Intrusion Detection With Snort

Video tags
hackersploit
hacker exploit
hacking
kali linux
installing snort
install snort
installing snort on ubuntu
install snort on ubuntu
install snort on ubuntu 20.04
ids
ips
security
snort tutorial
snort IDS
snort 2
snort 2 vs snort 3
snort intrusion detection system
intrusion detection system
intrusion detection and prevention systems
IDS
IDS systems
intrusion detection
intrusion detection techniques
network security
intrusion detection system in network security
Subtitles (Russian available)
00:00:04
[Music]
00:00:07
all right so
00:00:08
where we currently do not have any rules
00:00:11
uh you know within the uh local.rules
00:00:14
file
00:00:15
now
00:00:17
let's start off by creating a few a few
00:00:20
basic ones right now in order to create
00:00:21
one we're going to say sudo vim
00:00:24
and you can use any text editor that
00:00:26
you're comfortable with as long as it
00:00:27
has the permissions to make changes or
00:00:29
to write uh changes to these particular
00:00:32
files so /etc/snort
00:00:35
and we are going to go under rules and
00:00:38
the name is local.rules as you can see
00:00:41
it's empty so this file intentionally
00:00:44
intentionally does not come with
00:00:45
signatures put your local additions here
00:00:48
fantastic so
00:00:49
let's start off with a few examples
00:00:52
all right so let's say we wanted to
00:00:54
detect any
00:00:56
uh any icmp pings right and uh i'll
00:00:59
actually talk you through how to use
00:01:01
Snorpy in a second
00:01:03
uh but the syntax is very simple so you
00:01:05
start off by specifying if we take a
00:01:08
look at Snorpy the action so in Snort we
00:01:11
can alert we can essentially you know
00:01:13
send an alert to the terminal
00:01:16
we can log that particular
00:01:18
that particular packet or network
00:01:20
activity we can pass the packet this is
00:01:22
in the case of the intrusion prevention
00:01:24
system uh dropping and rejecting are
00:01:27
also part of
00:01:28
the intrusion
00:01:30
and the intrusion prevention system or
00:01:32
functionality of Snort in our case we're
00:01:34
primarily
00:01:35
focused on alerts and logs and in our
00:01:39
case in pretty much many or most cases
00:01:41
we want to use the alert option so
00:01:43
uh i'll say alert
00:01:45
so that's
00:01:46
what we're essentially saying here is
00:01:48
for any of the following traffic
00:01:51
that i specify
00:01:53
i need you Snort to actually you know
00:01:55
provide me with an alert whenever a ping
00:01:58
is made so in order to do this we're
00:02:00
going to say alert icmp because pings
00:02:03
essentially send icmp requests
00:02:06
from any network and any port
00:02:10
and then we say
00:02:13
uh
00:02:14
that comes into our home network
00:02:16
remember the home network variable that
00:02:18
we had configured within the snort
00:02:20
configuration file so we're essentially
00:02:21
saying that subnet or what we're saying
00:02:24
is i want you to generate an alert for
00:02:26
any icmp traffic that comes from any
00:02:28
external uh address
00:02:30
uh you know with any external port
00:02:33
into our home network subnet and then
00:02:36
you specify the port in our case we'll
00:02:38
say any because pings are really not
00:02:40
targeted towards any specific port
00:02:42
and then we specify in the case of an
00:02:44
alert we specify a message that we would
00:02:46
like to display
00:02:48
so in this case we can say message and
00:02:50
i'm going to say icmp ping
00:02:52
detected
00:02:54
and that's what's going to be displayed
00:02:56
to the relevant user that's essentially
00:02:58
monitoring the actual intrusions or the
00:03:01
traffic we then need to specify a
00:03:03
signature id this can be whatever you
00:03:05
want it to be
00:03:07
it's generally it's generally
00:03:08
recommended to have this
00:03:10
to essentially provide a unique value so
00:03:12
that it doesn't
00:03:14
conflict with the other signature ids so
00:03:17
in this case um we can just say
00:03:19
signature id is going to be maybe you
00:03:21
know
00:03:23
we can say 1001
00:03:26
and we then want to use a semicolon
00:03:29
and you can then specify revisions for
00:03:31
specific
00:03:32
for specific rules so
00:03:35
in this case we can say this is a
00:03:36
revision one
00:03:38
and we then close the brackets there so
00:03:40
that is a snort rule all right so we
00:03:43
have created a Snort rule fantastic and
00:03:46
you can keep on adding other rules on
00:03:48
the next line so let's write and quit
00:03:51
all right
