Posted on 30-Apr-2018


Page 1: I have created Snort Rules and Displayed them on ... #5: • Snort alert rule I’ve created. alert tcp 192.168.1.5 42069 -> 192.168.1.2 22 (msg:”tpc Traffic”; sid:456) • Explain

Randall Lewis

SNORT Lab

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

I have created Snort rules and displayed them in screenshots along with explanations.

What does each of the flags in this snort command line do?

snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log

• -r snort.out: read and process the tcpdump capture file snort.out

• -P 5000: set an explicit snaplen of 5000 bytes per packet

• -c csec640.rules: use the rules file csec640.rules

• -e: display the second-layer (link-layer) header info

• -X: dump the raw packet data starting at the link layer

• -v: be verbose

• -k none: checksum mode none (no checksum verification)

• -l log: log to the directory log


The report should include the following information:


Rule #1:

• Snort alert rule I’ve created.

alert tcp 192.168.1.47 22 -> any any (msg:"Traffic from 192.168.1.47";sid:)

• Explain how rule #1 works.

This will generate an alert for TCP traffic that comes from 192.168.1.47 on port 22 and is sent to any IP address on any port.

This was an example of a rule that did not generate any alerts.

• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #1.


Rule #2:

• Snort alert rule I’ve created.

alert icmp !192.168.10.0/24 any -> 192.168.10.2 any (msg:"Traffic from 192.168.10.0"; sid:777;)

• Explain how rule #2 works.

This rule will generate an alert for ICMP packets whose source is any IP address except the 192.168.10.0/24 network (192.168.10.0 to 192.168.10.24), on any port, that are sent to 192.168.10.2 on any port.

• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #2.


Rule #3:

• Snort alert rule I’ve created.

alert icmp 192.168.10.0/24 any -> 192.168.10.0/24 any (msg:"UDP Detected"; sid:878;)

• Explain how rule #3 works.

This will send out an alert any time there is a ping from 192.168.10.0 to 192.168.10.24 that is sent to an IP address in 192.168.10.0 to 192.168.10.24 on any port.

• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #3.


Rule #4:

• Snort alert rule I’ve created.

log udp any any -> 192.168.1.0/24 1:1024 (msg:"udp alert"; sid:999;)

• Explain how rule #4 works.

This rule uses the log action rather than alert, so it will log any UDP traffic that comes from any IP address or port and is sent to IP 192.168.10.0 to 192.168.10.24 on ports 1 to 1024.

• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #4.


Rule #5:

• Snort alert rule I’ve created.

alert tcp 192.168.1.5 42069 -> 192.168.1.2 22 (msg:"tcp Traffic"; sid:456;)

• Explain how rule #5 works.

This rule will generate an alert for any TCP traffic that comes from IP 192.168.1.5 on port 42069 to IP 192.168.1.2 on port 22.

• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #5.


Rule #6:

• Snort alert rule I’ve created.

alert udp 192.168.1.0/24 0:6000 -> any any (msg:"UDP traffic detected"; sid:222;)

• Explain how rule #6 works.

This rule will alert on any UDP traffic from IP 192.168.1.0 to 192.168.1.24, from any source port between 0 and 6000, going to any IP address and any port.

• Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #6.
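As an added example (not part of the lab report), the following Python evaluates the headers of rules #1 to #6 against constructed packets, the way Snort's header matching does: it resolves any, host, CIDR, port-range and ! negation fields. It assumes rule #2's stray "edit" means any and that rule #3's network belongs in the source-address field; the sample packets are constructed.

```python
import ipaddress
# Rule headers from the lab report's rules #1 to #6 (header part only, before the
# options in parentheses); rule #2's stray "edit" is taken to mean "any" and rule
# #3's network is placed in the source-address field where Snort expects it.
RULE_HEADERS = {
    1: "alert tcp 192.168.1.47 22 -> any any",
    2: "alert icmp !192.168.10.0/24 any -> 192.168.10.2 any",
    3: "alert icmp 192.168.10.0/24 any -> 192.168.10.0/24 any",
    4: "log udp any any -> 192.168.1.0/24 1:1024",
    5: "alert tcp 192.168.1.5 42069 -> 192.168.1.2 22",
    6: "alert udp 192.168.1.0/24 0:6000 -> any any",
}

def ip_matches(spec, addr):
    """IP field: 'any', a host, a CIDR block, or a '!'-negated form of those."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Port field: 'any', one port, a 'lo:hi' range (open ends allowed) or '!...'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def header_matches(header, pkt):
    """pkt: dict with proto, src, sport, dst, dport (ICMP carries no ports; use 0)."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional '->' rules are handled here")
    return (proto == pkt["proto"]
            and ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
            and ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

def matching_rules(pkt):
    """Rule numbers whose header this packet would trigger."""
    return [n for n, h in RULE_HEADERS.items() if header_matches(h, pkt)]

# Constructed sample packets: the SSH session of rule #5, and a ping from
# 192.168.10.200, which lies inside 192.168.10.0/24 (so rule #2's '!' excludes it).
SSH_PKT = {"proto": "tcp", "src": "192.168.1.5", "sport": 42069, "dst": "192.168.1.2", "dport": 22}
PING_PKT = {"proto": "icmp", "src": "192.168.10.200", "sport": 0, "dst": "192.168.10.2", "dport": 0}
```

Note that a /24 block covers .0 through .255, so the ping from .200 falls under rule #3 and is excluded by rule #2's negation.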


Trojan Horse

My interpretation of the quote is that the trojan horse is one that specifically targets and attacks the network. It then launches a function similar to the RPC DCOM network-aware worm, which goes on to attack other hosts in the network. It seems to be complicated and very sophisticated.

This code could impact a network by harvesting all the passwords and codes, after which an attacker could hijack the network. It could effectively be used to destroy a network, or to spy on the network and collect all kinds of information from it without the administrator knowing.

The best way to detect this is by using warning indicators. If files such as vista.exe, mrosconfig.exe, and qqq.sys exist in \Documents and Settings\%User%\Local Settings\Temp, this is most likely a sign that this exploit is on the system (Cisco, 2008). Also, firewalls that are configured accordingly can display messages when Gimmiv.A exports files while it is trying to infect systems.

The Snort rules that may detect this attack could be:

alert udp any 1923 -> any 9 (msg:"UDP traffic detected"; sid:888;)

or

alert tcp any 122 -> any 3 (msg:"TCP traffic detected"; sid:777;)

Covert Channels

Because of the nature of covert channels, an IDS cannot easily detect them. Detection instead focuses indirectly on traffic patterns, IDS signatures, and other protocol detection techniques (SANS Institute, 2010). The SANS Institute researched detection by looking at the characteristics of the SSH protocol, because SSH can be used over covert channels, and by searching for non-standard SSH ports.

Snort alerts can then be set up to search for DNS tunnels that use certain byte contents found in packet flows. This is how Snort signatures can be set up to find covert channels.

A Snort rule to prevent any information leak through a covert channel could be:

“alert udp any any -> any 53 (content:"|01 00 00 01 00 00 00 00 00 01|"; offset: 2; depth: 10; content:"|00 00 29 10 00 00 00 80 00 00 00|"; msg: "covert iodine tunnel request"; threshold: type limit, track by_src, count 1, seconds 300; sid: 5619500;)” (SANS Institute, 2010)


This rule will alert on UDP traffic coming from any IP address or port that is sent to any IP address on port 53. Port 53 carries DNS traffic, through which a covert channel can leak data. The two content options narrow the match to DNS packets carrying those exact byte sequences, and the threshold option limits the output to one alert per source address every 300 seconds.
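As an added example (not from the report or the SANS paper), this Python applies the rule's two content matches, with Snort's offset/depth semantics, and its limit threshold to a constructed DNS query. The query builder, the sample name, and the timestamps are assumptions of the example.

```python
import struct

# Both content matches of the SANS rule in Snort's |xx xx| notation, with the
# offset/depth modifiers that apply to the first one (the second is unmodified).
CONTENT_1 = ("|01 00 00 01 00 00 00 00 00 01|", 2, 10)
CONTENT_2 = ("|00 00 29 10 00 00 00 80 00 00 00|", None, None)

def snort_hex(content):
    """Turn a Snort hex content string such as '|00 29|' into bytes."""
    return bytes.fromhex(content.strip("|").replace(" ", ""))

def content_matches(payload, content, offset=None, depth=None):
    """Snort semantics: offset is where the search starts, depth is how many bytes
    from that point may be examined; with neither, the whole payload is searched."""
    start = offset or 0
    end = len(payload) if depth is None else start + depth
    return snort_hex(content) in payload[start:end]

def rule_matches(payload):
    """Both content options must match for the rule to fire."""
    return content_matches(payload, *CONTENT_1) and content_matches(payload, *CONTENT_2)

class LimitThreshold:
    """threshold: type limit, track by_src, count 1, seconds 300 -> at most
    `count` alerts per source address within any `seconds`-long window."""
    def __init__(self, count=1, seconds=300):
        self.count, self.seconds, self.seen = count, seconds, {}

    def allow(self, src, now):
        start, n = self.seen.get(src, (now, 0))
        if now - start >= self.seconds:          # window expired: start a new one
            start, n = now, 0
        self.seen[src] = (start, n + 1)
        return n < self.count

def build_query(name, edns_do=True):
    """Constructed DNS query: standard query with RD set, one question, one
    additional record (an EDNS0 OPT RR advertising a 4096-byte UDP payload)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-RCODE/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if edns_do else 0, 0)
    return header + question + opt
```

The second pattern decodes as an OPT record with the DO flag set; the same query without that flag matches the first content but not the second, so the rule stays quiet.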

Cisco. (2008, Oct 24). Malicious code alert. Retrieved from https://tools.cisco.com/security/center/viewAlert.x?alertId=16947

SANS Institute. (2010). Covert channels. Retrieved from http://www.sans.org/reading_room/whitepapers/detection/covert-channels_33413