
Trouble Triggering Snort IDS Local Rule and Capturing Alerts

Thread starter: Zafri Wahab (Guest)
I'm new to using Snort IDS and need some help with triggering a custom local rule and capturing the alerts. Here is the rule I need to trigger:

local.rules: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-admin/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\.exe$/U"; metadata:ruleset community, service http; sid:36914; rev:2;)

My understanding is that I need to trigger this rule and capture it in C:\Snort\log\alert.ids and also in Wireshark. Here's what I have done so far:

  1. Built a WordPress server using Python: server.py:

Code:
import http.server
import socketserver

class MyRequestHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/wp-admin/malicious.exe':
            self.send_response(200)
            self.send_header('Content-type', 'application/octet-stream')
            self.end_headers()
            self.wfile.write(b'This is a fake executable for testing.')
        else:
            self.send_error(404, "File not found.")

HOST = '192.168.1.40'
PORT = 8080

with socketserver.TCPServer((HOST, PORT), MyRequestHandler) as httpd:
    print(f"Serving HTTP on {HOST}:{PORT}")
    httpd.serve_forever()
  2. Created a script to trigger the rule: trigger.py:

Code:
import requests

url = "http://192.168.1.40:8080/wp-admin/malicious.exe"
response = requests.get(url)
print(f"Response Status Code: {response.status_code}")

  3. Ran Snort with the following command: snort.exe -c "C:\snort\etc\snort.conf" -l "C:\snort\Log" -A full -i 5 -d -e -X -v -k none

  4. snort.conf configuration:

    a. ipvar HOME_NET 192.168.1.40/24

    b. output alert_fast: alert.ids

    c. include $RULE_PATH\local.rules

I'm not sure what I am missing.

Any help or suggestions would be greatly appreciated. Thank you!

I'm not seeing any alerts in alert.ids or in Wireshark. I believe I have configured everything correctly, but I must be missing something.
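Added example (not from the post or from this thread): a small Python walk through the rule's header and payload matchers over the request that trigger.py would send, so each condition of the rule can be checked on its own before looking at Snort's output. The values come from the post above: HOME_NET 192.168.1.40/24, the server at 192.168.1.40:8080 and the URI /wp-admin/malicious.exe. The assumptions are marked in the code: the client address (the post does not say where trigger.py runs) is taken to be the same host as server.py, the HTTP_PORTS set is a constructed subset, URI normalization is skipped because this URI has nothing to normalize, and EXTERNAL_NET is evaluated for both `any` and `!$HOME_NET`, the two settings snort.conf offers, since the post does not say which one is in use.

```python
import ipaddress
import re

# Values taken from the post above. CLIENT_IP is an assumption (the post does
# not say where trigger.py runs); here it is the same host as server.py.
HOME_NET = "192.168.1.40/24"
CLIENT_IP = "192.168.1.40"   # assumed
SERVER_IP = "192.168.1.40"
SERVER_PORT = 8080
# Constructed subset of the HTTP_PORTS portvar, for illustration only;
# the authoritative list is the one in your snort.conf.
HTTP_PORTS = {80, 8000, 8008, 8080, 8888}

# Constructed request: what python-requests sends for trigger.py's URL.
REQUEST = (
    b"GET /wp-admin/malicious.exe HTTP/1.1\r\n"
    b"Host: 192.168.1.40:8080\r\n"
    b"User-Agent: python-requests/2.x\r\n"
    b"Accept: */*\r\n\r\n"
)


def in_ipvar(ip, ipvar, variables):
    """Evaluate one Snort ipvar value: any, $VAR, !$VAR, or a list of CIDRs."""
    ipvar = ipvar.strip()
    if ipvar == "any":
        return True
    negate = ipvar.startswith("!")
    if negate:
        ipvar = ipvar[1:]
    if ipvar.startswith("$"):
        result = in_ipvar(ip, variables[ipvar[1:]], variables)
    else:
        # strict=False: Snort accepts 192.168.1.40/24 and treats it as 192.168.1.0/24
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in ipvar.strip("[]").split(",")]
        result = any(ipaddress.ip_address(ip) in n for n in nets)
    return not result if negate else result


def header_matches(src_ip, dst_ip, dst_port, variables):
    """Rule header: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS."""
    return (in_ipvar(src_ip, "$HOME_NET", variables)
            and in_ipvar(dst_ip, "$EXTERNAL_NET", variables)
            and dst_port in HTTP_PORTS)


def payload_matches(request):
    """Rule body: the three payload matchers of sid 36914 applied to one request.

    Simplification: the http_uri buffer is taken to be the raw URI, since
    this URI contains nothing Snort's normalization would rewrite.
    """
    request_line = request.split(b"\r\n", 1)[0]
    method, uri, version = request_line.split(b" ")
    # content:"/wp-admin/"; http_uri;  -> searched in the URI buffer
    c1 = b"/wp-admin/" in uri
    # content:".exe|20|HTTP/1."; -> raw payload; |20| is a hex-escaped space
    c2 = b".exe HTTP/1." in request
    # pcre:"/\.exe$/U"; -> /U restricts the regex to the URI buffer
    c3 = re.search(rb"\.exe$", uri) is not None
    return c1 and c2 and c3


def evaluate(external_net):
    """Header and payload verdicts for the constructed request under one EXTERNAL_NET setting."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return {
        "header": header_matches(CLIENT_IP, SERVER_IP, SERVER_PORT, variables),
        "payload": payload_matches(REQUEST),
    }


if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {ext!r:<13} -> {evaluate(ext)}")
```

Running it shows that the payload side of the rule is satisfied by this request (the URI carries /wp-admin/ and ends in .exe, and the request line contains `.exe HTTP/1.`), so when no alert appears the header scope is the first thing to check: with EXTERNAL_NET set to !$HOME_NET, a destination inside the same /24 as HOME_NET can never satisfy `-> $EXTERNAL_NET`. The script does not model flow:to_server,established, which needs the TCP session to be tracked by the stream preprocessor, nor where the sniffing interface sits; if trigger.py and server.py run on the same host, the request never leaves that host and a capture on interface 5 will not see it.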
