 8: Operation Mode 4: PCAP Investigation

Investigating a single PCAP with parameter “-r”

Investigating multiple PCAPs with parameter “--pcap-list”: takes a quoted, space-separated list of pcap files and processes them in one run.

Investigating multiple PCAPs with parameter “--pcap-show”: prints the name of the pcap currently being processed, so alerts can be tied back to the file that produced them.

Question 1: What is the number of the generated alerts?

Answer: 170

Question 2: Keep reading the output. How many TCP Segments are Queued?

Answer: 18

Question 3: Keep reading the output. How many “HTTP response headers” were extracted?

Question 4: What is the number of the generated alerts?

Answer: 68

Question 5: What is the number of the generated alerts?

Answer: 340

Question 6: Keep reading the output. What is the number of the detected TCP packets?

Answer: 82

Question 8: What is the number of the generated alerts?

Answer: 1020
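The Task 7 alert modes differ only in how alerts are written out, and most of the Task 7 and Task 8 questions boil down to counting alerts in that output. The parser below for Snort 2's one-line "-A fast" alert format is an added example of mine, not part of the original room or the author's walkthrough. The alert lines it processes are constructed for illustration (the sids, messages and addresses are made up) and it assumes IPv4 addresses only, so it runs offline and counts alerts per rule, per protocol or by message text, as one would over a real alert file.

```python
import re
from collections import Counter

# Layout of one Snort 2 "-A fast" alert line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# The Classification field only appears when the rule has a classtype; ICMP alerts carry no ports.
# Assumption: IPv4 addresses only (IPv6 alert lines are treated as unparseable and skipped).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (made-up sids, messages and addresses), not output from the room's pcaps.
SAMPLE_ALERTS = """\
12/21-00:00:04.000000  [**] [1:1000001:1] HTTP GET detected [**] [Priority: 0] {TCP} 145.254.160.237:3372 -> 65.208.228.223:80
12/21-00:00:04.100000  [**] [1:1000001:1] HTTP GET detected [**] [Priority: 0] {TCP} 145.254.160.237:3371 -> 216.239.59.99:80
12/21-00:00:05.000000  [**] [1:1000002:1] Outbound DNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 145.254.160.237:3009 -> 145.253.2.203:53
12/21-00:00:06.000000  [**] [1:1000003:2] ICMP echo request [**] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_alerts(text):
    """Parse every alert line in a block of fast-format output, ignoring lines that do not match."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed:
            alerts.append(parsed)
    return alerts


def count_by(alerts, field):
    """Count alerts by one parsed field, e.g. "sid", "proto", "src" or "dst"."""
    return Counter(a[field] for a in alerts)


def count_matching(alerts, needle):
    """Count alerts whose message contains needle (case-insensitive), e.g. "GET" for the Task 7 question."""
    needle = needle.lower()
    return sum(1 for a in alerts if needle in a["msg"].lower())


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"total alerts: {len(alerts)}")
    for sid, n in count_by(alerts, "sid").most_common():
        print(f"  sid {sid}: {n}")
    print(f"alerts mentioning GET: {count_matching(alerts, 'GET')}")
```

On a real run, feed the contents of the alert file written by "-A fast" (or the console output of "-A console", which has the same shape) into parse_alerts; the total length of the list is the "generated alerts" figure the questions ask for, and count_by on "sid" shows which rule produced them.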

Task 9: Snort Rule Structure

There are three main categories of rule options in Snort:

General Rule Options — Fundamental rule options for Snort.

Payload Rule Options — Rule options that help to investigate the payload data. These options are helpful to detect specific payload patterns.

Non-Payload Rule Options — Rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.

Use “task9.pcap”

Question 1: Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet?

snort -c local.rules -A full -l . -r task9.pcap

Answer: TIMESTAMP REQUEST

Question 2: Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

Answer: 1

Question 3: Clear the previous log and alarm files and deactivate/comment out the old rule.

Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

Answer: 216

Question 4: Clear the previous log and alarm files and deactivate/comment out the old rule.

Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?

Snort reported 3 alerts plus 7 alerts, 10 in total.

Answer: 10

Question 5: Case Example — An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

Answer: rev. The revision number must be incremented so the modified rule can be told apart from its earlier version while keeping the same sid.
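Both the three option categories listed at the start of Task 9 and the exercises that follow (IP ID, SYN, PUSH-ACK, same source and destination IP, and bumping rev after a change) come down to knowing where each piece of a rule lives. The Python parser below is an added example of mine, not code from the room or from this walkthrough: it splits a Snort 2 rule into its header and options, classifies each option as general, payload or non-payload, flags rules that lack msg, sid or rev or use an unknown keyword, and increments rev. The rules it runs over were written by me to match the Task 9 wording; the sids are arbitrary, the HTTP GET rule is my own addition, and I do not claim they reproduce the alert counts above.

```python
import re

# Simplified Snort 2 rule grammar:
#   <action> <protocol> <src> <src_port> <direction> <dst> <dst_port> ( <option>; <option>; ... )
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<body>.*)\)\s*$"
)

# The three option categories from Task 9, with common Snort 2 keywords from each.
GENERAL = {"msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata"}
PAYLOAD = {"content", "nocase", "depth", "offset", "distance", "within", "pcre",
           "http_method", "http_uri", "http_header", "fast_pattern", "isdataat"}
NON_PAYLOAD = {"flags", "flow", "id", "ttl", "tos", "ipopts", "fragbits", "dsize",
               "seq", "ack", "window", "itype", "icode", "sameip", "ip_proto"}

# Rules I wrote to match the Task 9 wording (assumption: sids are arbitrary, the last
# rule is my own HTTP GET example, and none of these is the room's reference rule).
RULES = [
    'alert ip any any <> any any (msg:"IP ID 35369 seen"; id:35369; sid:1000001; rev:1;)',
    'alert tcp any any <> any any (msg:"TCP SYN"; flags:S; sid:1000002; rev:1;)',
    'alert tcp any any <> any any (msg:"TCP PUSH-ACK"; flags:PA; sid:1000003; rev:1;)',
    'alert ip any any -> any any (msg:"Same src and dst IP"; sameip; sid:1000004; rev:1;)',
    'alert tcp any any -> any 80 (msg:"HTTP GET; to server"; flow:to_server,established; '
    'content:"GET"; http_method; sid:1000005; rev:2;)',
]


def split_options(body):
    """Split the option block on ';' outside double quotes, keeping backslash escapes intact."""
    tokens, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped characters such as \; or \" stay as written
            current.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(current).strip():
                tokens.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if "".join(current).strip():
        tokens.append("".join(current).strip())
    return tokens


def classify(keyword):
    """Map an option keyword to the Task 9 category it belongs to."""
    if keyword in GENERAL:
        return "general"
    if keyword in PAYLOAD:
        return "payload"
    if keyword in NON_PAYLOAD:
        return "non-payload"
    return "unknown"


def parse_rule(text):
    """Split a rule into header fields and a list of (keyword, value, category) options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"malformed rule header: {text!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for token in split_options(m.group("body")):
        key, _, value = token.partition(":")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                 # strip the quotes around msg/content values
        options.append((key, value or None, classify(key)))   # bare keywords (sameip, nocase) get None
    rule["options"] = options
    return rule


def check_rule(rule):
    """Flag rules missing msg, sid or rev (every rule in the room carries all three) and unknown keywords."""
    keys = [k for k, _, _ in rule["options"]]
    problems = [f"missing {req}" for req in ("msg", "sid", "rev") if req not in keys]
    problems += [f"unrecognised option keyword {k!r}" for k, _, cat in rule["options"] if cat == "unknown"]
    return problems


def bump_rev(text):
    """Increment rev: the option an analyst must change after modifying an existing rule (Task 9 Q5)."""
    m = re.search(r"rev\s*:\s*(\d+)\s*;", text)
    if not m:
        raise ValueError("rule has no rev option")
    return text[:m.start()] + f"rev:{int(m.group(1)) + 1};" + text[m.end():]


if __name__ == "__main__":
    for text in RULES:
        rule = parse_rule(text)
        print(f"{rule['action']} {rule['proto']} {rule['src']}:{rule['sport']} {rule['dir']} "
              f"{rule['dst']}:{rule['dport']}  problems={check_rule(rule) or 'none'}")
        for key, value, category in rule["options"]:
            print(f"    {category:<12} {key}" + (f" = {value}" if value is not None else ""))
    print(bump_rev(RULES[4]))
```

The tokenizer matters more than it looks: a message such as "HTTP GET; to server" contains a semicolon, so splitting the option block naively on ";" would break the rule, which is the same reason Snort itself requires semicolons inside content and msg values to be escaped or quoted.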

Task 10: Snort2 Operation Logic: Points to Remember

Question 1: Read the task above.

Answer: No answer needed.

Task 11: Conclusion

Question 1: Read the task above.

Answer: No answer needed.
