
Entries in Snort (2)


Network Challenge - 001 - Linux

One of my favorite sites is "Malware Traffic Analysis" where the author routinely posts network challenges. In the spirit of contributing to this effort of providing material for analysts to sharpen their skills, I developed a challenge focused on a popular scenario I often come across in research and other analysis efforts. As a heads up, any malware you may come across in the analysis of this PCAP is in fact real malware. Please take care in how you analyze.

When reviewing this PCAP and writing your response please keep in mind what you would really want in an investigation. The questions I ask at the end of this article are intentionally vague, as I didn't want to give too much away with the questions. What I am hoping to see in responses is that the analysts are able to adequately tell a story of what likely occurred, identify network and host indicators that can help further scope this incident, and write detection rules in the detection languages of their choice to find future instances of this activity. 


The due date for submissions is September 25, 2016. Enjoy!


Client provides a PCAP containing all the traffic they have from a victim Linux server. A Snort signature alerted on files downloaded from an HFS server. The client has no other context to provide beyond the Snort signature that alerted, shown here:

alert tcp any any -> any any (msg:"HFS [File Download]";flow:to_client,established; content:"HFS 2.";distance:0; content:"HFS_SID="; classtype:suspicious; sid:999999; rev:1;)


  1. Determine what likely occurred based on the evidence from the PCAP.
  2. Identify any network and/or host artifacts that could be used to scope this incident further.
  3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity. 
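To make the rule's matching behaviour concrete before you start writing your own signatures, here is an added example (not part of the original challenge post, and not the author's code) that models the two content matches of the rule above in Python and runs them over a handful of constructed HTTP responses. It assumes what the rule itself implies: an HFS (Rejetto HTTP File Server) response carries a "Server: HFS 2.x" banner and sets an "HFS_SID=" session cookie. The sample payloads, cookie values and paths are made up for the demonstration. A second, header-aware check is included to show where a raw payload match can fire on a page that merely mentions those strings in its body.

```python
"""Reference model of the HFS Snort rule's content matching (added example).

Assumptions (constructed for this example, not taken from the PCAP):
  - an HFS server answers with a "Server: HFS 2.x" header and a
    "Set-Cookie: HFS_SID=..." session cookie, which is what the rule keys on;
  - the sample responses below are hand-written, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    """One TCP payload as the sensor sees it, with the flow state Snort tracks."""
    to_client: bool      # server -> client direction (flow:to_client)
    established: bool    # three-way handshake seen (flow:established)
    payload: bytes


def raw_rule_match(r: Response) -> bool:
    """Payload-level equivalent of the challenge rule.

    Both byte patterns must appear somewhere in an established, server->client
    payload. Neither content is anchored to the HTTP header block, so a match
    in the response body counts just as much as a match in the headers.
    """
    if not (r.to_client and r.established):
        return False
    return b"HFS 2." in r.payload and b"HFS_SID=" in r.payload


def parse_headers(payload: bytes) -> Optional[Dict[str, List[str]]]:
    """Split an HTTP/1.x response into a lower-cased header map.

    Returns None if the payload has no status line or no header terminator,
    so non-HTTP data (or a continuation segment) is never mistaken for headers.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/1."):
        return None
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def header_rule_match(r: Response) -> bool:
    """Stricter variant: the HFS banner must be the Server header and the
    session cookie must be in a Set-Cookie header, not anywhere in the body."""
    if not (r.to_client and r.established):
        return False
    h = parse_headers(r.payload)
    if h is None:
        return False
    server_ok = any(v.startswith("HFS 2.") for v in h.get("server", []))
    cookie_ok = any("HFS_SID=" in v for v in h.get("set-cookie", []))
    return server_ok and cookie_ok


# Constructed sample traffic (not from the challenge PCAP).
SAMPLES: Dict[str, Response] = {
    # HFS directory listing: the rule fires even though nothing was downloaded.
    "hfs_listing": Response(True, True,
        b"HTTP/1.1 200 OK\r\nServer: HFS 2.3\r\n"
        b"Set-Cookie: HFS_SID=0.111111; path=/\r\n"
        b"Content-Type: text/html\r\n\r\n<html>listing</html>"),
    # HFS serving a binary: the case the rule's msg actually describes.
    "hfs_download": Response(True, True,
        b"HTTP/1.1 200 OK\r\nServer: HFS 2.3\r\n"
        b"Set-Cookie: HFS_SID=0.222222; path=/\r\n"
        b"Content-Type: application/octet-stream\r\n\r\n\x7fELF..."),
    # Ordinary web page whose body merely talks about HFS: raw match is a false positive.
    "body_mentions_hfs": Response(True, True,
        b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
        b"<p>Get HFS 2.3 here. The HFS_SID= cookie is a session id.</p>"),
    # Client -> server request: wrong direction, the rule must not fire.
    "client_request": Response(False, True,
        b"GET /file.bin HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Cookie: HFS_SID=0.222222\r\nUser-Agent: HFS 2.x tester\r\n\r\n"),
}


def evaluate(samples: Dict[str, Response]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (raw rule result, header-aware result)} for each sample."""
    return {name: (raw_rule_match(r), header_rule_match(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (raw, strict) in evaluate(SAMPLES).items():
        print(f"{name:20s} raw={raw!s:5s} header-aware={strict}")
```

Two things worth carrying into your own signatures fall out of running this: the rule alerts on any HFS response the sensor sees, directory listings included, so the "File Download" in its msg is a promise the content matches do not keep, and an unanchored content match can fire on an unrelated page that happens to mention both strings. Pinning the matches to the header block (Suricata and Snort both offer the http_header content modifier for that) removes the second problem; tying the alert to the response Content-Type or to a specific URI would address the first.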


Feel free to submit your responses directly to NetChallenge[at]tekdefense.com or comment on this blog post with a link to your own article with a response. I'll review responses, and perhaps give out a few prizes to those with great writeups.


TekTip ep9 - Network Defense with The Security Onion

The Security Onion: created by Doug Burks
Description: Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Security Onion is THE distro for Network Monitoring in the same way that Backtrack is for pentesting.
Uses:  Malware analysis, signature development, honeynet/lab, home or small office.
1. Download iso and install.
*Need a GB of RAM per interface you are monitoring
**Installation is quick.  Less than 10 minutes
***Currently based on 10.04.  The roadmap shows a 64-bit build based on 12.04 should be out soon.
2. If using Quick Mode installation, TSO will monitor all interfaces
3. Monitor a network, or generate traffic.  You can find tons of pcaps to replay at: https://code.google.com/p/security-onion/wiki/Pcaps
tcpreplay -i eth0 -t /tmp/bittorent.pcap
-i :  use this option to select the interface to replay the traffic to.
-t:  use this option to replay the packets as fast as possible
Then select your pcap, cap, dump, or log file to replay.