00:03:53
and what we are going to do now is we
00:03:55
are going to run Snort
00:03:56
now in order to run Snort you need to
00:03:58
understand a few options right so
00:04:01
whenever you're running Snort
00:04:03
the most important option is the alert
00:04:05
mode right so the um the alert mode
00:04:08
allows you to specify what types of uh
00:04:11
you know uh the actual format of alerts
00:04:14
so for example the fast alert mode
00:04:17
writes alerts to the default alert file
00:04:19
in the single line syslog
00:04:22
style
00:04:23
alert message full writes the alert to
00:04:25
the alert file with the full decoded
00:04:28
header as well as the alert message
00:04:30
and in our case we're not really going
00:04:32
to be
00:04:33
logging the alerts uh you know by
00:04:36
default we're going to be logging the
00:04:37
traffic but
00:04:39
we can essentially specify this to
00:04:42
either be fast mode but in our case
00:04:43
we're going to say log all the alerts uh
00:04:47
in on on to the console the other option
00:04:49
we need to use that we're going to be
00:04:51
using is the l option
00:04:53
which allows us if i can find it here
00:04:56
there we are so this is the log
00:04:57
directory so this will set the output
00:04:59
logging directory to log directory we'll
00:05:02
be using that and we'll be specifying
00:05:04
that we want to save all our logs under
00:05:06
/var/log/snort this is very important
00:05:09
because what's the point of performing
00:05:10
network intrusion detection if you're
00:05:12
not logging all the relevant alerts for
00:05:15
late analysis or for implementation or
00:05:18
integration into a tool or a
00:05:20
visualization tool like Splunk
00:05:23
the other option that we're going to be
00:05:24
using of course is going to be the
00:05:26
interface option we will be specifying
00:05:28
our interface
00:05:29
uh we then need to specify um
00:05:32
the -q option which i believe in this
00:05:34
case is quite important we want Snort
00:05:37
to run quietly i don't want it to
00:05:39
display all the diagnostic information
00:05:41
in regards to the rules loaded etc so
00:05:44
m n o p q there we are quiet operation
00:05:47
don't display the banner and
00:05:48
initialization information if you are
00:05:51
running it as an intrusion prevention
00:05:54
system
00:05:55
then you never want to use the
00:05:57
capital Q option because that
00:06:00
will disable or sorry that will enable
00:06:02
inline mode so yes when you are running
00:06:04
it as an ids ips then you need to use
00:06:08
the Q option to run it in inline
00:06:10
mode in our case we're not doing that
00:06:12
all right so to run snort
00:06:14
uh there's a few arguments we need to
00:06:16
specify so we'll say sudo snort we're
00:06:18
gonna run it in the quiet mode
00:06:20
the log file is or the log directory is
00:06:23
under var log
00:06:25
under snort
00:06:26
and
00:06:28
what we can then specify now is our
00:06:30
interface so enp
00:06:32
0s3 in your case it's going to be
00:06:34
different so do take note of that and
00:06:36
then the
00:06:37
the actual alert the actual alert mode
00:06:40
is going to be console because we're
00:06:41
displaying it to ourselves we're not yet
00:06:43
logging them and then we need to specify
00:06:45
the configuration file that we're going
00:06:47
to use if you've created a custom one
00:06:49
then this is the the best time to add it
00:06:51
here so we're going to say cd
00:06:54
sorry /etc/snort and snort.conf
00:06:58
and we can hit enter now if it doesn't
00:07:00
provide you with any output or any
00:07:02
errors then that means it's working so
00:07:04
let us actually test this let's see if
00:07:07
this is indeed working so i'm just going
00:07:10
to open up a command prompt here
00:07:12
and there we are i'm just going to clear
00:07:14
that out sorry cls and i'm just going to
00:07:17
perform a ping right
00:07:19
now this device is part of the network
00:07:22
uh you know is part of the the actual
00:07:24
local network so
00:07:26
i can ping a particular device that is
00:07:29
within the network but before i do that
00:07:32
i actually want to
00:07:33
fire up the the linux virtual machine uh
00:07:36
that is the Metasploitable2 virtual
00:07:38
machine that is going to run within the
00:07:40
network we're then going to ping it with
00:07:42
our kali linux vm as well
00:07:44
and you'll actually see the traffic here
00:07:46
so let me just start the vms and we can
00:07:49
resume from that point
00:07:51
all right so i've started all the vms
00:07:53
