Tolkien Ring - Suricata Regatta Walkthrough

"Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints."

Challenge Difficulty: 3/5 

Progressing further with the challenge after completing Windows Event Logs, we speak to Fitzy Shortstack, who asks us to write Suricata rules that alert on specific traffic. If this is your first introduction to Suricata rules, below is a quick primer before we get to the solutions. Based on the Suricata documentation, the rule schema is as follows:


<action>

alert, pass, reject, ... - defines the action the system takes when the rule's conditions match

<protocol>

dns, http, tls, snmp, ... - defines the protocol on which this rule is active

<source>

can be a specific source IP or any

<port>

can be a specific source port or any

<direction>

-> or <> - defines the direction of the traffic: -> matches only source-to-destination, <> matches either direction (these are the only two direction operators Suricata accepts)

<destination>

can be a specific destination IP or any

<port>

can be a specific destination port or any

<Rule Options>

( msg:"blah"; - allows you to define the alert message

<query object> content:"app.php"; - matches a specific string in the traffic; the sticky buffer named just before it (for example dns.query) selects which part of the traffic is inspected

sid:1000; - allows you to give a signature id to the rule; every rule needs a unique one

nocase; - makes the preceding content match case-insensitive

)


Now let's answer the questions asked in the terminal.

The red box in the screenshot highlights the question; the rest of the note explains how to add Suricata rules: edit the suricata.rules file with any file editor, then validate by running ./rule_checker to see whether the added rule is accepted.

The terminal question gives us the first rule's requirements: match DNS traffic towards adv.epostoday.uk, alert with the message "Known bad DNS lookup, possible Dridex infection", and no specific IP addresses or port numbers are given. Using our schema for Suricata rules, below is the rule for this question.

alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:1000;)

 

Question 2:

The highlighted red box in the screenshot contains question 2, where this time we are asked to write an alert rule for HTTP traffic from the specific IP address 192.185.57.242, with the custom message shown in red font. Based on the requirements given, below is the rule for question 2.

alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:1001;)

 

Question 3:

The third rule has to match and alert on the TLS certificate "heardbellith[.]Icanwepeh[.]nagoya" and use the message shown in red font in the screenshot above, for the TLS protocol. Based on the requirement there is no specific port or IP address that needs to be matched. Below is the rule for question 3.

alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"heardbellith.Icanwepeh.nagoya"; nocase; sid:1002;)

 

Question 4:

The fourth rule has to match and alert on HTTP traffic containing one line of JavaScript, "let byteCharacters = atob", with the custom message shown in red font. Again, no specific IP addresses or port numbers are given. Below is the rule for question 4.

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.response_body; content:"let byteCharacters = atob"; sid:1003;)
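To check that the four rules above follow the schema from the primer, and to see which rule fires on which kind of traffic, here is a small Python parser and matcher. It is an added example written for this walkthrough, not code from the challenge's ./rule_checker or from the Suricata project. It understands only the header fields and the msg, sid, content, nocase and sticky-buffer keywords used in this post, and it evaluates rules against constructed event dictionaries that stand in for Suricata's decoded DNS, HTTP and TLS records (the IPs, ports, queries and bodies in SAMPLE_EVENTS are made up, not captured traffic). It also rejects curly quotes, the usual damage from copying a rule out of a web page, and the non-existent "-<" direction, both of which a real Suricata refuses to load as well.

```python
import re

VALID_DIRECTIONS = {"->", "<>"}             # Suricata has no other direction operators
STICKY_BUFFERS = {"dns.query": "dns_query", "tls.cert_subject": "tls_subject",
                  "http.response_body": "http_body"}   # keyword -> event field content: inspects
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"   # copy-paste damage that Suricata rejects
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
OPTION_RE = re.compile(r'\s*((?:[^;"]|"[^"]*")+?)\s*;')   # one option; ';' inside quotes is ignored

def parse_rule(text):
    """Parse one rule into header fields, msg, sid and content matchers; raise ValueError if invalid."""
    if any(ch in text for ch in CURLY_QUOTES):
        raise ValueError("curly quotes present; Suricata only accepts straight ASCII quotes")
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("expected '<action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)'")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}; only -> and <> exist")
    if OPTION_RE.sub("", opts).strip():
        raise ValueError("an option is missing its terminating ';'")
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "msg": None, "sid": None, "matchers": []}
    buffer = None                            # sticky buffer selected for the next content:
    for opt in OPTION_RE.findall(opts):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "msg":
            rule["msg"] = value
        elif key == "sid":
            rule["sid"] = int(value)
        elif key in STICKY_BUFFERS:
            buffer = STICKY_BUFFERS[key]
        elif key == "content":               # without a sticky buffer, content: inspects raw payload
            rule["matchers"].append({"field": buffer or "payload", "needle": value, "nocase": False})
        elif key == "nocase":                # modifies the content: keyword just before it
            if not rule["matchers"]:
                raise ValueError("nocase must follow a content: keyword")
            rule["matchers"][-1]["nocase"] = True
        else:
            raise ValueError(f"option {key!r} is not supported by this toy parser")
    if rule["msg"] is None or rule["sid"] is None:
        raise ValueError("every rule needs both msg: and sid:")
    return rule

def load_rules(texts):
    """Parse several rules and reject duplicate sids, as a rule-file load would."""
    rules = [parse_rule(t) for t in texts]
    if len({r["sid"] for r in rules}) != len(rules):
        raise ValueError("duplicate sid in rule set")
    return rules

def _endpoint_ok(rule_ip, rule_port, ip, port):
    return rule_ip in ("any", ip) and rule_port in ("any", str(port))

def rule_matches(rule, event):
    """Evaluate one parsed rule against a constructed event (a dict of decoded fields)."""
    if rule["proto"] != event["proto"]:
        return False
    forward = (_endpoint_ok(rule["src"], rule["sport"], event["src_ip"], event["src_port"])
               and _endpoint_ok(rule["dst"], rule["dport"], event["dst_ip"], event["dst_port"]))
    reverse = (_endpoint_ok(rule["src"], rule["sport"], event["dst_ip"], event["dst_port"])
               and _endpoint_ok(rule["dst"], rule["dport"], event["src_ip"], event["src_port"]))
    if not (forward or (rule["direction"] == "<>" and reverse)):
        return False
    for m in rule["matchers"]:
        haystack, needle = event.get(m["field"], ""), m["needle"]
        if m["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True

def alerts_for(rules, event):
    """Return the sids of every alert rule that fires on the event, ascending."""
    return sorted(r["sid"] for r in rules if r["action"] == "alert" and rule_matches(r, event))

WALKTHROUGH_RULES = load_rules([           # the four rules from this post, with straight quotes
    'alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; '
    'dns.query; content:"adv.epostoday.uk"; nocase; sid:1000;)',
    'alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, '
    'possible Dridex infection"; sid:1001;)',
    'alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; '
    'tls.cert_subject; content:"heardbellith.Icanwepeh.nagoya"; nocase; sid:1002;)',
    'alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; '
    'http.response_body; content:"let byteCharacters = atob"; sid:1003;)',
])

# Constructed sample events (not captured traffic) standing in for Suricata's decoded records.
SAMPLE_EVENTS = {
    "dns_bad": {"proto": "dns", "src_ip": "10.0.0.5", "src_port": 53211, "dst_ip": "10.0.0.1",
                "dst_port": 53, "dns_query": "ADV.EPOSTODAY.UK"},          # fires only thanks to nocase
    "http_bad_ip": {"proto": "http", "src_ip": "10.0.0.5", "src_port": 49152,     # <> lets 1001 fire
                    "dst_ip": "192.185.57.242", "dst_port": 80, "http_body": "<html>ok</html>"},
    "http_js": {"proto": "http", "src_ip": "203.0.113.9", "src_port": 80, "dst_ip": "10.0.0.5",
                "dst_port": 49153, "http_body": "let byteCharacters = atob(payload);"},
    "tls_bad": {"proto": "tls", "src_ip": "10.0.0.5", "src_port": 49154, "dst_ip": "203.0.113.10",
                "dst_port": 443, "tls_subject": "CN=heardbellith.icanwepeh.nagoya"},
}
```

Running alerts_for(WALKTHROUGH_RULES, event) over the sample events gives sid 1000 for the upper-case DNS query (the nocase keyword is what makes that match), 1001 for the HTTP connection whose destination is 192.185.57.242 (the <> direction is why a rule written with that address as source still fires on the client-to-server side), 1002 for the TLS subject and 1003 for the response body. The checks the parser performs (straight quotes, a known direction, a terminating ; after every option, msg and sid present, unique sids) are the same things a real sensor complains about when the rule file is loaded, for example with suricata -T -S <rules file>.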


Reference

  • https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html
  • https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html#rules-http-uri-normalization

Tolkien Ring Level Full map



Ring Unlocked !


Tolkien Ring – since this part of the challenge was network-based, guess where the name came from – Token Ring ;)


