Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Act as IDS, Packet Logger, Sniffer
./snort -dev -l ./log --> run Snort in packet logger mode (-d dumps application-layer data, -e prints link-layer headers, -v is verbose output, -l sets the log directory)
Snort rules
========
Snort rules must be completely contained on a single line; the Snort rule parser does not know how to handle rules that span multiple lines.
Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.
Here is an example rule:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The text up to the first parenthesis is the rule header, and the section enclosed in parentheses is the rule options. The words before the colons in the rule options section are called option keywords.
Rule Headers
1)Rule Actions:
There are three available actions in Snort: alert, log, and pass.
- alert - generate an alert using the selected alert method, and then log the packet
- log - log the packet
- pass - drop (ignore) the packet
2)Protocols:
There are three IP protocols that Snort currently analyzes for suspicious behavior: tcp, udp, and icmp.
3)IP Addresses:
The keyword "any" may be used to define any address.
In alert tcp any any -> 192.168.1.0/24 111 --> the source IP address is set to match any host, and the destination address is set to match the 192.168.1.0 Class C network.
4)Port Numbers
Port numbers may be specified in a number of ways, including "any" ports, static port definitions, ranges, and by negation.
"Any" ports are a wildcard value, meaning literally any port.
Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http, etc.
Port ranges are indicated with the range operator ":". The range operator may be applied in a number of ways to take on different meanings, such as:
log udp any any -> 192.168.1.0/24 1:1024 --> log udp traffic coming from any port with destination ports ranging from 1 to 1024
log tcp any 500: -> 192.168.1.0/24 :6000 --> log tcp traffic from ports greater than or equal to 500 to ports less than or equal to 6000
Port negation is indicated by using the negation operator "!".
log tcp any any -> 192.168.1.0/24 !6000:6010 --> log everything except the X Windows ports (6000 through 6010)
5)The Direction Operator
The direction operator "->" indicates the orientation, or "direction", of the traffic that the rule applies to. The IP address and port numbers on the left side of the direction operator are considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host. There is also a bidirectional operator, which is indicated with a "<>" symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions.
Rule Options
Rule options form the heart of Snort's intrusion detection engine.
An example options section: (msg:"BACKDOOR ATTEMPT-Backorifice"; flags:S;)
All Snort rule options are separated from each other using the semicolon ";" character. Rule option keywords are separated from their arguments with a colon ":" character. As of this writing, there are fifteen rule option keywords available for Snort.
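The following is an added example, not code from the page or from the Snort project: a small Python parser that splits rules of the form described above into header and options, implements the "any", static, range and negated port specs and the "->" and "<>" direction operators, and matches a packet's 5-tuple against the header. The rule list is constructed from the page's examples (the msg strings are made up), and only the header is evaluated; options such as content and flags would additionally need the payload and TCP flags.

```python
import ipaddress
import re
# Constructed sample rules in the one-line Snort syntax the page describes (msg texts are made up).
RULES = [
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'log udp any any -> 192.168.1.0/24 1:1024 (msg:"udp to low ports";)',
    'log tcp any 500: -> 192.168.1.0/24 :6000 (msg:"tcp 500+ to <=6000";)',
    'log tcp any any -> 192.168.1.0/24 !6000:6010 (msg:"tcp not x11";)',
    'alert tcp any any <> 192.168.1.0/24 23 (msg:"telnet either way";)',
]

def port_pred(spec):
    """Port spec -> predicate: any, static N, N:M, N:, :M, each optionally negated with '!'."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        lo, hi = 0, 65535
    elif ":" in spec:
        a, b = spec.split(":", 1)
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(spec)
    return lambda p: (lo <= p <= hi) != negate  # '!' inverts the range test

def addr_pred(spec):
    """Address spec -> predicate: 'any' or an address/netmask block in CIDR form."""
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return lambda ip: net is None or ipaddress.ip_address(ip) in net

def parse_rule(line):
    """Split a single-line rule into its 7 header fields and its option keyword/argument pairs."""
    header, _, options = line.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*?)\s*;', options))
    return {"action": action, "proto": proto, "direction": direction,
            "src": addr_pred(src), "sport": port_pred(sport),
            "dst": addr_pred(dst), "dport": port_pred(dport), "opts": opts}

def matches(rule, proto, sip, sport, dip, dport):
    """Header-only match of a 5-tuple; '->' fixes the source on the left, '<>' allows either orientation."""
    def oriented(a, ap, b, bp):
        return rule["src"](a) and rule["sport"](ap) and rule["dst"](b) and rule["dport"](bp)
    return rule["proto"] == proto and (oriented(sip, sport, dip, dport) or (
        rule["direction"] == "<>" and oriented(dip, dport, sip, sport)))

def evaluate(rules, proto, sip, sport, dip, dport):
    """Return (action, msg) for every rule whose header matches the packet, in rule order."""
    parsed = map(parse_rule, rules)
    return [(r["action"], r["opts"]["msg"].strip('"'))
            for r in parsed if matches(r, proto, sip, sport, dip, dport)]
```

Note that a packet to port 111 matches three rules at once (the mountd rule, the 500:/:6000 range rule and the !6000:6010 negation rule), which is why overlapping port ranges deserve a second look when writing a rule set.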