Saturday, December 11, 2010

Writing Snort Rules

by Kishin Fatnani

Snort, as you probably know, is a tool used to detect intrusions on a network. Although it can also be used for packet logging, sniffing or as an IPS, in this article we will look at the concept of rules, the mechanism by which Snort detects the traffic we are interested in: a network attack, a policy violation, or perhaps traffic from a network application or device that you are troubleshooting. For instance, if someone runs an XMAS port scan against our network using nmap with the -sX option, Snort will give us the following alert message.

[**] [1:2000546:6] ET SCAN NMAP -f -sX [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/15-08:51:46.970325 192.168.0.111:62202 -> 192.168.0.1:132
TCP TTL:53 TOS:0x0 ID:28031 IpLen:20 DgmLen:40
**U*P**F Seq: 0xD70FB1F3 Ack: 0x0 Win: 0x800 TcpLen: 20 UrgPtr: 0x0
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP][Xref => http://doc.emergingthreats.net/2000546]
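As an added example (not from the article and not Snort's own code), here is a small Python parser for the full-format alert record shown above. It pulls out the generator/signature/revision ids, message, classification, addresses and the eight-column TCP flag string, and decodes the flags so that the URG+PSH+FIN combination of an nmap -sX scan can be checked programmatically; the sample record is a re-typed copy of the alert on this page.

```python
import re

# Constructed test input: the alert shown above, in Snort's "full" alert
# format (one record, lines as Snort writes them to the alert file).
SAMPLE_ALERT = """\
[**] [1:2000546:6] ET SCAN NMAP -f -sX [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/15-08:51:46.970325 192.168.0.111:62202 -> 192.168.0.1:132
TCP TTL:53 TOS:0x0 ID:28031 IpLen:20 DgmLen:40
**U*P**F Seq: 0xD70FB1F3 Ack: 0x0 Win: 0x800 TcpLen: 20 UrgPtr: 0x0
"""

# Snort prints TCP flags in eight fixed columns "12UAPRSF": two reserved
# (ECN) bits, then URG ACK PSH RST SYN FIN. A '*' means the bit is clear.
FLAG_COLUMNS = "12UAPRSF"
XMAS_FLAGS = {"U", "P", "F"}   # the combination nmap -sX sets

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")


def parse_flags(column: str) -> set:
    """Turn Snort's 8-column flag string (e.g. '**U*P**F') into flag letters."""
    return {name for name, ch in zip(FLAG_COLUMNS, column) if ch != "*"}


def parse_alert(record: str) -> dict:
    """Parse one full-format Snort alert record into a dict of fields."""
    fields = {}
    for line in record.splitlines():
        if m := HEADER_RE.match(line):
            fields.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
        elif m := CLASS_RE.match(line):
            fields.update(classification=m[1], priority=int(m[2]))
        elif m := ADDR_RE.match(line):
            fields.update(timestamp=m[1], src=m[2], src_port=int(m[3]),
                          dst=m[4], dst_port=int(m[5]))
        elif m := FLAGS_RE.match(line):
            fields["flags"] = parse_flags(m[1])
    return fields


def is_xmas_scan(alert: dict) -> bool:
    """True when the logged TCP flags are exactly the nmap -sX combination."""
    return alert.get("flags") == XMAS_FLAGS
```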

If the use of P2P or IM applications is against the corporate policy, Snort can detect their use on the network and provide alerts with messages similar to these:


To read the complete article, download the magazine from here:
http://hakin9.org/magazine/1576-hakin9-starterkit-snort-exposed