including the kali linux vm and what i'm
00:07:56
going to do is i'm going to run a ping
00:07:58
on the metasploitable 2 server so i'm
00:08:01
going to say ping and the ip address in
00:08:03
my case of the metasploitable 2 server
00:08:06
is on 192.168.2.157
00:08:11
all right so i'm going to hit enter and
00:08:12
now if we switch back to the
00:08:15
ubuntu vm running
00:08:17
snort we should see these alerts
00:08:20
so back on the ubuntu vm running Snort
00:08:22
you can actually see the pings being
00:08:24
detected based on the rule that we
00:08:26
created which is fantastic and i'm just
00:08:29
going to terminate
00:08:30
that particular ping on the kali linux
00:08:32
system so i'll just ctrl c that and let
00:08:35
me switch back over to the ubuntu vm
00:08:39
and you can now see that the alerts have
00:08:41
stopped being produced which proves that
00:08:43
it is indeed working so the format is
00:08:46
very simple you have date time and then
00:08:48
of course you have the signature id then
00:08:50
of course the message that we specified
00:08:52
so icmp ping detected we can also
00:08:54
specify a priority the actual protocol
00:08:57
the address it came from
00:08:59
and the address it went to so this is
00:09:02
the ip of the metasploitable 2 virtual
00:09:04
machine this is the ip address of my
00:09:06
kali linux virtual machine where i
00:09:07
performed the ping from fantastic so
00:09:10
that's how to create a very simple rule
00:09:12
i really like using this example because
00:09:14
it allows me to showcase a few important
00:09:17
techniques all right now what i'm going
00:09:19
to do now
00:09:21
is let's write another rule
00:09:23
for ssh connections right because that
00:09:25
can be quite important to monitor on the
00:09:27
network so i'm going to go back and
00:09:29
modify the local.rules file
00:09:31
and i'm going to create another one so
00:09:33
i'm going to say alert and in this case
00:09:35
because
00:09:36
ssh runs on tcp i'm going to say tcp
00:09:40
from any connection on any port
00:09:43
we want to
00:09:45
essentially generate an alert whenever
00:09:47
it comes into the home
00:09:49
network
00:09:51
subnet on port 22 remember we need to
00:09:54
specify the appropriate port for ssh
00:09:57
because otherwise the rule will not work
00:09:59
we then create a message
00:10:00
and the message can be anything in this
00:10:02
case we can say ssh authentication
00:10:08
you know and because we can't at this
00:10:10
point we're not really uh you know going
00:10:11
deep into determining whether this is a
00:10:14
connection a successful authentication
00:10:17
attempt or a failed one we're just going
00:10:18
to say
00:10:19
ssh authentication and we can just say
00:10:21
attempt right
00:10:24
just to give it a bit of nuance and then
00:10:26
for the signature id we're going to make
00:10:28
sure it doesn't conflict with our
00:10:29
previous one so we'll say you know 1002
00:10:33
and we'll just say revision is one and
00:10:35
we can close that up
00:10:37
and now i'm going to write in quit
00:10:39
and if i go back on to my kali linux
00:10:42
system we're going to try and
00:10:43
authenticate with metasploitable 2 via
00:10:45
ssh because that metasploitable 2 system
00:10:48
has an ssh server running on it so i'll
00:10:52
just switch back to kali here in a
00:10:54
second there we go so i'll say ssh
00:10:58
the username is msfadmin
00:11:00
at
00:11:01
and i'm going to say 192.168.2.157
00:11:07
and the password msfadmin
00:11:10
there we are so we
00:11:11
authenticate successfully so what we're
00:11:13
trying to do here is try and see
00:11:15
from the perspective of the defender
00:11:18
what uh
00:11:19
what this network activity looks like
00:11:21
and if they have written rules for it
00:11:23
then they should be able to detect
00:11:24
what's being done on the network that's
00:11:26
the essence of intrusion detection and
00:11:29
network traffic analysis right
00:11:31
in the case of network intrusion
00:11:33
detection we're essentially fine-tuning
00:11:36
uh our network traffic analysis to
00:11:38
identify and automate the process of
00:11:40
identifying intrusions or threats so let
00:11:43
me switch back over into my uh into the
00:11:46
actual
00:11:47
ubuntu vm and i had actually not started
00:11:50
up Snort so let me just do that again
00:11:52
and i'll just do it again and we can run
00:11:55
that authentication attempt once more so
00:11:58
i'll just exit and i'll run it again and
00:12:01
i'll just provide the password there and
00:12:04
i'll switch back over
00:12:06
