Saturday, December 11, 2010

Writing Snort Rules

by Kishin Fatnani

Snort, as you probably know, is a tool used to detect intrusions on a network. It can also be used for packet logging, sniffing or as an IPS, but in this article we will look at the rules by which Snort detects the traffic that is interesting to us: the kind of traffic we are looking for, such as a network attack, a policy violation, or perhaps traffic from a network application or device that we are troubleshooting. For instance, if someone runs an XMAS port scan against our network using nmap with the -sX option, Snort gives us the following alert message.

[**] [1:2000546:6] ET SCAN NMAP -f -sX [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/15-08:51:46.970325 192.168.0.111:62202 -> 192.168.0.1:132
TCP TTL:53 TOS:0x0 ID:28031 IpLen:20 DgmLen:40
**U*P**F Seq: 0xD70FB1F3 Ack: 0x0 Win: 0x800 TcpLen: 20 UrgPtr: 0x0
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP][Xref => http://doc.emergingthreats.net/2000546]
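As an added example (not from the article or the Snort project), here is a small Python parser for the full-format alert shown above: it pulls out the generator/signature/revision ids, endpoints and cross-references, and decodes Snort's "12UAPRSF" flag column so a script can confirm that the alert really carries the FIN, PSH and URG combination an nmap -sX scan sends. The sample alert text is reassembled from the lines on this page.

```python
import re
# Constructed sample: the article's alert reassembled as Snort prints it
SAMPLE_ALERT = """[**] [1:2000546:6] ET SCAN NMAP -f -sX [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/15-08:51:46.970325 192.168.0.111:62202 -> 192.168.0.1:132
TCP TTL:53 TOS:0x0 ID:28031 IpLen:20 DgmLen:40
**U*P**F Seq: 0xD70FB1F3 Ack: 0x0 Win: 0x800 TcpLen: 20 UrgPtr: 0x0
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP][Xref => http://doc.emergingthreats.net/2000546]
"""

# Snort's flag column is laid out "12UAPRSF" (two reserved bits, then URG,
# ACK, PSH, RST, SYN, FIN); '*' marks a clear bit, the letter a set one.
FLAG_LAYOUT = "12UAPRSF"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: ")
XREF_RE = re.compile(r"\[Xref => (.*?)\]")

def decode_flags(column):
    """'**U*P**F' -> {'U', 'P', 'F'}; reserved bits come back as '1'/'2'."""
    if len(column) != 8:
        raise ValueError("flag column must be 8 characters: %r" % column)
    return {name for name, ch in zip(FLAG_LAYOUT, column) if ch != "*"}

def is_xmas(flags):
    """FIN+PSH+URG with no SYN/ACK/RST: the combination nmap -sX sends."""
    return {"U", "P", "F"} <= flags and not flags & {"S", "A", "R"}

def parse_alert(text):
    """Parse one full-format Snort alert: 5 fixed lines plus optional Xrefs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 5:
        raise ValueError("expected at least the 5 fixed alert lines")
    header, klass, conn = (HEADER_RE.match(lines[0]), CLASS_RE.match(lines[1]),
                           CONN_RE.match(lines[2]))
    tcp = TCP_RE.match(lines[4])  # lines[3] is the IP header summary
    if not (header and klass and conn and tcp):
        raise ValueError("unrecognised alert layout")
    flags = decode_flags(tcp.group(1))
    return {
        "gid": int(header.group(1)), "sid": int(header.group(2)),
        "rev": int(header.group(3)), "msg": header.group(4),
        "classification": klass.group(1), "priority": int(klass.group(2)),
        "src": (conn.group(2), int(conn.group(3))),
        "dst": (conn.group(4), int(conn.group(5))),
        "flags": flags, "xmas": is_xmas(flags),
        "xrefs": [x for ln in lines[5:] for x in XREF_RE.findall(ln)],
    }
```

Feeding the alert from the article through parse_alert(SAMPLE_ALERT) yields sid 2000546, flags {'U', 'P', 'F'} and xmas True; a SYN-ACK column such as "***A**S*" decodes to {'A', 'S'} and is not flagged.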

If the use of P2P or IM applications is against the corporate policy, Snort can detect their use on the network and provide alerts with messages similar to these:


To read the complete article, download the magazine from here:
http://hakin9.org/magazine/1576-hakin9-starterkit-snort-exposed

Monday, December 6, 2010


Interest in information security, or maybe hacking, seems to be really growing in India. Immediately after the first malware conference ended in Mumbai, another conference, 'ClubHack', commenced in Pune. ClubHack is not new: it is India's first hacking convention and this was its 4th year. It's one of my favourite events and I make sure to attend every year; however, this year I could only attend the technical briefings and missed the workshops and panel discussions.

The briefings surely had enough good quality stuff to make it worth travelling all the way to Pune. It was great to learn about Android issues from an expert who has developed the most popular Android app, 'Antivirus Free'. The session on Firefox security was also an eye-opener, making us understand how easy it is to write a malicious extension for the browser, and how even easier it is to get one installed. Another interesting presentation was about cloud computing for forensics, in which it was demonstrated how to make the time-consuming tasks in forensic analysis quicker, and that too at a highly reduced cost.

Rohit and his team have been doing a fabulous job of conducting the conference each year and regularly publishing the ClubHack Magazine.

Saturday, December 4, 2010


'Malcon' is the name of the first ever malware conference, which was held in Mumbai in Dec 2010. I was very excited when I heard about this conference and immediately decided to attend. The number of people that showed up for this conference was beyond my expectation and surprised me a lot; though it can in no way be compared with the crowd I've seen at DefCon, for a newcomer it was a great success. The audience was a mix of students, security pros, government officials, teachers, cops and maybe the real bad guys too. There were a couple of pre-conference workshops, of which I attended the malware analysis workshop by Atul Alex. It was good to hear all the low-level stuff like assembly instructions, opcodes, interrupts etc. and see a demonstration of writing malware.

Atul Alex also presented a paper at the conference, about taking over control of Symbian phones, which was an eye-opener. The other presentations were also quite good, and so was the panel discussion at the end of the conference. One of the panelists was Alok Vijayant, Director, NTRO, who has been backing the organizers of most of the security conferences and encouraging the young Indian hackers. He believes that having the best protection is not enough; we also need to have the capability to attack back. While the conference has done a good job of making people aware of malware capabilities and how malware is created, there is also a risk of people getting the wrong message or misusing their skills. It is actually debatable whether such conferences will help the nation by spreading awareness and building better skills, or create more malware, making it difficult for the entire world to cope with. Well, I would hope for the better, but it will have some kind of side effects too.

During the panel discussion, a teacher stood up and said that now she can give a green signal to her students to GO AND HACK, though the panelists explained to her the right way to go about it. There was another interesting question about reporting a vulnerability on some government website: if someone finds a vulnerability on a website, that means he might be trying to attack the site or must have done something he was not supposed to be doing; in that case, will he be arrested for the misconduct or rewarded for reporting the bug? The participant gave the example of the EVM machines. Taking the case of downloading data using SQL injection, which the participant mentioned, the panelist answered that if he downloads the data then he is at fault, so he should just report the SQL injection vulnerability. This seemed perfectly fine to me while I was there, but then I thought: if he was testing a DoS attack, it can be detected only if there is actually a denial of some service, unlike SQL injection, where an alert message will prove that the vulnerability exists. What will happen in that case?

Well, to end this note, I would just say Malcon was great, I enjoyed being there, and I hope we see it happening every year and always growing. I also hope that the government always supports such events, and that Alok is always part of it.