Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

Detection Engineering With Snort

Premium room

Build production-ready Snort detections: behaviour rules, tuning, suppression, and IOC lifecycle.

medium

60 min

761

User profile photo.
User profile photo.

To access material, start machines and answer questions login.

The Alert That Never Fired

In the first room of the Advanced Traffic Analysis Module, Traffic Analysis Pitfalls, we ended on a detection gap we could not close. The Nexus Financial Group watched 847 MB of Q4 finance data walk out over QUIC, and the sensors showed nothing. There was also another miss. For 48 hours before the exfiltration, WKST-FINANCE-04 was beaconing to 194.165.16.56 every 60 seconds. It was the same destination, the same interval, and a handful of bytes each time. A rule written for that pattern would have fired on day one, but nobody wrote it.

This room is about writing that rule, along with the rest of the rules we should have had in place.

Detection Engineering With Snort

The Snort room covered the basics of running Snort, including loading a config, reading a PCAP, and writing rule syntax. That is the starting point, and this room builds on it.

Detection engineering is the work that begins after the tool is running. We write rules that fire on what matters, keep them silent on what does not, tune them as the network changes, and validate that they still work next week. This is what separates a SOC that runs a downloaded ruleset from one that defends its own network on purpose.

Learning Objectives

In this room, we walk the intrusion chain phase by phase and write a detection rule for each one. By the end, our ruleset covers the following:

  • A behaviour-based C2 beacon rule
  • A DNS tunnelling rule that works on encrypted payloads
  • Thresholds and suppression to keep the ruleset quiet
  • A reputation blocklist loaded with Operation SILENT TRANSFER IOCs
  • A tested local.rules file ready to ship

Prerequisites

Before starting, we assume familiarity with the following rooms and topics:

A note on versions: the Snort room teaches Snort 2.9, whereas this room uses Snort 3. The rule syntax carries over. The config file is now snort.lua instead of snort.conf, and preprocessors are called inspectors. Task 2 covers the differences where it matters.

Lab Setup

The VM comes with Snort 3 installed, the config already in place, and the per-task lab files staged under /home/ubuntu/lab/. Each task adds a rule to the detection pack we are building, and by the end, we have a complete ruleset for the incident.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
Lab machine
Status:Off

Deploy the , give it a minute to initialise, and we are ready to start.

Answer the questions below

I have deployed the VM, and I am ready to engineer detections.