Preventing Attacks with Snort

Snort Challenge – Live Attacks | TryHackMe


Task 1: Introduction

So far, we have been only detecting alerts with the rules that we have created.

In this room, we are going to stop malicious activities from exploiting a host.

If you have not completed the other Snort rooms, it is highly suggested that you complete them first.

Otherwise, let’s start


Task 2: Scenario 1 | Brute-Force

Use the attached VM to finish this task.

[+] THE NARRATOR

J&Y Enterprise is one of the top coffee retails in the world. They are known as tech-coffee shops and serve millions of coffee lover tech geeks and IT specialists every day.

They are famous for specific coffee recipes for the IT community and unique names for these products. Their top five recipe names are;

WannaWhite, ZeroSleep, MacDown, BerryKeep and CryptoY.

J&Y’s latest recipe, “Shot4J“, attracted great attention at the global coffee festival. J&Y officials promised that the product will hit the stores in the coming months.

The super-secret of this recipe is hidden in a digital safe. Attackers are after this recipe, and J&Y enterprises are having difficulties protecting their digital assets.

Last week, they received multiple attacks and decided to work with you to help them improve their security level and protect their recipe secrets.

This is your assistant J.A.V.A. (Just Another Virtual Assistant). She is an AI-driven virtual assistant and will help you notice possible anomalies. Hey, wait, something is happening…

[+] J.A.V.A.

Welcome, sir. I am sorry for the interruption. It is an emergency. Somebody is knocking on the door!

[+] YOU

Knocking on the door? What do you mean by “knocking on the door”?

[+] J.A.V.A.

We have a brute-force attack, sir.

[+] THE NARRATOR

This is not a comic book! Would you mind going and checking what’s going on! Please…

[+] J.A.V.A.

Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the brute-force attack. GOOD LUCK!

Answer the questions below

To identify the source of the attack, we first run Snort in sniffer mode: `-v` prints every packet header to the console, `-d` adds the application-layer payload and `-e` the data-link headers. Optionally, `-l .` also writes the packets to a log in the current directory so the capture can be reviewed afterwards.

sudo snort -dev -l .

After running Snort, we were able to identify the following:

Attacker IP: 10.10.245.36

Target Port: 22
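Reading the `-dev` output by eye is fine for a lab, but the same check can be scripted. The Python below is an added example, not part of the room or of this write-up's commands: it parses the packet headers that `snort -dev` prints, counts bare SYNs per source IP and destination port, and reports the busiest source as the attacker. The sample output is constructed; the attacker address is the one found above, while the victim 10.10.140.15, the gateway 10.10.140.1, the timestamps and every port other than 22 are assumptions.

```python
"""Find the brute-force source and target port in Snort sniffer-mode output.

Added example, not part of the TryHackMe room or of the commands in this
write-up.  SNIFFER_OUTPUT is constructed to look like the packet headers that
`snort -dev` prints; the attacker address is the one found above, while the
victim 10.10.140.15, the gateway 10.10.140.1, the timestamps and every port
other than 22 are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Three SSH connection attempts from the attacker (plus one SYN/ACK reply),
# one HTTP connection from the victim and one DNS query (UDP has no flags line).
SNIFFER_OUTPUT = """\
10/13-14:03:11.201337 10.10.245.36:40212 -> 10.10.140.15:22
TCP TTL:64 TOS:0x0 ID:48112 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-14:03:11.201902 10.10.140.15:22 -> 10.10.245.36:40212
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x9F8E7D6C  Ack: 0x1A2B3C4E  Win: 0xFE88  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-14:03:11.502118 10.10.245.36:40214 -> 10.10.140.15:22
TCP TTL:64 TOS:0x0 ID:48113 IpLen:20 DgmLen:60 DF
******S* Seq: 0x2B3C4D5E  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-14:03:11.803402 10.10.245.36:40216 -> 10.10.140.15:22
TCP TTL:64 TOS:0x0 ID:48114 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3C4D5E6F  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-14:03:12.004471 10.10.140.15:53310 -> 10.10.140.1:80
TCP TTL:64 TOS:0x0 ID:7721 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4D5E6F70  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-14:03:12.110905 10.10.140.15:41990 -> 10.10.140.1:53
UDP TTL:64 TOS:0x0 ID:7722 IpLen:20 DgmLen:60
Len: 32
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

ADDR_LINE = re.compile(
    r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
PROTO_LINE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:")
# Snort prints TCP flags as an eight-character string: ******S* is a bare SYN,
# ***A**S* a SYN/ACK.
FLAGS_LINE = re.compile(r"^(?P<flags>[*12UAPRSF]{8}) Seq:")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = ""
    flags: str = ""

    @property
    def is_syn(self) -> bool:
        """A SYN without ACK is a new connection attempt."""
        return "S" in self.flags and "A" not in self.flags


def parse_sniffer_output(text: str) -> list[Packet]:
    """Turn the header blocks printed by `snort -dev` into Packet records."""
    packets: list[Packet] = []
    for line in text.splitlines():
        if m := ADDR_LINE.match(line):
            packets.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
        elif packets and (m := PROTO_LINE.match(line)):
            packets[-1].proto = m["proto"]
        elif packets and (m := FLAGS_LINE.match(line)):
            packets[-1].flags = m["flags"]
    return packets


def connection_attempts(packets: list[Packet]) -> Counter:
    """Bare SYNs per (source IP, destination port): who is knocking, and where."""
    return Counter((p.src, p.dport) for p in packets if p.proto == "TCP" and p.is_syn)


def identify_attack(packets: list[Packet], min_attempts: int = 3):
    """(attacker_ip, target_port, attempts) for the busiest source, or None if below threshold."""
    attempts = connection_attempts(packets)
    if not attempts:
        return None
    (src, dport), count = attempts.most_common(1)[0]
    return (src, dport, count) if count >= min_attempts else None


if __name__ == "__main__":
    pkts = parse_sniffer_output(SNIFFER_OUTPUT)
    print(f"{len(pkts)} packets; connection attempts: {dict(connection_attempts(pkts))}")
    print("attack:", identify_attack(pkts))
```

Only SYNs without ACK are counted, so the victim's SYN/ACK replies do not inflate the numbers, and the threshold keeps a single legitimate connection from being reported as an attack.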

Knowing the attacker and the targeted port, we write a rule that keeps the attacker from gaining a foothold on the machine.

The rule below rejects any TCP connection attempt to port 22. `reject` drops the packet, logs it and sends a TCP reset back, so the client's attempt fails immediately instead of timing out; `flow:to_server` restricts the match to packets sent by the client, so the server's replies are not matched separately. For this exercise we use the default configuration, so the rule goes in /etc/snort/rules/local.rules, which the default snort.conf already includes:

  • reject tcp any any -> any 22 (msg:"Brute force Attack Detected - Packet Rejected"; flow:to_server; sid:100001; rev:1;)

Snort 2 needs a semicolon after every option, including the last one; a rule that ends in `rev:1)` is refused at load time.

As per the room, take note of the following:

  • Create the rule and test it with “-A console” mode.
  • Use “-A full” mode and the default log path to stop the attack.
  • Write the correct rule and run the Snort in IPS “-A full” mode.
  • Block the traffic at least for a minute and then the flag file will appear on your desktop.

Before we run Snort, make sure we use the right interfaces.

To run Snort in IPS mode we start it with `-Q` (inline mode) and `--daq afpacket`; `-i eth0:eth1` pairs the two interfaces as a bridge, so every packet has to pass through Snort and a rejected packet never reaches the other side. `-c /etc/snort/snort.conf` loads the configuration that pulls in local.rules, and `-A full` with `-l /var/log/snort` is what the room asks for.

sudo snort -Q --daq afpacket -i eth0:eth1 -dev -c /etc/snort/snort.conf -A full -l /var/log/snort

With Snort inline, the attacker's connection attempts to port 22 are dropped and answered with a reset, so the brute force is stopped.

Stop the attack and get the flag (which will appear on your Desktop)

Answer: THM{81b7fef657f8aaa6e4e200d616738254}

What is the name of the service under attack?

Answer: SSH

What is the used protocol/port in the attack?

Answer: TCP/22


Task 3: Scenario 2 | Reverse-Shell

Use the attached VM to finish this task.

[+] THE NARRATOR

Good Job! Glad to have you in the team!

[+] J.A.V.A.

Congratulations sir. It is inspiring watching you work.

[+] You

Thanks team. J.A.V.A. can you do a quick scan for me? We haven’t investigated the outbound traffic yet.

[+] J.A.V.A.

Yes, sir. Outbound traffic investigation has begun.

[+] THE NARRATOR

The outbound traffic? Why?

[+] YOU

We have stopped some inbound access attempts, so we didn’t let the bad guys get in. How about the bad guys who are already inside? Also, no need to mention the insider risks, huh? The dwell time is still around 1-3 months, and I am quite new here, so it is worth checking the outgoing traffic as well.

[+] J.A.V.A.

Sir, persistent outbound traffic is detected. Possibly a reverse shell…

[+] YOU

You got it!

[+] J.A.V.A.

Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell. GOOD LUCK!

Answer the questions below

sudo snort -dev -A console

Running Snort in sniffer mode again shows the expected traffic on port 80, but it also shows a local host repeatedly connecting out to an unknown IP on port 4444. That is the suspicious part: 4444 is the default LPORT for Metasploit payloads and its multi/handler listener, so this looks like a reverse shell calling home.

We now write a rule that rejects any connection to port 4444 on the attacker's side, and save it in the default local.rules. Because the victim is the one opening the connection, the rule has to match the outbound direction, i.e. destination port 4444; with `reject` in inline mode the victim's SYN is dropped and answered with a reset, so the shell can never reconnect. A rule on source port 4444 (`reject tcp any 4444 -> any any`) would instead match the listener's replies; either one tears down the session, but write the direction you mean. If the rules from both scenarios live in one local.rules, give this one its own sid: sids must be unique within a gid, and Snort treats a repeated gid/sid as a duplicate rule rather than a second one.

  • reject tcp any any -> any 4444 (msg:"Outbound Traffic Rejected - Port 4444"; sid:100002; rev:1;)
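Rule headers are directional, and a rule that is valid syntax can still match the wrong side of a conversation. The Python below is an added example, not code from the room or from Snort: it parses the subset of Snort 2 rule syntax used in both scenarios (single IP or `any`, single port or `any`, `->` / `<>`, `flow:to_server`), lints the rule the way a reviewer would, and dry-runs it against constructed packets for the SSH brute force of scenario 1 and the reverse shell of this scenario. The attacker address is the one seen in scenario 1; the victim 10.10.140.15, the listener 10.10.160.9 and all ephemeral ports are assumptions.

```python
"""Dry-run a Snort rule header against sample packets before running it inline.

Added example, not code from the TryHackMe room or from Snort.  It models only
the rule syntax used on this page: single IP or 'any', single port or 'any',
'->' and '<>', and flow:to_server / flow:to_client.  Every address except the
scenario-1 attacker, and every ephemeral port, is an assumption.
"""
import re
from collections import namedtuple
from dataclasses import dataclass

HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
Rule = namedtuple("Rule", "action proto src sport direction dst dport opts")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    to_server: bool = True  # True when sent by the side that opened the connection


def parse_rule(text: str) -> Rule:
    """Parse header and options, raising ValueError for mistakes Snort itself rejects."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    body = m["opts"].strip()
    if body and not body.endswith(";"):  # Snort 2: every option, even the last, ends with ';'
        raise ValueError("every rule option, including the last one, must end with ';'")
    opts = {}
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"], m["dst"], m["dport"], opts)


def is_valid_rule(text: str) -> bool:
    try:
        return parse_rule(text) is not None
    except ValueError:
        return False


def lint_rule(rule: Rule) -> list[str]:
    """Review-style warnings that do not stop the rule from loading."""
    warnings = []
    if int(rule.opts["sid"]) < 1_000_000:
        warnings.append(f"sid {rule.opts['sid']} is in the range reserved for Snort-distributed "
                        "rules; local rules should use sid >= 1000000")
    if rule.direction == "<>" and "flow" in rule.opts:
        warnings.append("'<>' plus a flow direction is redundant; write the one-way header you mean")
    return warnings


def _one_way(rule: Rule, src: str, sport: int, dst: str, dport: int) -> bool:
    """Does the header match this source/destination in the order given?"""
    return (rule.src in ("any", src) and rule.sport in ("any", str(sport))
            and rule.dst in ("any", dst) and rule.dport in ("any", str(dport)))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    hit = _one_way(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule.direction == "<>":  # bidirectional header: also try it mirrored
        hit = hit or _one_way(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    flow = {f.strip() for f in rule.opts.get("flow", "").split(",")}
    if ("to_server" in flow and not pkt.to_server) or ("to_client" in flow and pkt.to_server):
        return False
    return hit


def rejected(rule_text: str, packets) -> list[str]:
    """Packets the rule would act on, as 'src:sport->dst:dport' strings."""
    rule = parse_rule(rule_text)
    return [f"{p.src}:{p.sport}->{p.dst}:{p.dport}" for p in packets if matches(rule, p)]


# Constructed traffic for both scenarios; victim, listener and ports are assumed.
VICTIM, ATTACKER, LISTENER = "10.10.140.15", "10.10.245.36", "10.10.160.9"
TRAFFIC = [
    Packet(ATTACKER, 40212, VICTIM, 22, to_server=True),     # scenario 1: inbound SSH SYN
    Packet(VICTIM, 22, ATTACKER, 40212, to_server=False),    # victim's SYN/ACK back
    Packet(VICTIM, 51002, LISTENER, 4444, to_server=True),   # scenario 2: shell connecting out
    Packet(LISTENER, 4444, VICTIM, 51002, to_server=False),  # listener's replies and commands
]
RULE_SSH = 'reject tcp any any -> any 22 (msg:"Brute force Attack Detected - Packet Rejected"; flow:to_server; sid:1000001; rev:1;)'
RULE_FROM_4444 = 'reject tcp any 4444 -> any any (msg:"Traffic from port 4444 rejected"; sid:1000002; rev:1;)'
RULE_TO_4444 = 'reject tcp any any -> any 4444 (msg:"Outbound Traffic Rejected - Port 4444"; sid:1000003; rev:1;)'

if __name__ == "__main__":
    for text in (RULE_SSH, RULE_FROM_4444, RULE_TO_4444):
        print(text.split("(")[0].strip(), "->", rejected(text, TRAFFIC), lint_rule(parse_rule(text)))
```

Running it shows that a header on source port 4444 only hits the listener's replies, the header on destination port 4444 hits the victim's outbound SYN, and `<>` hits both; it also refuses a rule ending in `rev:1)` without the closing semicolon, as Snort does. Real Snort headers can also carry CIDR ranges, lists, `!` negation and port ranges, which this toy parser does not model.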

Let’s run Snort in IPS mode.

sudo snort -Q --daq afpacket -i eth0:eth1 -q -dev -c /etc/snort/snort.conf -A full -l /var/log/snort

After a minute, we have successfully stopped the attack.

Stop the attack and get the flag (which will appear on your Desktop)

Answer: THM{0ead8c494861079b1b74ec2380d2cd24}

What is the used protocol/port in the attack?

Answer: TCP/4444

Which tool is highly associated with this specific port number?

Answer: Metasploit


Thanks for reading! Happy learning 🙂