and you can see we get the ssh
00:12:08
authentication attempt alerts fantastic
00:12:11
so you can now start to see
00:12:12
how uh how cool this is and of course
00:12:15
this will also work for all the other
00:12:17
rules that we specified so for example i
00:12:19
can you know i can actually ping so if i
00:12:22
say ping
00:12:23
192.168.2.157
00:12:26
you can see that that ping is detected
00:12:28
so you know really really
00:12:30
robust uh network intrusion detection
00:12:33
system and uh you know the power of your
00:12:35
network intrusion detection system will
00:12:37
be based upon your rules now as i said
00:12:40
the reason why i disabled the other ones
00:12:42
is because i wanted to showcase how you
00:12:44
can write your own so let's explore how
00:12:46
to use the Snorpy tool right
00:12:49
so the Snorpy tool is essentially a
00:12:51
graphical user interface that allows you
00:12:53
to simplify the process of creating a
00:12:56
rule so it's really very simple you
00:12:58
specify whether it's an alert or uh
00:13:00
whether you want to log it etc you then
00:13:02
specify the protocol
00:13:04
right so you know we can say tcp in this
00:13:07
case we can say any
00:13:09
uh
00:13:10
any uh you know any connection from any
00:13:12
address into our home network so we'll
00:13:15
specify the variable so home
00:13:17
network so you can see it provides you
00:13:19
the fields and you can easily specify or
00:13:21
create your rule and at the bottom you
00:13:23
can actually copy it and paste it within
00:13:24
your local dot rules file in this case
00:13:27
let's see if we can create a rule for
00:13:30
ftp so ftp is on port 21 signature id
00:13:34
we'll give that
00:13:36
1003 revision number one
00:13:39
we can also specify the rule message
00:13:41
here so we can say in this case ftp
00:13:44
authentication
00:13:46
uh
00:13:49
attempt
00:13:50
right and we can also uh we can also
00:13:53
limit the actual or we can also specify
00:13:56
what ip we're interested in so instead
00:13:58
of looking for all ftp connections
00:14:00
coming into the the actual network we
00:14:03
can specify only alert us when there's
00:14:05
an ftp connection made to a specific ip
00:14:08
within our network so in this case we
00:14:10
can specify the ip address of the
00:14:13
actual metasploitable 2 virtual machine
00:14:15
ftp authentication attempt on ms2
00:14:19
right and we can then specify additional
00:14:22
options uh if we require them in this
00:14:25
case i'm just going to copy that there
00:14:27
and we'll go back here and we'll just
00:14:29
terminate snort
00:14:31
and we'll go into our rules here
00:14:34
and i'll say insert paste that in there
00:14:36
let me just make sure that that is
00:14:37
displayed correctly
00:14:39
and there aren't any issues yep that
00:14:41
looks good so Snorpy is really useful in
00:14:43
this way write in quit and we'll start
00:14:46
up snort again
00:14:47
and i'm just going to make or you know
00:14:50
we can actually authenticate with uh
00:14:52
that
00:14:53
with kali linux
00:14:55
with ms2 with kali linux so i'll say
00:14:57
exit ftp
00:15:01
192.168.2.157
00:15:04
on port 21 hit enter
00:15:07
msfadmin
00:15:09
and the password
00:15:11
msfadmin there we go etc all
00:15:15
right so let me switch back over
00:15:17
here we are
00:15:19
you can see that in this case when we
00:15:21
started it it looks like there was an
00:15:23
ssh authentication attempt
00:15:26
uh
00:15:27
i believe that is the case that was on
00:15:29
port 22 i'm not really sure why that
00:15:31
was logged but uh hey ho as you can see
00:15:34
it actually logged the actual ftp
00:15:36
authentication attempt on the
00:15:37
metasploitable 2 system so from this
00:15:41
example or exercise you can start to get
00:15:44
a feel and understand as to how robust
00:15:46
snort rules can be
00:15:48
and this is obviously made evident by
00:15:51
the you know by the really awesome rules
00:15:54
that are written by the community and by
00:15:55
Snort themselves
00:15:57
all right so again i would recommend
00:15:59
taking a look at snoppy if you want to
00:16:01
learn how to write your own rules
00:16:02
another great resource to learn how to
00:16:04
write your own rules is to like is to
00:16:06
take a look at the rules
00:16:07
written by the community
00:16:09
so
00:16:11
let's take a look at a few examples now
00:16:14
the first thing we would need to do of
00:16:15
course is to disable or enable the rules
00:16:18
we had disabled
00:16:20
within the configuration file so i'll
00:16:22
just uh modify that file now
