SNORT and TCPDump
What does alert do?
Generate an alert using the selected alert method, and then log the packet
Example of network variable
HOME_NET = [(172.16.80.0/24)]
What does the keyword include do?
It allows other rules files to be included within the rules file indicated on the SNORT command line. The include tells SNORT which of the rule set files to use.
What does the reference keyword do?
It allows rules to include references to external attack identification systems
What does pass do?
It ignores the packet
What is a SNORT rule?
It is a set of instructions designed to pick out network traffic that matches a specified pattern, then it takes a chosen action when it sees traffic that matches
What does the rev keyword do?
It is used to identify unique revisions of SNORT rules. Revisions, along with sid, allow signatures and descriptions to be refined and replaced with updated information
What is the keyword sid for?
It is used to uniquely identify SNORT rules
What does drop do?
It makes iptables drop the packet and log the packet
What does the msg rule option do?
It tells the logging and alerting engine the message to print along with a packet dump or to an alert
What does log do?
Logs the packet
What does Sdrop do?
Makes iptables drop the packet but does not log it
What does reject do?
Makes iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
Example of filepath variable
RULES_PATH = '/etc/snort/rules'
Why is setting correct values in the variables important?
Reduces "False-Positive" alerts
How are SNORT rules separated?
Rule options are separated from each other using a semicolon (;); rule option keywords are separated from their arguments with a colon (:)
How does SNORT Packet Logger Mode work?
SNORT has the ability to log (save) packets to different loggers. It has multi-mode packet logging options available, such as flat ASCII, tcpdump, XML, database, etc. It logs all data, which can then be post-processed to look for anomalous activity.
Example of port variable
SSH_PORT = [(22)]
What type of language do SNORT rules use?
Simple, descriptive language that is flexible and powerful. Most SNORT rules are written on a single line. Rules may span multiple lines by adding a "\" to the end of the line
What is snort.lua?
The snort.lua file is used to set the operation configuration of SNORT. The default path is /etc/snort/snort.lua
What is a Bugtraq identifier (BID) or a Common Vulnerabilities and Exposures (CVE) identifier?
They are external attack identification systems; either system may be used, depending on who wrote the signature, to identify the vulnerability. Details of the vulnerability can then be researched further using the identifier.
True or false, variables must be suffixed with a tag corresponding to the type of variable?
True, variables must be suffixed with _PATH, _NET, or _PORT
How does SNORT NIDS mode work?
Uses all phases of SNORT plus plug-ins to analyze traffic for both misuse detection and anomalous activity. It can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis, etc.
What is included in the configurations for SNORT?
What to log, what to alert on, what rules to include, where rule files are located, setting substitution variables, and other variables.
How does SNORT sniffer mode work?
Works much like tcpdump and is built on it: it decodes packets and dumps them to stdout.
What is the rule structure for SNORT?
action protocol source direction destination (options)
x -> y
from x to y
x <> y
from x to y or from y to x (bidirectional)
"[number]:"
greater than or equal to the number
":[number]"
less than or equal to the number
"[number1]:[number2]"
range between number 1 and number 2
What are the ranges for sid?
1. < 100 - Reserved for future use 2. 100-1,000,000 - Rules included with the SNORT distribution 3. >1,000,000 - Used for local rules
What are the SNORT 3.0 rule actions?
1. Alert 2. Log 3. Pass 4. Drop 5. Reject 6. Sdrop
How can TCPDump filter?
1. By host 2. By source 3. By destination 4. By network 5. By port 6. By layer 4 protocol
What are the SNORT rule operators?
1. Direction operators (->, <>) 2. Range operator (":")
What are the types of snort.lua variables?
1. Filepath 2. Network 3. Port
What are the four major categories of rule options
1. General options provide info about the rule but do not have any effect during detection 2. Payload options all look for data inside the packet payload and can be inter-related 3. Non-payload options look for non-payload data 4. Post-detection options are rule-specific triggers that happen after a rule has "fired"
What are some SNORT Rule rules?
1. No host lookup available, must use an IP address 2. Must use CIDR notation 3. The negation operator is (!) 4. The ($) operator is used to reference a variable
Where should you place SNORT?
1. Place it in the particular areas you are interested in monitoring, such as the Internet interface, DMZ, server farms, inter-subnet connections, etc. 2. SNORT needs to be inline with the traffic if you plan to use the Deny, Drop, and Sdrop rule actions (NIPS) 3. It can be off SPAN ports if all you're interested in is listening (NIDS)
What logical sections are SNORT rules divided into?
1. Rule Header 2. Rule Options (optional)
What are the three main operational modes for SNORT?
1. Sniffer 2. Packet Logger 3. Network Intrusion Detection System (NIDS). NIDS mode is the default if no command-line switches are given
What are Rule Options?
1. Identify which parts of the packet are inspected to determine if the rule action should be taken 2. Alert messages
What is SNORT?
A Network Intrusion Detection System (NIDS) that can also be used as an IPS; it is rule-based (aka signature-based)
What is TCPDump?
Free software for command-line packet capture that works on, or is part of, most Linux and Unix-based systems
What is a Rule Header?
Action, protocol, source and destination ports and IP addresses