top of page
Search
  • Writer's pictureotw

Snort Basics for Hackers, Part 6: Configuring Snort to Detect the SolarWinds/Sunburst Backdoor

Updated: Dec 28, 2022

Welcome back, my aspiring cyberwarriors!


In recent weeks I'm certain you have heard about the SolarWinds/Sunburst hack. Just to review, Russian state-sponsored actors hacked into the SolarWinds update server and installed malware into the software updates. As a result, everyone who received the March 2020 update, now has a Russian backdoor on their system. This includes nearly every US government department and many major corporations.



The concept of using a software update for installing malware is not new. When the US hacked the Iranian uranium enrichment facility in 2010 with Stuxnet, they used software updates to install the malware. For more on using software updates for installing malware, check out my tutorial on EvilGrade here.


Now that many of us are addressing this Russian backdoor on our networks, we probably want to at least be able to detect it. Snort is an IDS for detecting and alerting on suspicious activity on your network. Let's use it to detect whether you have a Russian backdoor from the SolarWinds hack on your network.


Step #1: Install Snort on Your System


If you don't already have Snort installed on your network, you can download it from nearly any of the Linux repositories. In addition, you can download it directly from Snort here. If you are installing snort for the first time, follow my tutorial here.


Step #2 Open the Snort Rules File


Next, we need to open the Snort rules file. You can find it at etc/snort/rules/community.rules. You can use any test editor.




Step #3: Copy this Rule to Your Rules File


With you community rules file open, copy the following rule into this file.


alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.Sunburst"; content:"deftsecurity.com"; sid:77600853; rev:1;)


Now, save your community.rules file and close your text editor.


Step #4: Re-Start Snort


Finally, restart snort and your rule will be activated and looking for activity of this Russian backdoor on your system!





Summary


The SolarWinds hack is among the most dangerous hacks in history! If you suspect you might be a victim of this compromise, you can use Snort to detect the backdoor.

704 views1 comment

Recent Posts

See All

1 Comment


astriddavina54
astriddavina54
Jan 03, 2023

Do you suspect your spouse of cheating, are you being overly paranoid or seeing signs of infidelity…Then he sure is cheating: I was in that exact same position when I met Henry through my best friend James who helped me hack into my boyfriend’s phone, it was like a miracle when he helped me clone my boyfriend’s phone and I got first-hand information from his phone. Now I get all his incoming and outgoing text messages, emails, call logs, web browsing history, photos and videos, instant messengers(facebook, whatsapp, bbm, IG etc) , GPS locations, phone taps to get live transmissions on all phone conversations. if you need help contact his gmail on , Henryclarkethicalhacker@gmail.com, and you can also , whatsap…


Like
bottom of page