Creating Snort Rules, Free Essay on Computer Science

Complete this rule which would be deployed to detect incoming TCP traffic on port 31337: alert _____ $EXTERNAL_NET _____ -> $HOME_NET _____ (msg:"__________________"; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

Answer

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)

If you made a change to this rule what would you do the "rev" field? Why would this be important?

Answer

Rev keyword uniquely gives identity revisions to Snort rule, thus if the rule is changed, the position of rev field should be changed together with Snort rule id since they allow refining and replacement of descriptions and signatures with newly updated information(Hart,2017).

Complete the rule below to check for the text string "malware" in the payload section of a TCP packet which starts after 32 bytes:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware String Detected"; content:"malware"; _____:32; nocase; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)Answer

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware String Detected"; content: "malware"; bytes:32; no case; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)

In question #3, why would using this option or similar options be beneficial to creating a good rule?

Answer

It is very important for organizations to secure data and network systems in order to minimize risk from malware attacks. Snort Intrusion Detection System is a great tool for security network and has been widely used to protect networks by various organizations. Snort-IDS use rules to match data packets traffic and if some of them matches the rules, it automatically generates alert messages which are useful in network protection (Water, 2018).

What would be some of the options you as the signature writer could add to your rule to give other users some insight as to why a rule was created?

Answer

The snort rules designed for a system should be fully compatible for effective action on the type of intrusion. Snorts, by default consider the order below:

Alert rules - Generates alerts by use of alert method

Log rules - Logs the packet once the alert has been generated

Pass rules - Ignores and drops the packet

IP is a unique address for every computer used to transfer data or even packet over internet via different networks. Each packet carries a message, source, data, destination address and many more. Snorts support three major IP protocols regarding suspicious behavior and they are as follows:

TCP - used in connecting two different hosts in order to exchange data between them, for instance FTO, HTTP, SMTO

UDP - used in broadcasting messages via internet, for example DNS Traffic

ICMP - used in windows in sending network error communication messages, for instance Traceroute, Ping and others ("Understanding and Configuring Snort Rules", 2018).

What is the name of the file that contains the configuration of Snort? Where is it usually located in the Linux build? Answer

At start up time, Snorp makes use of a configuration file called 'snort.conf' which is distributed with Snort. Any name can be used though by use of the '-c' command line switch and specify the configuration file name.

In Linux build, configuration file is located inside the Snort tarball directory and is a snapshot at the time of releasing the tarball. It is good practice to occasionally update the file to make use of the different preprocessors settings add new rule files too (Rehman, 2012).

Can two rules share the same SID? Why or Why not?Answer

No. each snort rule must have its SID since they cause errors particularly in the latest version 2.8.5.2. However, it can work with the old version 2.6.1

Pick one of the Snort preprocessors and explain what its function is. Why are they important to rule writing?

Answer

Frag3 processor

It is a target-based address IP defragmentation Snort module which is designed for both fast execution with minimal data management and target-based host modeling anti-evasion techniques.

They are important to rule writing in that, it is capable to detect up to eight unique types of anomalies and its output event packed-based thus capable to work with all output Snort modes("2.2 Preprocessors", 2018) .

Why was this Emerging Threats rule written? (hint: look at the reference option) alert ip 207.178.145.229 any -> $HOME_NET any (msg:"ET RBN Known Malvertiser IP (11)"; flowbits:set,ET.RBN.Malvertiser; flowbits:set,ET.Evil; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; sid:2408020; rev:297;)

Answer

Emerging threats rule was born out of great demand due to increasing number of epidemic client-side threats and the tremendous rise in malware and accompanying variants. The rule is therefore meant to control the dynamic malware developed by hackers which bypasses security controls including anti-virus. IDS used by the Threat rule provide the best protection particularly for malware attacks.

Explain the difference between the DROP, LOG, and ALERT options.

Answer

In the rule actions, the header carries information defining who, where and what of the packet and also what the next course of action in case a packet containing the attributes which are indicated in the rule emerge.

Among the five default actions in Snort; DROP blogs and log the packet, LOG is meant to log the packet and ALERT generates an alert by use of selected alert method then log the packet too ("3.2 Rules Headers", 2018).

References

2.2 Preprocessors. (2018). Manual-snort-org.s3-website-us-east-1.amazonaws.com. Retrieved 23 March 2018, from http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html

3.2 Rules Headers. (2018). Manual-snort-org.s3-website-us-east-1.amazonaws.com. Retrieved 23 March 2018, from http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html

Hart, J. (2017). 3.4 General Rule Options. Manual-snort-org.s3-website-us-east-1.amazonaws.com. Retrieved 23 March 2018, from http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html

Rehman, R. (2012). The Snort Configuration File | Working with Snort Rules | InformIT. Informit.com. Retrieved 23 March 2018, from http://www.informit.com/articles/article.aspx?p=101171&seqNum=7

Understanding and Configuring Snort Rules. (2018). Rapid7 Blog. Retrieved 23 March 2018, from https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/

Water, C. (2018). Improving Intrusion Detection System based on Snort rules for network probe attack detection - IEEE Conference Publication. Ieeexplore.ieee.org. Retrieved 23 March 2018, from http://ieeexplore.ieee.org/document/6914042/?reload=true