How to write two Snort detection rules and alert on packets matching those rules
Hi, I am new to this fantastic world of Linux, and I need to do an assignment on Snort and would appreciate any help with the following:
I need to write two Snort detection rules, and configure Snort to alert on packets corresponding to the two rules. Snort's log and alert file should be in ASCII (plain text).
The first rule will have to fire an alert on a packet from a client using TCP source port 9999, to a server using TCP destination port 8888. The payload content for this rule should be the ASCII string "serverattack", but it should be case-insensitive, so e.g. it will also fire on "SeRvErAtTaCk", etc.
NB. The distinction between a client and a server is well defined in TCP, and it is important that I make that clear for this assignment. The alert should not fire on a packet from a server using TCP source port 9999 to a client using TCP destination port 8888.
Moreover, the alert should NOT fire on a packet that is not part of an ESTABLISHED TCP session. It will not do to merely use the flow: established option, as that option will match RST packets, and also the third part of a 3-way handshake. For this (the most difficult part) I will need to use the flowbits: and flags: keywords.
The second rule is analogous: it will need to fire an alert on a packet from a server using TCP source port 8888, to a client using TCP destination port 9999. The payload content for this rule should be the ASCII string "clientattack", and this time it should be case-sensitive.
NB. As above, the distinction between client and server is important, and this packet must be sent within the confines of an ESTABLISHED TCP session.
For this I need to use two machines. On one machine, I have to set up a netcat server, listening on TCP port 8888. On the other machine, I have to connect to that server using netcat as a client, with the TCP source port 9999. (For simplicity, one of these two machines can be the machine Snort is running on.)
Once connected, I need to use the session to cause Snort to fire both the alerts described by the mentioned rules.
So basically I need to know how to write the two rules, the alert file, and the log file.
I would greatly appreciate any insights and help on how to actually write those rules.
I tried using echo 'alert tcp.......', but I keep not being able to fire it or get it working.
PS: I am running FreeBSD in VMware and I don't know if that affects anything.
Thanks
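The rule set and lab session the assignment describes, written out as an added example; this is not part of the original post. It assumes Snort 2.x with the stream preprocessor enabled (flowbits only work on a tracked session), the FreeBSD port's snort.conf at /usr/local/etc/snort/snort.conf with an include of rules/local.rules, sniffing interface em0, and the documentation addresses 192.0.2.10 (server) and 192.0.2.20 (client); all of those are assumptions. Rules 1 to 3 never alert (flowbits:noalert) and only record each leg of the client's handshake on the flow; rules 4 and 5 are the two requested and are gated on the flowbit the third leg sets plus an exact flags:PA match, so a RST, a SYN/ACK or the bare ACK that completes the handshake never reaches the content test, and the rule-header direction (9999 -> 8888 versus 8888 -> 9999) is what keeps client and server apart.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not in the post):
# Snort 2.x with the stream preprocessor on, snort.conf at the FreeBSD port
# path below including rules/local.rules, interface em0, server 192.0.2.10
# and client 192.0.2.20 (documentation addresses, constructed for this example).

CONF=/usr/local/etc/snort/snort.conf
RULES=/usr/local/etc/snort/rules/local.rules
LOGDIR=/var/log/snort
IFACE=em0

# Rules 1-3 only record the client's three-way handshake and never alert.
# Rules 4 and 5 are the two the assignment asks for; both need the bit set by
# the third handshake leg and flags PSH+ACK exactly (",12" ignores the two
# reserved bits), so a RST, a SYN/ACK or the bare handshake ACK cannot match.
write_rules() {
    cat <<'EOF'
# 1: client SYN, 9999 -> 8888: remember that the client opened this session
alert tcp any 9999 -> any 8888 (msg:"hs1 client SYN"; flags:S,12; flowbits:set,c2s_syn; flowbits:noalert; sid:1000001; rev:1;)
# 2: server SYN/ACK, 8888 -> 9999, only counts once rule 1 matched on this flow
alert tcp any 8888 -> any 9999 (msg:"hs2 server SYN/ACK"; flags:SA,12; flowbits:isset,c2s_syn; flowbits:set,c2s_synack; flowbits:noalert; sid:1000002; rev:1;)
# 3: client ACK completing the handshake: the session is now ESTABLISHED
alert tcp any 9999 -> any 8888 (msg:"hs3 client ACK"; flags:A,12; flowbits:isset,c2s_synack; flowbits:set,c2s_established; flowbits:noalert; sid:1000003; rev:1;)
# 4: client data, case-insensitive "serverattack"
alert tcp any 9999 -> any 8888 (msg:"serverattack from client"; flags:PA,12; flowbits:isset,c2s_established; content:"serverattack"; nocase; sid:1000004; rev:1;)
# 5: server data, case-sensitive "clientattack" (no nocase)
alert tcp any 8888 -> any 9999 (msg:"clientattack from server"; flags:PA,12; flowbits:isset,c2s_established; content:"clientattack"; sid:1000005; rev:1;)
EOF
}

# Number of rules that can actually raise an alert: must be exactly the two requested.
alerting_rule_count() {
    write_rules | grep '^alert' | grep -vc 'flowbits:noalert'
}

install_rules() { write_rules > "$RULES"; }

# Plain-text alert file at $LOGDIR/alert (-A full) and ASCII packet logs
# under $LOGDIR (-K ascii), which is what the assignment requires.
run_snort() { snort -c "$CONF" -i "$IFACE" -l "$LOGDIR" -A full -K ascii; }

# Server machine: listen on 8888. Client machine: connect from source port 9999.
start_server() { nc -l 8888; }
start_client() { nc -p 9999 "${1:-192.0.2.10}" 8888; }

# Usage: sh snortlab.sh rules|install|snort|server|client [server-ip]
# With the session up, type SeRvErAtTaCk in the client window (rule 4 fires)
# and clientattack in the server window (rule 5 fires); ClientAttack typed on
# the server side must stay silent, as must anything sent before the handshake.
case "${1:-}" in
    rules)   write_rules ;;
    install) install_rules ;;
    snort)   run_snort ;;
    server)  start_server ;;
    client)  start_client "${2:-}" ;;
esac
```

Run `sh snortlab.sh install` and then `sh snortlab.sh snort` on the sniffing host, `sh snortlab.sh server` on the listener, and `sh snortlab.sh client 192.0.2.10` on the client; the alerts land in /var/log/snort/alert. The handshake rules deliberately use exact flag matches rather than `flags:+A`, because `+A` would also admit RST/ACK and FIN/ACK segments, which is exactly what the assignment says must not fire.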