snort-log

Challenge Text

  • Let's just say: we are absolutely screwed. The company network administrator recently deployed Snort on our network and immediately received 575 alerts in the log file. To put it lightly, every attack out there is infecting the network. Did you take the required Information Security training? Anyways, the company is going to file for bankruptcy because of this :(. We might as well do SOMETHING so that we can get hired elsewhere. The network administrator mentions to you that after finishing reviewing the log file, she also noticed the web server CPU load and memory usage were abnormally high. Also, what's up with all of this network traffic? Manual analysis stinks, but let's find out what this attack is and take action...
  • Put your answer in the flag format: jctf{INSERT STRING}

Hint

  • Seems like the extra network traffic is primarily inbound, not outbound.

Solution

  • Note the attack symptoms (abnormally high web server CPU and memory load, heavy and mostly inbound traffic) and determine that what Snort is alerting on is a DDoS botnet. (Botnet indicators - https://www.altexsoft.com/blog/botnet-detection/)
  • Search the alerts for the keyword DDoS; the matching signature is "ET TROJAN Drive DDoS Tool byte command received key=aut0m@t1on1sb3tt3r"
  • Flag: jctf{aut0m@t1on1sb3tt3r}
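The same triage done in code rather than by hand, as an added example that is not part of the original writeup: it parses Snort's single-line "fast" alert format, counts which signatures and sources fire most, filters for the DDoS keyword, and lifts the key= value into the flag format. The sample alert lines, their SIDs (local range) and IP addresses are constructed stand-ins for the real 575-line log.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines standing in for the challenge log.
# SIDs are in the local range and IPs are documentation addresses; none of
# these values come from the original log.
SAMPLE_ALERTS = """\
03/14-12:01:05.123456  [**] [1:1000001:1] ET SCAN Nmap Scripting Engine User-Agent Detected [**] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80
03/14-12:01:09.402211  [**] [1:1000002:1] ET TROJAN Drive DDoS Tool byte command received key=aut0m@t1on1sb3tt3r [**] [Priority: 1] {TCP} 203.0.113.5:44123 -> 192.0.2.10:80
03/14-12:01:09.511902  [**] [1:1000002:1] ET TROJAN Drive DDoS Tool byte command received key=aut0m@t1on1sb3tt3r [**] [Priority: 1] {TCP} 203.0.113.9:44301 -> 192.0.2.10:80
03/14-12:01:10.004417  [**] [1:1000003:1] ET WEB_SERVER Possible SQL Injection Attempt [**] [Priority: 1] {TCP} 198.51.100.7:51240 -> 192.0.2.10:80
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, src:port -> dst:port.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def signature_counts(alerts):
    """Which rule messages fire most: the first thing to look at in 575 alerts."""
    return Counter(a["msg"] for a in alerts)

def source_counts(alerts):
    """How many distinct sources are involved (many sources = botnet-like)."""
    return Counter(a["src"] for a in alerts)

def alerts_matching(alerts, keyword):
    """Case-insensitive keyword filter on the rule message, e.g. 'DDoS'."""
    return [a for a in alerts if keyword.lower() in a["msg"].lower()]

def extract_flag(alerts, keyword="DDoS"):
    """Pull the key=... token out of the first matching alert, in jctf{} format."""
    for a in alerts_matching(alerts, keyword):
        m = re.search(r"key=(\S+)", a["msg"])
        if m:
            return f"jctf{{{m.group(1)}}}"
    return None
```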

Credit