Snort Analyser
Trace name: /log/hydra_ftp.zip
Snort Output
The Pcap file for this trace can be downloaded from the page. Every alert below is sid 491 ("FTP Bad login"), defined in the rules file further down: it fires on a "530 User ..." reply from the FTP server, so the source of each alert is the server (192.168.75.132:21) and the destination is the client that made the failed login attempt. The Snort output is:
Portscan.log:

alert.ids:

```
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.252082 192.168.75.132:21 -> 192.168.75.1:18163 TCP TTL:128 TOS:0x0 ID:1743 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0xFACD9194 Ack: 0x4E2AB853 Win: 0xFADA TcpLen: 32 TCP Options (3) => NOP NOP TS: 13957 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.255330 192.168.75.132:21 -> 192.168.75.1:18164 TCP TTL:128 TOS:0x0 ID:1744 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x5F3D1C86 Ack: 0x94A27AAC Win: 0xFADA TcpLen: 32 TCP Options (3) => NOP NOP TS: 13957 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.256494 192.168.75.132:21 -> 192.168.75.1:18162 TCP TTL:128 TOS:0x0 ID:1745 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x76C91E0B Ack: 0x68B77C72 Win: 0xFAD5 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13958 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.264285 192.168.75.132:21 -> 192.168.75.1:18161 TCP TTL:128 TOS:0x0 ID:1746 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0xB4C5B598 Ack: 0x941BCFEF Win: 0xFAD4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13958 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.265182 192.168.75.132:21 -> 192.168.75.1:18159 TCP TTL:128 TOS:0x0 ID:1747 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x8BC570C9 Ack: 0x446B6EF2 Win: 0xFAD9 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13958 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.265906 192.168.75.132:21 -> 192.168.75.1:18157 TCP TTL:128 TOS:0x0 ID:1748 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x93FDAA7F Ack: 0xE9CEC231 Win: 0xFAD8 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13958 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.266581 192.168.75.132:21 -> 192.168.75.1:18158 TCP TTL:128 TOS:0x0 ID:1749 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x16A54E76 Ack: 0x96993667 Win: 0xFAD9 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13958 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.267310 192.168.75.132:21 -> 192.168.75.1:18160 TCP TTL:128 TOS:0x0 ID:1750 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x6757B772 Ack: 0x998782BF Win: 0xFAD9 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13958 7457681
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.372935 192.168.75.132:21 -> 192.168.75.1:18171 TCP TTL:128 TOS:0x0 ID:1759 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x2CD487CD Ack: 0xC1BE3165 Win: 0xFADA TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.378276 192.168.75.132:21 -> 192.168.75.1:18169 TCP TTL:128 TOS:0x0 ID:1760 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x60A3216A Ack: 0x91857346 Win: 0xFAD5 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.379110 192.168.75.132:21 -> 192.168.75.1:18170 TCP TTL:128 TOS:0x0 ID:1761 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x1ABCC12C Ack: 0xE37C8EA Win: 0xFAD7 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.379838 192.168.75.132:21 -> 192.168.75.1:18168 TCP TTL:128 TOS:0x0 ID:1762 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x83A559E Ack: 0x181F088C Win: 0xFADA TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.380494 192.168.75.132:21 -> 192.168.75.1:18167 TCP TTL:128 TOS:0x0 ID:1763 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x7E0E58D4 Ack: 0xACA12D0C Win: 0xFAD9 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.381792 192.168.75.132:21 -> 192.168.75.1:18166 TCP TTL:128 TOS:0x0 ID:1764 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x592A9176 Ack: 0x9BD76405 Win: 0xFAD9 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.382623 192.168.75.132:21 -> 192.168.75.1:18165 TCP TTL:128 TOS:0x0 ID:1765 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x25B6D61B Ack: 0x99745087 Win: 0xFAD7 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.402937 192.168.75.132:21 -> 192.168.75.1:18172 TCP TTL:128 TOS:0x0 ID:1773 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0xBF5B4C45 Ack: 0xDA331273 Win: 0xFAD6 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.406112 192.168.75.132:21 -> 192.168.75.1:18163 TCP TTL:128 TOS:0x0 ID:1774 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0xFACD91D4 Ack: 0x4E2AB86A Win: 0xFAC3 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457688
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.410141 192.168.75.132:21 -> 192.168.75.1:18161 TCP TTL:128 TOS:0x0 ID:1776 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0xB4C5B5D9 Ack: 0x941BD006 Win: 0xFABD TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457694
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.412618 192.168.75.132:21 -> 192.168.75.1:18162 TCP TTL:128 TOS:0x0 ID:1778 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x76C91E4C Ack: 0x68B77C89 Win: 0xFABE TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457694
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.416751 192.168.75.132:21 -> 192.168.75.1:18160 TCP TTL:128 TOS:0x0 ID:1781 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x6757B7B3 Ack: 0x998782DA Win: 0xFABE TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457694
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.418909 192.168.75.132:21 -> 192.168.75.1:18164 TCP TTL:128 TOS:0x0 ID:1782 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x5F3D1CC6 Ack: 0x94A27AC8 Win: 0xFABE TcpLen: 32 TCP Options (3) => NOP NOP TS: 13959 7457689
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.468487 192.168.75.132:21 -> 192.168.75.1:18157 TCP TTL:128 TOS:0x0 ID:1788 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x93FDAABE Ack: 0xE9CEC247 Win: 0xFAC2 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457695
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.469455 192.168.75.132:21 -> 192.168.75.1:18158 TCP TTL:128 TOS:0x0 ID:1789 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x16A54EB6 Ack: 0x9699367F Win: 0xFAC1 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457695
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.473143 192.168.75.132:21 -> 192.168.75.1:18159 TCP TTL:128 TOS:0x0 ID:1790 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x8BC57109 Ack: 0x446B6F08 Win: 0xFAC3 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457695
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.493255 192.168.75.132:21 -> 192.168.75.1:18166 TCP TTL:128 TOS:0x0 ID:1794 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x592A91B6 Ack: 0x9BD7641B Win: 0xFAC3 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.494762 192.168.75.132:21 -> 192.168.75.1:18165 TCP TTL:128 TOS:0x0 ID:1795 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x25B6D65B Ack: 0x997450A1 Win: 0xFABD TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.507888 192.168.75.132:21 -> 192.168.75.1:18171 TCP TTL:128 TOS:0x0 ID:1798 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x2CD4880C Ack: 0xC1BE317B Win: 0xFAC4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.521801 192.168.75.132:21 -> 192.168.75.1:18167 TCP TTL:128 TOS:0x0 ID:1801 IpLen:20 DgmLen:82 DF ***AP*** Seq: 0x7E0E5914 Ack: 0xACA12D27 Win: 0xFABE TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.529547 192.168.75.132:21 -> 192.168.75.1:18168 TCP TTL:128 TOS:0x0 ID:1803 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0x83A55DF Ack: 0x181F08A4 Win: 0xFAC2 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13960 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.552446 192.168.75.132:21 -> 192.168.75.1:18169 TCP TTL:128 TOS:0x0 ID:1818 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0x60A321AB Ack: 0x9185735E Win: 0xFABD TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.553536 192.168.75.132:21 -> 192.168.75.1:18170 TCP TTL:128 TOS:0x0 ID:1819 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0x1ABCC16E Ack: 0xE37C904 Win: 0xFABD TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457700
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.570539 192.168.75.132:21 -> 192.168.75.1:18172 TCP TTL:128 TOS:0x0 ID:1824 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0xBF5B4C86 Ack: 0xDA33128B Win: 0xFABE TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457701
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.571736 192.168.75.132:21 -> 192.168.75.1:18163 TCP TTL:128 TOS:0x0 ID:1825 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0xFACD9216 Ack: 0x4E2AB886 Win: 0xFAA7 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457702
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.587189 192.168.75.132:21 -> 192.168.75.1:18161 TCP TTL:128 TOS:0x0 ID:1830 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0xB4C5B61B Ack: 0x941BD01E Win: 0xFAA5 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457702
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.588047 192.168.75.132:21 -> 192.168.75.1:18162 TCP TTL:128 TOS:0x0 ID:1831 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0x76C91E8E Ack: 0x68B77CA6 Win: 0xFAA1 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457702
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.601831 192.168.75.132:21 -> 192.168.75.1:18160 TCP TTL:128 TOS:0x0 ID:1836 IpLen:20 DgmLen:91 DF ***AP*** Seq: 0x6757B7FC Ack: 0x998782F9 Win: 0xFA9F TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457703
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.605207 192.168.75.132:21 -> 192.168.75.1:18157 TCP TTL:128 TOS:0x0 ID:1839 IpLen:20 DgmLen:91 DF ***AP*** Seq: 0x93FDAB06 Ack: 0xE9CEC266 Win: 0xFAA3 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457708
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.606151 192.168.75.132:21 -> 192.168.75.1:18158 TCP TTL:128 TOS:0x0 ID:1840 IpLen:20 DgmLen:91 DF ***AP*** Seq: 0x16A54EFE Ack: 0x9699369E Win: 0xFAA2 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457708
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.607306 192.168.75.132:21 -> 192.168.75.1:18159 TCP TTL:128 TOS:0x0 ID:1841 IpLen:20 DgmLen:91 DF ***AP*** Seq: 0x8BC57151 Ack: 0x446B6F2B Win: 0xFAA0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457708
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.617737 192.168.75.132:21 -> 192.168.75.1:18166 TCP TTL:128 TOS:0x0 ID:1848 IpLen:20 DgmLen:91 DF ***AP*** Seq: 0x592A91FE Ack: 0x9BD7643A Win: 0xFAA4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457711
[**] [1:491:5] FTP Bad login [**] [Priority: 0] 01/04-10:19:34.619308 192.168.75.132:21 -> 192.168.75.1:18165 TCP TTL:128 TOS:0x0 ID:1849 IpLen:20 DgmLen:91 DF ***AP*** Seq: 0x25B6D6A3 Ack: 0x997450C5 Win: 0xFA99 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13961 7457711
```
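As an added example (not part of the original page, and not Snort's own code), the following Python parses records in the full alert format shown above and applies the two checks a practitioner would make on this output: a sliding-window count of alerts per client host, which is a simplified model of what Snort's detection_filter option (used in the page's DoS rule) does, and the number of distinct client ports per host. The sample records are constructed to resemble the page's output rather than copied from it, the year 2000 in the parsed timestamps is an assumed placeholder, and the threshold of 5 alerts in 60 seconds is an arbitrary choice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Header of one record in Snort's "full" alert format (the layout of alert.ids
# above). Whitespace is matched loosely so records that were run together on a
# single line, as happens when the log is pasted into a web page, still parse.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r"\s*\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.S,
)

def parse_ts(ts):
    # Snort timestamps carry no year; 2000 is an assumed placeholder (a leap
    # year, so 02/29 parses) and only differences between timestamps are used.
    return datetime.strptime("2000/" + ts, "%Y/%m/%d-%H:%M:%S.%f")

def parse_alerts(text):
    """Return one dict per alert record found in text."""
    return [
        {
            "sid": int(m["sid"]), "msg": m["msg"], "time": parse_ts(m["ts"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        }
        for m in ALERT_RE.finditer(text)
    ]

def rate_exceeded(alerts, track="dst", count=5, seconds=60):
    """Simplified model of `detection_filter: track by_<track>, count N, seconds M`.
    Returns (host, time) for every alert that is the count-th or later alert for
    that host inside a sliding window of `seconds` ending at the alert."""
    windows = defaultdict(deque)
    hits = []
    for a in sorted(alerts, key=lambda a: a["time"]):
        q = windows[a[track]]
        q.append(a["time"])
        while (a["time"] - q[0]).total_seconds() > seconds:
            q.popleft()            # drop alerts that fell out of the window
        if len(q) >= count:
            hits.append((a[track], a["time"]))
    return hits

def parallel_sessions(alerts):
    """Distinct client ports per client host: a guesser running N parallel
    connections shows up as N different destination ports for the same host."""
    ports = defaultdict(set)
    for a in alerts:
        ports[a["dst"]].add(a["dport"])
    return {host: len(p) for host, p in ports.items()}

# Constructed sample in Snort's full-alert layout (modelled on the page's
# output, not copied from it); TCP sequence numbers are dummies.
def _record(ts, dst, dport, ip_id):
    return (
        f"[**] [1:491:5] FTP Bad login [**]\n[Priority: 0]\n"
        f"{ts} 192.168.75.132:21 -> {dst}:{dport}\n"
        f"TCP TTL:128 TOS:0x0 ID:{ip_id} IpLen:20 DgmLen:82 DF\n"
        f"***AP*** Seq: 0x0 Ack: 0x0 Win: 0xFADA TcpLen: 32\n"
        f"TCP Options (3) => NOP NOP TS: 13957 7457681\n\n"
    )

SAMPLE_ALERTS = "".join([
    # six failed logins to one client within a quarter of a second, over six ports
    _record("01/04-10:19:34.252082", "192.168.75.1", 18157, 1743),
    _record("01/04-10:19:34.255330", "192.168.75.1", 18158, 1744),
    _record("01/04-10:19:34.256494", "192.168.75.1", 18159, 1745),
    _record("01/04-10:19:34.264285", "192.168.75.1", 18160, 1746),
    _record("01/04-10:19:34.265182", "192.168.75.1", 18161, 1747),
    _record("01/04-10:19:34.265906", "192.168.75.1", 18162, 1748),
    # one failed login from a different client: a typo, not a brute force
    _record("01/04-10:19:34.300000", "192.168.75.7", 40001, 1749),
    # one more from the first client minutes later: outside any 60 s window
    _record("01/04-10:25:01.000000", "192.168.75.1", 18200, 1900),
])

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed")
    for host, when in rate_exceeded(alerts, track="dst", count=5, seconds=60):
        print(f"threshold exceeded for {host} at {when.time()}")
    print("parallel sessions:", parallel_sessions(alerts))
```

On the page's own alert.ids the second check gives 16 ports (18157 to 18172) for 192.168.75.1, which matches Hydra's default of 16 parallel tasks, and 41 bad logins in under 0.4 s from one client is exactly what a count/seconds filter should be keyed on. The tracking is by_dst here because sid 491 fires on the server's reply, so the guessing client is the destination of the alert, not its source.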
Rules file
```
# ARP Spoofing
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.47.200 00:0C:29:0F:71:A3

# Signature Detection
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF";sid:10000)
alert tcp any any -> any any (content:"%PDF"; msg:"PDF";sid:10001)
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG";sid:10002)
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP";sid:10003)

# Port Scan Detection
preprocessor sfportscan:\
    proto { all } \
    scan_type { all } \
    sense_level { high } \
    logfile { portscan.log }

# Converted Format Detection
alert tcp any any -> any 25 (content:"/9j/4AAQSkZJRgABAQEA"; msg:"Ehealth graphic";sid:10005)
alert tcp any any -> any 25 (content:"image/gif"; msg:"GIF in email";sid:10006)

# DoS Flood Detection
alert tcp any any -> any 80 (msg:"DOS flood denial of service attempt";flow:to_server; \
    detection_filter:track by_dst, count 60, seconds 60; \
    sid:25101; rev:1;)

# Bad FTP Login Detection
alert tcp any 21 -> any any (msg:"FTP Bad login"; content:"530 User "; nocase; flow:from_server,established; sid:491; rev:5;)

# Detecting email addresses in an email
alert tcp any any <> any 25 (pcre:"/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]/"; \
    msg:"Email in message";sid:9000000;rev:1;)

# Detecting credit card details
alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"MasterCard number detected in clear text";content:"number";nocase;sid:9000003;rev:1;)
alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; \
    msg:"American Express number detected in clear text";content:"number";nocase;sid:9000004;rev:1;)
alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"Visa number detected in clear text";content:"number";nocase;sid:9000005;rev:1;)

# Some additional pre-processor things
preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    track_icmp no, \
    max_tcp 262144, \
    max_udp 131072, \
    max_active_responses 2, \
    min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
    161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
    7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 591 593 631 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
    7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
    7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000 50002 55555
preprocessor stream5_udp: timeout 180
```
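The three credit-card rules in the rules file above are worth testing in isolation. The following Python is an added example, not code from the page or from Snort: it runs the page's own PCRE bodies over constructed payloads, applies the content:"number"; nocase precondition the rules also carry (Snort ANDs every option in a rule), and adds a Luhn checksum to separate digit runs that merely fit the pattern from numbers that could be real cards. The card numbers in the payloads are the public test values, not real cards.

```python
import re

# PCRE bodies copied from the three credit-card rules in the rules file above
CARD_RULES = {
    "MasterCard": r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}",
    "American Express": r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}",
    "Visa": r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}",
}

def luhn_ok(digits):
    """Luhn checksum over a string of digits. Every issued card number passes
    it, so it rejects most random or invented 15/16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def match_card_rules(payload, content="number"):
    """Emulate the page's three rules on one payload. The content:"number";
    nocase option must match somewhere in the payload before any pcre counts.
    Returns (rule name, matched text, passes Luhn) for each pcre match."""
    if content.lower() not in payload.lower():
        return []
    hits = []
    for name, pattern in CARD_RULES.items():
        for m in re.finditer(pattern, payload):
            digits = re.sub(r"\D", "", m.group(0))
            hits.append((name, m.group(0), luhn_ok(digits)))
    return hits

# Constructed payloads; the card numbers are the well-known test numbers.
SAMPLE_PAYLOADS = [
    "Card number: 4111 1111 1111 1111",          # Visa test number, Luhn-valid
    "Card number: 5500-0000-0000-0004",          # MasterCard test number, Luhn-valid
    "Card number: 3782 822463 10005",            # American Express test number, Luhn-valid
    "Order number 5123-4567-8901-2345 shipped",  # 16 digits starting with 5: pcre fires, Luhn fails
    "Invoice total 4111 1111 1111 1111",         # no "number" in the payload: rule cannot fire
]

def scan(payloads):
    """Run every payload through the rules; returns {payload: hits}."""
    return {p: match_card_rules(p) for p in payloads}

if __name__ == "__main__":
    for payload, hits in scan(SAMPLE_PAYLOADS).items():
        print(payload)
        for name, text, valid in hits:
            print(f"  {name}: {text!r} luhn={'ok' if valid else 'FAIL'}")
```

Two caveats follow from the output. Any 16-digit run beginning with 5 or 4, or 15-digit run beginning with 3, fires the pcre whether or not it is a valid number (the American Express pattern also accepts prefixes other than 34 and 37), and a payload that carries a card number but not the word "number" is never reported. A Luhn check cannot be written into a Snort rule, so it belongs in post-processing of the alert rather than in place of it.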
Examples
Snort can also be run as a stand-alone analyser on a saved capture with the "-r" option, which reads packets from a pcap file instead of a live interface. The following traces can be loaded into the analyser:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Trace with Teardrop DoS
- Trace with BitTorrent