TryHackMe: Snort Challenge — Live Attacks (Difficulty: Medium)

Put your Snort skills into practice and defend against a live attack

The room is https://tryhackme.com/room/snortchallenges2

Task 1: Introduction

The room invites you to a challenge where you will investigate a series of traffic data and stop malicious activity under two different scenarios. Let’s start working with Snort to analyse live and captured traffic.

Before joining this room, we suggest completing the ‘Snort’ room.

Answer the questions below:

Read the task above.

No answer needed.

Task 2: Scenario 1 | Brute-Force

Use the attached VM to finish this task.

[+] THE NARRATOR

J&Y Enterprise is one of the top coffee retailers in the world. They are known as tech-coffee shops and serve millions of coffee-loving tech geeks and IT specialists every day.

They are famous for specific coffee recipes for the IT community and unique names for these products. Their top five recipe names are:

WannaWhite, ZeroSleep, MacDown, BerryKeep and CryptoY.

J&Y’s latest recipe, “Shot4J”, attracted great attention at the global coffee festival. J&Y officials promised that the product will hit the stores in the coming months.

The super-secret of this recipe is hidden in a digital safe. Attackers are after this recipe, and J&Y enterprises are having difficulties protecting their digital assets.

Last week, they received multiple attacks and decided to work with you to help them improve their security level and protect their recipe secrets.

This is your assistant J.A.V.A. (Just Another Virtual Assistant). She is an AI-driven virtual assistant and will help you notice possible anomalies. Hey, wait, something is happening…

[+] J.A.V.A.

Welcome, sir. I am sorry for the interruption. It is an emergency. Somebody is knocking on the door!

[+] YOU

Knocking on the door? What do you mean by “knocking on the door”?

[+] J.A.V.A.

We have a brute-force attack, sir.

[+] THE NARRATOR

This is not a comic book! Would you mind going and checking what’s going on? Please…

[+] J.A.V.A.

Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the brute-force attack. GOOD LUCK!

Answer the questions below:

Question 1:

First of all, start Snort in sniffer mode and try to figure out the attack source, service and port.

Then, write an IPS rule and run Snort in IPS mode to stop the brute-force attack. Once you stop the attack properly, you will have the flag on the desktop!

Here are a few points to remember:

  • Create the rule and test it with “-A console” mode.
  • Use “-A full” mode and the default log path to stop the attack.
  • Write the correct rule and run Snort in IPS “-A full” mode.
  • Block the traffic at least for a minute and then the flag file will appear on your desktop.

Stop the attack and get the flag (which will appear on your Desktop)

Solution:

  • Open the local rules file: sudo nano /etc/snort/rules/local.rules
  • Add a drop rule. This one drops all TCP traffic, which is enough to stop the attack in this task; local.rules then looks like this:

    # $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
    # ----------------
    # LOCAL RULES
    # ----------------
    # This file intentionally does not come with signatures. Put your local
    # additions here.
    drop tcp any any -> any any (sid: 1000005;)

  • Run Snort in inline (IPS) mode with full alert output: sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full

1 minute later BOOM!

Question 2: What is the name of the service under attack?

  • sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A console

Question 3: What is the used protocol/port in the attack?

Task 3: Scenario 2 | Reverse-Shell

Use the attached VM to finish this task.

[+] THE NARRATOR

Good job! Glad to have you on the team!

[+] J.A.V.A.

Congratulations, sir. It is inspiring watching you work.

[+] You

Thanks, team. J.A.V.A., can you do a quick scan for me? We haven’t investigated the outbound traffic yet.

[+] J.A.V.A.

Yes, sir. Outbound traffic investigation has begun.

[+] THE NARRATOR

The outbound traffic? Why?

[+] YOU

We have stopped some inbound access attempts, so we didn’t let the bad guys get in. How about the bad guys who are already inside? Also, no need to mention the insider risks, huh? The dwell time is still around 1–3 months, and I am quite new here, so it is worth checking the outgoing traffic as well.

[+] J.A.V.A.

Sir, persistent outbound traffic is detected. Possibly a reverse shell…

[+] YOU

You got it!

[+] J.A.V.A.

Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell. GOOD LUCK!

Answer the questions below:

Question 4:

First of all, start Snort in sniffer mode and try to figure out the attack source, service and port.

Then, write an IPS rule and run Snort in IPS mode to stop the brute-force attack. Once you stop the attack properly, you will have the flag on the desktop!

Here are a few points to remember:

  • Create the rule and test it with “-A console” mode.
  • Use “-A full” mode and the default log path to stop the attack.
  • Write the correct rule and run Snort in IPS “-A full” mode.
  • Block the traffic at least for a minute and then the flag file will appear on your desktop.

Stop the attack and get the flag (which will appear on your Desktop)

Solution:

  • Open the local rules file: sudo nano /etc/snort/rules/local.rules
  • Add a drop rule. As in Scenario 1, this one drops all TCP traffic, which is enough to cut the reverse shell for this task; local.rules then looks like this:

    # $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
    # ----------------
    # LOCAL RULES
    # ----------------
    # This file intentionally does not come with signatures. Put your local
    # additions here.
    drop tcp any any -> any any (sid: 1000005;)

  • Run Snort in inline (IPS) mode with full alert output: sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full

1 minute later Voila!

Question 5: What is the used protocol/port in the attack?

  • sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A console
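Both scenarios follow the same routine: read the “-A console” output, pick out the endpoint that stays fixed across the alerts, and then write a rule against it. The Python script below is an added example, not code from the write-up or the room: it parses constructed Snort 2 console alert lines, identifies the service endpoint, and emits a port-scoped drop rule as a narrower alternative to the blanket “any any -> any any” rule used above. The addresses, client ports, port 2222 and sid 1000006 are invented stand-ins; 4444 is the port the write-up points to for Scenario 2.

```python
import re
from collections import Counter

# Snort 2 "-A console" alert lines end in "... {TCP} src:sport -> dst:dport".
ALERT_RE = re.compile(r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                      r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed samples, not captured from the room. A blanket
# "drop tcp any any -> any any" rule fires on both directions, so a connection
# shows up as A -> B and B -> A. Addresses and client ports are invented; 4444
# is the port the write-up points to in Scenario 2, and 2222 is only a stand-in
# for Scenario 1's service port, not the room's answer.
BRUTE_FORCE_ALERTS = """\
01/14-10:00:01.000001  [**] [1:1000005:0] Snort Alert [1:1000005:0] [**] [Priority: 0] {TCP} 10.10.245.36:51002 -> 10.10.140.29:2222
01/14-10:00:01.000002  [**] [1:1000005:0] Snort Alert [1:1000005:0] [**] [Priority: 0] {TCP} 10.10.140.29:2222 -> 10.10.245.36:51002
01/14-10:00:01.000003  [**] [1:1000005:0] Snort Alert [1:1000005:0] [**] [Priority: 0] {TCP} 10.10.245.36:51003 -> 10.10.140.29:2222
"""
REVERSE_SHELL_ALERTS = """\
01/14-11:00:01.000001  [**] [1:1000005:0] Snort Alert [1:1000005:0] [**] [Priority: 0] {TCP} 10.10.140.29:38772 -> 10.10.245.36:4444
01/14-11:00:01.000002  [**] [1:1000005:0] Snort Alert [1:1000005:0] [**] [Priority: 0] {TCP} 10.10.245.36:4444 -> 10.10.140.29:38772
"""

def parse_alerts(text):
    """Return (proto, src, sport, dst, dport) tuples from console alert output."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return out

def find_service_endpoint(alerts):
    """Tally (proto, ip, port) on both ends of every alert. Brute-force clients
    rotate their source port per attempt while the listener stays fixed, so the
    most frequent endpoint is the service. A single long-lived reverse shell ties
    both ends; then prefer the lower port, since client ports are ephemeral (high)."""
    counts = Counter()
    for proto, src, sport, dst, dport in alerts:
        counts[(proto, src, sport)] += 1
        counts[(proto, dst, dport)] += 1
    (proto, ip, port), _ = max(counts.items(), key=lambda kv: (kv[1], -kv[0][2]))
    return proto, ip, port

def build_drop_rule(proto, port, sid, msg):
    """Bidirectional drop rule scoped to one port: narrower than the write-up's
    'drop tcp any any -> any any', which also drops legitimate TCP traffic."""
    return f'drop {proto.lower()} any any <> any {port} (msg:"{msg}"; sid:{sid}; rev:1;)'
```

The generated rule goes into /etc/snort/rules/local.rules in place of the blanket rule and is run with the same -Q / -A full command shown above.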

Question 6: Which tool is highly associated with this specific port number?

Check: https://www.speedguide.net/port.php?port=4444

Thanks for reading and sharing. See you later, stay healthy and have a nice day.

You can find me on:

LinkedIn: bit.ly/34BKvtC

Github: bit.ly/3JNmXkK

linktr.ee: bit.ly/3DZiDN1

Hamdi Sevben

#tryhackme #tryhackme-snort #thm-snort #tryhackme-Snort Challenge-Live Attacks #thm-Snort Challenge-Live Attacks #ids #ips #bruteforce #reverseshell #intrusion-prevention-system #intrusion-detection-system


| Penetration Tester | AWS Cloud Practitioner | eWPTXv2 | eMAPT | CPTE | CEH | CPEH | HTB Practitioner | TryHackMe Top %1 |
