TryHackMe: Snort Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Snort Room on TryHackMe.

In this room we will learn about the essentials of Snort. Snort is an open-source network intrusion detection and prevention system (IDS/IPS) that is used to monitor network traffic in real-time. It analyzes incoming data packets to detect potentially harmful activities, such as attacks, malware, or policy violations. Snort can be configured to log or block malicious activity based on predefined rules.

It operates by examining network traffic at different layers, from the data link to the application layer, and can identify patterns associated with known threats. Snort is widely used in cybersecurity for network defense, and it is highly customizable, allowing users to create their own detection rules or leverage existing ones.

Let’s learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.

TryHackMe Snort room banner

https://tryhackme.com/r/room/snort

This room is part of the SOC Level 1 Path.

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Introduction

This room focuses on learning Snort, an open-source Network Intrusion Detection and Prevention System (NIDS/NIPS). It requires basic knowledge of Linux command-line navigation, network fundamentals (ports, protocols, and traffic), and traffic analysis.

Before starting, it’s recommended to complete the “Network Fundamentals” and “Linux Fundamentals” modules (1, 2, 3) if needed. Snort uses rule-based detection to identify malicious network activity, generating alerts based on defined rules.

Questions

Read the task above.

Answer: No answer needed


Task 2: Interactive Material and VM

Start up the machine attached to this task.

Exercise files

Once the machine has fully started, you will see a folder named Task-Exercises on the Desktop. Each exercise has its own folder and files; use them according to the questions. In this folder there are two subfolders:

  • Config-Sample – Sample configuration and rule files. These files are provided to show what the configuration files look like. The installed Snort instance doesn’t use them, so feel free to practice on and modify them. Snort’s original base files are located under the /etc/snort folder.
  • Exercise-Files – There is a separate folder for each task. Each folder contains pcap, log and rule files ready to play with.

Traffic Generator

The machine contains a script (traffic-generator.sh) which generates traffic on our Snort interface. Once you run the script, it asks you to choose the exercise type and then automatically opens another terminal to show you the output of the selected action.

It is important to choose the correct exercise type when running the script so that the correct traffic data gets generated for each question. Also make sure to wait until the script execution is completed, unless you choose the wrong exercise.

Run the “traffic-generator.sh” file by executing it as sudo.

sudo ./traffic-generator.sh

Questions

Navigate to the Task-Exercises folder and run the command “./.easy.sh” and write the output

Easy peasy. Start up your terminal and move into the Task-Exercises folder by using cd, followed by running the script:

cd Desktop
cd Task-Exercises/
./.easy.sh
Too easy

Answer: Too Easy!


Task 3: Introduction to IDS/IPS

Before diving into Snort and analyzing traffic, let’s have a brief overview of what an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) are. It is possible to configure your network infrastructure to use both of them, but before starting with either, let’s learn the differences.

Differences between IDS and IPS

Intrusion Detection System (IDS):

  • Purpose: Passively detects and alerts on suspicious activities, abnormal incidents, and policy violations.
  • Types:
    1. NIDS (Network IDS): Monitors network traffic across subnets, creating alerts for suspicious signatures.
    2. HIDS (Host-based IDS): Monitors traffic on a single endpoint, alerting on detected threats.

Intrusion Prevention System (IPS):

  • Purpose: Actively prevents and stops suspicious activities as soon as detected.
  • Types:
    1. NIPS (Network IPS): Protects entire network traffic, terminating malicious connections.
    2. Behaviour-Based IPS (NBA): Learns normal traffic patterns (baseline) to detect new threats but requires a training period.
    3. WIPS (Wireless IPS): Monitors and protects wireless networks from threats.
    4. HIPS (Host-based IPS): Similar to HIDS but actively terminates threats instead of just alerting.

Detection/Prevention Techniques:

  1. Signature-Based: Matches known patterns of malicious activity.
  2. Behaviour-Based: Identifies new threats by comparing normal vs. abnormal traffic patterns.
  3. Policy-Based: Detects violations based on security policies.

Key Differences Between IDS and IPS:

  • IDS alerts on threats but requires user action to stop them.
  • IPS detects and automatically blocks threats with minimal user intervention.

Introduction to Snort:

  • What is Snort?
    An open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS) developed by Martin Roesch, maintained by Cisco Talos and the open-source community.
  • Capabilities:
    • Live traffic analysis
    • Attack detection
    • Packet logging
    • Protocol analysis
    • Real-time alerting
    • Modular and cross-platform (Linux & Windows)
  • Main Models:
    1. Sniffer Mode: Displays live IP packets in the console.
    2. Packet Logger Mode: Logs all network traffic.
    3. NIDS/NIPS Mode: Detects and logs/drops malicious packets based on user-defined rules.

Questions

Which snort mode can help you stop the threats on a local machine?

This is a confusing question, as I expected the answer to be one of the modes just mentioned. But it refers back to the different systems discussed before that. Here they are referring to HIPS, a host-based Intrusion Prevention System, which helps stop threats on a local machine.

Answer: HIPS

Which snort mode can help you detect threats on a local network?

The question relates to an Intrusion Detection System since it refers to detecting threats, but this time on a local network. So the answer is NIDS.

Answer: NIDS

Which snort mode can help you detect the threats on a local machine?

Detecting threats (IDS) on a local machine (H), so HIDS is the answer.

Answer: HIDS

Which snort mode can help you stop the threats on a local network?

Stopping threats (IPS) on a local network (N), so the answer is NIPS.

Answer: NIPS

Which snort mode works similar to NIPS mode?

A behaviour-based Intrusion Prevention System (Network Behaviour Analysis, NBA) is very similar to a NIPS.

Just like a NIPS, the aim is to protect the traffic on the entire subnet, and if a signature is identified the connection is terminated. The difference is that NBA monitors the traffic flow with behaviour-based detection, and it needs to be trained first.

Answer: NBA

According to the official description of the snort, what kind of NIPS is it?

The description is as follows.

“Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.”

Snort is described as a full-blown network intrusion prevention system.

Ugh..

Answer: full-blown

NBA training period is also known as …

Behaviour-based systems require a training period (also known as “baselining”) to learn the normal traffic and differentiate it from malicious traffic and threats.

Answer: baselining


Task 4: First Interaction with Snort

This task briefly discusses how to verify that Snort is successfully installed and set up. Here is a summary:

  1. Verify Installation: Using snort -V helps confirm that Snort is installed and provides details about the installed version, including linked libraries like libpcap and PCRE.
  2. Validate Configuration:
    • Use sudo snort -c /etc/snort/snort.conf -T to ensure the configuration file is correctly set up.
    • This is crucial because Snort’s effectiveness heavily relies on its configuration (rules, plugins, and actions).
    • You can create multiple configuration files for different use cases (e.g., testing, production) but can only use one at runtime.
  3. Key Parameters:
    • -V: Version information.
    • -c: Specifies the configuration file.
    • -T: Tests the configuration file without running Snort.
    • -q: Quiet mode suppresses the banner and initial information.

Questions

Run the Snort instance and check the build number.

Just run the following command:

snort -V
Snort version output

The build number is 149.

Answer: 149

Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.

Here we can run the other command we learned about:

sudo snort -c /etc/snort/snort.conf -T

Nearly at the end you will see the following info:

Rule count snort v1

Answer: No answer needed

Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.

This time run:

sudo snort -c /etc/snort/snortv2.conf -T
Rule count snort v2

Here only 1 Snort rule is read.

Answer: 1


Task 5: Operation Mode 1: Sniffer Mode

Like tcpdump, Snort has various flags for viewing different data about the packets it ingests. Let’s cover the most essential flags:

  1. Sniffing with an interface (-i): sudo snort -v -i eth0. If there is only one interface, Snort uses it by default. If several exist, specify the desired one, e.g. eth0.
  2. Verbose mode (-v): sudo snort -v. Displays TCP/IP header information, similar to tcpdump.
  3. Display packet data (-d): sudo snort -d. Shows the payload in addition to the basic TCP/IP details.
  4. Dump with link-layer headers (-de): sudo snort -d -e. Combines the payload dump (-d) with link-layer headers (-e), so you also see MAC addresses.
  5. Full packet details in hex (-X): sudo snort -X. Displays the entire packet, headers and payload, in hex and ASCII.

Ensure you run the traffic-generator script as sudo to generate sufficient ICMP/HTTP traffic:

sudo ./traffic-generator.sh

Each mode provides progressively more detailed packet information.

Questions

You can practice the parameter combinations by using the traffic-generator script

Make sure to play around and try some of the different modes. Remember to run the generator script after turning on snort!

Answer: No answer needed


Task 6: Operation Mode 2: Packet Logger Mode

Snort can sniff and log packets using logger mode. This mode logs packets in a specified directory, allowing you to analyze traffic. Logs can be saved in binary (default) or ASCII format.

Key Parameters:

  • -l: Specifies the log directory (default: /var/log/snort).
  • -K ASCII: Logs packets in human-readable ASCII format.
  • -r: Reads and processes previously logged files.
  • -n: Limits the number of packets Snort processes.

Logging with -l:

  • Command: sudo snort -dev -l .
  • Logs are saved in binary/tcpdump format in the current directory or the specified directory.
  • Example log file: snort.log.<timestamp>.

Logging with -K ASCII:

  • Command: sudo snort -dev -K ASCII -l .
  • Logs are human-readable and categorized into directories by IP addresses (e.g., 192.168.175.129/).
  • Easier to read directly with text editors.

Reading Logs with -r:

  • Command: sudo snort -r snort.log.<timestamp>
  • Allows Snort to analyze binary logs, similar to sniffer mode.
  • Binary logs can also be opened with tools like tcpdump (tcpdump -r) or Wireshark.
  • ASCII logs are not readable by Snort.
  • Use -r with filters like icmp, tcp, or verbose mode (-X) for targeted analysis.

Now, use the attached VM and navigate to the Task-Exercises/Exercise-Files/TASK-6 folder to answer the questions!

Questions

Investigate the traffic with the default configuration file with ASCII mode.

sudo snort -dev -K ASCII -l .

Execute the traffic generator script and choose “TASK-6 Exercise”. 

sudo ./traffic-generator.sh

Wait until the traffic ends, then stop the Snort instance. Now analyse the output summary and answer the question. Now, you should have the logs in the current directory. Navigate to folder “145.254.160.237”. What is the source port used to connect port 53?

First of all, if you have problems opening the log files, read the task’s section about log file ownership. Either change to the superuser, or change the ownership of the files/directories so that you can read them as your own user:

  • sudo su
  • sudo chown username file (a single file) or sudo chown username -R directory (a whole directory tree)

To answer the question about the source port we can actually look at the generated log files:

Generated log files

The file names like TCP:3009-53 in the Snort logs represent the protocol and the source/destination port numbers associated with the logged network traffic. Here’s the breakdown:

  • TCP: Indicates the protocol (in this case, TCP).
  • 3009: Represents the source port of the connection.
  • 53: Represents the destination port of the connection.

So the answer here is 3009.

Answer: 3009
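Reading one file name by eye is fine for a single question, but a real ASCII log directory holds many IP folders. Here is an added example (my own Python, not part of the room or of Snort) that walks an ASCII log tree and parses every <PROTO>:<sport>-<dport> file name. It assumes the layout described in this task: one directory per IP address containing those per-connection files. The directory tree it builds is constructed for the demo; only TCP:3009-53 under 145.254.160.237 comes from the walkthrough, the second IP (192.0.2.10) and the other file names are made up.

```python
import os
import re
import tempfile

# Added example, not code from the room. Assumes the ASCII log layout described above:
# <logdir>/<ip>/<PROTO>:<sport>-<dport>, one file per logged connection.
FILE_RE = re.compile(r"^(?P<proto>TCP|UDP):(?P<sport>\d+)-(?P<dport>\d+)$")


def index_ascii_logs(logdir):
    """Return (ip, proto, sport, dport) for every per-connection file under logdir."""
    records = []
    for ip in sorted(os.listdir(logdir)):
        ipdir = os.path.join(logdir, ip)
        if not os.path.isdir(ipdir):
            continue  # only the per-IP directories hold the connection files
        for name in sorted(os.listdir(ipdir)):
            m = FILE_RE.match(name)
            if m:  # file names that do not follow PROTO:sport-dport are skipped
                records.append((ip, m["proto"], int(m["sport"]), int(m["dport"])))
    return records


def source_ports_to(records, dport, ip=None):
    """Source ports used to reach dport, optionally restricted to one IP directory."""
    return sorted({r[2] for r in records if r[3] == dport and (ip is None or r[0] == ip)})


def build_sample_tree():
    """Constructed tree mirroring the screenshot; 192.0.2.10 and its files are made up."""
    root = tempfile.mkdtemp(prefix="snort-ascii-")
    layout = {
        "145.254.160.237": ["TCP:3009-53", "TCP:3372-80"],
        "192.0.2.10": ["TCP:80-3372", "README"],  # README shows a non-matching name is ignored
    }
    for ip, names in layout.items():
        os.makedirs(os.path.join(root, ip))
        for name in names:
            with open(os.path.join(root, ip, name), "w") as fh:
                fh.write("constructed placeholder for a logged packet\n")
    return root


if __name__ == "__main__":
    recs = index_ascii_logs(build_sample_tree())
    print("source ports to 53:", source_ports_to(recs, 53))  # [3009]
```

Pointing the function at the real log directory created by the -K ASCII run gives the same listing for every IP folder at once, which is handy when a pcap contains more than one host.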

Use snort.log.1640048004. Read the snort.log file with Snort; what is the IP ID of the 10th packet?

snort -r snort.log.1640048004 -n 10

You should see some general statistics, along with a list of the 10 packets. The final one looks like this:

IP ID of 10th packet

Here the IP ID is written: 49313.

Answer: 49313

Read the “snort.log.1640048004” file with Snort; what is the referer of the 4th packet?

This info is lacking if we run the previous command. We need to add the -X flag to display the entire packet, including headers and payload, in HEX and ASCII formats.

snort -r snort.log.1640048004 -n 10 -X
Fourth packet of snort.log file

The referer is found nearly in the end.

Answer: http://www.ethereal.com/development.htm

Read the “snort.log.1640048004” file with Snort; what is the Ack number of the 8th packet?

We can see this info in the output from the previous question, but this time we look at the 8th packet:

Ack number packet 8

Bonus info: the acknowledgement number field in the TCP header is used in TCP communication to indicate the next sequence number the sender of the acknowledgment expects to receive. It’s a crucial part of TCP’s reliable data transfer mechanism.

Answer: 0x38AFFFF3

Read the “snort.log.1640048004” file with Snort; what is the number of the “TCP port 80” packets?

We need to use a BPF filter here to quickly restrict the logged traffic to TCP packets sent from or received on port 80. The command to run is:

snort -r snort.log.1640048004 'tcp and port 80'

Remember to remove the earlier limit of packets (10). We need to filter on all the logged packets.

Answer: 41


Task 7: Operation Mode 3: IDS/IPS

Snort can operate in IDS/IPS mode to monitor and manage traffic based on user-defined rules. Here’s a breakdown of its key features and parameters:

The most important Snort IPS parameters:

  • -c: Specifies the configuration file.
  • -T: Tests the configuration file for errors.
  • -N: Disables logging but keeps console output if verbosity (-v) or full packet dump (-X) is active.
  • -D: Runs Snort in the background (daemon mode).
  • -A: Sets the alert mode:
    • full: Detailed alerts (default if unspecified).
    • fast: Simplified alerts with timestamps, source/destination IPs, and ports.
    • console: Fast-style alerts displayed on the console.
    • cmg: Includes basic header and payload in hex/text format.
    • none: Disables alerts.

Usage Highlights:

  1. Configuration Testing (-c and -T):
    • Example: sudo snort -c /etc/snort/snort.conf -T checks for configuration issues.
  2. Logging Disabled (-N):
    • Prevents log file creation but displays traffic info on the console with other active options.
  3. Background Mode (-D):
    • Runs Snort as a daemon. Useful for automation but requires stable configuration. Example: sudo snort -c /etc/snort/snort.conf -D.
    • Manage background processes with ps and terminate with kill.
  4. Alert Modes (-A):
    • Compare different alert outputs by observing console or logs.

Example Rule:

The following rule triggers an alert for ICMP traffic:

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule is located in /etc/snort/rules/local.rules.

Questions

Investigate the traffic with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l .

Execute the traffic generator script and choose TASK-7 Exercise. Wait until the traffic stops, then stop the Snort instance. Now analyse the output summary and answer the question.

sudo ./traffic-generator.sh

What is the number of the detected HTTP GET methods?

Full disclosure: I was searching and searching and couldn’t find the right info. Then I realized that I needed to stop the Snort instance: only after the IDS process is stopped does it print the output summary. If you look around a bit you will find the following HTTP summary data:

Snort detected GET methods

Here it is clear that two HTTP GET requests took place in the traffic generated by the traffic-generator script.

Answer: 2

You can practice the rest of the parameters by using the traffic-generator script.

I highly recommend that you play around a bit with the parameters discussed in the task. Take your time, I’m not going anywhere!

Answer: No answer needed


Task 8: Operation Mode 4: PCAP Investigation

Snort’s capabilities go beyond sniffing, logging, and detecting/preventing threats. Its PCAP read/investigate mode allows you to work with PCAP files effectively. After processing a PCAP file with Snort, you’ll receive default traffic statistics and alerts based on your ruleset.

Simply reading a PCAP without any additional parameters will only provide an overview of the packets and basic statistics. However, this isn’t particularly useful in most cases. By investigating the PCAP with Snort, you can take advantage of its rules to speed up the investigation process by detecting known threat patterns.

PCAP mode parameters are explained below:

--pcap-single=

This allows you to read and analyze a single PCAP file. For example, running sudo snort -r icmp-test.pcap would load and analyze the packets in icmp-test.pcap.

sudo snort -c /etc/snort/snort.conf -q -r icmp-test.pcap -A console -n 10

This command analyzes the icmp-test.pcap file using Snort’s configuration, producing alerts based on the ruleset. The -A console flag outputs alerts to the console, and -n 10 limits the number of packets processed.

--pcap-list=""

This allows you to provide a space-separated list of PCAP files, so Snort processes several files in one run using the same configuration.

sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console -n 10

This command processes both icmp-test.pcap and http2.pcap, but outputs combined alerts without distinguishing between the two files.

--pcap-show

This parameter shows the name of each PCAP as it is being processed. It is useful when you work with multiple files and need to tell which alerts correspond to which file.

sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console --pcap-show

Questions

Investigate the mx-1.pcap file with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

What is the number of the generated alerts?

Enter the command above. Among the output you will see the following section:

Number of alerts

The number of alerts is 170.

Answer: 170

Keep reading the output. How many TCP Segments are Queued?

Scroll a bit down and you can find the answer:

Stream statistics

The number of queued TCP segments is 18.

Answer: 18

Keep reading the output. How many “HTTP response headers” were extracted?

Further down you can see the HTTP Inspect info. Among other data, we can see that the number of HTTP response headers extracted is 3.

HTTP Inspect info

Answer: 3

Investigate the mx-1.pcap file with the second configuration file.

sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap

What is the number of the generated alerts?

Run snort on the same file, but now with config file snortv2.conf.

This time the answer is 68:

Number of alerts v2

Answer: No answer needed

Investigate the mx-2.pcap file with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap

What is the number of the generated alerts?

Run the above command. You get the idea now:

Number of alerts mx-2

The answer is 340 here.

Answer: 340

Keep reading the output. What is the number of the detected TCP packets?

Look at the output again. The number of detected TCP packets is 82:

Number of TCP packets

Answer: 82

Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file.

sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"

What is the number of the generated alerts?

Well, they are really making this easy by giving us the right command. You know the drill. You can find the number of alerts here:

Number of alerts mx-2 and mx-3

The number is 1020.

Answer: 1020


Task 9: Snort Rule Structure

Understanding Snort rule format is critical for blue and purple teamers, especially in IDS/IPS contexts. Snort operates in passive mode by default (IDS) and requires inline mode for IPS functionality. The structure of a Snort rule includes action, protocol, source/destination IPs, ports, and optional rule options.

The following image from TryHackMe is really great:

Snort rule format

Key Components:

  1. Actions:
    • alert: Generates an alert and logs the packet.
    • log: Logs the packet.
    • drop: Blocks and logs the packet.
    • reject: Blocks, logs, and terminates the session.
  2. Protocol:
    Supports IP, TCP, UDP, and ICMP. Application traffic (e.g., FTP) can be filtered using ports.
  3. IP and Port Filtering:
    • Specify individual IPs, ranges (192.168.1.0/24), or exclude (!192.168.1.0/24).
    • Ports can target single ports, ranges (1:1024), or exclude (!21).
  4. Direction Operators:
    • ->: Source to destination flow.
    • <>: Bidirectional flow.
  5. Rule Options:
    • General Options:
      • msg: Description displayed upon rule triggering.
      • sid: Unique rule ID (>1,000,000 for user-created rules).
      • rev: Revision number for rule updates.
      • reference: Adds context (e.g., CVE references).
    • Payload Options:
      • content: Matches ASCII/HEX data.
      • nocase: Disables case sensitivity.
      • fast_pattern: Optimizes initial packet matching.
    • Non-Payload Options:
      • id: Filters IP ID field.
      • flags: Filters TCP flags (e.g., SYN, FIN, RST, PSH, ACK, URG).
      • dsize: Filters based on payload size.
      • sameip: Matches identical source/destination IPs.

Creating your rules

Efficient rule creation requires understanding Snort’s options, focusing on concrete use cases, and constant revision for optimal performance. Rules are saved in local.rules (e.g., /etc/snort/rules/local.rules). This is where we will add our rules in this task.
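Before touching local.rules, it helps to check a rule’s syntax the way Snort will read it. The following is an added example (my own Python, not code from the room or from the Snort project): it parses a rule line into the header fields and options listed above and flags the mistakes that are easy to make by hand, such as a missing trailing ‘;’, a sid below 1,000,000, or a missing rev or msg. The lint items are my own choice of review points; Snort itself enforces more at load time, which is why sudo snort -c ... -T stays the final check.

```python
import re
from dataclasses import dataclass

# Added example (not from the TryHackMe room or the Snort project): a parser and lint pass
# for Snort 2 rule syntax. The lint items (sid, rev, msg, ports on ip/icmp rules) are my own.

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

# <action> <proto> <src> <sport> <-> or <>> <dst> <dport> (<options>)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class SnortRule:
    action: str
    protocol: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # [(keyword, value or None), ...] in the order written


def split_options(opts: str) -> list:
    """Split the option body on ';' without breaking quoted values such as msg:"a;b"."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:                 # a backslash-escaped character is literal
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    tail = "".join(cur).strip()
    if tail:                        # every option, the last one included, must end with ';'
        raise ValueError("rule options must end with ';' (dangling text: %r)" % tail)
    parsed = []
    for item in items:
        if not item:
            continue
        key, sep, value = item.partition(":")
        parsed.append((key.strip(), value.strip() if sep else None))  # None: flag option (sameip, nocase)
    return parsed


def parse_rule(text: str) -> SnortRule:
    """Parse one rule line into its header fields and option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto = m["action"].lower(), m["proto"].lower()
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % proto)
    return SnortRule(action, proto, m["src"], m["sport"], m["dir"],
                     m["dst"], m["dport"], split_options(m["opts"]))


def lint_rule(rule: SnortRule) -> list:
    """Problems a reviewer would raise before the rule goes into local.rules."""
    problems = []
    opts = dict(rule.options)
    sid = opts.get("sid")
    if sid is None:
        problems.append("missing sid")
    elif not sid.isdigit():
        problems.append("sid is not an integer")
    elif int(sid) < 1_000_000:
        problems.append("sid %s is below 1,000,000, the range kept for the official rule sets" % sid)
    if "rev" not in opts:
        problems.append("missing rev (needed to track modifications)")
    if "msg" not in opts:
        problems.append("missing msg (alerts will carry no description)")
    if rule.protocol in ("ip", "icmp") and (rule.sport, rule.dport) != ("any", "any"):
        problems.append("port fields are meaningless for %s rules" % rule.protocol)
    return problems


def check_rule(text: str) -> str:
    """Return '' when the rule parses and lints clean, otherwise the first problem found."""
    try:
        problems = lint_rule(parse_rule(text))
    except ValueError as exc:
        return str(exc)
    return problems[0] if problems else ""
```

Running check_rule over each line of a local.rules draft before loading it catches the trailing-semicolon slip and the reserved sid range without a Snort restart; the config test with -T remains the authoritative check.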

Questions

Use “task9.pcap”. Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet?

Before running the Snort command we need to insert our rule into the /etc/snort/rules/local.rules file. The only rule option we have to filter on is the IP ID, which is one of the non-payload options; it is added as (id:35369;) at the end of the rule. The only thing missing is the protocol to filter on. It is not mentioned, but we can try the four protocols supported by Snort 2 (IP/TCP/UDP/ICMP) one at a time. Finally, each rule needs a sid, and user-created rules should have a sid higher than 1,000,000.

I suggest we write the rule as follows:

alert icmp any any <> any any (id:35369; sid:1000001;)

Make sure you are in the Task-Exercises/Exercise-Files/TASK-9 folder. To edit the file you can use the following command:

sudo gedit local.rules

It should look like this:

Our very first Snort rule

Save it, and run the snort command:

snort -c local.rules -A full -l . -r task9.pcap

It should say one alert:

Alert logged

Now, Snort should have created a log file:

Alert log

The request name is TIMESTAMP REQUEST.

Answer: TIMESTAMP REQUEST

Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

Edit the local.rules file again. This time we will add the following rule:

alert tcp any any <> any any (flags:S; sid:1000002;)

Packets with the SYN (S) flag set should by definition be TCP (remember the 3-way handshake?). Your rule file should look like this:

Our second rule file, yay

Read the output summary to get the answer:

Number of detected packets

Answer: 1

Clear the previous log and alarm files and deactivate/comment out the old rule. Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

I did not know what a Push-Ack flag was, so I ended up reading about them. In essence these flags mean the following:

  • PSH (Push): Instructs the receiver to pass the data to the application immediately.
  • ACK (Acknowledgment): Acknowledges receipt of data.

We can use a similar rule as before:

alert tcp any any <> any any (flags:PA; sid:1000003;)

Add it to the rule file and run Snort again. You know the drill now.

Number of detected PA packets

The number of alerts is 216.

Answer: 216

Clear the previous log and alarm files and deactivate/comment out the old rule. Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of packets that show the same source and destination address?

To create a Snort rule that filters packets with the same source IP and destination IP, you can use the ip protocol and a check for the source IP matching the destination IP using the sameip keyword.

The rule should look like this:

alert ip any any -> any any (sameip; sid:1000004;)

I received 13 alerts, but this is not the right answer. The hint mentions:

Review the logs and count the number of the alerts. Don’t consider the unassigned IP addresses, IP requests and broadcast/multicast messages.

After some research I found out the rule needs to be expanded to take the following into consideration:

  • Exclude unassigned or reserved IP addresses (e.g., 0.0.0.0).
  • Exclude broadcast traffic (e.g., 255.255.255.255).
  • Exclude multicast traffic (e.g., 224.0.0.0/4).

By manually going through the log and ignoring entries from broadcast and multicast traffic, and traffic originating from unassigned IP addresses, I counted 7. These are the log entries worth counting:

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.100000 192.168.0.1:0 -> 192.168.0.1:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
******** Seq: 0x0 Ack: 0x0 Win: 0xFFFC TcpLen: 20

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.200000 192.168.0.21:0 -> 192.168.0.21:0
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.300000 192.168.0.44:4444 -> 192.168.0.44:4444
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.400000 192.168.0.21:0 -> 192.168.0.21:0
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.500000 192.168.0.21:0 -> 192.168.0.21:0
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.600000 192.168.0.11:4444 -> 192.168.0.11:4444
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
******** Seq: 0x0 Ack: 0x0 Win: 0xFFFC TcpLen: 20

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.700000 192.168.0.11:0 -> 192.168.0.11:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
******** Seq: 0x0 Ack: 0x0 Win: 0xFFFC TcpLen: 20

Answer: 7
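Counting alerts by hand works for 13 entries but not for the thousands a busy sensor produces. As an added example (my own Python, not from the room or from Snort), here is a parser for the full-alert layout shown above that applies the three exclusions listed: it drops alerts whose source is 0.0.0.0, 255.255.255.255 or a multicast address, and counts the remaining same-IP entries. The sample input is constructed: the first three entries counted above plus three made-up entries of the excluded kinds, so the expected count for the sample is 3.

```python
import ipaddress
import re

# Added example, not code from the room. Constructed sample in the "full" alert layout shown
# above: the first three entries counted above plus three constructed entries (0.0.0.0,
# 255.255.255.255, 224.0.0.1) of the kinds the hint says to leave out.
SAMPLE_ALERTS = """\
[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.100000 192.168.0.1:0 -> 192.168.0.1:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
******** Seq: 0x0 Ack: 0x0 Win: 0xFFFC TcpLen: 20

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.200000 192.168.0.21:0 -> 192.168.0.21:0
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:47.300000 192.168.0.44:4444 -> 192.168.0.44:4444
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:48.000000 0.0.0.0:68 -> 0.0.0.0:68
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:48.100000 255.255.255.255:67 -> 255.255.255.255:67
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:1000004:0] [**]
[Priority: 0]
12/18-21:57:48.200000 224.0.0.1:5353 -> 224.0.0.1:5353
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:46 DF
Len: 18
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")
# timestamp, then src[:port] -> dst[:port]; the port is absent for ICMP entries
ADDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_alerts(text):
    """One dict per alert entry: sid, src, dst and the protocol named on the next line."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):  # entries are separated by blank lines
        lines = block.splitlines()
        hdr = HEADER_RE.match(lines[0]) if lines else None
        if hdr is None:
            continue
        for i, line in enumerate(lines):
            m = ADDR_RE.match(line)
            if m:
                proto = lines[i + 1].split()[0] if i + 1 < len(lines) else "?"
                alerts.append({"sid": int(hdr["sid"]),
                               "src": ipaddress.ip_address(m["src"]),
                               "dst": ipaddress.ip_address(m["dst"]),
                               "proto": proto})
                break
    return alerts


def is_excluded(alert):
    """The exclusions applied by hand above: unassigned source, broadcast, multicast."""
    src = alert["src"]
    return src.is_unspecified or src == BROADCAST or src.is_multicast


def count_sameip(alerts):
    """Alerts whose source and destination match, minus the excluded kinds."""
    return sum(1 for a in alerts if a["src"] == a["dst"] and not is_excluded(a))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(len(parsed), "alerts,", count_sameip(parsed), "worth counting")  # 6 alerts, 3 worth counting
```

Feeding the real alert file from the TASK-9 run into parse_alerts instead of SAMPLE_ALERTS reproduces the manual count, and the same is_excluded test can be reused for the other same-IP questions in later rooms.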

Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

When an analyst modifies an existing Snort rule successfully, they must update the rev (revision number) field in the rule. This field tracks changes to the rule and ensures proper version control. The rev field lets other analysts know that the rule has been modified and ensures that Snort uses the correct version of the rule. It also helps in troubleshooting by identifying which revision of the rule is causing alerts.

Answer: rev


Task 10: Snort2 Operation Logic: Points to Remember

This task is very theory heavy. The main points are as follows:

Main Components of Snort

  1. Packet Decoder: Collects and prepares packets for processing.
  2. Pre-processors: Arranges and modifies packets for the detection engine.
  3. Detection Engine: Analyzes packets and applies rules.
  4. Logging and Alerting: Generates logs and alerts.
  5. Outputs and Plugins: Handles output integration (e.g., syslog, MySQL) and plugin support.

Types of Snort Rules

  1. Community Rules: Free and publicly accessible (GPLv2).
  2. Registered Rules: Free but require registration; 30-day delay for updates.
  3. Subscriber Rules: Paid subscription; updated twice weekly.

Configuration Files

  • snort.conf: Main configuration file.
  • local.rules: User-generated rules file.

Steps to Configure Snort

Set Network Variables:

  • HOME_NET: Define the protected network (e.g., 192.168.1.1/24).
  • EXTERNAL_NET: Define the external network (e.g., any or !$HOME_NET).
  • Paths:
    • RULE_PATH: /etc/snort/rules
    • SO_RULE_PATH: $RULE_PATH/so_rules
    • PREPROC_RULE_PATH: $RULE_PATH/plugin_rules

Configure the Decoder:

Enable IPS mode with the afpacket DAQ module. These lines are commented out with # in the default snort.conf; uncomment them to activate inline operation:

  • #config daq: afpacket
  • #config daq_mode: inline
  • #config logdir: /var/logs/snort

Common DAQ modules:

  • Pcap: Default sniffer mode.
  • Afpacket: Inline IPS mode.
  • Others: Ipq, Nfq, Ipfw, Dump.

Configure Output Plugins:

Define logging and alerting formats for better efficiency.

Customize Ruleset:

  • Activate site-specific rules: Example: include $RULE_PATH/local.rules
  • Uncomment lines by removing # to enable specific rules.

Important Notes

  • Rule Updates: Always update rules via tools or modules instead of replacing configured files to avoid misconfigurations.
  • IPS Mode: Works best with single-node installations using afpacket.
  • Output Management: Adjust default console outputs for efficient use.

Questions

Read the task above.

Answer: No answer needed


Task 11: Conclusion

In this room, we covered Snort, what it is, how it operates, and how to create and use the rules to investigate threats.

  • Understanding and practising the fundamentals is crucial before creating advanced rules and using additional options.
  • Do not create complex rules at once; try to add options step by step to notice possible syntax errors or any other problem easily.
  • Do not reinvent the wheel; if a working rule already exists, use it or modify/enhance it.
  • Take a backup of the configuration files before making any change.
  • Never delete a rule that works properly. Comment it if you don’t need it.
  • Test newly created rules before migrating them to production.

Questions

Read the task above.

Answer: No answer needed


Congratulations on completing Snort!!!

Congratulations on completing Snort

Congratulations on finishing this walkthrough of the TryHackMe Snort room. I thought this room had a great balance between theory and practice, and I personally can’t wait to practice our skills during the next two Snort rooms. Coming up: Snort Challenge: The Basics.

I hope you enjoyed this walkthrough. Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.


Like my articles?

You are welcome to comment on this post, or share my post with friends.
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
