Snort Logger


TryHackMe | Snort https://tryhackme.com/room/snort


Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.


Task 6  Operation Mode 2: Packet Logger Mode 


Let's run Snort in Logger Mode


You can use Snort as a sniffer and log the sniffed packets via logger mode. You only need to use the packet logger mode
parameters, and Snort does the rest to accomplish this.

Packet logger parameters are explained in the table below:

Parameter   Description
-l          Logger mode; target log and alert output directory. The default output folder is /var/log/snort,
            and the default action is to dump the packets in tcpdump format into /var/log/snort.
-K ASCII    Log packets in ASCII format.
-r          Reading option; read the dumped logs in Snort.
-n          Specify the number of packets to process/read. Snort stops after reading the specified number of packets.

Let's start using each parameter and see the difference between them. Snort needs active traffic on your interface, so we need to
generate traffic to see Snort in action.

Logfile Ownership
Before generating logs and investigating them, we must remember Linux file ownership and permissions. There is no need to
deep-dive into user types and permissions; the fundamental file ownership rule is that whoever creates a file becomes the owner
of that file.

Snort needs superuser (root) rights to sniff the traffic, so once you run Snort with the "sudo" command, the "root" account will
own the generated log files. Therefore you will need "root" rights to investigate the log files. There are two different approaches to
investigating the generated log files:

• Elevation of privileges - You can elevate your privileges to examine the files. You can use the "sudo" command to execute
a single command as the superuser: sudo <command>. You can also elevate the session privileges and switch to the superuser
account to examine the generated log files with the following command: sudo su

• Changing the ownership of files/directories - You can also change the ownership of the file/folder to read it as your user:
sudo chown username file or sudo chown username -R directory. The "-R" parameter processes the files and directories
recursively.

Logging with parameter "-l"


First, start the Snort instance in packet logger mode; sudo snort -dev -l .

Now start ICMP/HTTP traffic with the traffic-generator script.

Once the traffic is generated, Snort will start showing the packets and log them in the target directory. You can configure the
default output directory in the snort.conf file. However, you can use the "-l" parameter to set a target directory. Identifying the
default log directory is useful for continuous monitoring operations, while the "-l" parameter is much more useful for testing purposes.

The -l . part of the command creates the logs in the current directory. You will need to use this option to have the logs for each
exercise in their folder.

logging with -l

user@ubuntu$ sudo snort -dev -l .

Running in packet logging mode

--== Initializing Snort ==--


Initializing Output Plugins!
Log directory = /var/log/snort
pcap DAQ configured to passive.
Acquiring network traffic from "ens33".
Decoding Ethernet

--== Initialization Complete ==--


...
Commencing packet processing (pid=2679)
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.

Now, let's check the generated log file. Note that the log file names will be different in your case.

checking the log file

user@ubuntu$ ls .

snort.log.1638459842

As you can see, it is a single all-in-one log file. It is a binary/tcpdump format log. This is what it looks like in the folder view.

Logging with parameter "-K ASCII"


Start the Snort instance in packet logger mode; sudo snort -dev -K ASCII

Now run the traffic-generator script as sudo and start ICMP/HTTP traffic. Once the traffic is generated, Snort will start showing
the packets in verbosity mode as follows;

logging with -K ASCII


user@ubuntu$ sudo snort -dev -K ASCII -l .

Running in packet logging mode

--== Initializing Snort ==--


Initializing Output Plugins!
Log directory = /var/log/snort
pcap DAQ configured to passive.
Acquiring network traffic from "ens33".
Decoding Ethernet

--== Initialization Complete ==--


...
Commencing packet processing (pid=2679)
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.

Now, let's check the generated log file.

Checking the log file

user@ubuntu$ ls .

142.250.187.110 192.168.175.129 snort.log.1638459842

This is what it looks like in the folder view.

The logs created with the "-K ASCII" parameter are entirely different. There are two folders with IP address names. Let's look into them.

checking the log file

user@ubuntu$ ls ./192.168.175.129/

ICMP_ECHO UDP:36648-53 UDP:40757-53 UDP:47404-53 UDP:50624-123

Once we look closer at the created folders, we can see that the logs are in ASCII and categorised format, so it is possible to read
them without using a Snort instance.

This is what it looks like in the folder view.

In a nutshell, ASCII mode provides multiple files in human-readable format, so it is possible to read the logs easily by using a text
editor. By contrast with ASCII format, binary format is not human-readable and requires analysis using Snort or an application like
tcpdump.

Let's compare the ASCII format with the binary format by opening both of them in a text editor. The difference between the binary
log file and the ASCII log file is shown below. (Left side: binary format. Right side: ASCII format).

Reading generated logs with parameter "-r"


Start the Snort instance in packet reader mode; sudo snort -r

reading log files with -r


user@ubuntu$ sudo snort -r snort.log.1638459842

Running in packet dump mode

--== Initializing Snort ==--


Initializing Output Plugins!
pcap DAQ configured to read-file.
Acquiring network traffic from "snort.log.1638459842".

--== Initialization Complete ==--


...
Commencing packet processing (pid=3012)
WARNING: No preprocessors configured for policy 0.
12/02-07:44:03.123225 192.168.175.129 -> 142.250.187.110
ICMP TTL:64 TOS:0x0 ID:41900 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:1 Seq:49 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
12/02-07:44:26.169620 192.168.175.129 -> 142.250.187.110
ICMP TTL:64 TOS:0x0 ID:44765 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:1 Seq:72 ECHO
===============================================================================
Packet I/O Totals:
Received: 51
Analyzed: 51 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
...
Total: 51
===============================================================================
Snort exiting

Note that Snort can read and handle the binary (tcpdump-format) output, and tcpdump and Wireshark can also handle this log
format. However, if you create logs with the "-K ASCII" parameter, Snort will not read them. As you can see in the above output,
Snort read and displayed the log file just as it does in sniffer mode.

Opening log file with tcpdump.

Opening the log file with tcpdump

user@ubuntu$ sudo tcpdump -r snort.log.1638459842 -ntc 10

reading from file snort.log.1638459842, link-type EN10MB (Ethernet)


IP 192.168.175.129 > 142.250.187.110: ICMP echo request, id 1, seq 49, length 64
IP 142.250.187.110 > 192.168.175.129: ICMP echo reply, id 1, seq 49, length 64
IP 192.168.175.129 > 142.250.187.110: ICMP echo request, id 1, seq 50, length 64
IP 142.250.187.110 > 192.168.175.129: ICMP echo reply, id 1, seq 50, length 64
IP 192.168.175.129 > 142.250.187.110: ICMP echo request, id 1, seq 51, length 64
IP 142.250.187.110 > 192.168.175.129: ICMP echo reply, id 1, seq 51, length 64
IP 192.168.175.129 > 142.250.187.110: ICMP echo request, id 1, seq 52, length 64
IP 142.250.187.110 > 192.168.175.129: ICMP echo reply, id 1, seq 52, length 64
IP 192.168.175.1.63096 > 239.255.255.250.1900: UDP, length 173
IP 192.168.175.129 > 142.250.187.110: ICMP echo request, id 1, seq 53, length 64

Opening log file with Wireshark.
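The binary snort.log.* file is plain pcap, so it can be read without Snort or tcpdump at all. The following Python parser is an added example (not part of the room or of the Snort project): it walks a tcpdump-format log, decodes the IPv4 and TCP headers, and answers the same kind of questions the exercise asks (IP ID of the Nth packet, Ack number of the Nth packet, count of TCP port 80 packets). The log bytes are constructed inline to stand in for a real snort.log.<timestamp> file.

```python
import struct

# Constructed sample: a tiny tcpdump-format (pcap, EN10MB) log holding one ICMP echo
# request and two TCP packets to port 80. Not a real capture from the room.
def _eth_ip(proto, payload, ip_id):
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0x4000,
                     64, proto, 0, bytes([192, 168, 175, 129]), bytes([142, 250, 187, 110]))
    return eth + ip + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header
    for i, f in enumerate(frames):                     # per-record header: ts_sec, ts_usec, incl, orig
        out += struct.pack("<IIII", 1638459842 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_LOG = _pcap([
    _eth_ip(1, struct.pack("!BBHHH", 8, 0, 0, 1, 49) + bytes(56), 41900),   # ICMP echo, DgmLen 84
    _eth_ip(6, struct.pack("!HHIIBBHHH", 36648, 80, 1000, 0, 0x50, 0x02, 64240, 0, 0), 41901),
    _eth_ip(6, struct.pack("!HHIIBBHHH", 36648, 80, 1001, 123456789, 0x50, 0x10, 64240, 0, 0), 41902),
])

def parse_snort_log(data):
    """Return one dict per IPv4 packet from a binary snort.log.* (pcap) file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]   # magic -> byte order
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected EN10MB (Ethernet) link type")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # skip non-IPv4 frames (ARP etc.)
        ihl = (frame[14] & 0x0F) * 4
        ip, l4 = frame[14:14 + ihl], frame[14 + ihl:]
        rec = {"ts": ts_sec, "ip_id": struct.unpack("!H", ip[4:6])[0], "proto": ip[9],
               "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
        if ip[9] == 6 and len(l4) >= 20:               # TCP: pull ports, seq and ack
            rec["sport"], rec["dport"], rec["seq"], rec["ack"] = struct.unpack("!HHII", l4[:12])
        records.append(rec)
    return records

def ip_id_of(records, n):          # n is 1-based, matching the count used by "snort -r ... -n"
    return records[n - 1]["ip_id"]
def ack_of(records, n):
    return records[n - 1].get("ack")                   # None for non-TCP packets
def count_tcp_port(records, port):
    return sum(1 for r in records if r["proto"] == 6 and port in (r.get("sport"), r.get("dport")))
```

For a real log, replace SAMPLE_LOG with open("snort.log.<timestamp>", "rb").read(); ASCII-mode (-K ASCII) output is not pcap and will not parse.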

Answer the questions below

Investigate the traffic with the default configuration file with ASCII mode.

sudo snort -dev -K ASCII -l .

Execute the traffic generator script and choose "TASK-6 Exercise". Wait until the traffic ends, then stop the Snort instance. Now
analyse the output summary and answer the question.

sudo ./traffic-generator.sh

Now, you should have the logs in the current directory. Navigate to folder "145.254.160.237". What is the source port used to
connect to port 53?

Answer format: ****

Use snort.log.1640048004

Read the snort.log file with Snort; what is the IP ID of the 10th packet?

snort -r snort.log.1640048004 -n 10

Answer format: *****

Read the "snort.log.1640048004" file with Snort; what is the referer of the 4th packet?

Answer format: ****://***.********.***/***********.****

Read the "snort.log.1640048004" file with Snort; what is the Ack number of the 8th packet?

Answer format: **********

Read the "snort.log.1640048004" file with Snort; what is the number of the "TCP port 80" packets?

Answer format: **


Created by tryhackme and ujohn

This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 40480 users are in
here and this room is 706 days old.