00:16:25
and
00:16:26
we are sorry that is still the rules
00:16:28
file we want to modify the snort.conf
00:16:32
file
00:16:33
and we want to head over to the lines
00:16:35
that we had commented right because
00:16:38
those rules are very very important so
00:16:40
we want to uncomment the ones we had
00:16:42
commented earlier on so in order to do
00:16:44
this with vim we're just going to
00:16:46
uh specify the start line which was 578
00:16:50
and
00:16:51
696
00:16:52
for the end line and we are then going
00:16:54
to say of the start of the line that
00:16:57
begins with a hash or a pound
00:17:00
just get rid of that
00:17:02
hit enter that gets rid of the comment
00:17:05
for the rules that we had initially
00:17:07
commented so it'll still maintain the
00:17:08
initial comments uh you know that were
00:17:11
specified by default so let's write in
00:17:14
quit
00:17:15
and let's take a look at the community
00:17:17
rules offered by Snort so if you head
00:17:20
over into your browser on snort.org you
00:17:22
can actually download rules
00:17:24
right
00:17:25
there we are
00:17:26
and right over here as you can see
00:17:30
for Snort version 3 you have the ability
00:17:31
to download those rules and for Snort
00:17:33
version 2.9 you can download those
00:17:36
rules there
00:17:37
so you can click on that
00:17:40
and you can open up your downloads
00:17:42
directory and you can extract that
00:17:44
ideally it's recommended to extract that
00:17:46
within the actual /etc/snort/rules
00:17:48
directory but i'll just show you an
00:17:50
example as to how you can learn how to
00:17:52
write really complex rules and the
00:17:55
options afforded to you
00:17:56
right so i'll extract this here
00:17:59
this will contain
00:18:00
a snort.conf configuration file based on
00:18:03
the rules
00:18:05
on on these particular community rules
00:18:07
so if you take a look there
00:18:09
you can see that it still
00:18:11
utilizes the local.rules file and then
00:18:14
of course it has all of these other
00:18:15
rules here
00:18:17
and if we take a look at them closely
00:18:20
i think we would need to include them
00:18:22
but what we can do is we can identify
00:18:24
the rules that we're looking for as an
00:18:26
example in this case
00:18:28
they're going to be under
00:18:29
community.rules there we are
00:18:32
so
00:18:33
this is essentially a set of rules
00:18:36
that allows you to detect exploits
00:18:39
intrusions for specific cves malware
00:18:43
malware network activity so you know for
00:18:46
example in this case you can see that
00:18:48
alert
00:18:50
you know for tcp connections coming from
00:18:52
an external network into the home
00:18:54
network subnet uh on port 7597 then that
00:18:58
is logged as malware backdoor QAZ worm
00:19:01
client login success
00:19:03
and you can also specify the tcp uh you
00:19:06
know the actual tcp flow and the actual
00:19:08
state i'll get to that with Snorpy in a
00:19:11
second
00:19:12
but one really cool example i can
00:19:14
showcase here is the eternal blue attack
00:19:16
right so eternal blue i can search for
00:19:18
that alert here and what i'll do
00:19:21
here is let me just open up my
00:19:22
preferences so you can actually see it
00:19:24
there we are
00:19:26
so this is the eternal blue alert so
00:19:28
eternal blue is a windows exploit of
00:19:30
vulnerability within the windows
00:19:32
smb
00:19:33
version one
00:19:35
that allows you to perform remote code
00:19:36
execution so i can spin up a windows 7
00:19:40
virtual machine and we can try and
00:19:42
exploit it with
00:19:44
uh with metasploit from the kali linux
00:19:46
system and we can add this rule to our
00:19:49
custom rule or to the local dot rules
00:19:52
file and you can actually be able to
00:19:54
tell that Snort will be able to identify
00:19:57
that as that exploitation process as an
00:20:00
intrusion or malicious now one of the
00:20:03
great things with snort rules is that
00:20:05
allow you to also specify this a
00:20:07
reference point so you can specify the
00:20:09
cve code
00:20:10
as well as the the url where you can
00:20:12
actually read more about a specific
00:20:14
vulnerability so what i'll do is i'll
00:20:17
copy this and we'll modify
00:20:19
the actual rule local.rules file i'll
00:20:21
put it in there as i said you can you
00:20:24
can actually copy that community.rules
00:20:26
file
00:20:27
into the actual
00:20:30
/etc/snort/rules directory and load
00:20:33
those rules as well but i typically like
00:20:35
loading the ones that i'm interested in
