- The room invites you to a challenge in which you investigate a series of traffic data and stop malicious activity, working with Snort to analyze live and captured traffic.
- Analyze the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell and capture the flag.
- Basic knowledge of network security concepts
- Access to the TryHackMe platform
- Start Snort in sniffer mode and try to figure out the attack source, service, and port.
- In the CLI, enter `snort -vde` to display the packet data and headers, including the data link layer headers.
- Analyze the packets and look for anomalies.
- This IP and this port keep coming up in the packets.
- It seems suspicious; let us find out how often this port comes up. Enter `snort -vde | grep 4444`.
- We found that the IP is using port 4444, which is a default listening port for Metasploit.
- Let's create an IPS rule in Snort to stop the attack.
- Gain root access using `sudo su`, then navigate to the rules directory: enter `cd /etc/snort/rules`.
- The rules directory holds the various rule sets; we need to open local.rules and add our rule. Enter `nano local.rules`.
- Let's add our rule. Here we are rejecting any inbound and outbound traffic coming from this source IP address.
- To run Snort in IPS mode so we can use the rule we created, enter `snort -c /etc/snort/rules/local.rules`.
- We are successful in rejecting the packets. We captured the flag!
- In the CLI enter
- Observe the console output or log files for alerts generated by the attack.
- Note down alert details like timestamp, source IP, destination IP, type of alert, and ports.
- Research the details that come up for further information.
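The triage steps above (note each alert's timestamp, source, destination, type and ports) and the blocking rule described earlier, as an added Python example that is not part of the original room or of Snort itself: it parses Snort's `alert_fast` console lines, finds which address owns port 4444 (for a reverse shell, that side is the listening handler) and builds a `reject` rule for local.rules. The addresses, sids and alert text in `SAMPLE_ALERTS` are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Set

# One Snort "alert_fast" console line; [Classification: ...] and the ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert fields (ts, sid, msg, prio, proto, src/sport, dst/dport) or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("sid", "prio", "sport", "dport"):
        a[k] = int(a[k]) if a[k] is not None else None  # ICMP alerts carry no ports
    return a

def listeners_on_port(alerts: List[dict], port: int) -> Set[str]:
    """IPs that own `port` on either side; for a reverse shell that is the handler (Metasploit: 4444)."""
    ips = set()
    for a in alerts:
        if a["sport"] == port:
            ips.add(a["src"])
        if a["dport"] == port:
            ips.add(a["dst"])
    return ips

def reject_rule(ip: str, sid: int) -> str:
    """A local.rules line that rejects TCP in both directions (<>) for `ip`."""
    return (f'reject tcp any any <> {ip} any '
            f'(msg:"Reverse shell peer {ip} blocked"; sid:{sid}; rev:1;)')

def triage(text: str, port: int = 4444, first_sid: int = 1000100) -> List[str]:
    """Parse console output and emit one reject rule per listener seen on `port`."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    return [reject_rule(ip, first_sid + i)
            for i, ip in enumerate(sorted(listeners_on_port(alerts, port)))]

# Constructed sample console output (placeholder addresses, local sid range).
SAMPLE_ALERTS = """\
09/12-11:02:03.100011  [**] [1:1000001:1] CONSTRUCTED TCP to 4444 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.25:49152 -> 198.51.100.10:4444
09/12-11:02:03.221340  [**] [1:1000001:1] CONSTRUCTED TCP to 4444 [**] [Priority: 2] {TCP} 198.51.100.10:4444 -> 192.0.2.25:49152
09/12-11:02:05.000000  [**] [1:1000002:1] CONSTRUCTED ICMP echo [**] [Priority: 3] {ICMP} 192.0.2.30 -> 192.0.2.25
"""
```

Calling `triage(SAMPLE_ALERTS)` yields a single rule for 198.51.100.10, the only address seen owning port 4444; paste the output into local.rules and review it before loading it in IPS mode.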
- We successfully blocked the attacker's IP, stopping the reverse shell and capturing the flag. Snort's IPS capability is an effective tool to prevent such attacks.
- We can prevent reverse shells by installing firewalls or enforcing the principle of least privilege.