DMC ITSY 2430 - Writing Snort Rules
Writing Snort Rules
A quick guide
Brian Caswell

Outline of the deck
  The life of a packet through Snort's detection engine
  Writing Snort Rules; More process; Even more process
  Rule Format: basic rule; Action; Custom Actions; Protocol; IP Address; Port; Direction; ... Oh yeah, variables; Body
  Meta-Data keywords
  Payload; Complicated Payload Options; Broken Payload Keywords
  Non-Payload options (several slides)
  The complicated options: Distance; Within; Isdataat; Byte Test; Byte Jump (each over several slides)
  PCRE: PCRE Format; PCRE basic options; PCRE options (PCRE specific); PCRE options (Snort specific); PCRE Regex metacharacters; PCRE patterns (several slides); PCRE Quantifiers; PCRE Example (regex, character classes, remove command, remove : and ;, remove evasion, remove false positives); PCRE completed example
  The required bits
  A few notes

Slide 2: The life of a packet through Snort's detection engine
(diagram only; no text in the preview)

Slide 3: Writing Snort Rules
• Figure out what is "bad"
• Capture traffic that includes the "bad stuff"
• Learn the protocol
• Figure out why the "bad stuff" is bad
• Write a rule
• Test the rule

Slides 4 and 5: More process / Even more process
• Rewrite the rule
• Test the rule
(this pair is repeated eight times on each of the two slides)

Slide 6: Rule Format - basic rule
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

Slide 7: Rule Format - Action
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Tells snort what the rule does
  – In our product: alert, pass
  – In snort: alert, log, pass, activate, dynamic
  – In snort-inline: alert, log, pass, activate, dynamic, drop, sdrop

Slide 8: Rule Format - Custom Actions
• Not supported in product
  ruletype suspicious
  {
      type log
      output log_tcpdump: suspicious.log
  }
  suspicious tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

Slide 9: Rule Format - Protocol
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Tells snort to look for a specific protocol
• Acceptable protocols:
  – TCP
  – UDP
  – ICMP
  – IP

Slide 10: Rule Format - IP Address
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Examples:
  10.1.1.1 – duh
  10.1.1.0/24 – 10.1.1.0 through 10.1.1.255
  !10.1.1.0/24 – anything but 10.1.1.0 through 10.1.1.255
  [10.1.0.0/24,10.2.0.0/24] – 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255
  ![10.1.0.0/24,10.2.0.0/24] – anything but 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255

Slide 11: Rule Format - Port
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Examples:
  any
  80
  1:1023 – 1 through 1023 (inclusive)
  :1023 – less than or equal to 1023
  10: – greater than or equal to 10
  !53 – not 53
  !53:100 – not 53 through 100 (inclusive)
  NOTE: NO PORT LISTS. 80,8080 IS NOT VALID!!!!

Slide 12: Rule Format - Direction
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
  -> – From the first IP/Port to the second IP/Port
  <> – From the first IP/Port to the second IP/Port OR from the second IP/Port to the first IP/Port

Slide 13: Rule Format - ... Oh yeah, variables
  var EXTERNAL_NET any
  var HTTP_PORTS 80
  var SMTP_SERVERS 10.1.1.1
  alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS

Slide 14: Rule Format - Body
  alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Meat of the detection capabilities
• Key value pairs (key:value;)
• Types of keywords:
  – meta-data
  – payload
  – non-payload
  – post-detection

(The preview ends here.)
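As an added illustration (not part of the slides or of Snort itself), the following Python matcher implements the header syntax covered on slides 6 to 13: variable substitution, the IP forms (host, CIDR, negation, bracketed list), the port forms (any, single, ranges with an open end, negation), the two direction operators, and the rule that a comma-separated port list is rejected. The var table and packet tuples are constructed sample values.

```python
import ipaddress

# Constructed example var table, mirroring slide 13.
VARS = {"EXTERNAL_NET": "any", "HTTP_PORTS": "80", "SMTP_SERVERS": "10.1.1.1"}

def expand(tok):
    """Substitute a $VAR reference from the var table; other tokens pass through."""
    return VARS[tok[1:]] if tok.startswith("$") else tok

def ip_matches(spec, addr):
    """IP spec: 'any', a host, a CIDR, or a [a,b] list; any form may start with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(s, addr) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Port spec: 'any', N, lo:hi, :hi, lo:, each optionally negated. No lists."""
    if "," in spec:
        raise ValueError("port lists are not valid: %s" % spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)           # an empty side means open-ended
        return (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    return int(spec) == port

def header_matches(rule, proto, src, sport, dst, dport):
    """Match a packet 5-tuple against the header (everything before '(') of a rule."""
    head = [expand(t) for t in rule.split("(", 1)[0].split()]
    action, rproto, rsrc, rsport, direction, rdst, rdport = head
    if rproto != "ip" and rproto != proto:   # 'ip' covers any IP protocol
        return False
    fwd = (ip_matches(rsrc, src) and port_matches(rsport, sport)
           and ip_matches(rdst, dst) and port_matches(rdport, dport))
    if direction == "->":
        return fwd
    # '<>': also accept the packet with source and destination swapped.
    rev = (ip_matches(rsrc, dst) and port_matches(rsport, dport)
           and ip_matches(rdst, src) and port_matches(rdport, sport))
    return fwd or rev
```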