Snort Challenge The Basics TryHackMe

Captions
Hello everyone, how are you? Today I will do the room Snort Challenge - The Basics on TryHackMe. First I will exit split view because I already opened it to help me browse, but it was running with some errors; now it is good. So first what you need to do is to start the machine. For this task no answer is needed.

We are moving to task 2, writing IDS rules (HTTP). They ask us: use the given pcap file, write rules to detect all TCP port 80 traffic packets in the given pcap file. What is the number of detected packets? You must answer these questions correctly before answering the rest of the questions in this task. So basically we need to write a rule. We navigate to the task and we see that we have local.rules, and I have already prepared my notes to make it easier. This is the first rule: in local.rules, paste alert tcp any any -> any 80, message "HTTP packet found", the sid and the revision, and here is the same, but here is the change: tcp any 80 -> any any. So this is changed and the sid is changed too. After that, since they ask us for the detected packets, run snort -c local.rules, after that -r mx-3.pcap, and the answer is 328. What is the destination address of packet 63? Investigate the log file. Now it is better to run these commands: snort -c local.rules -A full -l . -r mx-3.pcap, after that we have the log file ready for investigating. Now we get more information. If I do ls, we now have snort.log, and basically what is the destination address of packet 63? So we will start with sudo snort -r snort.log and then -n 63, and this is the last one, number 63, and they ask: what is the destination address of packet 63? The destination address, it should be this one or this one; this one, yes. What is the acknowledgement number of packet 64? For that we need to run one more command; I will add -X now because this is a packet dump, for more information, -n 64. And now I have packet 64, this is this one and this thing is the acknowledgement number, and it should be this one, yes. What is the SEQ number of packet 62? Again run the command with 62 and the last one, copy, yes. What is the time to live of packet 65? Oh, 65, and if I see time to live here, 128, yes. Investigate the log file. What is the source IP of packet 65? Again just change the number. Oh, what is the... this is the same, source ID, okay it's my bad, source IP, it should be this one, yes, and what is the source port, okay, finding this, yes, great.

Moving on to task 3, writing IDS rules (FTP). Navigate to the task folder, use the given pcap file, write rules to detect all TCP port 21 traffic in the given pcap. What is the number of detected packets? So basically they ask us to make a rule. Go back one directory, to task 3, nano local.rules, and I will copy that from my notes for task 3. This is the rule: alert tcp any any -> any 21, this is the port for FTP, and then message "FTP packet found", sid, and this is just tcp any 21 -> any any, then inbound and outbound, any, message and sid 2, 2, okay. Now what is the number of detected packets? So snort -c local.rules -A full -l . -r the FTP pcap and the alerts are 614, this is true, yes. What is the FTP service name? To do this it should be... what was the command, I forgot it, yeah this is the command, snort -r snort.log, and what is the message, what is the FTP service name? I will run this command again before this because I have a better look here; no, it doesn't show anywhere. You can see here some software, Adobe ImageReady, that is one of the answers, but this thing is FTP. Okay, I have this command, this is the command, so paste: sudo snort -r snort.log -d, then 'tcp and port 21' and the number, I will say 10, only print 10, like it, and seeing this: no such file or directory. Sudo snort -r, not snort.log but snort.log.68229..., I will try like this, and then -d, I already have -d, but I forgot to name 'tcp and port 21', and after that the number 10. Now it should work; now we can see Microsoft FTP Service. Clear the previous log and alarm files, deactivate (comment out) the old rules, write a rule to detect failed FTP login attempts in the given pcap. What is the number of detected packets? So basically they tell us the pattern is "530 User" inside the given pattern in the inbound FTP traffic. sudo rm alert snort*, anything that ends with that, okay, rules, deactivate these two, and now we can take this rule, I'll take this one, and this thing: alert tcp any any, message "Failed FTP login found", the content is "530 User" and sid. It should be good. Now to run the command, where is this command, snort -c local.rules -A full -l . -r the FTP pcap, and we see 41. Clear the previous log and alarm files; I don't need to clear because I just use this command and I didn't use -l . for the log file and alert file. Write a rule to detect successful FTP logins in the given pcap. What is the number of detected packets? Again we need to make the pattern "230 User", the FTP login attempt default message with the pattern. Okay so this is the marker, login found, and this is the rule, copy this, paste. So basically alert tcp any any, inbound outbound, any any, message "FTP login found", content "230 User", sid, and this is all. After we run the command the number is 1. After that deactivate (comment out) the old rule, write a rule to detect failed FTP login attempts with a valid username but a bad password or no password. What is the number of detected packets? 331, okay, rules, deactivate this one, and this is the rule, failed login found, basically alert tcp any any, message "failed login found", content "331", and this is all, just the content is another one. Okay, run the command: 42. Again write a rule to detect failed FTP login attempts with the administrator username but a bad password or no password. What is the number of detected packets? Anything else: you can use the content filter more than once. nano local.rules, and here I have the other rule, this is the last one for this room; paste, basically the same but "FTP failed login found" and the content is "331 Password" and the content is "Administrator", and running the command, alerts 7. And this is all.

Change directory to task 4, cd, and we see here that we have a pcap file and local.rules too. So let's create IDS rules for PNG files in the traffic. Navigate to the task folder, already done; use the given pcap file, write a rule to detect PNG files in the given pcap, investigate the logs and identify the software name embedded in the packet. Task 4, this is the rule, so basically alert tcp any any, message "PNG file found", content is this one. How can you find this content? You just type "magic number image", what was that, "magic number PNG", like that, type like that, no it wasn't, okay, Wikipedia, Wikipedia list of file signatures, right, this is the one, so PNG, and we see here this is the magic number, and if you paste that in your local.rules you need to have these pipes because without pipes it won't work, okay, yes. And investigate the logs, identify the software name embedded in the packet. So we need to make a snort log from it; we need to run the full command, snort -c local.rules -A full -l . -r the FTP pcap one more time; we don't need the number, just to investigate, so I will just ls, and here is the snort.log, and they ask, interesting, investigate the logs and identify the software name embedded in the packet. So sudo snort -d -r snort.log, this will work like this; what happened, the machine is a little bit confused. So we need to find the software and we see here this is the only one received with this, and this is Adobe ImageReady. Okay, clear the previous log and alarm files, deactivate (comment out) this old rule, write a rule to detect the GIF file in the given pcap, investigate the logs and identify the image format embedded in the packet. Oh, clear: sudo rm alert snort*, nano local.rules, make a new rule, and this is the rule for the GIF, so alert tcp any any, message "GIF file found", yes it's not PNG, GIF, content is GIF89a. And how do I know this is 89a: if you go and search for GIF, sometimes if you use these numbers it won't work; if you use this one it doesn't work, for me, because it was not that type of image or GIF file, it's this one, 89a, because of that I have this 89a. Okay, so they ask us: investigate the logs and identify the image format embedded in the packet. Right: snort -c local.rules -A full -l . -r the FTP pcap and we get here four alerts, and what is the format of the pictures, hmm, to see more information, and we see here it is GIF89a.

So moving on, task 5, writing IDS rules (torrent metafile). Let's create IDS rules for torrent metafiles in the traffic. Navigate to the task folder, write a rule to detect the torrent metafile in the given pcap, what is the number of detected packets? Extensions: try to filter the given pattern in the TCP traffic. Task 5, we are there, oh, the rule is this one, paste: alert tcp any any, message "Torrent metafile found", content "torrent", sid and revision. Run, and the alerts number is 2. What is the name of the torrent application? snort -r snort.log for more information; the name is BitTorrent. What is the MIME (Multipurpose Internet Mail Extensions) type of the torrent metafile? This is the answer: application/x-bittorrent. Investigate the log/alert files, what is the hostname of the torrent metafile? Hostname tracker2.torrentbox.com.

So moving on, task 6, troubleshooting rule syntax errors. We see here that we have some rules and these rules have errors; we need to change these rules, so let's correct them a little bit. ls, cd to task 6, and after that we see here that we have task 6, and we have here the rules one, two, three, four, five, six, seven, and one pcap file. We need to rewrite these rules because they have errors, and then with these rules we need to read this pcap file. They ask us first: fix the syntax error in the local-1.rules file and make it work smoothly. What is the number of detected packets? We will not save this, nano local-1.rules, and already this is good here but there needs to be a space between this, okay. sudo snort -c local-1.rules -r mx-1.pcap and the answer is 16. Fix the syntax error in the local-2.rules file and make it work smoothly, what is the number of detected packets? So the same command but 2, and alert icmp any any any, message troubleshooting 2, sid, right; this is the tcp, any, and no port, or not any, nothing, so now it should work, run the command and it is 68. Fix the syntax error in the local-3.rules file and make it work smoothly, what is the number of detected packets? So nano, moving to 3; sid should be unique, okay it's on the code here, the space is there, message found, sid 1, okay 1, so both, here is good, sid will be 2, and 2, I think it's all okay here, it's working, 87, okay. Fix the syntax error in local-4.rules and make it work smoothly; semicolons matter. nano 4, alert icmp, tcp any any 80, this is robot, tcp any, found, okay sid 0, revision 1, okay it is the semicolon, it says sid 2, and 90. Fix the syntax error in local-5.rules and make it work smoothly; direction and colons. Now they tell us we have only outbound, not inbound, in snort, so this is the error; now it should work. You see here, to here, some ls, sid, it's all good here, okay sid, this one is error 2, okay revision should be 2, and here I guess sid 113, it's good, everyone 3, okay, and the command, 555, nice. For local-6.rules, case sensitivity matters; use the capitals or nocase. So now 6, and again the same, alert tcp any, this is a GET request, and as I just said before sometimes these numbers don't work and you just need the number, let's type something else, and I will just make the content "GET" and now it will work, 6, write it, snort, in the alert. Now we are moving to local-7.rules: rules without messages don't make sense. nano local-7.rules, like this, and we see that we don't have a message here, so normally it should be like this, msg and then a message, something like this, and that should work, but you need to type something in the message, okay, but they don't have something, we don't need to do something, just say what is the required option, and that is the message (msg).

So moving on to task 7, using external rules (MS17-010). Let's use external rules to fight against the latest threats. Navigate to the task folder, use the given pcap file, use the given rule to investigate the MS17-010 exploitation. What is the number of detected packets? Task 7, and we see here that we have two rules; this rule is for us to see the number of the alerts, so sudo snort -c local.rules -A full -l . -r the ms-17 pcap. So we already have the rule here, we just need to investigate, and that is a lot of traffic going on. Another thing: what is MS17-010? MS17-010, okay, CVE number, and this is the exploit, because the attacker can take remote access from us; the CVSS score is 9.3, and we see here that is the number of alerts, of detected packets. Use the local-1.rules empty file to write a new rule to detect payloads containing the "\IPC$" keyword. What is the number of detected packets? The content option will help you to filter the payload. So we need to use, because this is the empty one, I need to write some rule, and the rule is this one: alert tcp any any, message "IPC$ keyword found", the content is "\IPC$", that's all, and should we remove these alerts? We need to clear, yes, alert, snort, nice. So let's start: snort -c local-1.rules; now we are not using local.rules, we are using local-1.rules, so -A full -l . -r the ms-17 pcap. Now we are trying to find the IPC$ keyword with this rule, and what is the number of detected packets? This pcap file is loading, okay, alerts only 12. Okay, investigate the log/alert files. What is the requested path? The one with IPC$. So normally I should use this command, sudo snort -r snort.log... for more information, and the path will be this one, copy, I will remove these numbers and these numbers too, nothing stronger, so like this and like this, and this log I forgot, but it was 16, I'm sure, this is the path, I'm sure about it, but these numbers need to be under and the numbers will be replaced without typing, try like this, so, and this one now doesn't work, and with IPC this is the, and this is to replace that, replace, and why isn't it working, I don't know, sorry guys, this is taking so much time, but I just want to answer. I did it before and I just removed these numbers and it worked, but now I'm not sure why it isn't working, but I did it before, I did it like this, copy, paste, I removed these numbers and this, but now it's not working, and this I'm sure that this is essential, this, I will try this one, no no, that's why it's not working, it should be this, okay, ends with IPC$, now I get it, 13. Now we are talking, oh my God, so much trouble about this one. So, and I forgot what it was, so what is the CVSS version 2 score of the MS17-010 vulnerability, and like I said it is 9.3, okay.

Using external rules (Log4j), so moving on to task 8: use the given pcap file, use the given rule file local.rules to investigate the Log4j exploitation. What is the number of detected packets? So change directory to task 8, the last one, nano local.rules, there are the rules, it's already prepared, you just need to investigate, to run the sudo snort, so snort -c local.rules -A full -l . -r the log4j pcap. Oh, the last answer was a little bit complicated, right, so the alerts are 26. Investigate the log/alarm files, how many rules were triggered? So if you do cat alert we see here that is the rule, this one, that is the rule 30, 31, 28, 26, but we need to number them. How can we do that? I have here the command, and the command for task 8 will be cat alert | grep and this, so as we said before, I will just do one more time cat alert, and this is how it starts: with one column, 2 1 0 0 3 7, and then these two numbers are another, 331, 30, they are different, 28, so if I do the command, this command, grep, and now I can see one column and the first six numbers and anything that is after that, and now I can see the rules that are triggered, and we remember that here is the one, 26, 30, that is two, which is the same, that is three numbers, so looking down, looking down, this is all the same, this is the fourth, so the answer is four. What are the first six digits of the triggered rule sids? It starts with 21, so the second starts with 21, the first six are this one. Use the local-1.rules empty file to write a new rule to detect packet payloads between 770 and 855 bytes. What is the number of detected packets? They tell us the size options will help you to filter the payload size. So nano local-1.rules, this one should be empty, it's empty, the rule I have already prepared, this is the rule, and if you don't know how to find this size, this number for snort, you need to Google it, but now you know and you can take it for your notes, and if you ever work with snort in your future you have these optional notes, okay, and the message is "Abnormal packet size detected" and this is dsize and this is all. Now I should run the command: snort -c local-1.rules, don't take local.rules, take local-1.rules, and -A full -l . -r the log4j pcap. Now we should have found the detected packet payloads between these numbers: 41. Yes, investigate the log/alert files. What is the name of the used encoding algorithm? Oh, so sudo snort -d, it should be -d, -X, yes, that's -r, okay, and -d and -n numbers, and what is the name of the encoding algorithm? We have 41, the number, and this thing has no file, it's no such file or directory, we have two files here, I will take 638, I think that is the right one, and then -X, -n 41; I probably forgot to clear the previous one, and here is the 41, and looking here, that is the answer: base64. This is the encoding algorithm. What is the IP ID of the corresponding packet? IP ID, TTL, IP ID is this. Decode the encoded command, what is the attacker's command? Oh, basically base64, this is the base64, if you don't know what base64 is you need to learn it, and I will copy all of that, and the base64 is from here to this slash, okay, from here to this, this is base64, for this one I need to delete, I will use CyberChef, oh, from base64, CyberChef, delete these numbers, and now this is not the answer, did I miss something, probably, so like this, this is all of that, copy, now delete, and this, copy. What is the CVSS version 2 score of the Log4j vulnerability? Log4j score, Log4j CVE, and they tell us, if you wonder, the base score is 10, but if you click here they ask for version 2, it's 9.3.

And thank you all guys for watching, this video was a little bit longer, but it was a lot of work, and if I did all these alerts and all these rules manually, I would need two videos for this or more, so I don't want to make it longer, I just prepared it in my notes and I use copy and paste, and I can't remember all these rules, so it's easier to work like this, and I hope that you like the video, and thank you for watching.
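The rules the walkthrough writes (HTTP and FTP port rules, the "530 User" and "230 User" content matches, the PNG magic number with its pipe delimiters, GIF89a, the torrent keyword, the 770-855 byte dsize rule) and the error classes it troubleshoots in task 6 (a dropped semicolon, a missing direction operator, a rule with no msg, a reused sid, hex bytes pasted without pipes) can all be checked before snort is ever run against a pcap. The following is an added example, not code from the video, from TryHackMe or from the Snort project: a small Python linter run over a constructed rules file. The rule texts, sids and line layout in SAMPLE_RULES are assumptions modelled on the walkthrough, not the room's actual files, and the linter covers only the rule-header and option syntax those rules use.

```python
import re

# Constructed rules file for this example: first rules in the shape the
# walkthrough writes for tasks 2-5 and 8, then deliberately broken rules,
# one per error class from the troubleshooting task. Sids and message
# texts are assumptions, not the room's own files.
SAMPLE_RULES = """\
# --- rules in the shape the walkthrough uses ---
alert tcp any any <> any 80 (msg:"HTTP packet found"; sid:100001; rev:1;)
alert tcp any any <> any 21 (msg:"FTP packet found"; sid:100002; rev:1;)
alert tcp any 21 -> any any (msg:"Failed FTP login found"; content:"530 User"; sid:100003; rev:1;)
alert tcp any any <> any any (msg:"PNG file found"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100004; rev:1;)
alert tcp any any <> any any (msg:"GIF file found"; content:"GIF89a"; sid:100005; rev:1;)
alert tcp any any <> any any (msg:"Torrent metafile found"; content:"torrent"; sid:100006; rev:1;)
alert tcp any any <> any any (msg:"Abnormal packet size detected"; dsize:770<>855; sid:100007; rev:1;)
# --- broken rules, one per error class ---
alert icmp any any -> any any (msg:"missing semicolon" sid:100008; rev:1;)
alert tcp any any any any (msg:"no direction operator"; sid:100009; rev:1;)
alert tcp any any -> any 80 (content:"GET"; sid:100010; rev:1;)
alert tcp any any -> any 80 (msg:"duplicate sid"; sid:100010; rev:1;)
alert tcp any any <> any any (msg:"hex without pipes"; content:"89 50 4E 47"; sid:100011; rev:1;)
"""

# Rule header: action, protocol, source, source port, direction, dest, dest port,
# then the option body in parentheses.
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# A content value that is only space-separated hex pairs with no pipes.
HEX_NO_PIPES = re.compile(r"^[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})+$")


def split_options(body):
    """Split the option body on ';' outside double quotes.
    Returns (chunks, terminated); terminated is False when the last option
    lacks the closing ';' that Snort requires. Escaped quotes are not handled."""
    chunks, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            chunks.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        chunks.append(tail)
    return chunks, not tail


def lint_rule(line):
    """Lint one rule line. Returns ([(level, message), ...], sid or None)."""
    findings = []
    m = HEADER.match(line)
    if not m:
        if "->" not in line and "<>" not in line:
            findings.append(("error", "header has no direction operator (-> or <>)"))
        else:
            findings.append(("error", "header could not be parsed"))
        return findings, None
    chunks, terminated = split_options(m.group("body"))
    if not terminated:
        findings.append(("error", "last option is not terminated by ';'"))
    opts = {}
    for chunk in chunks:
        key, _, value = chunk.partition(":")
        key, value = key.strip(), value.strip()
        # A quoted value with text after the closing quote means the ';'
        # between two options was dropped, e.g. msg:"x" sid:1;
        if value.startswith('"') and value.count('"') >= 2 and not value.endswith('"'):
            findings.append(("error", f"missing ';' after {key} option"))
        opts.setdefault(key, []).append(value)
    if "msg" not in opts:
        findings.append(("error", "required option msg is missing"))
    if "sid" not in opts:
        findings.append(("error", "required option sid is missing"))
    for c in opts.get("content", []):
        inner = c.strip('"')
        if inner.count("|") % 2:
            findings.append(("error", "content has an unbalanced '|' hex delimiter"))
        elif HEX_NO_PIPES.match(inner):
            findings.append(("warning", "content looks like hex bytes but has no '|' "
                                        "delimiters; it will match the ASCII text instead"))
    sid = opts.get("sid", [None])[0]
    return findings, sid


def lint_rules(text):
    """Lint a whole rules file. Returns a list of (line_no, level, message)."""
    report, first_seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        findings, sid = lint_rule(line)
        if sid is not None:
            if sid in first_seen:
                findings.append(("error", f"sid {sid} already used on line {first_seen[sid]}"))
            else:
                first_seen[sid] = n
        report.extend((n, level, msg) for level, msg in findings)
    return report


def main():
    for n, level, msg in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {level}: {msg}")


if __name__ == "__main__":
    main()
```

Running it reports nothing for the first seven rules and one finding per broken rule, which is the same list of symptoms snort itself only reveals one file at a time when the walkthrough works through local-1 to local-7. The hex-without-pipes case is reported as a warning rather than an error because snort accepts the rule; it just silently matches the wrong bytes, which is the failure the PNG step warns about.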
Info
Channel: denza
Views: 2,969
Id: V70yN9Opxb8
Length: 52min 55sec (3175 seconds)
Published: Thu Jun 29 2023