00:20:37
especially if you're learning this is
00:20:38
really a really cool way so we can put
00:20:40
it in there the only thing you need to
00:20:41
make sure you do is make sure that the
00:20:44
signature is unique or the signature id
00:20:46
right and uh that looks fine so you can
00:20:50
see what's happening here is we're
00:20:51
saying
00:20:52
what we're telling Snort to do is alert
00:20:54
us if there's any tcp connection coming
00:20:56
from any network into our home network
00:20:59
that connects to any device on our home
00:21:01
network on port 445
00:21:03
whereby the flow is the the actual flow
00:21:06
is you can see to the server established
00:21:08
so that's the tcp state and the content
00:21:11
this is where you would specify the
00:21:13
signature so based on the content
00:21:15
contained within a packet
00:21:17
that is used to perform the eternal blue
00:21:20
exploit this is where you specify the
00:21:22
signature so in this case you can see
00:21:24
it's uh in this it looks like it's uh
00:21:26
hexadecimal and then of course you have
00:21:29
the byte extract there etc etc we're not
00:21:32
going to be exploring how to write
00:21:33
complex uh rules uh you know based on
00:21:36
specific exploit signatures but
00:21:38
most of them have already been written
00:21:40
for you so you can actually test them
00:21:41
out on your network another good example
00:21:43
of this is let's see if we can identify
00:21:45
whether the latest vulnerability log4j
00:21:48
there we go so you can see an alert has
00:21:50
been made for log4j and you can now
00:21:53
start to see the power of Snort and the
00:21:55
actual snort rules because if you use
00:21:58
the latest version of this
00:21:59
community.rules file then that means
00:22:01
that you're up to date with the latest
00:22:03
vulnerabilities and you'll be able to
00:22:04
detect them as they occur on your
00:22:06
network which is absolutely fantastic so
00:22:10
let's just use this simple example
00:22:12
so i'm going to write in quit
00:22:15
right
00:22:16
and we can actually start it up so
00:22:19
uh we're going to start up snort here
00:22:22
and i'll hit enter so i'm going to fire
00:22:24
up the windows 7 virtual machine for the
00:22:27
purpose of this demonstration
00:22:29
and i'll then switch over to kali we can
00:22:31
exploit the vulnerability and see
00:22:33
whether it's logged right over here on
00:22:35
our console so let me just fire up the
00:22:37
vm
00:22:39
all right so we have Snort running
00:22:41
i've started up the windows vm i know
00:22:43
the ip address
00:22:45
and i'm currently on the kali linux
00:22:47
virtual machine and we're going to be
00:22:49
utilizing a popular exploitation
00:22:51
framework called metasploit uh that
00:22:53
already contains a pre-built
00:22:54
exploitation module that allows me to
00:22:56
exploit the eternal blue vulnerability
00:22:59
on affected versions of windows windows
00:23:01
7 being one of them so you know in this
00:23:04
scenario just assume that you had a
00:23:06
windows 7 system on your network and it
00:23:09
was vulnerable to eternal blue
00:23:11
and you know an attacker had gained
00:23:13
access and you know you would be able to
00:23:15
essentially identify that this attack
00:23:17
was being performed so i'll just say use
00:23:19
that module here so i'll say use paste
00:23:22
that in there and for this module the
00:23:24
only option i need to set is the target
00:23:26
ip so this is the ip of the windows vm
00:23:29
so the ip address is 192.168.2.35
00:23:35
and i can then hit exploit right and
00:23:37
this should provide me with elevated
00:23:39
privileges on the windows system if
00:23:41
successful
00:23:42
so based on the way this exploit works
00:23:46
i should be able to detect this attack
00:23:48
as a defender by taking a look at the
00:23:50
alerts generated by snort based on the
00:23:53
rule that we created right and if we had
00:23:56
implemented or loaded the entire set of
00:23:58
rules within the community or rules file
00:24:01
then this would be the case anyway but
00:24:02
again i just wanted to showcase how you
00:24:05
can also uh you know identify specific
00:24:07
cves and vulnerabilities and exploits
00:24:10
right so let me just switch over back
00:24:12
into the ubuntu vm
00:24:14
and there we are you can actually see it
00:24:16
live so
00:24:18
there we are we have uh based on the
00:24:20
other rules that we had enabled we have
00:24:22
a few other alerts here so you can see
00:24:25
bad traffic potentially bad traffic and
00:24:27
