Lab 2: Boleto Malware Snort Rule Writing and PCAP Analysis

Jesse Kurrus, M.S., OSCP, CEH, Security+, Linux+, Network+, CISSP
Senior Penetration Tester and Technical Trainer

Lecture description

Lab 2 will show you how to write effective Snort rules for indicators derived from a packet capture. Please refer to the attached "Boleto Snort Rules" file for all of the rules written within this lab. There may be issues with copying and pasting them due to formatting, so it's recommended that you type it in yourself. Tcpreplay will be used to test the Snort rules by replaying the PCAP through the sniffing interface. If there's any issues completing this lab, please let me know in the questions section.

Download PCAP:

https://www.malware-traffic-analysis.net/2016/12/17/index.html

Learn more from the full course

Snort Intrusion Detection, Rule Writing, and PCAP Analysis

Learn how to write Snort rules from a real cybersecurity professional with lectures and hands-on lab exercises.

02:20:14 of on-demand video • Updated April 2020

  • Write Snort Rules
  • Analyze PCAPS using Wireshark and Tcpdump
  • Create Virtual Machines using VirtualBox
  • Configure Security Onion
  • Test Snort rules using automated scripts
  • Analyze Snort NIDS alerts using Squert
  • Configure Kali Linux
  • Test exploits and analyze resulting network traffic
This video will show you how to create custom Snort rules based on malicious traffic. The signatures we will focus on are related to network traffic derived from malware-traffic-analysis.net, involving Boleto-themed malicious spam.

First step: open a web browser and go to malware-traffic-analysis.net, then click on the training exercises. The PCAP we are going to use for this exercise is "your holiday present". Click to download the PCAP, go to the Downloads folder, right-click and choose Extract Here. The password is "infected", all lowercase. Open the PCAP.

Next, I'm going to make some changes to the default column display. This is optional, but it's much more convenient for analysis if you set it up this way. First, go to Edit, Preferences, Columns. I'm going to uncheck No., Protocol and Length and add two new columns, renamed Source Port and Dest Port, with the types Src port (unresolved) and Dest port (unresolved). Go ahead and type in http.request to filter for HTTP traffic and click Apply. Now drill down in the Hypertext Transfer Protocol section, click on any one of the Host headers, right-click and choose Apply as Column. Good. Go back to Preferences, Columns, make sure Source Port and Dest Port are checked, and click Apply. OK. Click View, Time Display Format, and choose the top selection. Click View again, Time Display Format, and change from Automatic to Seconds. All right, that's it, we're all good to go now.

This network traffic is from a user named Matthew Frogman who clicked on a malicious link in an e-mail and had their system infected as a result. So let's go over the chain of events. I'll make this a little bit bigger here. All right, so this right here is the host name; it looks like a domain generation algorithm created this name. This GET request is the root cause of the infection: they clicked on a link from an e-mail. Go ahead and follow the TCP stream.

As a result of that there was a redirection to a VBS file, so I'll show you that as well. This is just the initial request from clicking the link in the e-mail. OK, here's the next step, so just follow the TCP stream here. This Follow TCP Stream will show you the file which was the cause of the infection: it downloaded this file here, a Visual Basic script. So that's the cause of the infection. OK. The post-infection traffic is these GET requests for /bb/ and these .txt, .tiff, .zip and .dll files; that is indicative of post-infection. As we scroll down a little bit here, there it is: a GET request for "VSP infects" from this Russian host right here. This is another indicator of post-infection. Keep going down, and right here, this domain is another indicator of post-infection. So we're going to go ahead and use these indicators in Snort rules. The first Snort rule is going to be an indicator which will detect the phishing e-mail link click, and then the other four rules are going to show post-infection.

Let's go ahead and open up a terminal; just minimize this for now. Type in sudo vi /etc/nsm/rules/local.rules. OK, the first rule here: alert on TCP traffic coming from any IP in the $HOME_NET variable on any port, going to any IP address in the $EXTERNAL_NET variable over $HTTP_PORTS, with a message of "Probable successful phishing attack". Flow will be established, to server. The content match of GET is limited to the HTTP method. OK, so let's just go back to Wireshark. All right. As you recall, this right here indicates the click of the link in the phishing e-mail, so let's just follow the TCP stream and I'm going to copy that all the way to "php?", because the rest of it can be random. This is a static indicator that will always occur as a result of this Boleto malware. So let's go back to our terminal. All right.

I'm going to limit that to the URI, so if it occurs anywhere else in the payload we will not get a content match; it's limited just to the URI. Give it a classtype of trojan-activity, a sid and a revision, and that rule is good to go.

The next rule is going to focus on post-infection, so we're going to alert on TCP traffic, same thing: any IP from the $HOME_NET variable going to any IP in the $EXTERNAL_NET variable over $HTTP_PORTS, with a message of "Probable post-infection Boleto-themed malicious spam, first indicator". Flow is established, to server again. Content of GET, limited to the HTTP method. Now let's go back to Wireshark. Close out of this; we need to take a look at the other indicators here. Sorry about that; filter on http.request. All right, back up here. OK, so here is a bunch of post-infection traffic. We have a string of /bb/ and then we have a bunch of file extensions, so we can combine those two to create a rule that will detect if any one of these occur. So let's go back to the terminal. I'm going to use a content match for /bb/, limit that to the URI, and I'm going to use Perl-compatible regular expressions, so this will match on any of the aforementioned file extensions: .txt, .tiff, .zip, .dll and .exe. So get started on that first: pcre:, and then group these together. The backslash here escapes the dot, so it's a literal dot, and it will match on txt; then the pipe means or, so it's going to be .txt or .tiff or .zip or .dll or .exe. That's it. We're going to have a classtype, same thing, trojan-activity. Give it a sid and a revision. Good, on to the next rule. All right, to save us some time I'm going to copy a portion of this rule because it's going to be pretty similar. So just copy that, and go ahead and change "first" to "second", because it's the second indicator. Everything else is going to be the same.

All right, so same thing as the previous rule, except obviously the content match is going to be different because we have a different indicator that we're going to use. So, content: go back to Wireshark. The indicator we're going to want to use here is "VSP infects", so let's take a look right here. OK, just follow the TCP stream, and this has the other indicator that we're going to use as well. So, first off, copy this up to "php?" and limit it to the HTTP URI. We can give it a classtype, a sid and a revision. OK, that looks good to go. Same thing here: we can go ahead and copy it all the way to http_method and paste that in. I'm doing a string search for "second" because I want to change that to "third". So we have all the same stuff here, except we're going to change the content match. Back to our TCP stream, because we have the other content match here as well, which is going to be this "VSB debug" string and "index.php?". Limit that to the HTTP URI, give it a classtype, a sid and a revision. It's good to go. All right, I'm going to do the same thing as before: copy a portion of this rule to save us some time. I'm going to make a couple of changes here, though. First off, obviously I'm going to change "third" to "fourth", and the content GET needs to be changed as well, because this is going to be a POST request, not a GET request. With those two changes, I can move on to the content match. Let's go back to Wireshark. We're going to have to close that out and filter on http.request. Our fourth indicator is "MERS admin XP". There it is, so just right-click it and follow the TCP stream to get it easily. The content match is going to be limited to the HTTP URI as well, with a classtype of trojan-activity. Give it a sid and a revision. OK. Let's take a little while to carefully look through each one of your rules. Make sure that you have a semicolon separating each statement; that's very important. Make sure you have a colon after each keyword.

It's very important; if you miss any one of those, the rule will not function, so you've got to be very careful. Make sure that your sids are different from one another; if they're the same, it causes issues as well. So let's go ahead and give this a shot and test them out. Go ahead and save and quit out of that, then type sudo rule-update. Next, let's go to the Downloads folder. You have this PCAP here that we got all the indicators from. We want to run that through our sniffing interface; to do that we can use tcpreplay: sudo tcpreplay -t -i followed by the sniffing interface and the name of the PCAP. It's going to run it a couple of times; you can use the -l switch, or you can just run it a bunch of times. I'm running it through the interface five times with -l 5. All right. Then we can get rid of that and open up Squert. Let's go ahead and sort it by signature. All right, looks like we have all of our rules here: the probable successful phishing attack, and the first, second, third and fourth indicators. OK, so it looks like our rules are functioning properly. Take a quick look at them. Here's a GET request; see, the pattern matches what we have in the content keyword here. Here's the third indicator; it's working properly. Second indicator here. Here it is, fourth indicator, post-infection. OK, here's the pcre rule: it was .dll, .exe, .txt, .tiff. Very good. So this rule here is going to match on a content match of /bb/ and any one of these file extensions, so that's also working properly. If you don't see these alerts right away, just wait a few minutes; sometimes it takes a little while to actually generate the alerts. As always, if you have any questions or issues running this lab, please let me know via message or the Q&A section.
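As an added check for the "carefully look through each one of your rules" step above, and for the /bb/ pcre rule, here is a small Python script of my own. It is not the attached "Boleto Snort Rules" file and not something from the lecture: the five rules inside it are reconstructed from the narration, the URI content strings marked PLACEHOLDER and the sid numbers are made up for illustration, and the sample URIs are constructed. It lints the rules the way the lecture tells you to by eye (every option terminated by a semicolon, a colon after every keyword that takes a value, no duplicate sids), then converts the /bb/ rule's pcre to a Python regex and runs it over sample URIs so you can see which file extensions it would hit before you replay the PCAP.

```python
"""Lint a Snort 2 local.rules file and dry-run its /bb/ pcre against sample URIs.

Added example for this lab, not the attached "Boleto Snort Rules" file.
Rules are reconstructed from the lecture; PLACEHOLDER URIs and sids are made up.
"""
import re
from typing import List, Tuple

# Constructed rule set (reconstruction, not the author's file). Local rules
# use sids of 1,000,000 and above; the lower range is reserved for distributed rules.
RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable successful phishing attack"; flow:established,to_server; content:"GET"; http_method; content:"/PLACEHOLDER_LINK.php?"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection Boleto themed malspam, first indicator"; flow:established,to_server; content:"GET"; http_method; content:"/bb/"; http_uri; pcre:"/\/bb\/[^\s]*(\.txt|\.tiff|\.zip|\.dll|\.exe)/Ui"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection Boleto themed malspam, second indicator"; flow:established,to_server; content:"GET"; http_method; content:"/PLACEHOLDER_INDICATOR2.php?"; http_uri; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection Boleto themed malspam, third indicator"; flow:established,to_server; content:"GET"; http_method; content:"/PLACEHOLDER_INDICATOR3/index.php?"; http_uri; classtype:trojan-activity; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection Boleto themed malspam, fourth indicator"; flow:established,to_server; content:"POST"; http_method; content:"/PLACEHOLDER_INDICATOR4"; http_uri; classtype:trojan-activity; sid:1000005; rev:1;)
'''

# Constructed rule set with the three mistakes the lecture warns about:
# a missing colon, a duplicate sid, and a final option without its semicolon.
BROKEN_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"missing colon"; flow established,to_server; sid:1000010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"duplicate sid"; content:"GET"; http_method; sid:1000010; rev:1)
'''

# Snort 2 option keywords that take no value (content modifiers and the like).
NO_ARG_KEYWORDS = {"http_uri", "http_raw_uri", "http_method", "http_header", "http_raw_header",
                   "http_cookie", "http_client_body", "http_stat_code", "http_stat_msg",
                   "nocase", "rawbytes", "fast_pattern", "file_data"}

HEADER_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
                       r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body: str) -> Tuple[List[str], str]:
    """Split the option body on ';' outside double quotes.
    Returns the terminated options and any unterminated trailing text."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\':
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return parts, ''.join(cur).strip()


def lint_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs; an empty list means the rules look sane."""
    findings, seen_sids = [], {}
    for n, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((n, "malformed rule header or missing parentheses"))
            continue
        options, dangling = split_options(m.group(8))
        if dangling:
            findings.append((n, f"option '{dangling}' is not terminated by ';'"))
        sid = None
        for opt in options:
            if ':' in opt:
                key, value = opt.split(':', 1)
                if key.strip() == 'sid':
                    sid = value.strip()
            elif opt not in NO_ARG_KEYWORDS:
                findings.append((n, f"option '{opt}' has no ':' after the keyword"))
        if sid is None:
            findings.append((n, "rule has no sid"))
        elif sid in seen_sids:
            findings.append((n, f"sid {sid} duplicates line {seen_sids[sid]}"))
        else:
            seen_sids[sid] = n
    return findings


def pcre_to_python(pcre_value: str) -> re.Pattern:
    """Turn a Snort pcre value "/regex/flags" into a compiled Python regex.
    Snort-only flags (U = match against the normalized URI buffer) are dropped."""
    m = re.match(r'^"?/(.*)/([a-zA-Z]*)"?$', pcre_value)
    if not m:
        raise ValueError(f"not a Snort pcre value: {pcre_value}")
    body, flags = m.groups()
    py_flags = 0
    if 'i' in flags:
        py_flags |= re.IGNORECASE
    if 's' in flags:
        py_flags |= re.DOTALL
    if 'm' in flags:
        py_flags |= re.MULTILINE
    return re.compile(body, py_flags)


def bb_regex() -> re.Pattern:
    """Pull the pcre out of the /bb/ rule in RULES and compile it."""
    for line in RULES.splitlines():
        m = re.search(r'pcre:("(?:[^"\\]|\\.)*")', line)
        if m:
            return pcre_to_python(m.group(1))
    raise ValueError("no pcre rule found")


def matches_bb_indicator(uri: str) -> bool:
    return bb_regex().search(uri) is not None


def bb_indicator_hits(uris: List[str]) -> List[str]:
    return [u for u in uris if matches_bb_indicator(u)]


# Constructed sample URIs: three that should alert, two that should not.
SAMPLE_URIS = ["/bb/holiday.txt", "/bb/IMG.TIFF", "/bb/plugin.dll", "/bb/index.html", "/other/x.exe"]

if __name__ == "__main__":
    print("good rules:", lint_rules(RULES) or "no problems")
    for n, problem in lint_rules(BROKEN_RULES):
        print(f"broken rules line {n}: {problem}")
    print("/bb/ pcre hits:", bb_indicator_hits(SAMPLE_URIS))
```

Run it before `sudo rule-update`; anything it reports is a rule Snort would either refuse to load or silently never fire. The regex dry-run only checks the pcre half of the /bb/ rule: in Snort the `content:"/bb/"; http_uri;` match must also succeed, and both are evaluated against the normalized URI buffer, not the raw packet.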