TCPdump & Snort - Intrusion Detection Systems

More documents

Recommendations

Info

Examples I alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ⤦ (msg:"Suspicious User-Agent (Trojan.Hijack.IrcBot.457 ⤦ related)"; flow:established,to_server; content:"|0d 0a| ⤦ User-Agent\: Mozilla/1.0 (compatible\; MSIE 8.0\;"; ⤦ classtype:trojan-activity; sid:2008913; rev:4;) Checks for HTTP traffic with suspicious user agent string alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"HELO ⤦ Non-Displayable Characters"; flow:established,to_server; ⤦ content:"HELO "; nocase; depth:60; pcre:"/ˆ[ˆ\n]*[\x00- ⤦ \x08\x0e-\x1f]/R"; reference:cve,2006-3277; sid:2098; rev:7;) Search for non-displayable bytes in HELO line TCPdump & Snort Thomas Fischer February 3, 2010 Page 32
Examples II alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ⤦ (msg:"SQL Injection Attempt"; flow:established,to_server; ⤦ uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; ⤦ uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; ⤦ classtype:web-application-attack; reference:cve,CVE-2007-2803; ⤦ sid:20996; rev:5;) Checks for access to web servers querying for an ASP page containing a SQL statement with ‘DELETE’ (simple rules like ‘flow’ first, complex like ‘pcre’ last) TCPdump & Snort Thomas Fischer February 3, 2010 Page 33
Page 1 and 2: TCPdump & Snort Intrusion Detection
Page 3 and 4: Starting with TCPdump TCPdump is a
Page 5 and 6: Wireshark Previously know as Ethere
Page 7 and 8: Writing TCPdump Filters II Bitmask
Page 9 and 10: About Snort Network Intrusion Detec
Page 11 and 12: Configuring Snort Central configura
Page 13 and 14: Preprocessors II Stream5 tracks ses
Page 15 and 16: Snort Rules I General syntax of rul
Page 17 and 18: Internal Rule Options msg: "some lo
Page 19 and 20: Rule Options for Payload II Modifie
Page 21 and 22: Rule Options for Non-Payload I frag
Page 23 and 24: Rule Options after Detection I logt
Page 25 and 26: Tips for Writing Rules Rules should
Page 27 and 28: Output II Logging to Unix socket ou
Page 29 and 30: Inline Mode with IPtables Inline Mo
Page 31 and 32: Visual Examples FTP security proble
Page 37 and 38: Visual Example: Byte Jump content:"
Page 45: Visual Example: Byte Jump content:"
Page 49 and 50: Examples IV alert tcp $EXTERNAL_NET

TCPdump & Snort - Intrusion Detection Systems

Create successful ePaper yourself

Delete template?

Save as template?