then of course we have that rule here
00:24:29
the eternal blue
00:24:31
alert is generated so os microsoft
00:24:33
windows smb remote code execution
00:24:35
attempt classification attempted
00:24:37
administrator privilege gain priority
00:24:39
one where the attack came from and it's
00:24:42
the the port it came from and the actual
00:24:45
ip address of the windows system on port
00:24:47
445 and they're going to be multiple
00:24:49
alerts because the exploit sends
00:24:51
multiple packets and of course we have
00:24:54
these additional ones so you can see in
00:24:56
order for this to work because this
00:24:57
exploit targets smb uh you can see there
00:25:00
we are we have a net bios alert that
00:25:02
tells us that uh an smb ipc share was
00:25:06
accessed by the following ip
00:25:08
so you can actually see how useful this
00:25:11
is
00:25:12
so i'm just going to terminate the
00:25:14
exploit and we can take a look at the
00:25:16
final section of what i wanted to cover
00:25:19
all right so the final um
00:25:22
the final section that i wanted to
00:25:24
highlight was logging and where all of
00:25:26
this information is being saved
00:25:28
so if you let me just terminate Snort
00:25:31
here if you take a look at the command that
00:25:33
we used to run Snort you can see that all
00:25:35
logging was uh all the logs were saved
00:25:37
under /var/log/snort right however the
00:25:41
actual um
00:25:43
the actual alerts were displayed on the
00:25:45
console so the only thing that was
00:25:47
logged was the traffic which is very
00:25:50
important to understand so let's open up
00:25:52
my file browser here and if i go into
00:25:55
the var log directory so var log and we
00:25:58
go into snort we'll be able to see some
00:26:01
interesting files
00:26:02
so these are all the log files that were
00:26:06
created by snort
00:26:08
and these are essentially the this is
00:26:10
essentially the raw packet capture on
00:26:12
the network so this doesn't have any
00:26:13
alerts attached to it uh and these can
00:26:16
be accessed with wireshark now in order
00:26:19
to access these log files you need to
00:26:21
run wireshark as root because these are
00:26:24
owned by the root user so we'll say sudo
00:26:26
wireshark and i'll show you that you
00:26:28
know
00:26:29
Snort really is extremely powerful
00:26:31
so i'll say file
00:26:34
open and i'll go to my computer and i'll
00:26:36
say var
00:26:38
log
00:26:39
and we'll head over into
00:26:41
snort
00:26:43
and we'll open up the latest one that
00:26:44
contained the actual windows smb traffic
00:26:48
so i'll say open
00:26:49
and there we are so all the packets were
00:26:51
captured directly or immediately from
00:26:53
the actual smb exploit and you can see
00:26:56
uh you know all that traffic was
00:26:58
captured so the all the packets have
00:27:00
been captured that's not a problem
00:27:02
uh i want to cover how to log
00:27:06
the actual alerts right and any other
00:27:08
type of um
00:27:10
either alerts or uh
00:27:12
you know if you want to log all alerts
00:27:15
because this the actual alerts are
00:27:17
pretty much the most important piece of
00:27:19
information and if you're not logging
00:27:21
them you should be so in order to log
00:27:24
them what you need to do is we'll use
00:27:26
the same format where we specify
00:27:28
quiet mode we're logging into the
00:28:30
following directory
00:27:31
under the following directory however
00:27:34
for the actual um
00:27:36
for the actual uh let me just show you
00:27:38
this right now so
00:27:40
man snort for the actual
00:27:43
alert mode we are going to be using
00:27:44
either fast full or none in the case of
00:27:47
fast this will write the alert to the
00:27:49
default alert file in a single line
00:27:51
syslog style and that message that is
00:27:53
the preferred format if you're going to
00:27:55
be using these logs or importing them
00:27:58
into tools like splunk
00:28:00
so in order to do that we're going to
00:28:02
say instead of console we're going to
00:28:04
say fast as an example right
00:28:06
so let me just type that in here and
00:28:09
i'll hit enter
00:28:10
and let me see if i can generate some
00:28:13
traffic so let me just generate some
00:28:15
traffic
00:28:17
all right so i've generated some traffic
00:28:19
and you might be thinking to yourself
00:28:22
what on earth is happening you've
00:28:24
generated traffic or you know you've
00:28:25
performed a few pings and you've
00:28:27
connected to the ftp server on the
00:28:29
metasploitable 2 virtual machine why
00:28:31
