# Snort Challenge - The Basics

**Room Link:** <https://tryhackme.com/room/snortchallenges1>

## Writing IDS Rules (HTTP)

**Navigate to the task folder.**\
**Use the given pcap file.**\
**Write rules to detect "all TCP port 80 traffic" packets in the given pcap file.**

**What is the number of detected packets?**

**local.rules**

```
alert tcp any any <> any 80 (msg:"TCP Port 80 Traffic Detected inbound"; sid:10001;)
alert tcp any 80 <> any any (msg:"TCP Port 80 Traffic Detected outbound"; sid:10002;)
```

**Kali**

```
sudo snort -c local.rules -r mx-3.pcap -A full -l .
```

<figure><img src="/files/FUZzbK91WNkNTxrIch3R" alt=""><figcaption></figcaption></figure>

**What is the destination address of packet 63?**

The easiest way to look at a specific packet is `-n <count>`, which tells Snort to stop after reading that many packets: `-n63` reads packets 1 to 63, so the last packet printed is packet 63.

**Kali**

```
sudo snort -r snort.log.1690286170 -n63
```

<figure><img src="/files/1UgLjuEnlmjFRGRllmhV" alt=""><figcaption></figcaption></figure>

**What is the ACK number of packet 64?**

**Kali**

```
sudo snort -r snort.log.1690286170 -n64
```

<figure><img src="/files/DBfH6072sfc2BQYePVnb" alt=""><figcaption></figcaption></figure>

**What is the SEQ number of packet 62?**

**Kali**

```
sudo snort -r snort.log.1690286170 -n62
```

<figure><img src="/files/fmpuzTq5WScYZqJCQe2E" alt=""><figcaption></figcaption></figure>

**What is the TTL of packet 65?**

**Kali**

```
sudo snort -r snort.log.1690286170 -n65
```

<figure><img src="/files/EyfUL4UCGQeezbaELDhe" alt=""><figcaption></figcaption></figure>

**What is the source IP of packet 65?**

<figure><img src="/files/KakDjO9NfaCG1oPixCva" alt=""><figcaption></figcaption></figure>

**What is the source port of packet 65?**

<figure><img src="/files/Vch2xOmJ20alAVEKMobi" alt=""><figcaption></figcaption></figure>

## Writing IDS Rules (FTP)

**local.rules**

```
alert tcp any any <> any 21 (msg:"FTP inbound"; sid:10001;)
alert tcp any 21 <> any any (msg:"FTP outbound"; sid:10002;)
```

**What is the number of detected packets?**

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
```

<figure><img src="/files/HwtJxuHptRscPpAYy4qB" alt=""><figcaption></figcaption></figure>

**What is the FTP service name?**

**Kali**

```
sudo snort -r snort.log.1690287034 -X
```

<figure><img src="/files/LNhbEqboYFUoEu1XSvjo" alt=""><figcaption></figcaption></figure>

**Write a rule to detect failed FTP login attempts in the given pcap. What is the FTP service name?**

**local.rules**

```
alert tcp any any <> any 21 (msg: "Failed FTP Login"; content:"530 User"; sid: 100003; rev: 1;)
```

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
```

<figure><img src="/files/0WKNzDup27ZrnMvvM5Zk" alt=""><figcaption></figcaption></figure>

**Write a rule to detect successful FTP logins in the given pcap. What is the number of detected packets?**

**local.rules**

```
alert TCP any any <> any 21 (msg:"FTP Success Login"; content:"230 User"; sid:100000; rev:1;)
```

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
```

<figure><img src="/files/DnJ7BXLy8xujCOG2iZxc" alt=""><figcaption></figcaption></figure>

**Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password. What is the number of detected packets?**

**local.rules**

```
alert tcp any any <> any 21 (msg: "FTP Failed Login-Bad or No Password"; content:"331 Password"; sid: 100005; rev: 1;)
```

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
```

<figure><img src="/files/vDvQdnByLGaAdYnuMmSG" alt=""><figcaption></figcaption></figure>

**Write a rule to detect failed FTP login attempts with "Administrator" username but a bad password or no password. What is the number of detected packets?**

**local.rules**

```
alert tcp any any <> any 21 (msg: "FTP Failed Login-Bad or No Password"; content:"331 Password"; sid: 100005; rev: 1;)
```

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
```

<figure><img src="/files/jirHtL8p0CprgUukttMH" alt=""><figcaption></figcaption></figure>

## Writing IDS Rules (PNG)

**Write a rule to detect the PNG file in the given pcap.**

**local.rules**

```
alert TCP any any <> any any (msg:"PNG File Detected"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100002; rev:1;)
```

**Investigate the logs and identify the software name embedded in the packet.**

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
sudo snort -r snort.log* -X
```

<figure><img src="/files/CK4bEqow4zyufMeQr0sl" alt=""><figcaption></figcaption></figure>

**Write a rule to detect the GIF file in the given pcap.**

**local.rules**

```
alert TCP any any <> any any (msg:"GIF87a detected"; content:"|47 49 46 38 37 61|"; sid:10000003; rev:1;)
alert TCP any any <> any any (msg:"GIF89A detected"; content:"|47 49 46 38 39 61|"; sid:10000004; rev:1;)
```

**Investigate the logs and identify the software name embedded in the packet.**

**Kali**

```
sudo snort -c local.rules -r ftp-png-gif.pcap -A full -l .
sudo snort -r snort.log* -X
```

<figure><img src="/files/WA9opU4uOY30ojvaZtsw" alt=""><figcaption></figcaption></figure>

## Writing IDS Rules (Torrent Metafile)

**Write a rule to detect the torrent metafile in the given pcap.**

**local.rules**

```
alert TCP any any <> any any (msg:"Torrent Detected"; content:".torrent"; sid:10000003; rev:1;)
```

**What is the number of detected packets?**

**Kali**

```
sudo snort -c local.rules -r torrent.pcap -A full -l .
sudo snort -r snort.log* -X
```

<figure><img src="/files/Fx2Iq1Q3Y0XdyEKZYgT6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LY1kZo198CIMZpAyW37D" alt=""><figcaption></figcaption></figure>
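The port rules in the HTTP and FTP sections and the `content:` rules for the FTP reply codes, PNG, GIF and torrent files above all reduce to one check per packet: does either TCP port match, or does the payload contain a given byte string. The following added example (my code, not the room's or Snort's) reimplements that check over a libpcap file with only the standard library so the alert counts can be cross-checked without Snort; the capture it runs on is constructed inside the block, and the Ethernet/IPv4/TCP layout and little-endian pcap magic are assumptions.

```python
import struct
# Byte patterns from the content: options above (|..| hex decoded to bytes).
PATTERNS = {"PNG": bytes.fromhex("89504E470D0A1A0A"), "GIF87a": b"GIF87a",
            "GIF89a": b"GIF89a", "FTP 530": b"530 User", "FTP 230": b"230 User",
            "FTP 331": b"331 Password", "torrent": b".torrent"}

def tcp_packets(pcap):
    """Yield (sport, dport, payload) for each IPv4/TCP frame in a little-endian pcap."""
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto != 6:                            # IP protocol 6 = TCP
            continue
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]   # skip TCP header (data offset)

def count_port(pcap, port):
    """Packets a 'tcp any any <> any <port>' rule would alert on."""
    return sum(1 for s, d, _ in tcp_packets(pcap) if port in (s, d))

def count_content(pcap, patterns=PATTERNS):
    """One alert per packet per pattern found in its TCP payload."""
    hits = dict.fromkeys(patterns, 0)
    for _, _, payload in tcp_packets(pcap):
        for name, pat in patterns.items():
            hits[name] += pat in payload
    return hits

def build_pcap(packets):
    """Wrap (sport, dport, payload) tuples into a minimal pcap (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sport, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture, not the room's pcap files.
SAMPLE = build_pcap([(21, 50000, b"530 User cannot log in.\r\n"),
                     (21, 50000, b"230 User logged in.\r\n"),
                     (50001, 80, b"GET /linux.torrent HTTP/1.1\r\n"),
                     (20, 50002, b"\x89PNG\r\n\x1a\n" + bytes(16))])
```

Snort itself also reassembles streams and honours options such as `flow:` and `dsize:`, so this script's counts line up only with the plain per-packet `content:` and port rules used above.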

## Troubleshooting Rule Syntax Errors

**Fix the syntax error in local-1.rules file and make it work smoothly.**

**local-1.rules**

```
alert TCP any 3372 -> any any (msg:"Troubleshooting 1"; sid:1000001; rev:1;)
```

**What is the number of the detected packets?**

**Kali**

```
sudo snort -c local-1.rules -r mx-1.pcap -A full -l .
```

<figure><img src="/files/jpF5OU8zip8Re88X2C5Y" alt=""><figcaption></figcaption></figure>

**Fix the syntax error in local-2.rules file and make it work smoothly.**

**local-2.rules**

```
alert icmp any any -> any any (msg:"Troubleshooting 2"; sid:1000001; rev:1;)
```

**What is the number of the detected packets?**

**Kali**

```
sudo snort -c local-2.rules -r mx-1.pcap -A full -l .
```

<figure><img src="/files/TGxBybVF8hwVwTJ2Ifgp" alt=""><figcaption></figcaption></figure>

**Fix the syntax error in local-3.rules file and make it work smoothly.**

**local-3.rules**

```
alert icmp any any -> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any [80,443] (msg:"HTTPX Packet Found"; sid:1000002; rev:1;)
```

**What is the number of the detected packets?**

**Kali**

```
sudo snort -c local-3.rules -r mx-1.pcap -A full -l .
```

<figure><img src="/files/9djrFUJwRcSCqUyTn0w0" alt=""><figcaption></figcaption></figure>

**Fix the syntax error in local-4.rules file and make it work smoothly.**

**local-4.rules**

```
alert icmp any any -> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any [80,443] (msg:"HTTPX Packet Found"; sid:1000002; rev:1;)
```

**What is the number of the detected packets?**

**Kali**

```
sudo snort -c local-4.rules -r mx-1.pcap -A full -l .
```

<figure><img src="/files/SjcbUtaWiXj7LoKabFtb" alt=""><figcaption></figcaption></figure>

**Fix the syntax error in local-5.rules file and make it work smoothly.**

**local-5.rules**

```
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert icmp any any <> any any (msg: "Inbound ICMP Packet Found"; sid:1000002; rev:1;)
alert tcp any any -> any [80,443] (msg: "HTTPX Packet Found"; sid:1000003; rev:1;)
```

**What is the number of the detected packets?**

**Kali**

```
sudo snort -c local-5.rules -r mx-1.pcap -A full -l .
```

<figure><img src="/files/NIsaUoCDllOkeWrfMk96" alt=""><figcaption></figcaption></figure>

**Fix the syntax error in local-6.rules file and make it work smoothly.**

**local-6.rules**

```
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid:100001; rev:1;)
```

**What is the number of the detected packets?**

**Kali**

```
sudo snort -c local-6.rules -r mx-1.pcap -A full -l .
```

<figure><img src="/files/iqmIay20fU0OhvKo6Enu" alt=""><figcaption></figcaption></figure>

**Fix the syntax error in local-7.rules file and make it work smoothly.**

**local-7.rules**

```
alert tcp any any <> any 80  (msg:"No Message"; content:"|2E 68 74 6D 6C|"; sid: 100001; rev:1;)
```

**Kali**

```
sudo snort -c local-7.rules -r mx-1.pcap -A full -l .
```
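Every local-N.rules fix above comes down to a short list of syntax rules: seven header fields, `->` or `<>` as the direction operator (Snort has no `<-`), port lists in square brackets, every option closed with `;`, and a sid that is unique within the file. This added example (my code, not the room's or Snort's parser) checks a rules file for exactly those mistakes before Snort is run; the broken sample rules are constructed for illustration and are not the room's original files.

```python
import re
PROTOS = {"tcp", "udp", "icmp", "ip"}
# any, single port, range a:b, bracketed list, or a $VAR; optional leading "!"
PORT = re.compile(r"^!?(any|\d+|\d*:\d*|\[[^\]]+\]|\$\w+)$")
def lint_rules(text):
    """Return (line_number, problem) pairs for a Snort 2 rules file; checks
    header shape, direction, port syntax, option terminator and sid reuse."""
    problems, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, sep, opts = line.partition("(")
        fields = head.split()
        if len(fields) != 7:
            problems.append((n, f"expected 7 header fields, got {len(fields)}"))
            continue
        _, proto, _, sport, direction, _, dport = fields
        if proto.lower() not in PROTOS:
            problems.append((n, f"unknown protocol {proto!r}"))
        if direction not in ("->", "<>"):
            problems.append((n, f"bad direction operator {direction!r}"))
        for p in (sport, dport):
            if not PORT.match(p):
                problems.append((n, f"bad port spec {p!r} (lists need [ ])"))
        if not sep or not opts.rstrip().endswith(")"):
            problems.append((n, "options must be wrapped in ( ... )"))
            continue
        body = opts.rstrip()[:-1].strip()   # naive: ignores ';' inside content strings
        if body and not body.endswith(";"):
            problems.append((n, "last option is missing its ';'"))
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", body)
        if not sid:
            problems.append((n, "missing sid"))
        elif sid[1] in seen_sids:
            problems.append((n, f"sid {sid[1]} duplicates line {seen_sids[sid[1]]}"))
        else:
            seen_sids[sid[1]] = n
    return problems

# Constructed sample, one mistake per line (not the room's local-N.rules files).
BROKEN = """\
alert tcp any 3372 -> any (msg:"Troubleshooting 1"; sid:1000001; rev:1;)
alert icmp any any <- any any (msg:"Inbound ICMP"; sid:1000002; rev:1;)
alert tcp any any -> any 80,443 (msg:"HTTPX"; sid:1000003; rev:1;)
alert tcp any any -> any [80,443] (msg:"HTTPX again"; sid:1000003; rev:1;)
alert tcp any any <> any 80 (msg:"GET"; content:"|47 45 54|"; sid:1000004; rev:1)
alert tcp any any <> any 80 (msg:"No sid"; content:"|2E 68 74 6D 6C|"; rev:1;)
"""
```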

## Using External Rules (MS17-010)

**Use the given rule file (local.rules) to investigate the ms1710 exploitation. What is the number of detected packets?**

**Kali**

```
sudo snort -c local.rules  -A full -l . -r ms-17-010.pcap
```

<figure><img src="/files/SkPmMSBfaaXcbuwDdM1V" alt=""><figcaption></figcaption></figure>

**Clear the previous log and alarm files. Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword. What is the number of detected packets?**

**local-1.rules**

```
alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; content: "IPC$"; sid:2094285; rev: 3;)
```

**Kali**

```
sudo snort -c local-1.rules  -A full -l . -r ms-17-010.pcap
sudo snort -r snort.log* -X
```

<figure><img src="/files/zgWvwbN2OuhMq64RI3F0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/haE5Sd5bvFMQhDUWoiFC" alt=""><figcaption></figcaption></figure>

## Using External Rules (Log4j)

**Use the given rule file (local.rules) to investigate the log4j exploitation.**

**What is the number of detected packets?**

**Kali**

```
sudo snort -c local.rules  -A full -l . -r log4j.pcap
```

<figure><img src="/files/gzW524CRObgo1byQDwsv" alt=""><figcaption></figcaption></figure>

**Investigate the log/alarm files. How many rules were triggered?**

<figure><img src="/files/TM2Ogn6ffM6rUovhewf4" alt=""><figcaption></figcaption></figure>

**Investigate the log/alarm files. What are the first six digits of the triggered rule sids?**

**Kali**

```
sudo snort -c local.rules -A full -l . -r log4j.pcap
```

<figure><img src="/files/gtGzT7UhRt4aFwLvvTXU" alt=""><figcaption></figcaption></figure>
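The two questions above (how many rules fired, and the first six digits of their sids) are answered by reading the `alert` file that `-A full` writes into the `-l` directory. This added example (my code, not part of the walkthrough) parses that multi-line record format and derives both answers; the sample alert text is constructed with placeholder sids and RFC 5737 addresses, not the room's real log4j output.

```python
import re
from collections import Counter

# Snort 2 "-A full" writes one multi-line record per alert: a
# "[**] [gid:sid:rev] msg [**]" header, a priority line, then the
# timestamp/address line and protocol details.
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
ADDRS = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+) -> (\S+)$")

def parse_alerts(text):
    """Return one dict per alert record found in an 'alert' file."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is not None and (m := ADDRS.match(line)):
            cur.update(ts=m[1], src=m[2], dst=m[3])
    return alerts

def rule_hits(alerts):
    """sid -> packets it fired on; len() of this is the number of rules triggered."""
    return Counter(a["sid"] for a in alerts)

def sid_prefixes(alerts, digits=6):
    """Distinct leading digits of the triggered sids, sorted."""
    return sorted({str(a["sid"])[:digits] for a in alerts})

# Constructed sample alert file: placeholder sids and RFC 5737 addresses,
# not the room's real log4j output.
SAMPLE = """\
[**] [1:1000001:1] Payload 770-855 bytes [**]
[Priority: 0] 
01/27-14:23:38.120123 192.0.2.10:51234 -> 198.51.100.5:8080
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:852 DF

[**] [1:1234567:2] Placeholder rule A [**]
[Priority: 0] 
01/27-14:23:39.000001 192.0.2.10:51235 -> 198.51.100.5:8080

[**] [1:1234568:1] Placeholder rule B [**]
[Priority: 0] 
01/27-14:23:39.250000 198.51.100.5:8080 -> 192.0.2.10:51235

[**] [1:1000001:1] Payload 770-855 bytes [**]
[Priority: 0] 
01/27-14:23:40.777000 192.0.2.11:40000 -> 198.51.100.5:8080
"""
```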

**local-1.rules**

```
alert tcp any any -> any any (msg:"Payload 770-855 bytes"; dsize:770<>855; sid:100001; rev:1;)
```

**What is the number of detected packets?**

**Kali**

```
sudo snort -c local-1.rules  -A full -l . -r log4j.pcap
sudo snort -eX -r snort.log* | vi -
```

<figure><img src="/files/o0L1R9b9LFWVdzilXbPj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hPucKUTQT9cIk3AIvr2t" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ajVfaZWRLXcarbHjQMiJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wXA5NvGK2wgZwRSadXk7" alt=""><figcaption></figcaption></figure>

**Output**

```
KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=
```

**CyberChef:** <https://gchq.github.io/CyberChef/>

<figure><img src="/files/sR8n3QfdgRpTY2kh22JA" alt=""><figcaption></figcaption></figure>
