Snort Analyser
Examples
Detecting TCP ports
To detect an FTP connection to the server, we can detect the connection to a destination port of 21:
# Signature Detection
alert tcp any any -> any 21 (msg:"FTP"; sid:10000;)
and then use a PCAP file of "FTP", we get a result of:
alert.ids:

[**] [1:10000:0] FTP [**]
[Priority: 0]
08/31-20:24:40.417691 192.168.47.1:49430 -> 192.168.47.134:21
TCP TTL:128 TOS:0x0 ID:16588 IpLen:20 DgmLen:52 DF
******S* Seq: 0x4372316F Ack: 0x0 Win: 0x2000 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

[**] [1:10000:0] FTP [**]
[Priority: 0]
08/31-20:24:40.418110 192.168.47.1:49430 -> 192.168.47.134:21
TCP TTL:128 TOS:0x0 ID:16589 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x43723170 Ack: 0xE2108BA8 Win: 0x4029 TcpLen: 20

...
We can improve the rules by detecting the SYN of a new connection and a failed login (FTP reply code 530 sent by the server):

alert tcp any any -> any 21 (flags:S; msg:"FTP Connection"; sid:9000005; rev:1;)
alert tcp any 21 -> any any (msg:"FTP Bad login"; content:"530 User "; nocase; flow:from_server,established; sid:491; rev:5;)
If we select the FTP trace, we get:
alert.ids:

[**] [1:9000005:1] FTP Connection [**]
[Priority: 0]
08/31-20:24:40.417691 192.168.47.1:49430 -> 192.168.47.134:21
TCP TTL:128 TOS:0x0 ID:16588 IpLen:20 DgmLen:52 DF
******S* Seq: 0x4372316F Ack: 0x0 Win: 0x2000 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

[**] [1:9000005:1] FTP Connection [**]
[Priority: 0]
08/31-20:25:00.774487 192.168.47.1:49440 -> 192.168.47.134:21
TCP TTL:128 TOS:0x0 ID:16620 IpLen:20 DgmLen:52 DF
******S* Seq: 0x32065348 Ack: 0x0 Win: 0x2000 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK
Now let's detect a TELNET connection (port 23), again keying on the SYN flag:

alert tcp any any <> any 23 (flags:S; msg:"Telnet Login"; sid:9000005; rev:1;)

If we select the "Hydra Telnet" trace, we get one alert per connection attempt:
alert.ids:

[**] [1:9000005:1] Telnet Login [**]
[Priority: 0]
01/12-11:48:04.333781 192.168.47.171:7104 -> 192.168.47.200:23
TCP TTL:128 TOS:0x0 ID:31573 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB3747913 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:9000005:1] Telnet Login [**]
[Priority: 0]
01/12-11:48:04.334923 192.168.47.171:7105 -> 192.168.47.200:23
TCP TTL:128 TOS:0x0 ID:31577 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5722FE4 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:9000005:1] Telnet Login [**]
[Priority: 0]
01/12-11:48:04.335830 192.168.47.171:7106 -> 192.168.47.200:23
TCP TTL:128 TOS:0x0 ID:31581 IpLen:20 DgmLen:48 DF
******S* Seq: 0x985C9D8D Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
Detecting file types
Now we can create some rules to detect various file types from their magic bytes. The content: option takes literal text, or hex bytes between | characters:

# Signature Detection
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF"; sid:10000;)
alert tcp any any -> any any (content:"%PDF"; msg:"PDF"; sid:10001;)
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG"; sid:10002;)
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP"; sid:10003;)
alert tcp any any -> any any (content:"|FF D8|"; msg:"JPEG"; sid:10004;)
alert tcp any any -> any any (content:"|49 44 33|"; msg:"MP3"; sid:10005;)
alert tcp any any -> any any (content:"|52 49 46 46|"; msg:"AVI"; sid:10006;)
alert tcp any any -> any any (content:"|46 57 53|"; msg:"Flash SWF"; sid:10007;)
alert tcp any any -> any any (content:"|46 4C 56|"; msg:"Flash Video"; sid:10008;)
alert tcp any any -> any any (content:"|1F 8B 08|"; msg:"GZip"; sid:10009;)
alert tcp any any -> any any (content:"|52 61 72 21 1A 07 00|"; msg:"RAR"; sid:10010;)
alert tcp any any -> any any (content:"|D0 CF 11 E0 A1 B1 1A E1|"; msg:"Office 2010"; sid:10011;)
If we use "email_with_gif", we will get:
alert.ids:

[**] [1:10000:0] GIF [**]
[Priority: 0]
01/05-19:38:04.190265 77.72.118.168:80 -> 192.168.47.171:2641
TCP TTL:128 TOS:0x0 ID:61162 IpLen:20 DgmLen:83
***AP**F Seq: 0x3F2262B1 Ack: 0x58BD04DF Win: 0xFAF0 TcpLen: 20

[**] [1:10000:0] GIF [**]
[Priority: 0]
01/05-19:38:04.392845 77.72.118.168:80 -> 192.168.47.171:2642
TCP TTL:128 TOS:0x0 ID:61167 IpLen:20 DgmLen:83
***AP**F Seq: 0x3151C23 Ack: 0xE754450F Win: 0xFAF0 TcpLen: 20

[**] [1:10000:0] GIF [**]
[Priority: 0]
01/05-19:38:04.491234 77.72.118.168:80 -> 192.168.47.171:2643
TCP TTL:128 TOS:0x0 ID:61176 IpLen:20 DgmLen:83
***AP**F Seq: 0x5A035437 Ack: 0xAEC367BE Win: 0xFAF0 TcpLen: 20

[**] [1:10000:0] GIF [**]
[Priority: 0]
01/05-19:38:04.498959 77.72.118.168:80 -> 192.168.47.171:2644
TCP TTL:128 TOS:0x0 ID:61179 IpLen:20 DgmLen:83
***AP*** Seq: 0x274E0754 Ack: 0x9DD8B40B Win: 0xFAF0 TcpLen: 20
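The content: values above mix literal text with |hex| byte sections. As an added example (not the page's own code), this Python helper converts a Snort content value to bytes and applies the page's file-type signatures to constructed payloads; it also shows why a short, unanchored match such as |FF D8| fires on unrelated binary data.

```python
# Added example: a minimal matcher for Snort content: values, not Snort's own code.

def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content: string such as "GIF89a" or "|89 50 4E 47|" to bytes.
    Text outside the pipes is literal; text inside the pipes is hex bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                      # odd segments sit between | ... |
            out += bytes.fromhex(part)      # fromhex() ignores the spaces
        else:
            out += part.encode("latin-1")   # literal text, one byte per char
    return bytes(out)

# Magic-byte signatures copied from the page's "Detecting file types" rules.
FILE_RULES = {
    "GIF": "GIF89a",
    "PDF": "%PDF",
    "PNG": "|89 50 4E 47|",
    "ZIP": "|50 4B 03 04|",
    "JPEG": "|FF D8|",
    "GZip": "|1F 8B 08|",
}

def match_file_types(payload: bytes) -> list:
    """Return the msg of every rule whose content appears anywhere in the payload.
    Like the page's rules (no depth:/offset: modifiers), this searches the whole
    payload, so a two-byte signature can match inside unrelated data."""
    return [name for name, c in FILE_RULES.items()
            if snort_content_to_bytes(c) in payload]

# Constructed sample payloads (not taken from the page's traces).
PNG_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
                b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
# A ZIP whose compressed data happens to contain FF D8, so "JPEG" fires as well.
ZIP_PAYLOAD = b"PK\x03\x04\x14\x00\x00\x00\x08\x00\xff\xd8\x11\x22"

if __name__ == "__main__":
    print(match_file_types(PNG_RESPONSE))   # ['PNG']
    print(match_file_types(ZIP_PAYLOAD))    # ['ZIP', 'JPEG']
```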
Detecting credit card details
We can detect credit card numbers sent in clear text with PCRE rules. Each rule also requires the word "number" in the payload, which reduces matches on arbitrary digit strings:

# Detecting credit card details
alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"MasterCard number detected in clear text"; content:"number"; nocase; sid:9000003; rev:1;)
alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; \
    msg:"American Express number detected in clear text"; content:"number"; nocase; sid:9000004; rev:1;)
alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"Visa number detected in clear text"; content:"number"; nocase; sid:9000005; rev:1;)
If we select "Email with credit card details", we get:
alert.ids:

[**] [1:9000005:1] Visa number detected in clear text [**]
[Priority: 0]
01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20

[**] [1:9000003:1] MasterCard number detected in clear text [**]
[Priority: 0]
01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20
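The three patterns above match any correctly shaped digit string, so order references and similar numbers also trigger them. As an added example (not the page's own rules), this Python code applies the page's PCRE patterns together with its content:"number" condition to a constructed email body, and adds a Luhn checksum, which the page's rules do not use, to separate real card numbers from look-alikes.

```python
import re

# The PCRE patterns from the page's rules (Python's re accepts the same syntax).
CARD_PATTERNS = {
    "MasterCard": re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    "American Express": re.compile(r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}"),
    "Visa": re.compile(r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    over 9) and the total must be a multiple of 10. Real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str, require_luhn: bool = True) -> list:
    """Return (brand, digits) for each pattern hit in text.
    Mirrors the rules: content:"number"; nocase; must also be present.
    require_luhn=True is the added check that drops look-alike numbers."""
    if "number" not in text.lower():
        return []
    hits = []
    for brand, pat in CARD_PATTERNS.items():
        for m in pat.finditer(text):
            digits = re.sub(r"[\s-]", "", m.group(0))
            if not require_luhn or luhn_ok(digits):
                hits.append((brand, digits))
    return hits

# Constructed sample email body (4111 1111 1111 1111 is a well-known test number;
# the order reference has a valid MasterCard shape but fails the Luhn check).
SAMPLE_EMAIL = (
    "Hi, my card number is 4111 1111 1111 1111, expiry 12/29.\n"
    "Order reference number: 5000-1234-5678-9012\n"
)

if __name__ == "__main__":
    print(find_cards(SAMPLE_EMAIL, require_luhn=False))  # both strings, as Snort would
    print(find_cards(SAMPLE_EMAIL))                      # only the real card number
```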
Detecting ping
We can detect ICMP activity with a general rule plus one rule per ICMP type (itype):

alert icmp any any -> any any (msg:"ICMP Packet found"; sid:9000000;)
alert icmp any any -> any any (itype:0; msg:"ICMP Echo Reply"; sid:9000001;)
alert icmp any any -> any any (itype:3; msg:"ICMP Destination Unreachable"; sid:9000002;)
alert icmp any any -> any any (itype:4; msg:"ICMP Source Quench Message received"; sid:9000003;)
alert icmp any any -> any any (itype:5; msg:"ICMP Redirect message"; sid:9000004;)
alert icmp any any -> any any (itype:8; msg:"ICMP Echo Request"; sid:9000005;)
alert icmp any any -> any any (itype:11; msg:"ICMP Time Exceeded"; sid:9000006;)
If we run with "Ping sweep" we get (each echo request fires both the general rule and the itype:8 rule):

alert.ids:

[**] [1:9000005:0] ICMP Echo Request [**]
[Priority: 0]
08/25-15:48:52.876833 192.168.47.1 -> 192.168.47.2
ICMP TTL:59 TOS:0x0 ID:57989 IpLen:20 DgmLen:28
Type:8 Code:0 ID:12928 Seq:0 ECHO

[**] [1:9000000:0] ICMP Packet found [**]
[Priority: 0]
08/25-15:48:52.876833 192.168.47.1 -> 192.168.47.2
ICMP TTL:59 TOS:0x0 ID:57989 IpLen:20 DgmLen:28
Type:8 Code:0 ID:12928 Seq:0 ECHO

[**] [1:9000005:0] ICMP Echo Request [**]
[Priority: 0]
08/25-15:48:52.878333 192.168.47.1 -> 192.168.47.5
ICMP TTL:50 TOS:0x0 ID:27892 IpLen:20 DgmLen:28
Type:8 Code:0 ID:19485 Seq:0 ECHO
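The per-packet alerts in the "Hydra Telnet" and "Ping sweep" outputs above are more useful once grouped: one source hitting port 23 many times, or one source probing many hosts, is the pattern an analyst wants to see. As an added example (not the page's own code), this Python parser reads Snort's full alert format, as printed in the alert.ids outputs, and summarises alerts per source; the sample records are constructed in that format.

```python
import re
from collections import defaultdict

# One record of Snort's full alert format: header, priority, timestamp/addresses,
# then protocol details. Ports are absent for ICMP, hence the optional groups.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]\s*"
    r"\[Priority: (?P<prio>\d+)\]\s*"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<proto>TCP|UDP|ICMP)",
    re.S)

def parse_alerts(text: str) -> list:
    """Return one dict per alert record found in text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def per_source_summary(alerts: list) -> dict:
    """Map (src, msg) -> (alert count, number of distinct destinations).
    Many alerts to one destination is the brute-force shape seen in the Hydra
    trace; many alerts to many destinations is the ping-sweep shape."""
    counts, dsts = defaultdict(int), defaultdict(set)
    for a in alerts:
        key = (a["src"], a["msg"])
        counts[key] += 1
        dsts[key].add(a["dst"])
    return {k: (counts[k], len(dsts[k])) for k in counts}

# Constructed sample in Snort's full alert format (modelled on the page's output).
SAMPLE_ALERTS = """\
[**] [1:9000005:1] Telnet Login [**]
[Priority: 0]
01/12-11:48:04.333781 192.168.47.171:7104 -> 192.168.47.200:23
TCP TTL:128 TOS:0x0 ID:31573 IpLen:20 DgmLen:48 DF

[**] [1:9000005:1] Telnet Login [**]
[Priority: 0]
01/12-11:48:04.334923 192.168.47.171:7105 -> 192.168.47.200:23
TCP TTL:128 TOS:0x0 ID:31577 IpLen:20 DgmLen:48 DF

[**] [1:9000005:0] ICMP Echo Request [**]
[Priority: 0]
08/25-15:48:52.876833 192.168.47.1 -> 192.168.47.2
ICMP TTL:59 TOS:0x0 ID:57989 IpLen:20 DgmLen:28

[**] [1:9000005:0] ICMP Echo Request [**]
[Priority: 0]
08/25-15:48:52.878333 192.168.47.1 -> 192.168.47.5
ICMP TTL:50 TOS:0x0 ID:27892 IpLen:20 DgmLen:28
"""

if __name__ == "__main__":
    for key, (n, targets) in per_source_summary(parse_alerts(SAMPLE_ALERTS)).items():
        print(key, "alerts:", n, "distinct destinations:", targets)
```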