Snort Challenge — The Basics — Part 1 | TryHackMe — Walkthrough

jcm3
8 min read · Feb 21, 2024

Hey all, this is the fourteenth installment in my walkthrough series on TryHackMe’s SOC Level 1 path and the third room in the Network Security and Traffic Analysis module, where we learn the core concepts needed to spot and investigate network anomalies using industry tools and techniques.

In this room, we will put your Snort skills into practice and write Snort rules to analyse live and captured network traffic.

Link: https://tryhackme.com/room/snortchallenges1

I really enjoyed working with Snort yesterday and am looking forward to the next two Snort rooms, so let’s get into it!

Task 1: Introduction

The room invites you to a challenge: investigate a series of traffic captures and stop malicious activity under two different scenarios. Let’s start working with Snort to analyse live and captured traffic.

We recommend completing the Snort room first, which will teach you how to use the tool in depth.

Exercise files for each task are located on the desktop, in one folder per task.

Task 2: Writing IDS Rules (HTTP)

Let’s create IDS Rules for HTTP traffic!

Answer the questions below:

Navigate to the task folder.

Use the given pcap file.

Write rules to detect “all TCP port 80 traffic” packets in the given pcap file.

2.1 What is the number of detected packets?

Note: You must answer this question correctly before answering the rest of the questions in this task.

Load up that machine and let’s get going. We’re going to need two rules to cover both directions of the traffic (packets leaving port 80 and packets arriving at it), so navigate to the TASK-2 folder and edit the local.rules file accordingly.

Now we run the command we got familiar with yesterday, which reads the pcap against our rules, writes full alerts, and logs into the current directory:

sudo snort -c local.rules -A full -l . -r mx-3.pcap

Then we’ll get our result in the console:

| Answer: 328

2.2 What is the destination address of packet 63?

Again, we should be comfortable doing this; we did it in the first Snort room yesterday.

After running the command from the previous question, your directory will contain an alert file and a snort.log.<timestamp> file (the number at the end is the time of your run, so yours will differ from mine),

so we’ll use Snort itself to read the log back, since it is written in pcap format:

sudo snort -r snort.log.1708454706 -n 63

-n 63 stops after the first 63 packets, so packet 63 is the last one printed, and its destination address is what we want:

| Answer: 145.254.160.237
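The rules file from my screenshot did not survive the move to Medium, so here is the whole Task 2 procedure as an added example (my reconstruction, not the room’s reference solution): the two port-80 rules, the run that produced the 328 alerts, and reading packet N back out of the log with -n. It assumes Snort 2.x with the flags used in this room and that you run it from the TASK-2 folder; the function names are mine.

```shell
#!/bin/sh
# Added example: Snort 2 rules plus the commands used in Task 2.
# Assumptions: Snort 2.x CLI (-c/-A/-l/-r/-n as used in the room), run from
# the TASK-2 folder, where mx-3.pcap lives.

# Write the two rules that together match every TCP packet touching port 80:
# one for traffic leaving port 80, one for traffic arriving at it. Snort also
# accepts the bidirectional operator (<>) in a single rule, but two rules keep
# the two directions countable under separate sids.
write_http_rules() {
    rules_file="$1"
    cat > "$rules_file" <<'EOF'
# TASK-2: every TCP packet to or from port 80, both directions
alert tcp any 80 -> any any (msg:"TCP port 80 traffic (from server)"; sid:100001; rev:1;)
alert tcp any any -> any 80 (msg:"TCP port 80 traffic (to server)"; sid:100002; rev:1;)
EOF
}

# Run the rules over the pcap: full alerts, logs in the current directory.
run_rules() {
    rules_file="$1"; pcap="$2"
    sudo snort -c "$rules_file" -A full -l . -r "$pcap"
}

# Name of the newest snort.log.* the run produced (the suffix is a timestamp,
# so it changes on every run).
latest_log() {
    ls -t snort.log.* 2>/dev/null | head -n 1
}

# Print the first N packets of the log; packet N is the last one printed, so
# its header fields (dst address, SEQ/ACK, TTL, ports) are at the bottom.
show_packet() {
    log="$1"; n="$2"
    sudo snort -r "$log" -n "$n"
}

# Only touch Snort when it is installed; the functions above are the point.
if command -v snort >/dev/null 2>&1; then
    write_http_rules local.rules
    run_rules local.rules mx-3.pcap
    show_packet "$(latest_log)" 63
fi
```

Because the log is itself a pcap, show_packet could equally be tcpdump -r or Wireshark; the room just wants you to use Snort.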

Investigate the log file.

2.3 What is the ACK number of packet 64?

Same thing, this time stopping at packet 64 and reading its ACK field:

sudo snort -r snort.log.1708454706 -n 64

| Answer: 0x38AFFFF3

Investigate the log file.

2.4 What is the SEQ number of packet 62?

sudo snort -r snort.log.1708454706 -n 62

| Answer: 0x38AFFFF3

Investigate the log file.

2.5 What is the TTL of packet 65?

sudo snort -r snort.log.1708454706 -n 65

| Answer: 128

Investigate the log file.

2.6 What is the source IP of packet 65?

| Answer: 145.254.160.237

Investigate the log file.

2.7 What is the source port of packet 65?

| Answer: 3372

Task 3: Writing IDS Rules (FTP)

Let’s create IDS Rules for FTP traffic!

Answer the questions below

Navigate to the task folder.

Use the given pcap file.

Write rules to detect “all TCP port 21” traffic in the given pcap.

3.1 What is the number of detected packets?

Go to the Task-3 folder and edit local.rules. Again we need two rules, one per direction, this time on port 21:

Run Snort on the pcap with the rules you just wrote:

sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap

Check the console output for the alert count:

| Answer: 614

Investigate the log file.

3.2 What is the FTP service name?

We can do this a number of ways; the one I’ll show uses only what we’ve been taught so far, cat.

cat out the resulting snort.log file and you’ll see a string that stands out among the binary noise: the FTP server’s banner. (The strings command does this more cleanly, since it prints only the printable text.)

| Answer: Microsoft FTP Service

Clear the previous log and alarm files.

Deactivate/comment on the old rules.

Write a rule to detect failed FTP login attempts in the given pcap.

3.3 What is the number of detected packets?

For this we need the content option, plus a little research: how does the wire tell us an FTP login failed? Let’s google FTP reply codes.

My first result gave me the relevant code: the server rejects a login with reply 530 (Not logged in), and that reply always comes from the server side, port 21.

Knowing that, we put the 530 reply text into the content option of a rule on traffic leaving port 21, like so:

Run this and we get our answer:

| Answer: 41

Clear the previous log and alarm files.

Deactivate/comment on the old rules.

Write a rule to detect successful FTP login attempts in the given pcap.

3.4 What is the number of detected packets?

Same process, just a different reply code: a successful login is acknowledged with 230 (User logged in):

| Answer: 1

Clear the previous log and alarm files.

Deactivate/comment on the old rules.

Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

3.5 What is the number of detected packets?

| Answer: 42

Clear the previous log and alarm files.

Deactivate/comment on the old rules.

Write a rule to detect failed FTP login attempts with “Administrator” username but a bad password or no password.

3.6 What is the number of detected packets?

For this we use two content options in the same rule, one for the string “Administrator” and one for reply code 331 (User name okay, need password); both must be found in the same packet for the rule to fire:

| Answer: 7
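Since the rule screenshots for this task are gone, here are all five Task 3 rule sets in one script as an added example (my reconstruction, not the room’s reference solution), selected by name, together with the clean-up the room asks for between runs. Instead of commenting out the old rules it simply overwrites local.rules. It assumes Snort 2.x run from the Task-3 folder and the Microsoft FTP reply wording seen in this pcap (“530 User …”, “230 User …”, “331 Password required for …”); the variant names and function names are mine.

```shell
#!/bin/sh
# Added example: the Task-3 rule sets and the reset between runs.
# Assumptions: Snort 2.x, run from the Task-3 folder next to ftp-png-gif.pcap;
# reply text as sent by Microsoft FTP Service. Reply codes are from RFC 959.

# Remove the alert file and packet logs from the previous run so the next
# count starts from zero.
reset_logs() {
    sudo rm -f alert snort.log.*
}

# Write one rule set. Only the server's replies carry the reply codes, so every
# content rule is on traffic *from* port 21; the "all" set covers both sides.
write_ftp_rules() {
    variant="$1"; rules_file="$2"
    case "$variant" in
    all)   # 3.1: every TCP packet to or from port 21
        cat > "$rules_file" <<'EOF'
alert tcp any 21 -> any any (msg:"FTP traffic from server"; sid:100001; rev:1;)
alert tcp any any -> any 21 (msg:"FTP traffic to server"; sid:100002; rev:1;)
EOF
        ;;
    failed)   # 3.3: 530 = Not logged in
        cat > "$rules_file" <<'EOF'
alert tcp any 21 -> any any (msg:"FTP failed login"; content:"530 User"; sid:100003; rev:1;)
EOF
        ;;
    success)   # 3.4: 230 = User logged in, proceed
        cat > "$rules_file" <<'EOF'
alert tcp any 21 -> any any (msg:"FTP successful login"; content:"230 User"; sid:100004; rev:1;)
EOF
        ;;
    need-password)   # 3.5: 331 = User name okay, need password (valid user, bad/no password)
        cat > "$rules_file" <<'EOF'
alert tcp any 21 -> any any (msg:"FTP valid user, bad or no password"; content:"331 Password"; sid:100005; rev:1;)
EOF
        ;;
    admin-need-password)   # 3.6: two content options; both must appear in the payload.
        # Without distance/within modifiers Snort searches each content
        # independently, so their order in the rule does not matter.
        cat > "$rules_file" <<'EOF'
alert tcp any 21 -> any any (msg:"FTP Administrator bad or no password"; content:"331 Password"; content:"Administrator"; sid:100006; rev:1;)
EOF
        ;;
    *)
        echo "unknown variant: $variant" >&2
        return 1
        ;;
    esac
}

# Clear old output, load the chosen rule set and run it over the pcap.
run_variant() {
    variant="$1"; pcap="$2"
    reset_logs
    write_ftp_rules "$variant" local.rules
    sudo snort -c local.rules -A full -l . -r "$pcap"
}

# Only run Snort when it is installed.
if command -v snort >/dev/null 2>&1; then
    run_variant failed ftp-png-gif.pcap
fi
```

Note the caveat for question 3.5: a 331 reply only tells you the username was accepted, not what happened next, which is why it counts one more than the 530 rule (an attempt that never sent a password produces a 331 but no 530).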

Task 4: Writing IDS Rules (PNG)

Let’s create IDS Rules for PNG files in the traffic!

Answer the questions below:

Navigate to the task folder.

Use the given pcap file.

Write a rule to detect the PNG file in the given pcap.

4.1 Investigate the logs and identify the software name embedded in the packet.

For this we use the strings command. What is strings? It’s just what it sounds like: it prints the runs of printable characters found in a binary file, which is exactly what we need to read text out of packet data. I ran it straight on the pcap, which works because the capture is small; running it on the snort.log your PNG rule produced instead limits the output to the packets that actually matched:

sudo strings ftp-png-gif.pcap

| Answer: Adobe ImageReadyq

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect the GIF file in the given pcap.

4.2 Investigate the logs and identify the image format embedded in the packet.

For this I used the content filter: “GIF”.

next use strings on the resulting log and you’ll find your answer:

After getting the answer, I checked the hint to see if that’s how they want you to do it, and it’s not: they want you to look up the format’s “magic number”, the fixed header bytes that every file of that type begins with (GIF files start with the ASCII text GIF87a or GIF89a). Snort can match those bytes written as hex between pipe characters just as easily as it matches ASCII text, so we’re able to filter on hex and ASCII alike, pretty versatile!

Task 5: Writing IDS Rules (Torrent Metafile)

Let’s create IDS Rules for torrent metafiles in the traffic!

Answer the questions below

Navigate to the task folder.

Use the given pcap file.

Write a rule to detect the torrent metafile in the given pcap.

5.1 What is the number of detected packets?

I tried to do this the hard way, looking for a starting string that every torrent metafile shares; just use a content filter on “.torrent”, as the hint suggests…

| Answer: 2

Investigate the log/alarm files.

5.2 What is the name of the torrent application?

Again, let’s use strings, replacing x with the timestamp on your own log file:

sudo strings snort.log.x

The resulting output will answer the last three questions:

| Answer: bittorrent

Investigate the log/alarm files.

5.3 What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

| Answer: application/x-bittorrent

Investigate the log/alarm files.

5.4 What is the hostname of the torrent metafile?

| Answer: tracker2.torrentbox.com
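Pulling the rules for Tasks 4 and 5 together, here is an added example (mine, not the room’s reference solution) that writes each file-detection rule by name and shows the same GIF header matched once as ASCII and once as hex, plus a small helper that runs strings over the log and keeps only the lines you care about. It assumes Snort 2.x run from the task folder; the PNG and GIF signatures are the ones from their file format specifications, and the function and variant names are mine.

```shell
#!/bin/sh
# Added example: content rules for Tasks 4 and 5 and a strings-based inspection
# of the packets Snort logged. Assumptions: Snort 2.x, run from the task folder;
# the pcap name is passed in because Task 5 uses a different capture.

# Write one detection rule. Both sides of the connection may carry the file,
# so these rules use the bidirectional operator (<>).
write_file_rule() {
    kind="$1"; rules_file="$2"
    case "$kind" in
    png)   # every PNG starts with the 8-byte signature 89 50 4E 47 0D 0A 1A 0A;
           # raw bytes go between pipe characters
        cat > "$rules_file" <<'EOF'
alert tcp any any <> any any (msg:"PNG file"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100001; rev:1;)
EOF
        ;;
    gif-ascii)   # header is "GIF87a" or "GIF89a"; "GIF8" covers both
        cat > "$rules_file" <<'EOF'
alert tcp any any <> any any (msg:"GIF file (ascii)"; content:"GIF8"; sid:100002; rev:1;)
EOF
        ;;
    gif-hex)   # the same four bytes written as hex: 47 49 46 38 = "GIF8"
        cat > "$rules_file" <<'EOF'
alert tcp any any <> any any (msg:"GIF file (hex)"; content:"|47 49 46 38|"; sid:100003; rev:1;)
EOF
        ;;
    torrent)   # Task 5: match the extension in the HTTP request and response
        cat > "$rules_file" <<'EOF'
alert tcp any any <> any any (msg:"torrent metafile"; content:".torrent"; sid:100004; rev:1;)
EOF
        ;;
    *)
        echo "unknown kind: $kind" >&2
        return 1
        ;;
    esac
}

# Fresh run: drop old output, write the rule, run Snort over the pcap.
run_file_rule() {
    kind="$1"; pcap="$2"
    sudo rm -f alert snort.log.*
    write_file_rule "$kind" local.rules
    sudo snort -c local.rules -A full -l . -r "$pcap"
}

# Print the printable strings in a Snort packet log, filtered by a regex
# (case-insensitive), e.g. the software name inside a PNG or the Content-Type
# and Host headers around a torrent download.
inspect_log() {
    log="$1"; pattern="$2"
    sudo strings "$log" | grep -i -E "$pattern"
}

# Only run Snort when it is installed.
if command -v snort >/dev/null 2>&1; then
    run_file_rule png ftp-png-gif.pcap
    inspect_log "$(ls -t snort.log.* | head -n 1)" 'ImageReady|Software'
fi
```

The ASCII and hex GIF rules match exactly the same bytes, so running both at once would double-count; pick one per run, as the room’s “deactivate the old rule” step implies.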

This concludes the Snort Challenge — The Basics — Part 1 on TryHackMe. Medium wouldn’t save the entire article in one piece even though it was well below the word count, so I’ll post the other half tomorrow.

We’ll see you then for the remainder of the Snort Challenge — The Basics!

jcm3

Proud dad, WGU cybersecurity grad, future MS:Cybersecurity & Information Assurance, aspiring cybersecurity professional, top 2% on TryHackMe.