LinuxQuestions.org
06-08-2007, 08:00 PM   #1
romafiel
LQ Newbie
Registered: Jun 2007
Posts: 1
Rep: Reputation: 0
How to write two snort detection rules to alert on packets to those rules


Hi, I am new to this fantastic world of Linux, and I need to do an assignment on Snort and would appreciate any help with the following:
I need to write two snort detection rules, and configure Snort to alert on packets corresponding to the two rules. Snort's log and alert file should be in ASCII (plain text).
The first rule will have to fire an alert on a packet from a client using TCP source port 9999, to a server using TCP destination port 8888. The payload content for this rule should be the ASCII string "serverattack", but should be case insensitive, so e.g. it will also fire on "SeRvErAtTaCk", etc.

NB. The distinction between a client and a server is well defined in TCP, and it is important that I make that clear for this assignment. The alert should not fire on a packet from a server using TCP source port 9999 to a client using TCP destination port 8888.

Moreover, the alert should NOT fire on a packet that is not part of an ESTABLISHED TCP session. It will not do to merely use the flow:established option, for that option will match RST packets, and also the third part of a 3-way handshake. For this (the most difficult part) I will need to use the flowbits: and flags: keywords.

The second rule is analogous: it will need to fire an alert on a packet from a server using TCP source port 8888, to a client using TCP destination port 9999. The payload content for this rule should be the ASCII string "clientattack", and this time should be case sensitive.

NB. As above, the distinction between client and server is important, and this packet must be sent within the confines of an ESTABLISHED TCP session.

For this I need to use two machines. On one machine, I have to set up a netcat server listening on TCP port 8888. On the other machine, I have to connect to that server using netcat as a client, with TCP source port 9999. (For simplicity, one of these two machines can be the machine Snort is running on.)

Once connected, I need to use the session to cause Snort to fire both the alerts described by the rules mentioned above.

So basically I will need to know how to write the two rules, the alert file, and the log file.
I would greatly appreciate any insights and help on how to actually write those rules.
I tried using the echo 'alert tcp.......' approach, but I keep not being able to fire it or get it working.
PS: I am running FreeBSD from VMware and I don't know if that affects anything.
Thanks
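As an added example, not part of the original post and not a reply from the thread, here is one way to express the detection logic the assignment describes in Snort 2.x rule syntax. Only the port numbers and content strings come from the post above; the sids (1000001-1000005), the flowbit names hs_syn, hs_synack and hs_established, the interface name em0 and the file paths are assumptions, and the netcat switches assume the BSD nc that ships with FreeBSD.

```snort
# Added example rules (not from the original post). Assumptions: local sids
# 1000001-1000005 are unused, a stream preprocessor (stream4/stream5) is
# enabled in snort.conf so that flowbits are tracked per TCP flow, and the
# sensor interface is em0.
#
# Handshake tracking. Each helper rule only sets a flowbit and never alerts
# (flowbits:noalert). The ",12" on the flags option tells Snort to ignore the
# two reserved/ECN bits, so a SYN carrying ECE/CWR still counts as "SYN only".

# Step 1: SYN (and nothing else) from the client's port 9999 to the server's 8888.
# A SYN going the other way (8888 -> 9999) never matches, so a session where the
# server sits on 9999 can never reach the established state below.
alert tcp any 9999 -> any 8888 (msg:"HS client SYN 9999->8888"; flags:S,12; flowbits:set,hs_syn; flowbits:noalert; sid:1000001; rev:1;)

# Step 2: SYN/ACK from the server, counted only if step 1 was seen on this flow.
alert tcp any 8888 -> any 9999 (msg:"HS server SYN/ACK 8888->9999"; flags:SA,12; flowbits:isset,hs_syn; flowbits:set,hs_synack; flowbits:noalert; sid:1000002; rev:1;)

# Step 3: bare ACK from the client completing the 3-way handshake.
# From this packet on the session is ESTABLISHED in the TCP sense.
alert tcp any 9999 -> any 8888 (msg:"HS established"; flags:A,12; flowbits:isset,hs_synack; flowbits:set,hs_established; flowbits:noalert; sid:1000003; rev:1;)

# Rule 1 from the assignment: client -> server payload "serverattack",
# case-insensitive (nocase), only inside an established session.
# flags:PA requires exactly PSH+ACK, so the handshake's third ACK (no PSH) and an
# RST (no PSH, R set) cannot match even though hs_established may be set.
alert tcp any 9999 -> any 8888 (msg:"serverattack from client in established session"; flags:PA,12; flowbits:isset,hs_established; content:"serverattack"; nocase; sid:1000004; rev:1;)

# Rule 2 from the assignment: server -> client payload "clientattack",
# case-sensitive (no nocase), same established-session requirement.
alert tcp any 8888 -> any 9999 (msg:"clientattack from server in established session"; flags:PA,12; flowbits:isset,hs_established; content:"clientattack"; sid:1000005; rev:1;)

# Running Snort with plain-text alert and log output (Snort 2.x switches):
#   snort -c /usr/local/etc/snort/snort.conf -i em0 -A full -K ascii -l /var/log/snort
# -A full writes a text "alert" file under -l; -K ascii logs packets as text.
#
# Driving the session with netcat (BSD nc; paths and IPs are placeholders):
#   server machine:  nc -l 8888
#   client machine:  nc -p 9999 <server-ip> 8888
# Typing "serverattack" on the client side should fire sid 1000004, typing
# "clientattack" on the server side should fire sid 1000005.
```

The point of the three helper rules is that hs_established is only ever set after a SYN, SYN/ACK and ACK were seen in the right order and in the right direction on the same flow, which is exactly what flow:established cannot guarantee: a single RST or the handshake's final ACK would satisfy flow:established, but neither carries the PSH flag or the payload required by sids 1000004 and 1000005. Rules that rely on flowbits need the stream preprocessor loaded in snort.conf, otherwise the flowbits options have no flow to attach state to and the content rules never fire.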