TCPdump & Snort - Intrusion Detection Systems

More documents

Recommendations

Info

Rule Options for Payload I content: "text" filter for packets containing the text Example: content: "GET " For hex-strings: content: "|20 bf ff ff 20|" Combined & negated: content: !"GET|09|" uricontent "text" restrict filtering to URIs pcre: "regexp" use Perl-compatible regular expression content-list: "filename" points to list with patterns patterns are enclosed in " , comments start with # TCPdump & Snort Thomas Fischer February 3, 2010 Page 18
Rule Options for Payload II Modifiers thereafter, apply only to single preceding option nocase ignores case for content and uricontent offset: n start only n bytes into payload depth: m stop after m bytes distance: n start searching n bytes after previous content match within: n distance between this content match and previous is at most n bytes isdataat: n [,relative] payload data at position n, optionally relative to previous content match rawbytes look at raw bytes instead of decoded traffic http_client_body restrict search to HTTP body http_header restrict search to HTTP header TCPdump & Snort Thomas Fischer February 3, 2010 Page 19
Page 1 and 2: TCPdump & Snort Intrusion Detection
Page 3 and 4: Starting with TCPdump TCPdump is a
Page 5 and 6: Wireshark Previously know as Ethere
Page 7 and 8: Writing TCPdump Filters II Bitmask
Page 9 and 10: About Snort Network Intrusion Detec
Page 11 and 12: Configuring Snort Central configura
Page 13 and 14: Preprocessors II Stream5 tracks ses
Page 15 and 16: Snort Rules I General syntax of rul
Page 17: Internal Rule Options msg: "some lo
Page 21 and 22: Rule Options for Non-Payload I frag
Page 23 and 24: Rule Options after Detection I logt
Page 25 and 26: Tips for Writing Rules Rules should
Page 27 and 28: Output II Logging to Unix socket ou
Page 29 and 30: Inline Mode with IPtables Inline Mo
Page 31 and 32: Visual Examples FTP security proble
Page 37 and 38: Visual Example: Byte Jump content:"
Page 47 and 48: Examples II alert tcp $EXTERNAL_NET
Page 49 and 50: Examples IV alert tcp $EXTERNAL_NET

TCPdump & Snort - Intrusion Detection Systems

Create successful ePaper yourself

Delete template?

Save as template?