isn't anything being displayed here well
00:28:33
that's because
00:28:35
we specified to snort that hey i want
00:28:38
you to log i want you to log all alerts
00:28:42
under the following uh using the the
00:28:44
actual alert method
00:28:47
um and of course this is the alert mode
00:28:49
in this case we specified the alert mode
00:28:50
as fast which is the preferred format
00:28:53
under the var log snort
00:28:55
directory so
00:28:56
we were already in that directory and we
00:28:58
can see it right over here so it's
00:29:00
generated a
00:29:01
uh it's generated a log file called alert
00:29:04
so if we open this up
00:29:05
there we are we get the the actual
00:29:08
traffic that i had
00:29:09
had essentially generated where i
00:29:11
performed a few pings based on the rules
00:29:13
that i gener that had actually created
00:29:15
we have an we had an ftp authentication
00:29:18
attempt and some potentially bad traffic
00:29:20
right over there
00:29:21
so now at this point you know we can
00:29:25
utilize this format
00:29:27
uh
00:29:28
this this logging format to essentially
00:29:30
import this into tools like into tools
00:29:33
like splunk
00:29:34
so
00:29:35
again
00:29:36
once you've got all of these logs they
00:29:38
can be analyzed you know on this system
00:29:40
or as i said you can configure a
00:29:43
log forwarder to essentially have them
00:29:46
dynamically loaded have the latest logs
00:29:48
or alerts dynamically loaded onto a tool
00:29:51
like splunk for analysis and at that
00:29:54
point then you'd essentially be able to
00:29:55
know what was happening on your network
00:29:58
in regards to attacks and intrusions
00:29:59
directly from splunk which is absolutely
00:30:02
fantastic
00:30:04
so that is going to be it in regards to
00:30:06
what i wanted to cover we've covered
00:30:08
quite a lot hopefully by this point you
00:30:10
should know how to get snort installed
00:30:12
how to uh how to customize and configure
00:30:15
it how to create your own rules how to
00:30:17
load in community rules how to write
00:30:20
rules uh and of course how to log
00:30:23
you know the actual
00:30:24
alerts that you've captured as well as
00:30:26
the packets that you are capturing
00:30:29
with that being said uh let me just
00:30:31
switch back over to the slides
00:30:34
all right so uh as a parting note all
00:30:37
the links and resources
00:30:39
used in this video will be added to
00:30:42
the description section of this video so
00:30:44
you can check them out uh you'll also be
00:30:47
provided with access to the slides as a
00:30:49
reference so that you can actually
00:30:50
navigate uh you can actually navigate
00:30:53
through this video if you have any
00:30:54
questions or suggestions leave them in
00:30:56
the comments section
00:30:57
or you can reach uh you can reach out to
00:30:59
me and the hackersploit community on our
00:31:02
discord server the link to that is also
00:31:04
in the description
00:31:05
in the next video we're going to be
00:31:06
taking a look at threat detection with
00:31:09
wazuh
00:31:10
with that being said i will be seeing
00:31:12
you in the next video
00:31:15
i just want to take a couple of moments
00:31:17
to thank our patreons thank you michael
00:31:19
hubbard dustin umpress jerry speds doozy
00:31:23
sid saab ryan carr shamir douglas jojo
00:31:27
bibi balangos kushkev rs
00:31:31
boykov and david bricker you guys are
00:31:33
really awesome thank you very much for
00:31:35
supporting us and you guys make these
00:31:38
types of videos possible so we really
00:31:40
appreciate it and we look forward to
00:31:42
producing even more high quality content
00:31:50
[Music]

Description:

This video covers the process of using custom and community Snort rules. An IDS is a system/host planted within a network to capture traffic and identify malicious activity based on predefined rules, after which this malicious activity is logged and a notification is sent to the relevant parties informing them of an intrusion. You can register for part 2 of this series for free here: https://event.on24.com/eventRegistration/EventLobbyServlet?target=unavailable.jsp&eventid=3731394&sessionid=1&partnerref=hackersploit&format=fhvideo1&contenttype=&username=&key=5E35929407F163502826CBE7896D85D5&errorcd=eventnotactive&msg=event+not+active

//LINKS
Snort Website: https://www.snort.org/
Snorpy Rule Generator: http://www.cyb3rs3c.net/
Video Slides: https://docs.google.com/presentation/d/1CNc_WTxe2B_OdKzZV0ndAZtdIwGoZvDE/edit?usp=sharing&ouid=116946387936310747035&rtpof=true&sd=true
