SNORT
OPERATION MODE 2: PACKET LOGGER MODE
Investigate the traffic with the default configuration file with ASCII mode. Then execute the traffic generator script and choose "TASK-6 Exercise". What is the source port used to connect port 53?
root@thm:~$ sudo snort -dev -K ASCII -l .
root@thm:~$ cd ~/Desktop/Task-Exercises/
root@thm:~$ sudo ./traffic-generator.sh
Task-6 Exercise
root@thm:~$ sudo su
root@thm:~$ cd ~/Desktop/145.254.160.237/
root@thm:~$ ls -la
root@thm:~$ cat UDP\:3009-53
* 145.254.160.237:3009 -> 145.253.2.203:53
145.253.2.203:53 -> 145.254.160.237:3009
Read the snort.log file snort.log.1640048004 with Snort; what is the IP ID of the 10th packet?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -n 10 -dev
* 65.208.228.223:80 -> 145.254.160.237:3372 TCP TTL:47 TOS:0x0 ID:49313
Read the "snort.log.1640048004" file with Snort; what is the referrer of the 4th packet?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -n 4 -Xe
* Referrer: http://www.ethereal.com/development.html
Read the "snort.log.1640048004" file with Snort; what is the Ack number of the 8th packet?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -n 8 -Xe
* ***A**** Seq: 0x114C66F0 Ack: 0x38AFFFF3 Win: 0x1920 TcpLen: 20
Read the "snort.log.1640048004" file with Snort; what is the number of the "TCP port 80" packets?
root@thm:~$ cd ~/Desktop/Task-Exercises/Exercise-Files/TASK-6
root@thm:~$ ls -la
snort.log.1640048004
root@thm:~$ sudo snort -r snort.log.1640048004 -Xe 'tcp and port 80'
* Packet I/O Totals:
Received: 41
Analyzed: 41 (100.000%)
OPERATION MODE 3: IDS/IPS
Investigate the traffic with the default configuration file. Then execute the traffic generator script and choose "TASK-7 Exercise". What is the number of the detected HTTP GET methods?
root@thm:~$ sudo snort -c /etc/snort/snort.conf -A full -l .
root@thm:~$ cd ~/Desktop/Task-Exercises/
root@thm:~$ sudo ./traffic-generator.sh
Task-7 Exercise
* stop Snort (Ctrl+C); on exit it prints the run statistics, which include the HTTP Inspect counters below
* HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 0
GET methods: 2
HTTP Request Headers extracted: 2
HTTP Request Cookies extracted: 0
Post parameters extracted: 0
HTTP response Headers extracted: 3
OPERATION MODE 4: PCAP INVESTIGATION
Investigate the mx-1.pcap file with the default configuration file. What is the number of the generated alerts?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snort.conf -r mx-1.pcap -A full -l .
* Alerts: 170 (147.826%)
Investigate the mx-1.pcap file with the default configuration file. Keep reading the output. How many TCP Segments are Queued?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snort.conf -r mx-1.pcap -A full -l .
* TCP Segments Queued: 18
Investigate the mx-1.pcap file with the default configuration file. Keep reading the output. How many "HTTP response headers" were extracted?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snort.conf -r mx-1.pcap -A full -l .
* HTTP response Headers extracted: 3
Investigate the mx-1.pcap file with the second configuration file. What is the number of the generated alerts?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snortv2.conf -r mx-1.pcap -A full -l .
* Alerts: 68 ( 59.130%)
Investigate the mx-2.pcap file with the default configuration file. What is the number of the generated alerts?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snort.conf -r mx-2.pcap -A full -l .
* Alerts: 340 (147.826%)
Investigate the mx-2.pcap file with the default configuration file. What is the number of the detected TCP packets?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snort.conf -r mx-2.pcap -A full -l .
* TCP Port Filter
Filtered: 0
Inspected: 0
Tracked: 82
Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file. What is the number of the generated alerts?
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-8
root@thm:~$ sudo snort -c /etc/snort/snort.conf -r mx-2.pcap -A full -l .
root@thm:~$ sudo snort -c /etc/snort/snort.conf --pcap-list="mx-2.pcap mx-3.pcap" --pcap-show -A full -l .
* Alerts: 1020 (147.826%)
SNORT RULE STRUCTURE
Use "task9.pcap". Write a rule to filter IP ID "35369" and run it against the given pcap file. What is the request name of the detected packet?
#Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
Search: ip id
- https://docs.snort.org/start/alert_logging
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ nano /etc/snort/rules/local.rules
alert ip any any <> any any (msg:"IP ID - 35369"; ip_id:35369; sid:1000001; rev:1;)
- ip_id is a Snort 3 option; for Snort 2 use 'id' instead
#test user-created rule
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-9
root@thm:~$ ls
local.rules task9.pcap
root@thm:~$ snort -c local.rules -r task9.pcap -A full -l .
root@thm:~$ ls
alert local.rules snort.log.1735674019 task9.pcap
root@thm:~$ cat alert
[**] [1:1000001:1] IP ID - 35369 [**]
[Priority: 0]
03/03-20:00:32.042975 192.168.121.2 -> 192.168.120.1
ICMP TTL:255 TOS:0x0 ID:35369 IpLen:20 DgmLen:40
Type:13 Code:0 ID: 7 Seq: 6 TIMESTAMP REQUEST
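Every rule in these tasks follows the header/options syntax noted above, and each task starts by commenting out the previous rule, because all of them reuse sid:1000001 and Snort identifies a rule by its gid:sid pair. The following added Python example (not part of these notes or of Snort) parses a local.rules file with that syntax, skips commented-out lines, and reports rules that lack sid or rev or that share a sid with an earlier active rule. The sample file contents are constructed from the rules written in this section; the naive split on ';' does not handle a ';' inside a quoted content string.

```python
import re
from collections import defaultdict

# Constructed local.rules contents built from the rules in this section (not
# the exercise's own file): the first rule is commented out, the next two both
# carry sid:1000001, and the last one has no sid or rev at all.
SAMPLE_LOCAL_RULES = """\
# alert ip any any <> any any (msg:"IP ID - 35369"; ip_id:35369; sid:1000001; rev:1;)
alert tcp any any <> any any (msg:"SYN"; flags:S; sid:1000001; rev:1;)
alert tcp any any <> any any (msg:"PSH-ACK"; flags:PA; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"no sid here"; sameip;)
"""

# <action> <protocol> <srcIP> <srcPort> <direction> <dstIP> <dstPort> (<options>)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}


def parse_rule(line):
    """Split one rule into its header fields and an option dict; None if it does not parse."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    options = {}
    # Simplification: options are split on ';' without honouring escaped ';' in content.
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip()
    rule["options"] = options
    return rule


def lint_rules(text):
    """Return (active_rules, findings); findings are (line_number, message) tuples."""
    active, findings = [], []
    sid_lines = defaultdict(list)
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out (deactivated) rule
        rule = parse_rule(line)
        if rule is None:
            findings.append((number, "rule does not match the header/options syntax"))
            continue
        if rule["action"] not in ACTIONS:
            findings.append((number, f"unknown action {rule['action']!r}"))
        options = rule["options"]
        if "sid" in options:
            sid_lines[options["sid"]].append(number)
        else:
            findings.append((number, "missing sid"))
        if "rev" not in options:
            findings.append((number, "missing rev"))
        active.append(rule)
    for sid, lines in sid_lines.items():
        if len(lines) > 1:
            findings.append((lines[-1], f"sid {sid} also used on line(s) {lines[:-1]}"))
    return active, findings


if __name__ == "__main__":
    rules, problems = lint_rules(SAMPLE_LOCAL_RULES)
    print(f"{len(rules)} active rule(s)")
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
```

Run it against /etc/snort/rules/local.rules before each task to confirm that only the rule you mean to test is still active.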
Use "task9.pcap". Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?
#Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
Search: syn
- https://docs.snort.org/rules/options/non_payload/flags?highlight=syn#flags
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ nano /etc/snort/rules/local.rules
alert tcp any any <> any any (msg:"SYN"; flags:S; sid:1000001; rev:1;)
#test user-created rule
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-9
root@thm:~$ ls
local.rules task9.pcap
root@thm:~$ snort -c local.rules -r task9.pcap -A full -l .
root@thm:~$ ls
alert local.rules snort.log.1735674019 task9.pcap
root@thm:~$ cat alert
[**] [1:1000001:1] SYN [**]
[Priority: 0]
03/03-20:02:09.464106 2003:51:6012:110::b15:22:60892 -> 2003:51:6012:121::2:22
TCP TTL:62 TOS:0x0 ID:0 IpLen:40 DgmLen:80
******S* Seq: 0xB82637E7 Ack: 0x0 Win: 0x7080 TcpLen: 40
TCP Options (5) => MSS: 1440 SackOK TS: 166450886 0 NOP WS: 7
Clear the previous log and alarm files and deactivate/comment out the old rule. Use "task9.pcap". Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
#Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
Search: flags
- https://docs.snort.org/rules/options/non_payload/flags?highlight=flags#flags
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ rm -rf alert snort.log.*
root@thm:~$ nano /etc/snort/rules/local.rules
alert tcp any any <> any any (msg:"PSH-ACK"; flags:PA; sid:1000001; rev:1;)
#test user-created rule
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-9
root@thm:~$ ls
local.rules task9.pcap
root@thm:~$ snort -c local.rules -r task9.pcap -A full -l .
root@thm:~$ ls
alert local.rules snort.log.1735674019 task9.pcap
root@thm:~$ cat alert
...
root@thm:~$ grep -c '\[\*\*\]' alert
216
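Counting "[**]" lines works because every record in a "-A full" alert file starts with one "[**] [gid:sid:rev] msg [**]" header line. When several rules are active, or the same sid appears with different messages, a real parser is more useful than wc. The following added Python example (not part of these notes or of Snort) parses that format into records, counts hits per gid:sid, and picks out alerts whose source and destination address are identical. The alert text is constructed from the records shown in this section plus one invented same-address record.

```python
import re
from collections import Counter

# Constructed sample in the "-A full" alert format, modeled on the entries
# shown in these notes; it is not an alert file produced by the exercise.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] IP ID - 35369 [**]
[Priority: 0]
03/03-20:00:32.042975 192.168.121.2 -> 192.168.120.1
ICMP TTL:255 TOS:0x0 ID:35369 IpLen:20 DgmLen:40
Type:13 Code:0 ID: 7 Seq: 6 TIMESTAMP REQUEST

[**] [1:1000001:1] SYN [**]
[Priority: 0]
03/03-20:02:09.464106 2003:51:6012:110::b15:22:60892 -> 2003:51:6012:121::2:22
TCP TTL:62 TOS:0x0 ID:0 IpLen:40 DgmLen:80
******S* Seq: 0xB82637E7 Ack: 0x0 Win: 0x7080 TcpLen: 40
TCP Options (5) => MSS: 1440 SackOK TS: 166450886 0 NOP WS: 7

[**] [1:1000002:1] SAME SRC/DST IP [**]
[Priority: 0]
03/03-20:05:11.000001 10.0.0.5:1234 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:60
******S* Seq: 0x00000001 Ack: 0x0 Win: 0x2000 TcpLen: 40
"""

# One pattern per line of a record: header, priority, timestamp/addresses, IP summary.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")


def _split_endpoint(endpoint, has_port):
    """Return (address, port). Only TCP and UDP records carry a port, so the last
    colon is treated as a separator only for them; IPv6 addresses in ICMP records
    therefore stay intact."""
    if not has_port:
        return endpoint, None
    addr, port = endpoint.rsplit(":", 1)
    return addr, int(port)


def parse_alerts(text):
    """Parse a -A full alert file into a list of dicts; malformed records are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        hm = HEADER_RE.match(lines[0])
        pm = PRIORITY_RE.search(lines[1])
        am = ADDR_RE.match(lines[2])
        xm = PROTO_RE.match(lines[3])
        if not (hm and pm and am and xm):
            continue
        proto = xm.group(1)
        has_port = proto in ("TCP", "UDP")
        src, sport = _split_endpoint(am.group(2), has_port)
        dst, dport = _split_endpoint(am.group(3), has_port)
        alerts.append({
            "gid": int(hm.group(1)), "sid": int(hm.group(2)), "rev": int(hm.group(3)),
            "msg": hm.group(4), "priority": int(pm.group(1)),
            "timestamp": am.group(1), "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "ttl": int(xm.group(2)), "ip_id": int(xm.group(3)),
        })
    return alerts


def count_by_rule(alerts):
    """Alerts per (gid, sid): the per-rule hit count these tasks ask for."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def same_ip_alerts(alerts):
    """Alerts whose source and destination address are identical."""
    return [a for a in alerts if a["src"] == a["dst"]]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_FILE)
    print(f"{len(parsed)} alerts, per rule: {dict(count_by_rule(parsed))}")
    for a in same_ip_alerts(parsed):
        print("same src/dst:", a["timestamp"], a["src"], "->", a["dst"], a["msg"])
```

To use it on the exercise output, read the "alert" file into a string and pass it to parse_alerts().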
Clear the previous log and alarm files and deactivate/comment out the old rule. Use "task9.pcap". Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of packets that show the same source and destination address?
#Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
Search: same
- none found
root@thm:~$ BROWSER > http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node1.html > CTRL+F
Search: same
- sameip
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ rm -rf alert snort.log.*
root@thm:~$ nano /etc/snort/rules/local.rules
alert ip any any <> any any (msg:"SAME SRC/DST IP"; sameip; sid:1000001; rev:1;)
#test user-created rule
root@thm:~$ cd /home/ubuntu/Desktop/Task-Exercises/Exercise-Files/TASK-9
root@thm:~$ ls
local.rules task9.pcap
root@thm:~$ snort -c local.rules -r task9.pcap -A full -l .
root@thm:~$ ls
alert local.rules snort.log.1735674019 task9.pcap
root@thm:~$ cat alert
manual count: 7
- excluding: unassigned IP addresses, IP requests and broadcast/multicast messages
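The four rules in this section use only non-payload options: the IP ID field, the TCP flags byte and the sameip comparison. The following added Python example (not part of these notes or of Snort) shows what those options actually test by reading a pcap file without any third-party library, decoding the IPv4/TCP fields, and counting packets the way "id:35369", "flags:S", "flags:PA" and "sameip" would. The capture is constructed in memory from hand-built frames; the "flags" semantics implemented are the plain form with no modifier, where every listed bit must be set and no other flag bit may be, so "flags:S" does not match a SYN-ACK.

```python
import struct

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _ipv4_header(src, dst, proto, ip_id, payload_len):
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, 0, 64, proto, 0,
                       _ip(src), _ip(dst))


def tcp_frame(src, dst, sport, dport, flags, ip_id):
    """Ethernet + IPv4 + 20-byte TCP header, no payload. Constructed test data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + _ipv4_header(src, dst, 6, ip_id, len(tcp)) + tcp


def icmp_frame(src, dst, ip_id):
    """Ethernet + IPv4 + ICMP echo request header. Constructed test data."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return b"\x00" * 12 + b"\x08\x00" + _ipv4_header(src, dst, 1, ip_id, len(icmp)) + icmp


def build_pcap(frames):
    """Wrap Ethernet frames in a classic little-endian pcap (LINKTYPE_ETHERNET)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


# Constructed capture: a handshake and data exchange, one ICMP echo request, and
# one TCP SYN whose source and destination address are identical.
SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.0.1", "10.0.0.2", 40000, 22, TCP_FLAG_BITS["S"], 100),
    tcp_frame("10.0.0.2", "10.0.0.1", 22, 40000, TCP_FLAG_BITS["S"] | TCP_FLAG_BITS["A"], 0),
    tcp_frame("10.0.0.1", "10.0.0.2", 40000, 22, TCP_FLAG_BITS["P"] | TCP_FLAG_BITS["A"], 101),
    tcp_frame("10.0.0.2", "10.0.0.1", 22, 40000, TCP_FLAG_BITS["P"] | TCP_FLAG_BITS["A"], 4242),
    icmp_frame("10.0.0.1", "10.0.0.2", 7),
    tcp_frame("10.0.0.2", "10.0.0.2", 80, 80, TCP_FLAG_BITS["S"], 35369),
])


def _decode(frame):
    """Pull the IPv4 and TCP fields the rule options inspect; non-IPv4 frames give None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {
        "ip_id": struct.unpack_from("!H", frame, 18)[0],
        "proto": frame[23],
        "src": ".".join(str(b) for b in frame[26:30]),
        "dst": ".".join(str(b) for b in frame[30:34]),
        "sport": None, "dport": None, "flags": None,
    }
    tcp_off = 14 + ihl
    if pkt["proto"] == 6 and len(frame) >= tcp_off + 14:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, tcp_off)
        pkt["flags"] = frame[tcp_off + 13]
    return pkt


def parse_pcap(data):
    """Walk the pcap record list and decode every IPv4 frame."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        pkt = _decode(data[offset:offset + incl_len])
        offset += incl_len
        if pkt is not None:
            packets.append(pkt)
    return packets


def flags_match(pkt, spec):
    """'flags:<spec>' with no modifier: listed bits set, every other flag bit clear."""
    if pkt["flags"] is None:
        return False
    wanted = 0
    for letter in spec:
        wanted |= TCP_FLAG_BITS[letter]
    return pkt["flags"] == wanted


def sameip(pkt):
    return pkt["src"] == pkt["dst"]


def count_matching(packets, predicate):
    return sum(1 for p in packets if predicate(p))


if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("packets:", len(pkts))
    print("flags:S  ->", count_matching(pkts, lambda p: flags_match(p, "S")))
    print("flags:PA ->", count_matching(pkts, lambda p: flags_match(p, "PA")))
    print("sameip   ->", count_matching(pkts, sameip))
    print("id:35369 ->", count_matching(pkts, lambda p: p["ip_id"] == 35369))
```

Pointing parse_pcap() at the bytes of task9.pcap gives an independent count to compare with the alert file, which is the cross-check the manual count above relies on.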