SNORT and TCPDump


What does alert do?

Generate an alert using the selected alert method, and then log the packet

Example of network variable

HOME_NET = [(172.16.80.0/24)]

What does the keyword include do?

It allows other rules files to be included within the rules file indicated on the SNORT command line. The include tells SNORT which of the rule set files to use.

What does the reference keyword do?

It allows rules to include references to external attack identification systems

What does pass do?

It ignores the packet

What is a SNORT rule?

It is a set of instructions designed to pick out network traffic that matches a specified pattern, then it takes a chosen action when it sees traffic that matches

What does the rev keyword do?

It is used to identify unique revisions of SNORT rules. Revisions, along with sid allow signatures and descriptions to be refined and replaced with updated info

What is the keyword sid for?

It is used to uniquely identify SNORT rules

What does drop do?

It makes iptables drop the packet and log the packet

What does the msg rule option do?

It tells the logging and alerting engine the message to print along with a packet dump or to an alert

What does log do?

Logs the packet

What does Sdrop do?

Makes iptables drop the packet but does not log it

What does reject do?

Makes iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP

Example of filepath variable

RULES_PATH = '/etc/snort/rules'

Why is setting correct values in the variables important?

Reduces "False-Positive" alerts

How are SNORT rules separated?

Rule options are separated from each other using the semicolon (;), rule options keywords are separated from their arguments with a colon (:)

How does SNORT Packet Logger Mode work?

SNORT has the ability to log (save) packets to different loggers. It has multi-mode packet logging options available such as flat ASCII, tcpdump, XML, database, etc. It logs all data for post-processing to look for anomalous activity.

Example of port variable

SSH_PORT = [(22)]

What type of language do SNORT rules use?

Simple, descriptive language that is flexible and powerful. Most SNORT rules are written in a single line. Rules may span multiple lines by adding a "\" to the end of the line

What is snort.lua?

The snort.lua file is used to set the operation configuration of SNORT. The default path is /etc/snort/snort.lua

What is a Bugtraq identifier (BID) or a Common Vulnerabilities and Exposures (CVE) identifier?

They are external attack identification systems, either system may be used, depending on who wrote the signature, to identify the vulnerability. Details of the vulnerability can then be researched further using the identifier.

True or false, variables must be suffixed with a tag corresponding to the type of variable?

True, variables must be suffixed with _PATH, _NET, or _PORT

How does SNORT NIDS mode work?

Uses all phases of SNORT plus plug-ins to analyze traffic for both misuse detection and anomalous activity. It can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis, etc.

What is included in the configurations for SNORT?

What to log, what to alert on, what rules to include, where rule files are located, setting substitution variables, and other variables.

How does SNORT sniffer mode work?

Works much like tcpdump, and it is built on it: it decodes packets and dumps them to stdout.

What is the rule structure for SNORT?

action protocol source direction destination (options)

x -> y

from x to y

x <> y

from x to y or from y to x (bidirectional)

"[number]:"

greater than or equal to the number

":[number]"

less than or equal to the number

"[number1]:[number2]"

range between number 1 and number 2

What are the ranges for sid?

1. < 100 - Reserved for future use
2. 100-1,000,000 - Rules included with the SNORT distribution
3. > 1,000,000 - Used for local rules

What are the SNORT 3.0 rule actions?

1. Alert
2. Log
3. Pass
4. Drop
5. Reject
6. Sdrop

How can TCPDump filter?

1. By host
2. By source
3. By destination
4. By network
5. By port
6. By layer 4 protocol

What are the SNORT rule operators?

1. Direction operators (->, <>)
2. Range operator (":")

What are the types of snort.lua variables?

1. Filepath
2. Network
3. Port

What are the four major categories of rule options?

1. General options provide info about the rule but do not have any effect during detection
2. Payload options all look for data inside the packet payload and can be inter-related
3. Non-payload options look for non-payload data
4. Post-detection options are rule-specific triggers that happen after a rule has "fired"

What are some SNORT Rule rules?

1. No host lookup available, must use IP address
2. Must use CIDR
3. The negation operator is (!)
4. The ($) operator is used when you put a variable to use

Where should you place SNORT?

1. Place in particular areas that you are interested in looking at, such as the Internet interface, DMZ, server farms, inter-subnet connections, etc.
2. SNORT needs to be inline with the traffic if you plan to use Deny, Drop, and Sdrop rule actions (NIPS)
3. It can be off SPAN ports if all you're interested in is listening (NIDS)

What logical sections are SNORT rules divided into?

1. Rule Header
2. Rule Options (optional)

What are the three main operational modes for SNORT?

1. Sniffer
2. Packet Logger
3. Network Intrusion Detection System (NIDS)

Default is NIDS mode if no command line switches are given

What are Rule Options?

1. Identifies which parts of the packet are inspected to determine if the rule action should be taken
2. Alert messages

What is SNORT?

A Network Intrusion Detection System (NIDS) that can also be used as an IPS; it is rule based (aka signature based)

What is TCPDump?

Free software for command-line packet capture that works on, or is part of, most Linux and Unix based systems

What is a Rule Header?

Action, protocol, source and destination ports and IP addresses
