Rules I've Used
# This file intentionally does not come with signatures. Put your local
# additions here.
# alert icmp any any <> any any (msg: "IP ID 35369 Found"; id:35369; sid:1000001; rev:1;)
# log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:S; sid:1000001; rev:1;)
# log tcp any any <> any any (msg: "PSH,ACK FLAGS"; flags:P,A; sid:1000001; rev:1;)
# log ip any any <> any any (msg: "SAME-IP IN IP"; sameip; sid:1000001; rev:1;)
# The IP rule above was not used in the first Snort room; it only wanted the next two rules, which showed fewer duplicates.
log udp any any <> any any (msg: "SAME-IP IN UDP"; sameip; sid:1000001; rev:1;)
log tcp any any <> any any (msg: "SAME-IP IN TCP"; sameip; sid:1000002; rev:1;)
Snort Params: Some
Sniffer mode parameters are explained in the table below:
Parameter | Description
-v | Verbose. Display the TCP/IP output in the console.
-d | Display the packet data (payload).
-e | Display the link-layer (TCP/IP/UDP/ICMP) headers.
-X | Display the full packet details in HEX.
-i | Define a specific network interface to listen/sniff on. When you have multiple interfaces, you can choose which one to sniff.
Task 2
Write rules to detect "all TCP port 80 traffic" packets in the given pcap file.
local.rules
log tcp any 80 <> any any (msg: "Originating Port 80"; sid:1000001; rev:1;)
log tcp any any <> any 80 (msg: "Destination Port 80"; sid:1000002; rev:1;)
Terminal:
snort -c local.rules -A full -l . -r [pcap_file]
What is the destination address of packet 63?
Start with
sudo snort -c /etc/snort/snort.conf -q -r icmp-test.pcap -A console -n 10
-c: the rule set / configuration file to use
-q: quiet mode, suppresses the banner and initial status information
-r: reads a pcap file
-n 10: stops after processing 10 packets
-A console: outputs alerts to the console
Converted to alert rules. Because -A only acts on alerts, I changed the above rules to:
local.rules
alert tcp any 80 <> any any (msg: "Originating Port 80"; sid:1000001; rev:1;)
alert tcp any any <> any 80 (msg: "Destination Port 80"; sid:1000002; rev:1;)
Terminal
sudo snort -c local.rules -q -r snort.log.1686512928 -A console -n 63
What is the ACK number of packet 64?
Since the packets have already been filtered into a log file, I used Snort's read capability (-r) to complete this task:
sudo snort -r snort.log.1686512928 -n 64
What is the SEQ number of packet 62?
What is the TTL of packet 65?
What is the source IP of packet 65?
What is the source port of packet 65?
Task 3
Write rules to detect "all TCP port 21" traffic in the given pcap.
What is the number of detected packets?
local.rules
alert tcp any 21 <> any any (msg: "Originating Port 21"; sid:1000001; rev:1;)
alert tcp any any <> any 21 (msg: "Destination Port 21"; sid:1000002; rev:1;)
Terminal
snort -c local.rules -A full -l . -r [pcap_file]
What is the FTP service name?
sudo snort -dev -r snort.log.1686515728 -n 10
Since we are reading the packets that were logged, and want information that is likely held inside the packet data, we need the -d option.
Write a rule to detect failed FTP login attempts in the given pcap.
What is the number of detected packets?
Here is the updated rule. It first caused issues by tracking the response in both directions, but after limiting it to only one direction I received the correct answer.
alert tcp any 21 <> any any (msg: "FTP Login Failed"; content: "530 User"; sid:1000001; rev:1;)
#alert tcp any any <> any 21 (msg: "FTP Login Failed"; content: "530 User"; sid:1000002; rev:1;)
Write a rule to detect successful FTP logins in the given pcap.
What is the number of detected packets?
The response code seems to be 230 for a successful FTP login, so:
alert tcp any 21 <> any any (msg: "FTP Login Success"; content: "230 User"; sid:1000001; rev:1;)
Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.
What is the number of detected packets?
I found that 331 and 336 reference this error; I was unsure what other strings showed, so I limited the search to those first.
alert tcp any 21 <> any any (msg: "FTP Login Failed and no/bad pass"; content: "331"; sid:1000001; rev:1;)
alert tcp any 21 <> any any (msg: "FTP Login Failed and no/bad pass"; content: "336"; sid:1000002; rev:1;)
After reading those packets you can see that they state "331 Password required"; this could easily be added to the content match to better avoid false positives.
Terminal
snort -c local.rules -A full -l . -r ftp-png-gif.pcap
ll
sudo snort -dev -r snort.log.1686517528
Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.
What is the number of detected packets?
Since we know what the error normally looks like, and we can see at least one packet that represents the issue, we can make a very specific filter using that information:
alert tcp any 21 <> any any (msg: "FTP Login Failed Admin and no/bad pass"; content: "331 Password required for Administrator"; nocase; sid:1000001; rev:1;)
Task 4
Write a rule to detect the PNG file in the given pcap.
Investigate the logs and identify the software name embedded in the packet.
local.rules
alert tcp any any <> any any (msg: "'PNG' found in Data"; content:"PNG"; sid:100001; rev:1;)
Terminal
snort -c local.rules -A full -l . -r ftp-png-gif.pcap
snort -dev -r [log.file]
Write a rule to detect the GIF file in the given pcap.
Investigate the logs and identify the image format embedded in the packet.
local.rules
alert tcp any any <> any any (msg: "'GIF' found in Data"; content:"GIF"; sid:100001; rev:1;)
Terminal
snort -c local.rules -A full -l . -r ftp-png-gif.pcap
snort -dev -r snort.log.1686557290
Task 5
Write a rule to detect the torrent metafile in the given pcap.
What is the number of detected packets?
local.rules
alert tcp any any <> any any (msg: "'Torrent' found in Data"; content:"Torrent"; sid:100001; rev:1;)
This results in 11 alerts.
They are using BitTorrent, but what does the torrent metafile look like?
alert tcp any any <> any any (msg: "'.Torrent' found in Data"; content:".Torrent"; sid:100001; rev:1;)
This resulted in no alerts, while
alert tcp any any <> any any (msg: "'.torrent' found in Data"; content:".torrent"; sid:100001; rev:1;)
resulted in more. So it seems the content search is case sensitive by default; if you want to match regardless of case, add the nocase option.
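To make the case-sensitivity finding concrete, here is an added Python emulation of Snort's content matching (my own example, not part of the write-up or Snort itself). It runs the page's PNG, GIF and .torrent content searches over constructed payloads and also shows why content:"PNG" hits the PNG signature bytes |89 50 4E 47| that the hex form describes.

```python
import re

HEX_BLOCK = re.compile(r'\|([^|]*)\|')  # |89 50 4E 47| segments in a content string

def content_to_bytes(content):
    """Turn a Snort content string such as '|89|PNG' into the raw bytes Snort searches for."""
    out, pos = b'', 0
    for m in HEX_BLOCK.finditer(content):
        out += content[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1))  # '89 50 4E 47' -> b'\x89PNG'
        pos = m.end()
    return out + content[pos:].encode('latin-1')

def content_matches(payload, content, nocase=False):
    """Emulate the content option: a byte search, case sensitive unless nocase is set."""
    needle = content_to_bytes(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

# Constructed payloads standing in for the pcap data the rules above were run against.
PNG_DATA = bytes.fromhex('89504e470d0a1a0a') + b'\x00\x00\x00\x0dIHDR'  # PNG signature
GIF_DATA = b'GIF89a' + b'\x01\x00\x01\x00'                              # GIF header
TORRENT_REQ = b'GET /files/ubuntu.torrent HTTP/1.1\r\nHost: example.invalid\r\n\r\n'

def run_page_rules():
    """Apply the write-up's content searches and report which fire on which payload."""
    return {
        'PNG on png': content_matches(PNG_DATA, 'PNG'),
        '|89 50 4E 47| on png': content_matches(PNG_DATA, '|89 50 4E 47|'),
        'GIF on gif': content_matches(GIF_DATA, 'GIF'),
        '.Torrent on request': content_matches(TORRENT_REQ, '.Torrent'),
        '.Torrent nocase on request': content_matches(TORRENT_REQ, '.Torrent', nocase=True),
        '.torrent on request': content_matches(TORRENT_REQ, '.torrent'),
    }
```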
What is the name of the torrent application?
BitTorrent
What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?
Since I wanted to search for the MIME type, and we already have a log with the known packets, I am going to get the ASCII output of those:
snort -c local.rules -K ascii -A full -l . -r snort.log.1686559485
It seems that was unnecessary; the MIME type is located in the part of the packet that states Accept:
What is the hostname of the torrent metafile?
This is found in the same packet near the end
Task 6
Here we are repairing rules. Since we just need the number of alerts, we can open them all at once:
Terminal
gedit local-* &
sudo snort -c local-X.rules -r mx-1.pcap
Fix the rules and run Snort on the pcap accordingly.
I thought that the -> was an error, but some research showed the following (from the Snort docs):
The direction operator of a header indicates the direction of the traffic that the rule should apply to. There are two valid direction operators: -> and <>. The -> operator is the most common, and it denotes that the IP addresses and port numbers on the left side represent the source and the IP addresses and port numbers on the right side represent the destination. The <> operator is the bidirectional operator, and it tells Snort to consider the two IP address and port pairs as either the source or destination. The direction operator is placed after the first ports declaration in the header.
https://docs.snort.org/rules/headers/directions
To test and validate rules without processing traffic, you can use -T:
sudo snort -c local-1.rules -T
Spaces are important in Snort rules: any(msg is wrong, any (msg is right.
Don't forget there are two any's on either side of the direction operator (address and port).
Duplicate sids in the same ruleset also cause issues.
Be careful of : vs ; and their locations in the rules.
Some rules have mistakes when translating ASCII to hex; be careful when using non-human-readable information for content searches, and verify it has the correct bytes.
Finally, even though it is not required, it is highly encouraged that all rules have a msg, so anyone using the rules can understand their purpose.
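The checklist above can be turned into a small rule linter. The following Python is an added example of mine (not the room's material and not how Snort's own parser works): it checks a rules file for exactly the mistake types listed above, namely a header with the wrong shape or missing spaces, a : typed where ; was meant, an option missing its terminating ;, odd or non-hex digits inside |..| content, a missing msg, and duplicate sids. The SAMPLE rules are constructed to trip each check.

```python
import re
# Snort 2 header: action proto src sport dir dst dport, then the option list in parentheses.
HEADER = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+'
                    r'(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;"]*))?\s*;')  # name[:value];
HEX_BLOCK = re.compile(r'\|([^|]*)\|')  # |47 45 54| segments inside a content string

def parse_options(body):
    """Return (name, value) pairs; value is None when the option lacks its ';'."""
    opts, pos = [], 0
    while m := OPTION.match(body, pos):
        opts.append((m.group(1), (m.group(2) or '').strip().strip('"')))
        pos = m.end()
    if body[pos:].strip():  # trailing text that never reached a ';'
        opts.append((body[pos:].strip().partition(':')[0].strip(), None))
    return opts

def lint_rules(text):
    """Return (line_no, problem) pairs; line 0 marks file-wide problems."""
    problems, sids = [], {}
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith('#'):
            continue
        m = HEADER.match(line)
        if not m:
            problems.append((n, 'bad header: need "action proto src sport dir dst dport (options)"'))
            continue
        opts = parse_options(m.group(8))
        if 'msg' not in [name for name, _ in opts]: problems.append((n, 'no msg option'))
        for name, val in opts:
            if val is None:
                problems.append((n, f'option "{name}" not terminated with ";"'))
            elif name == 'sid':
                sids[val] = sids.get(val, 0) + 1
                if not val.isdigit():
                    problems.append((n, f'sid "{val}" is not a number (":" typed for ";"?)'))
            elif name == 'content':
                for hexpart in HEX_BLOCK.findall(val):
                    digits = hexpart.replace(' ', '')
                    if len(digits) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', digits):
                        problems.append((n, f'bad hex in content: |{hexpart}|'))
    problems += [(0, f'sid {s} used {c} times') for s, c in sids.items() if c > 1]
    return problems

# Constructed sample with one rule per mistake type (not the room's actual local-X.rules).
SAMPLE = '''alert tcp any any <> any 80 (msg:"ok rule"; content:"|47 45 54|"; sid:100001; rev:1;)
alert tcp any any <> any(msg:"no space before options"; sid:100002; rev:1;)
alert tcp any any -> any 80 (content:"GET"; sid:100001; rev:1;)
alert tcp any any <> any 80 (msg:"colon for semicolon"; sid:100005: rev:1;)
alert tcp any any <> any 80 (msg:"odd hex"; content:"|47 45 5|"; sid:100006; rev:1)
'''
```

Calling lint_rules(SAMPLE) flags lines 2 to 5 and reports the duplicate sid 100001 as a file-wide problem; the first rule passes cleanly.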
Task 7
Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword
local.rules
alert tcp any any <> any any (msg: "find \IPC$"; content:"\\IPC$"; sid:1000001; rev:1;)
Terminal
sudo snort -c local-1.rules -T
sudo snort -c local-1.rules -r ms-17-010.pcap
What is the requested path?
sudo snort -c local-1.rules -A full -l . -r ms-17-010.pcap
sudo snort -dev -r snort.log.1686563223
Found CVSS score at https://www.tenable.com/plugins/nessus/97737
Task 8
Use the given rule file (local.rules) to investigate the log4j exploitation.
What is the number of detected packets?
sudo snort -c local.rules -r log4j.pcap
Look at the alerts / logged file.
How many rules were triggered?
This one is weird: I see 3 different filtered events, with one of them filtering twice, therefore 4 rules triggered? Unsure.
What are the first six digits of the triggered rule sids?
Look at the filtered events.
Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.
What is the number of detected packets?
local.rules
alert tcp any any <> any any (msg: "payload between 770:855";dsize:770<>855; sid:1000001; rev:1;)
Terminal
sudo gedit local-1.rules &
ll
sudo snort -c local-1.rules -T
sudo snort -c local-1.rules -r log4j.pcap
What is the name of the used encoding algorithm?
Terminal
sudo snort -c local-1.rules -A full -l . -r log4j.pcap
sudo snort -dev -r snort.log.1686565875
What is the IP ID of the corresponding packet?
local.rules
alert tcp any any <> any any (msg: "payload between 770:855";dsize:770<>855;content:"Base64"; sid:1000001; rev:1;)
Terminal
sudo snort -c local-1.rules -T
sudo snort -dev -r snort.log.1686566133
Decode the encoded command.
What is the attacker's command?
This packet has some Base64-encoded text; copying it and placing it in CyberChef to convert from Base64 is one way to figure out what the command actually is.
What is the CVSS v2 score of the Log4j vulnerability?
Found at https://nvd.nist.gov/vuln/detail/cve-2021-44228