
Snort Challenge - The Basics

Rules I've Used

# This file intentionally does not come with signatures.  Put your local
# additions here.
# alert icmp any any <> any any (msg: "IP ID 35369 Found"; id:35369; sid: 1000001; rev:1)
# log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:S;  sid: 1000001; rev:1;)
# log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:P,A;  sid: 1000001; rev:1;)
# log ip any any <> any any (msg: "SAME-IP IN IP"; sameip; sid:1000001; rev:1;)
# This was not used in the first snort task; they only wanted the next 2 rules, which showed fewer dups
log udp any any <> any any (msg: "SAME-IP IN UDP"; sameip; sid:1000001; rev:1;)
log tcp any any <> any any (msg: "SAME-IP IN TCP"; sameip; sid:1000002; rev:1;)

Snort Params: Some

Sniffer mode parameters are explained in the table below:

Parameter   Description
-v          Verbose. Display the TCP/IP output in the console.
-d          Display the packet data (payload).
-e          Display the link-layer (TCP/IP/UDP/ICMP) headers.
-X          Display the full packet details in HEX.
-i          Define a specific network interface to listen/sniff on. When you have multiple interfaces, you can choose which one to sniff.


Task 2

Write rules to detect "all TCP port 80 traffic" packets in the given pcap file. 

local.rules

log tcp any 80 <> any any (msg: "Originating Port 80"; sid:1000001; rev:1;)

log tcp any any <> any 80 (msg: "Destination Port 80"; sid:1000002; rev:1;)

Terminal:

snort -c local.rules -A full -l . -r [pcap_file]

What is the destination address of packet 63?

Start with

sudo snort -c /etc/snort/snort.conf -q -r icmp-test.pcap -A console -n 10

-c specifies the configuration/ruleset file

-q quiets the banner and initial info

-r reads a pcap

-n 10: reads only the first 10 packets

-A console: outputs alerts to the console

Since -A works on alerts, I changed the above rules to:

local.rules

alert tcp any 80 <> any any (msg: "Originating Port 80"; sid:1000001; rev:1;)
alert tcp any any <> any 80 (msg: "Destination Port 80"; sid:1000002; rev:1;)

Terminal

sudo snort -c local.rules -q -r snort.log.1686512928 -A console -n 63

What is the ACK number of packet 64?

Since the packets have already been filtered into a log file, I used the snort read capability to complete this task:

sudo snort -r snort.log.1686512928 -n 64

What is the SEQ number of packet 62?

What is the TTL of packet 65?

What is the source IP of packet 65?

What is the source port of packet 65?

Task 3 

Write rules to detect "all TCP port 21"  traffic in the given pcap.

What is the number of detected packets? 

local.rules

alert tcp any 21 <> any any (msg: "Originating Port 21"; sid:1000001; rev:1;)
alert tcp any any <> any 21 (msg: "Destination Port 21"; sid:1000002; rev:1;)

Terminal

snort -c local.rules -A full -l . -r [pcap_file]

What is the FTP service name?

sudo snort -dev -r snort.log.1686515728 -n 10

Since we are reading the packets that were logged, and want information that is likely held inside the data of the packet, we need the -d option.

Write a rule to detect failed FTP login attempts in the given pcap.

What is the number of detected packets?

Here is the updated rule. It first caused issues by tracking the response in both directions, but after limiting it to only one direction I received the correct answer.

alert tcp any 21 <> any any (msg: "FTP Login Failed"; content: "530 User"; sid:1000001; rev:1)
#alert tcp any any <> any 21 (msg: "FTP Login Failed"; content: "530 User"; sid:1000002; rev:1)


Write a rule to detect successful FTP logins in the given pcap.

What is the number of detected packets?

230 seems to be the reply code for a successful FTP login,

so:

alert tcp any 21 <> any any (msg: "FTP Login Success"; content: "230 User"; sid:1000001; rev:1)

Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

What is the number of detected packets?

I found that 331 and 336 reference this error; I was unsure what other strings showed, so I limited the search to those first.

alert tcp any 21 <> any any (msg: "FTP Login Failed and no/bad pass"; content: "331"; sid:1000001; rev:1)
alert tcp any 21 <> any any (msg: "FTP Login Failed and no/bad pass"; content: "336"; sid:1000002; rev:1)

After reading those packets you can see that the packets state "331 Password required", this could easily be added to better avoid false positives.

Terminal

snort -c local.rules -A full -l . -r ftp-png-gif.pcap
ll
sudo snort -dev -r snort.log.1686517528

Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password.

What is the number of detected packets?

Since we know what the error normally looks like, and we can see at least one packet that represents the issue, we can make a very specific filter using that information.

alert tcp any 21 <> any any (msg: "FTP Login Failed Admin and no/bad pass"; content: "331 Password required for Administrator"; nocase; sid:1000001; rev:1;)

Task 4

Write a rule to detect the PNG file in the given pcap.

Investigate the logs and identify the software name embedded in the packet.

local.rules

alert tcp any any <> any any (msg: "'PNG' found in Data"; content:"PNG"; sid:100001; rev:1;)

Terminal

snort -c local.rules -A full -l . -r ftp-png-gif.pcap

snort -dev -r [log.file]

Write a rule to detect the GIF file in the given pcap.

Investigate the logs and identify the image format embedded in the packet.

local.rules

alert tcp any any <> any any (msg: "'GIF' found in Data"; content:"GIF"; sid:100001; rev:1;)

Terminal

snort -c local.rules -A full -l . -r ftp-png-gif.pcap

snort -dev -r snort.log.1686557290

Task 5

Write a rule to detect the torrent metafile in the given pcap.

What is the number of detected packets?

local.rules

alert tcp any any <> any any (msg: "'Torrent' found in Data"; content:"Torrent"; sid:100001; rev:1;)

results in 11 alerts

they are using BitTorrent, but what does the torrent metafile look like?

alert tcp any any <> any any (msg: "'.Torrent' found in Data"; content:".Torrent"; sid:100001; rev:1;)

resulted in no alerts, while

alert tcp any any <> any any (msg: "'.torrent' found in Data"; content:".torrent"; sid:100001; rev:1;)

resulted in more. It seems content matching is case sensitive by default, so the case written in the rule has to match the packet unless nocase is added.
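To make the behaviour of the FTP rules from Task 3 and the .Torrent/.torrent test above concrete, here is an added Python emulation (not the challenge's or Snort's own code) of the rule pieces used on this page: port matching, -> versus <>, content and nocase. PACKETS is a constructed sample, not data from the challenge pcaps.

```python
# Constructed sample packets (not from the challenge pcaps): (src_port, dst_port, payload)
PACKETS = [
    (21, 50123, b"331 Password required for Administrator\r\n"),   # server -> client
    (21, 50123, b"530 User Administrator cannot log in.\r\n"),
    (21, 50124, b"230 User anonymous logged in.\r\n"),
    (50125, 21, b"USER Administrator\r\n"),                         # client -> server
    (80, 50126, b"GET /files/linux.torrent HTTP/1.1\r\n"),
    (80, 50127, b"Content-Type: application/x-bittorrent\r\n"),
]

def parse_options(opts):
    """Split '(key:value; flag; ...)' into (key, value) pairs; flags get value None.
    Toy parser: assumes no ';' or '"' inside quoted values."""
    pairs = []
    for item in opts.strip("() ").split(";"):
        item = item.strip()
        if item:
            key, sep, value = item.partition(":")
            pairs.append((key.strip(), value.strip().strip('"') if sep else None))
    return pairs

def rule_matches(rule, src_port, dst_port, payload):
    """Emulate the subset of Snort used above: ports, -> vs <>, content, nocase."""
    header, _, opts = rule.partition("(")
    _action, _proto, _src, sp, direction, _dst, dp = header.split()
    port_ok = lambda spec, port: spec == "any" or int(spec) == port
    forward = port_ok(sp, src_port) and port_ok(dp, dst_port)
    reverse = port_ok(sp, dst_port) and port_ok(dp, src_port)
    # <> accepts either pairing of the two port specs; -> only the written one
    if not (forward or (direction == "<>" and reverse)):
        return False
    contents = []  # [needle, nocase] in rule order; nocase modifies the content before it
    for key, value in parse_options(opts):
        if key == "content":
            contents.append([value.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True

def count_alerts(rule, packets=PACKETS):
    """Number of packets the rule would alert on, like counting lines in the alert file."""
    return sum(rule_matches(rule, s, d, p) for s, d, p in packets)
```

The USER line in the sample shows why direction matters: "any 21 -> any any" never sees client-to-server traffic, while "any 21 <> any any" does.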

What is the name of the torrent application?

BitTorrent

What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

Since I wanted to search for the MIME type, and we already have a log with the known packets, I'm going to get the ASCII output of those:

snort -c local.rules -K ascii -A full -l . -r snort.log.1686559485

It seems that was unnecessary; the MIME type is located in the part of the packet that states Accept:

What is the hostname of the torrent metafile?

This is found in the same packet near the end.

Task 6

Here we are repairing rules. Since we just need the number of alerts, we can open them all:

Terminal

gedit local-* &

sudo snort -c local-X.rules -r mx-1.pcap

Fix the rules and run snort on the pcap accordingly.

I thought that the -> was an error, but some research showed the following:

The direction operator of a header indicates the direction of the traffic that the rule should apply to. There are two valid direction operators:

  • ->
  • <>

The -> operator is the most common, and it denotes that the IP addresses and port numbers on the left side represent the source and the IP addresses and port numbers on the right side represent the destination.

The <> operator is the bidirectional operator, and it tells Snort to consider the two IP address and port pairs as either the source or destination.

The direction operator is placed after the first ports declaration in the header.

https://docs.snort.org/rules/headers/directions

In order to test and validate rules, you can use -T:

sudo snort -c local-1.rules -T

Spaces are important in Snort rules: "any(msg" must be written "any (msg".

Don't forget, there are 2 any's on either side of the direction operator.

Duplicate sids in the same ruleset also cause issues.

Be careful of : vs ; and their locations in the rules.

Some rules have mistakes when translating ASCII to hex; be careful when using non-human-readable information for content searches and verify it has the correct information.

Finally, even though it's not required, it is highly encouraged that all rules have a msg, so anyone using the rules can understand their purpose.
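As an added example (my own constructed checker, not part of the challenge or of Snort), here is a small Python linter that flags the Task 6 pitfalls listed above before snort -T is run: wrong header field count (missing space before the parenthesis or a missing any), a bad direction operator, : and ; mix-ups, odd-length hex blocks in content, duplicate sids and a missing msg. FLAG_OPTIONS is an assumed short list of value-less options; snort -T remains the real authority.

```python
import re

HEADER_FIELDS = 7   # action proto src_ip src_port direction dst_ip dst_port
FLAG_OPTIONS = {"nocase", "sameip", "rawbytes", "fast_pattern"}  # options that take no value

def lint_rules(text):
    """Return (line_no, problem) pairs for the pitfalls listed above.
    Constructed checker, not Snort's own parser: 'snort -T' remains the authority."""
    problems, seen_sids = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, paren, opts = line.partition("(")
        if not paren or not opts.endswith(")"):
            problems.append((no, "options must be enclosed in ( ... )"))
            continue
        fields = head.split()   # 'any(msg' glues the last port to the options -> 6 fields
        if len(fields) != HEADER_FIELDS:
            problems.append((no, f"header has {len(fields)} fields, expected {HEADER_FIELDS}: "
                                 "missing space before '(' or a missing 'any'?"))
        elif fields[4] not in ("->", "<>"):
            problems.append((no, f"direction operator '{fields[4]}' must be -> or <>"))
        body = opts[:-1].strip()
        if not body.endswith(";"):
            problems.append((no, "last option must be terminated with ';'"))
        keys = {}
        for item in filter(None, (s.strip() for s in body.split(";"))):
            key, sep, value = item.partition(":")
            key, value = key.strip(), value.strip()
            if not sep and key not in FLAG_OPTIONS:
                problems.append((no, f"'{key}' has no ':' value; ':' and ';' swapped?"))
            if ":" in value:
                problems.append((no, f"'{key}' value contains ':'; should that be ';'?"))
            if key == "content":   # |..| blocks must hold an even number of hex digits
                for hexpart in re.findall(r"\|([^|]*)\|", value):
                    digits = hexpart.replace(" ", "")
                    if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                        problems.append((no, f"bad hex block |{hexpart}| in content"))
            keys[key] = value
        if "msg" not in keys:
            problems.append((no, "no msg; add one so the alert's purpose is clear"))
        if "sid" not in keys:
            problems.append((no, "missing sid"))
        elif keys["sid"] in seen_sids:
            problems.append((no, f"duplicate sid {keys['sid']} (first on line {seen_sids[keys['sid']]})"))
        else:
            seen_sids[keys["sid"]] = no
    return problems
```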

Task 7

Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword

local.rules

alert tcp any any <> any any (msg: "find \IPC$"; content:"\\IPC$"; sid:1000001; rev:1;)

Terminal

sudo snort -c local-1.rules -T
sudo snort -c local-1.rules -r ms-17-010.pcap

What is the requested path?

sudo snort -c local-1.rules -A full -l . -r ms-17-010.pcap
sudo snort -dev -r snort.log.1686563223

Found CVSS score at https://www.tenable.com/plugins/nessus/97737

Task 8

Use the given rule file (local.rules) to investigate the log4j exploitation.

What is the number of detected packets?

sudo snort -c local.rules -r log4j.pcap

Look at the alerts/logged file.

How many rules were triggered?

This one is weird: I see 3 different filtered events, with one of them filtering twice, so 4 rules triggered? Unsure.

What are the first six digits of the triggered rule sids?

Look at the filtered events.

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.

What is the number of detected packets?

local.rules

alert tcp any any <> any any (msg: "payload between 770:855"; dsize:770<>855; sid:1000001; rev:1;)

Terminal

sudo gedit local-1.rules &
ll
sudo snort -c local-1.rules -T
sudo snort -c local-1.rules -r log4j.pcap

What is the name of the used encoding algorithm?

Terminal

sudo snort -c local-1.rules -A full -l . -r log4j.pcap
sudo snort -dev -r snort.log.1686565875

What is the IP ID of the corresponding packet?

local.rules

alert tcp any any <> any any (msg: "payload between 770:855"; dsize:770<>855; content:"Base64"; sid:1000001; rev:1;)

Terminal

sudo gedit local-1.rules &
sudo snort -c local-1.rules -T
sudo snort -c local-1.rules -dev -A full -l . -r log4j.pcap
sudo snort -dev -r snort.log.1686566133

Decode the encoded command.

What is the attacker's command?

This packet contains some encoded text; copying it into CyberChef and converting from Base64 is one way to find out what the command actually is.

What is the CVSS v2 score of the Log4j vulnerability?

Found at https://nvd.nist.gov/vuln/detail/cve-2021-44228 

Comments

Popular posts from this blog

Bandit 20 Over The Wire

Lessons Learned using nc to create a steady connection, also on background and foreground processes Logging in On a kali vm/ linux machine Type: ssh bandit20@bandit.labs.overthewire.org -p 2220 GbKksEFF4yrVs6il55v6gwY5aVje5f0j Completing The Challenge The Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). The Solution: bandit20@bandit:~$ nc -l -p 2000 ^Z [1]+  Stopped                 nc -l -p 2000 bandit20@bandit:~$ ./suconnect 2000 ^Z [2]+  Stopped                 ./suconnect 2000 bandit20@bandit:~$ fg 1 nc -l -p 2000 GbKksEFF4yrVs6il55v6gwY5aVje5f0j ^Z [1]+  Stopped                 nc -l -p 2000 bandit20@bandit:~$ fg 2 ./suconnect 2000 Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Bandit 11 Over The Wire

 Lessons Learned using cyberchef for things like rot13 Logging in On a kali vm/ linux machine Type: ssh bandit11@bandit.labs.overthewire.org -p 2220  IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR Completing The Challenge The Goal: The password for the next level is stored in the file data.txt , where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions The Solution: bandit11@bandit:~$ cat data.txt Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh   The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu This is known as rot13 and many free websites exist to solve this issue. CyberChef is a very good site/tool for this and can be downloaded