Creating basic rules in Snort
- Ben Lee
- Jul 29, 2023
- 1 min read
I'll be creating rules in Snort to detect HTTP traffic. All of this is provided by the tryhack.com platform.
The platform gives us a virtual machine for us to complete the tasks.

The first task requires us to write a rule to detect all TCP port 80 traffic. To accomplish this, I created 2 simple rule sets: one to detect inbound port 80 traffic and the other for outbound port 80 traffic.
Inbound: alert tcp any 80 <> any any (msg: "port 80 traffic"; sid: 100001; rev: 1;)
Outbound: alert tcp any any <> any 80 (msg: "port 80 traffic"; sid: 100002; rev: 1;)
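To see what those two rule headers actually match, here is a small matcher for Snort rule headers written for this post (added example, not part of the original post or of Snort). It parses the header fields of the two rules above and evaluates them against constructed packets; the IP addresses are RFC 5737 documentation ranges and the packets are made up for illustration.

```python
"""Minimal Snort rule-header matcher (added example; not Snort's own code)."""
import re
from dataclasses import dataclass

# The two rules from the post. Both use the bidirectional '<>' operator.
RULES = (
    'alert tcp any 80 <> any any (msg: "port 80 traffic"; sid: 100001; rev: 1;)',
    'alert tcp any any <> any 80 (msg: "port 80 traffic"; sid: 100002; rev: 1;)',
)

# action proto src sport dir dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _side_matches(rule_addr, rule_port, addr, port):
    """'any' is a wildcard; otherwise the address and port must equal the rule's."""
    return (rule_addr == "any" or rule_addr == addr) and \
           (rule_port == "any" or int(rule_port) == port)

def rule_matches(rule: str, pkt: Packet) -> bool:
    m = HEADER.match(rule)
    if not m:
        raise ValueError(f"unparseable rule header: {rule}")
    if m["proto"] != pkt.proto:
        return False
    forward = (_side_matches(m["src"], m["sport"], pkt.src, pkt.sport)
               and _side_matches(m["dst"], m["dport"], pkt.dst, pkt.dport))
    if m["dir"] == "->":
        return forward
    # '<>' also matches with source and destination swapped.
    reverse = (_side_matches(m["src"], m["sport"], pkt.dst, pkt.dport)
               and _side_matches(m["dst"], m["dport"], pkt.src, pkt.sport))
    return forward or reverse

def sids_hit(pkt: Packet, rules=RULES) -> list:
    """Return the sid of every rule whose header matches the packet."""
    return [int(re.search(r"sid:\s*(\d+)", r).group(1))
            for r in rules if rule_matches(r, pkt)]

# Constructed sample traffic: a client request to a web server and the server's reply.
REQUEST = Packet("tcp", "192.0.2.10", 51234, "198.51.100.20", 80)
REPLY = Packet("tcp", "198.51.100.20", 80, "192.0.2.10", 51234)
```

Because `<>` is bidirectional, either rule alone already fires on both the request and the reply, so the pair produces two alerts per port 80 packet; the directional `->` operator is what separates inbound from outbound when that distinction matters.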

The next task requires us to find the dst address of packet 63. To do this, I used the command 'sudo snort -n 63 -r snort.log.1690614119' to read the log file and capture 63 packets.


Since the next question wants us to get the ACK number of packet number 64, all I did was use the same command and just change the number of captured packets to 64. I also used the -X switch to display full packet details.
Here's the full command:
sudo snort -n 64 -r snort.log.1690614119 -X

Same thing for packets 62 and 65.

Pretty simple and fun!
