Randall Lewis
SNORT Lab
Snort® is an open source network intrusion prevention and detection system (IDS/IPS)
developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based
inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
I have created Snort rules and displayed them in screenshots, along with explanations.
What does each of the flags in this snort command line do?
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
-r snort.out        Read and process the tcpdump (pcap) file snort.out instead of sniffing live
-P 5000             Set an explicit snaplen (bytes captured per packet) of 5000
-c csec640.rules    Use the rules file csec640.rules
-e                  Display the second layer (link layer) header info
-X                  Dump the raw packet data starting at the link layer
-v                  Be verbose
-k none             Checksum mode: none (no checksums are verified)
-l log              Log to the directory log
alert
The report should include the following information:
Rule #1:
• Snort alert rule I’ve created.
alert tcp 192.168.1.47 22 -> any any (msg:"Traffic from 192.168.1.47"; sid:)
• Explain how rule #1 works.
This rule generates an alert for TCP traffic that comes from 192.168.1.47 on port 22 and is
destined to any IP address on any port. Note that the sid option has been left without a
value; Snort rejects a rule whose sid has no numeric value when it loads the rules file.
This was an example of a rule that did not generate any alerts.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #1.
Rule #2:
• Snort alert rule I’ve created.
alert icmp !192.168.10.0/24 any -> 192.168.10.2 any (msg:"Traffic from 192.168.10.0";
sid:777;)
• Explain how rule #2 works.
This rule generates an alert for any ICMP packet whose source address is outside the
192.168.10.0/24 network (the ! negates the address; /24 is a 24-bit prefix, so the network
covers 192.168.10.0 through 192.168.10.255) and whose destination is 192.168.10.2. ICMP has
no ports, so both port fields are written as any.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #2.
Rule #3:
• Snort alert rule I’ve created.
alert icmp 192.168.10.0/24 any -> 192.168.10.0/24 any (msg:"UDP Detected"; sid:878;)
• Explain how rule #3 works.
This rule sends out an alert any time there is a ping (ICMP) from a host in the 192.168.10.0/24
network to another address in the 192.168.10.0/24 network, on any port. (The msg text says
UDP, but the protocol field makes the rule match ICMP only.)
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #3.
Rule #4:
• Snort alert rule I’ve created.
log udp any any -> 192.168.1.0/24 1:1024 (msg:"udp alert"; sid:999;)
• Explain how rule #4 works.
This rule uses the log action rather than alert, so it logs (without raising an alert) any UDP
packet that comes from any IP address or port and is sent to the 192.168.1.0/24 network on a
port in the range 1 to 1024.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #4.
Rule #5:
• Snort alert rule I’ve created.
alert tcp 192.168.1.5 42069 -> 192.168.1.2 22 (msg:"tcp Traffic"; sid:456;)
• Explain how rule #5 works.
This rule alerts on any TCP traffic that comes from IP 192.168.1.5 with source port 42069 and
goes to IP 192.168.1.2 on port 22.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #5.
Rule #6:
• Snort alert rule I’ve created.
alert udp 192.168.1.0/24 0:6000 -> any any (msg:"UDP traffic detected"; sid:222;)
• Explain how rule #6 works.
This rule alerts on any UDP traffic from the 192.168.1.0/24 network with a source port between
0 and 6000, going to any IP address on any port.
• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #6.
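As an added example that is not part of the report and not Snort's own matching code, the following Python script parses the six rule headers above, refuses the ones Snort would not load, and tests constructed 5-tuples against the rest. It shows the points the explanations depend on: any, ! negation, CIDR networks (a /24 spans .0 through .255), the log versus alert action, and port ranges such as 1:1024. Rule #5 is included with its closing semicolon; the sample packets are constructed.

```python
"""Toy evaluator for Snort rule headers (added example, not Snort's own code)."""
import ipaddress
import re
from collections import namedtuple

# Constructed input: the six rule headers from the report (rule #5 with its
# closing ';' added). Rule #1 keeps its empty sid so the loader can show why
# Snort would refuse it.
RULES = [
    'alert tcp 192.168.1.47 22 -> any any (msg:"Traffic from 192.168.1.47";sid:)',
    'alert icmp !192.168.10.0/24 any -> 192.168.10.2 any (msg:"Traffic from 192.168.10.0"; sid:777;)',
    'alert icmp 192.168.10.0/24 any -> 192.168.10.0/24 any (msg:"UDP Detected"; sid:878;)',
    'log udp any any -> 192.168.1.0/24 1:1024 (msg:"udp alert"; sid:999;)',
    'alert tcp 192.168.1.5 42069 -> 192.168.1.2 22 (msg:"tcp Traffic"; sid:456;)',
    'alert udp 192.168.1.0/24 0:6000 -> any any (msg:"UDP traffic detected"; sid:222;)',
]

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)

Rule = namedtuple("Rule", "action proto src_ip src_port direction dst_ip dst_port sid msg")


def parse_ports(spec):
    """'any', a single port, or lo:hi (either side may be open) -> (lo, hi, negated)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return 0, 65535, negated
    lo, sep, hi = spec.partition(":")
    if sep:
        return (int(lo) if lo else 0), (int(hi) if hi else 65535), negated
    return int(lo), int(lo), negated  # int() raises ValueError on junk such as a CIDR


def parse_rule(text):
    """Parse one rule; raise ValueError for a header or option Snort would reject."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable header: {text!r}")
    opts = {}
    # Good enough here; a real parser must honour ';' inside a quoted msg string.
    for item in m["opts"].split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip()
    if not opts.get("sid", "").isdigit():
        raise ValueError(f"sid option missing or empty: {text!r}")
    for field in ("src_ip", "dst_ip"):
        if m[field].lstrip("!") != "any":
            ipaddress.ip_network(m[field].lstrip("!"), strict=False)  # raises on a bad address
    for field in ("src_port", "dst_port"):
        parse_ports(m[field])
    return Rule(m["action"], m["proto"], m["src_ip"], m["src_port"], m["dir"],
                m["dst_ip"], m["dst_port"], int(opts["sid"]), opts.get("msg", "").strip('"'))


def ip_matches(spec, addr):
    """'any', a host, or a CIDR block; a leading '!' inverts the result."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negated


def port_matches(spec, port):
    lo, hi, negated = parse_ports(spec)
    return (lo <= port <= hi) != negated


def one_way(rule, src, sport, dst, dport):
    return (ip_matches(rule.src_ip, src) and port_matches(rule.src_port, sport)
            and ip_matches(rule.dst_ip, dst) and port_matches(rule.dst_port, dport))


def rule_matches(rule, proto, src, sport, dst, dport):
    """ICMP has no ports: pass 0 and keep the rule's port fields at 'any'."""
    if rule.proto not in (proto, "ip"):
        return False
    if one_way(rule, src, sport, dst, dport):
        return True
    return rule.direction == "<>" and one_way(rule, dst, dport, src, sport)


def load_rules(texts):
    """Like a rules-file load: bad rules are reported in errors, not used."""
    rules, errors = [], []
    for text in texts:
        try:
            rules.append(parse_rule(text))
        except ValueError as exc:
            errors.append(str(exc))
    return rules, errors


def evaluate(rules, proto, src, sport, dst, dport):
    """(action, sid) for every loaded rule the 5-tuple matches."""
    return [(r.action, r.sid) for r in rules if rule_matches(r, proto, src, sport, dst, dport)]


if __name__ == "__main__":
    loaded, rejected = load_rules(RULES)
    print("rejected:", rejected)
    # .200 is inside 192.168.10.0/24 (.0 through .255): sid 878 fires, sid 777 does not
    print(evaluate(loaded, "icmp", "192.168.10.200", 0, "192.168.10.50", 0))
    print(evaluate(loaded, "udp", "10.1.1.1", 5353, "192.168.1.77", 53))
```

Running it reports rule #1 as rejected (empty sid) and matches the remaining five exactly as the explanations above describe; the negated source of rule #2 and the port range of rule #6 are the two checks most often read wrong by hand.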
Trojan Horse
My interpretation of the quote is that the trojan horse is one that goes after and specifically
attacks the network. It then sends out a function that is similar to the RPC DCOM network-aware
worm. This then attacks other hosts in the network. It seems to be complicated and very
sophisticated.
This code could impact a network by collecting all the passwords and codes, after which a hacker
could hijack the network. This code could be used to virtually destroy a network, or to let a
hacker spy on the network and gather all kinds of information from it without the administrator
knowing.
The best way to detect this is by using warning indicators. If files such as "vista.exe",
"mrosconfig.exe" and "qqq.sys" exist in \Documents and Settings\%User%\Local Settings\Temp,
this most likely is a sign that this exploit is in the system (Cisco, 2008). Also, firewalls
that are configured accordingly can display messages when Gimmiv.A exports files while it is
trying to infect systems.
The Snort rules that may detect this attack could be:
alert udp any 1923 -> any 9 (msg:"UDP traffic detected"; sid:888;)
or
alert tcp any 122 -> any 3 (msg:"TCP traffic detected"; sid:777;)
Covert Channels
Because of the nature of covert channels, an IDS cannot easily detect them. Detection is
more indirect, focused on traffic patterns, IDS signatures and other protocol detection
techniques (SANS Institute, 2010). The SANS Institute researched detection by looking at the
characteristics of the SSH protocol, because SSH can be used over covert channels, and by
searching for non-standard SSH ports.
Snort alerts can then be set up to search for DNS tunnels that use certain byte contents found
in packet flows. This is how Snort signatures can be set up to find covert channels.
A Snort rule to detect, and so help prevent, information leaking through a covert channel could be:
alert udp any any -> any 53 (content:"|01 00 00 01 00 00 00 00 00 01|"; offset:2; depth:10; \
content:"|00 00 29 10 00 00 00 80 00 00 00|"; msg:"covert iodine tunnel request"; \
threshold: type limit, track by_src, count 1, seconds 300; sid:5619500;) (SANS Institute, 2010)
This rule alerts on UDP traffic coming from any IP address and port that is sent to any IP
address on port 53. Port 53 carries DNS traffic, which is the protocol this covert channel (an
iodine DNS tunnel) leaks data through; the two content options restrict the alert to DNS queries
whose bytes match the pattern the tunnel produces, and the threshold limits it to one alert per
source address every 300 seconds.
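To make the rule's content matching concrete, here is an added Python example (not the SANS rule's implementation and not Snort code): it builds a constructed DNS query on the wire, applies the rule's two content tests with their offset and depth, and reproduces the threshold logic (type limit, track by_src, count 1, seconds 300). Reading the bytes: the first content is the DNS header after the 2-byte transaction ID (flags 0x0100, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1); the second is an EDNS0 OPT record in the additional section advertising a 4096-byte UDP payload size with the DO flag set, which is the request shape the SANS rule attributes to iodine. The query names and source addresses are constructed.

```python
"""Content and threshold checks of the iodine DNS rule (added example, not SANS or Snort code)."""

# Byte patterns copied from the rule.
CONTENT_1 = bytes.fromhex("01000001000000000001")    # tested at offset 2, depth 10
CONTENT_2 = bytes.fromhex("0000291000000080000000")  # searched anywhere in the payload


def build_dns_query(txid, qname, edns0=True):
    """Constructed DNS query on the wire. With edns0=True the additional section holds
    an OPT record (type 41, 4096-byte payload size, DO flag) exactly as the rule expects."""
    arcount = 1 if edns0 else 0
    header = (txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01"   # flags: RD; QDCOUNT 1
              + b"\x00\x00\x00\x00" + arcount.to_bytes(2, "big"))    # ANCOUNT 0, NSCOUNT 0, ARCOUNT
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question = labels + b"\x00" + b"\x00\x10\x00\x01"               # QTYPE TXT, QCLASS IN
    opt = b"\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00" if edns0 else b""
    return header + question + opt


def content_at(payload, pattern, offset=0, depth=None):
    """Snort content test: look for pattern inside payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def iodine_request_matches(payload):
    """Both content options must match (an implicit AND, as in the rule)."""
    return content_at(payload, CONTENT_1, offset=2, depth=10) and content_at(payload, CONTENT_2)


class LimitThreshold:
    """threshold: type limit, track by_src, count N, seconds S:
    at most N alerts per source address within each S-second window."""

    def __init__(self, count=1, seconds=300):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> [window_start, alerts_so_far]

    def allow(self, src, now):
        window = self.windows.get(src)
        if window is None or now - window[0] >= self.seconds:
            self.windows[src] = [now, 1]
            return True
        if window[1] < self.count:
            window[1] += 1
            return True
        return False


def process(packets, threshold=None):
    """packets: (time, src, dst_port, udp_payload) tuples -> list of (src, time) alerts."""
    threshold = threshold or LimitThreshold(count=1, seconds=300)
    alerts = []
    for when, src, dport, payload in packets:
        if dport == 53 and iodine_request_matches(payload) and threshold.allow(src, when):
            alerts.append((src, when))
    return alerts


# Constructed traffic: two tunnel-shaped queries from 10.0.0.7 ten seconds apart
# (the second is suppressed by the limit), a plain query and a tunnel-shaped one
# from 10.0.0.9, and a third from 10.0.0.7 after the 300-second window has expired.
SAMPLE_PACKETS = [
    (0, "10.0.0.7", 53, build_dns_query(0x1A2B, "t.tun.example.net")),
    (10, "10.0.0.7", 53, build_dns_query(0x1A2C, "u.tun.example.net")),
    (20, "10.0.0.9", 53, build_dns_query(0x0042, "www.example.com", edns0=False)),
    (30, "10.0.0.9", 53, build_dns_query(0x0043, "v.tun.example.net")),
    (400, "10.0.0.7", 53, build_dns_query(0x1A2D, "w.tun.example.net")),
]

if __name__ == "__main__":
    for src, when in process(SAMPLE_PACKETS):
        print(f"t={when:>3}s  alert: covert iodine tunnel request from {src}")
```

Any client that sends EDNS0 queries with a 4096-byte buffer and the DO flag set produces the same header bytes, so in practice this signature relies on its threshold and on a baseline of normal resolver traffic to keep false positives down.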
Cisco. (2008, Oct 24). Malicious code alert. Retrieved from
https://tools.cisco.com/security/center/viewAlert.x?alertId=16947
SANS Institute. (2010). Covert channels. Retrieved from
http://www.sans.org/reading_room/whitepapers/detection/covert-channels_33413