Snort IDS for Hackers, Part 06: Configuring Snort to Detect the SolarWinds/Sunburst Backdoor

Welcome back, my aspiring cyberwarriors!

In recent weeks I’m certain you have heard about the SolarWinds/Sunburst hack. Just to review, Russian state-sponsored actors hacked into the SolarWinds update server and installed malware into the software updates. As a result, everyone who received the March 2020 update now has a Russian backdoor on their system. This includes nearly every US government department and many major corporations.

The concept of using a software update for installing malware is not new. When the US hacked the Iranian uranium enrichment facility in 2010 with Stuxnet, they used software updates to install the malware. For more on using software updates for installing malware, check out my tutorial on EvilGrade here.

Now that many of us are addressing this Russian backdoor on our networks, we at least want to be able to detect it. Snort is an IDS that detects and alerts on suspicious activity on your network. Let’s use it to detect whether the backdoor from the SolarWinds hack is communicating from your network.

Step #1: Install Snort on Your System

If you don’t already have Snort installed on your network, you can download it from nearly any of the Linux repositories. In addition, you can download it directly from Snort here. If you are installing snort for the first time, follow my tutorial here.

Step #2: Open the Snort Rules File

Next, we need to open the Snort rules file. You can find it at /etc/snort/rules/community.rules. You can use any text editor.

Step #3: Copy this Rule to Your Rules File

With your community rules file open, copy the following rule into the file (make sure the quotes are straight ASCII quotes, not the curly quotes a web browser may substitute, or Snort will refuse to load the rule).

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.Sunburst"; content:"deftsecurity.com"; sid:77600853; rev:1;)

Now, save your community.rules file and close your text editor.
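To see what this rule actually does before trusting it in production, here is an added example (not part of the original tutorial and not Snort's own code): a small Python parser that splits the rule above into its header and option list, checks that the required msg, sid and rev options are present, rejects the typographic quotes that break copied rules, and then applies the same case-sensitive substring test that a `content:` option performs, against two payloads constructed here for illustration. It understands only the subset of rule syntax used by this rule, not the full Snort rule language.

```python
"""Parse a Snort rule and run its content: match against constructed payloads.

Added example, not code from the original tutorial or from the Snort project.
It handles only the subset of rule syntax used by the tutorial's rule.
"""
import re

# The rule from the tutorial, with straight ASCII quotes.
RULE = ('alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.Sunburst"; '
        'content:"deftsecurity.com"; sid:77600853; rev:1;)')

# Header: action, protocol, source addr/port, direction, destination addr/port,
# followed by the parenthesised option list.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(rule):
    """Return (header dict, list of (option, value) pairs) or raise ValueError."""
    # Curly quotes copied from a web page are the most common reason a rule
    # fails to load; reject them explicitly.
    if any(ch in rule for ch in '\u201c\u201d\u2018\u2019'):
        raise ValueError('rule contains typographic quotes; use straight " quotes')
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('rule header is malformed')
    header = {k: m.group(k)
              for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = []
    # Options are "key:value;" pairs. This simple split does not handle a ';'
    # inside a quoted content string, which this rule does not contain.
    for opt in m.group('opts').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(':')
        options.append((key.strip(), value.strip().strip('"')))
    present = dict(options)
    for required in ('msg', 'sid', 'rev'):
        if required not in present:
            raise ValueError(f'rule is missing required option {required!r}')
    return header, options


def rule_matches(options, payload):
    """Apply every content: option as a case-sensitive substring test on the
    raw payload bytes, which is what Snort does without the nocase modifier.
    Every content pattern in the rule must be found for the rule to fire."""
    patterns = [v.encode() for k, v in options if k == 'content']
    return bool(patterns) and all(p in payload for p in patterns)


# Constructed sample payloads (not captured traffic): a plaintext HTTP request
# whose Host header names the indicator domain, and an unrelated request.
SUSPECT_PAYLOAD = b'GET /update HTTP/1.1\r\nHost: deftsecurity.com\r\n\r\n'
BENIGN_PAYLOAD = b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n'


def check_payloads():
    """Parse RULE and report which constructed payload would trigger it."""
    header, options = parse_rule(RULE)
    results = {name: rule_matches(options, payload)
               for name, payload in (('suspect', SUSPECT_PAYLOAD),
                                     ('benign', BENIGN_PAYLOAD))}
    return header, dict(options), results


if __name__ == '__main__':
    header, opts, results = check_payloads()
    print('header :', header)
    print('options:', opts)
    for name, hit in results.items():
        print(f'{name:8}', f'ALERT {opts["msg"]}' if hit else 'no match')
```

Two points the example makes visible: the rule inspects every TCP payload on any port, so it costs inspection time on all traffic, and it is a plain byte match, so on TLS connections it can only fire where the domain still appears in cleartext (the SNI field of the ClientHello or a certificate), not inside the encrypted stream. Before restarting Snort for real, `snort -T -c /etc/snort/snort.conf` loads the configuration in test mode and reports any rule parse error without starting detection.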

Step #4: Re-Start Snort

Finally, restart Snort. Your rule is now active and will alert on any TCP traffic that contains this indicator of the Russian backdoor on your network!


Summary

The SolarWinds hack is among the most dangerous hacks in history! If you suspect you might be a victim of this compromise, you can use Snort to detect the backdoor.
