Lab 2: Boleto Malware Snort Rule Writing and PCAP Analysis

Jesse Kurrus, M.S., OSCP, CEH, Security+, Linux+, Network+, CISSP
A free video tutorial from Jesse Kurrus, M.S., OSCP, CEH, Security+, Linux+, Network+, CISSP
Senior Penetration Tester and Technical Trainer
4.6 instructor rating • 7 courses • 35,235 students

Lecture description

Lab 2 will show you how to write effective Snort rules for indicators derived from a packet capture. Please refer to the attached "Boleto Snort Rules" file for all of the rules written within this lab. There may be issues with copying and pasting them due to formatting, so it's recommended that you type them in yourself. Tcpreplay will be used to test the Snort rules by replaying the PCAP through the sniffing interface. If there are any issues completing this lab, please let me know in the questions section.

Download PCAP:

https://www.malware-traffic-analysis.net/2016/12/17/index.html

Learn more from the full course

Snort Intrusion Detection, Rule Writing, and PCAP Analysis

Learn how to write Snort rules from a real cybersecurity professional with lectures and hands-on lab exercises.

02:20:14 of on-demand video • Updated April 2020

  • Write Snort Rules
  • Analyze PCAPS using Wireshark and Tcpdump
  • Create Virtual Machines using VirtualBox
  • Configure Security Onion
  • Test Snort rules using automated scripts
  • Analyze Snort NIDS alerts using Squert
  • Configure Kali Linux
  • Test exploits and analyze resulting network traffic
English [Auto]

This video will show you how to create custom Snort rules based on the signatures of malicious traffic. We will focus on network traffic taken from malware-traffic-analysis.net involving Boleto-themed malicious spam.

First step: open a web browser and type in malware-traffic-analysis.net. Click Training Exercises; the PCAP we're going to use for this exercise is "Your Holiday Present". Click to download the pcap. Go to the Downloads folder, right click, Extract Here. The password is "infected", all lowercase. Open the pcap.

Next I'm going to make some changes to the default column display. This is optional, but it's much more convenient for analysis if you set it up this way. First, go to Edit > Preferences > Columns and uncheck No., Protocol and Length. Add two new columns and rename them Source Port and Dest Port, with field types Src port (unresolved) and Dest port (unresolved). Go ahead and type in http.request to filter for HTTP traffic. Click Apply, then drill down into the Hypertext Transfer Protocol section, click on any one of the Host HTTP headers, right click, Apply as Column. Go back to Preferences > Columns, make sure Source Port and Dest Port are checked, click Apply, then OK. Click View > Time Display Format and choose the top selection; then go to Time Display Format again and change the precision from Automatic to Seconds. All right, that's it; we're all good to go now.

This network traffic is from a user named Matthew Frogmen who clicked on a malicious link in an email and had their system infected as a result. So let's go over the chain of events; let me make this a little bit bigger. This right here is the hostname, a .top domain, and it looks like a domain generation algorithm created this name. This GET request is the root cause of the infection: they clicked on a link from an e-mail. Go ahead and Follow TCP Stream. As a result of that there is a redirection to a .vbs file, so I'll show you that as well. This is just the initial GET request from clicking the link in the email. OK, here's the next step; follow the TCP stream here. This will show you the file which was the cause of the infection: it downloaded this file here, a Visual Basic script. So that's the cause of the infection.

The post-infection HTTP traffic is these GET requests for the vbi directory and the .txt, .tif, .zip and .dll files; that is indicative of post-infection. As we scroll down a little bit, there it is: the GET request to this Russian host right here is another indicator of post-infection. Keep going down. Right here, the .top domain is another indicator of post-infection. So we're going to use these indicators in Snort rules. The first Snort rule is going to be an indicator which will detect the phishing e-mail link click, and the other four rules are going to show post-infection.

Go ahead and open up a terminal and minimize this for now. Type in sudo vi /etc/nsm/rules/local.rules. The first rule: alert on TCP traffic coming from any IP in the $HOME_NET variable on any port, going to any IP address in the $EXTERNAL_NET variable over $HTTP_PORTS, with a message of "Probable successful phishing attack"; flow will be established, to_server; and a content match on GET limited to the HTTP method. OK, so let's go back to Wireshark. As you recall, this right here indicates the click of the link in the phishing e-mail, so follow the TCP stream and I'm going to copy that all the way to the "php?", because the rest of it can be random. This is a static indicator that will always occur as a result of this Boleto malware. Go back to our terminal. I'm going to limit that to the URI, so if that string occurs anywhere else in the payload we will not get a content match; it's limited to the URI. Give it a classtype of trojan-activity, a SID, and a revision. That rule is good to go.

The next rule is going to focus on post-infection. We're going to alert on TCP traffic, same thing, any IP from the $HOME_NET variable going to any IP in the $EXTERNAL_NET variable over HTTP ports, with a message of "Probable post-infection, Boleto-themed malicious spam, first indicator"; flow established, to_server; and a content match of GET limited to the HTTP method. Now let's go back to Wireshark and close out of this; we need to take a look at the other indicators. Filter on http.request again. Here's a bunch of post-infection traffic. We have a string of forward slash, vbi, forward slash, and then we have a bunch of file extensions, so we can combine those two to create a rule that will detect if any one of these occurs. Back to the terminal: I'm going to use a content match of "/vbi/" limited to the URI, and then a Perl-compatible regular expression (pcre) so this will match on any of the aforementioned file extensions: .txt, .tif, .zip, .dll and .exe. We've already got the first piece; now we group the extensions together. The backslash escapes the dot so it's a literal dot, then it matches on txt, and the pipe means "or", so it's going to be txt or tif or zip or dll or exe. That's it. Same classtype, trojan-activity, and a revision.

For the next rule, to save some time, I'm going to copy a portion of this rule because it's going to be pretty similar. Copy that and change the message to "second indicator". Everything else is going to be the same as the previous rule, except obviously the content match is going to be different because we have a different indicator to use. Go back to Wireshark; the indicator we want to use here is "BSB effects". Follow TCP Stream; this stream also has the other indicator we'll use. First, copy this up to the "php?", limit it to the URI, and give it a classtype, a SID and a revision. That rule looks good to go.

Same thing here: copy it all the way to the method, paste that in, do a string search for "second" and change it to "third". We have all the same stuff here, except the content match changes. Back to the TCP stream, where we have the other content match as well, which is going to be the request ending in "index.php?". Add that limited to the URI, then the classtype, SID and revision. Good to go.

Now I'm going to do the same thing as before and copy a portion of this rule to save some time, but I'm going to make a couple of changes. First, obviously change "third" to "fourth", and the content GET needs to be changed as well, because this is going to be a POST request, not a GET request. With those two changes I can move on to the content match. Go back to Wireshark and close that out. Keep the http.request filter; the fourth indicator is the M-E-S-T-R-E admin .php request. There it is. Right click and Follow TCP Stream to get the content match easily. It's going to be limited to the URI as well, with a classtype of trojan-activity, the SID number and a revision.

OK, now take a little while to carefully look through each one of your rules. Make sure that you have a semicolon separating each statement; that's very important. Make sure you have a colon after each keyword; that's very important too. If you miss any one of those, the rule will not function. Also be very careful to make sure that your SIDs are different from one another; if they're the same it causes issues as well.

So go ahead and give these a shot and test them out. Save and quit, then type sudo rule-update. Next, go to the Downloads folder; you have the pcap here that we got all the indicators from. We want to run that through our sniffing interface, which is eth1. To do that we can use tcpreplay: sudo tcpreplay -i eth1 and the name of the pcap. I'm going to run it a couple of times; you can use the -l switch or you can just run it a bunch of times. Run it through the interface five times with -l 5. Then get rid of that and open up Squert. Sort by signature. All right, looks like we have all of our rules here: Probable successful phishing attack, and the first, second, third and fourth indicators. So it looks like our rules are functioning properly. Take a quick look at them. Here's a GET request; see the pattern match we have in the content keyword. Here's the third indicator, working properly. Second indicator, here it is. Fourth indicator, the POST, functioning. OK, here's the PCRE rule: it's a .dll, and you'll see .txt and .tif too. Very good. So this rule is going to match on a content match of "/vbi/" and any one of these file extensions. That's also working properly. If you don't see these alerts right away, just wait a few minutes; sometimes it takes a little while to actually generate the alerts. As always, if you have any questions or issues running this lab, please let me know via message or the Q&A section.
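As an added illustration (not from the lecture or its "Boleto Snort Rules" file), here is a small Python checker that applies the lecture's closing sanity checks to hand-typed rules (a semicolon terminating every option, a colon after each keyword that takes a value, unique SIDs) and mirrors the second rule's "/vbi/" plus file-extension pcre logic over sample URIs. The sample rule text, its placeholder URI and the "/vbi/" directory string are constructed/assumed here; take the real indicators from the PCAP.

```python
import re
# Snort 2 options that take no value (keyword alone, then ';').
FLAG_OPTIONS = {"http_method", "http_uri", "http_header", "nocase", "fast_pattern"}
# Assumed: placeholder directory string from the lecture; regex is the Python form of the lab's pcre /\.(txt|tif|zip|dll|exe)/U.
POST_INFECTION_DIR = "/vbi/"
EXT_PCRE = re.compile(r"\.(txt|tif|zip|dll|exe)")

def parse_rule(rule):
    """Split one rule into (header, [(keyword, value-or-None), ...]); raise on syntax slips."""
    m = re.fullmatch(r"\s*(\S+(?:\s+\S+){6})\s*\((.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError("expected '<action proto src sport dir dst dport> ( options )'")
    header, body = m.group(1), m.group(2).strip()
    if not body.endswith(";"):
        raise ValueError("last option lacks its terminating ';'")
    opts = []
    for raw in body[:-1].split(";"):            # assumes no ';' inside quoted values
        key, colon, val = raw.strip().partition(":")
        if key in FLAG_OPTIONS:
            opts.append((key, None))
        elif not colon:
            raise ValueError(f"keyword '{key}' is missing its ':'")
        else:
            opts.append((key, val.strip().strip('"')))
    return header, opts

def lint_rules(rules):
    """Return problem strings for a list of rules; an empty list means ready to load."""
    problems, seen_sids = [], {}
    for n, rule in enumerate(rules, 1):
        try:
            _, opts = parse_rule(rule)
        except ValueError as err:
            problems.append(f"rule {n}: {err}")
            continue
        sid = dict(opts).get("sid")
        if sid is None:
            problems.append(f"rule {n}: no sid")
        elif sid in seen_sids:
            problems.append(f"rule {n}: sid {sid} already used by rule {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
    return problems

def matches_post_infection(uri):  # mirror of the lab's second rule: "/vbi/" plus one of the five extensions
    return POST_INFECTION_DIR in uri and EXT_PCRE.search(uri) is not None
SAMPLE_RULE = (  # constructed sample: the lab's first rule with a placeholder URI (the real one comes from the PCAP)
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable successful '
    'phishing attack"; flow:established,to_server; content:"GET"; http_method; '
    'content:"/placeholder-path.php?"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)')
```

Run `lint_rules` over your typed rules before `sudo rule-update`; any returned string points at the option that Snort would reject.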