Snort Deployment for NIDS (final)
180 Questions
Questions and Answers

What is a limitation of Snort with regard to encrypted traffic?

  • It can check for intrusion by checking SSL Proxies
  • It cannot check for intrusion (correct)
  • It cannot detect SSL Proxies
  • It can decrypt encrypted traffic

What is the name of the program that can connect Snort to a database?

  • SnortDB
  • SensorConnect
  • Barnyard2 (correct)
  • Barnyard

Why might someone choose to use a Linux-based operating system for their Snort sensor?

  • Because Snort is only available on Linux
  • Because Linux is more user-friendly than Windows
  • Because Linux is more secure than Windows
  • Because the Windows version of Snort is no longer supported (correct)

What is an important consideration when choosing the base operating system for a Snort sensor?

    Supportability

    What is one way to ensure the security of a Snort sensor?

    Disable unnecessary services

    What is the purpose of Interface Pairing and SPAN in a Snort sensor?

    To facilitate monitoring and detection

    What is a limitation of using open-source software like Snort?

    Limited documentation and community support

    What is the primary function of a NIDS like Snort?

    To detect and alert on potential intrusions

    Why is it recommended to not place a NIDS inline with network connections?

    To prevent loss of network speed

    What is a Snort Sensor?

    A NIDS placed in a network topology

    Why is it important to prioritize which systems to watch with a NIDS?

    Because it's impossible to watch all systems and connections

    What is the purpose of a SPAN port on Cisco hardware?

    To output all information on a single port

    What is a limitation of using modern switches with a NIDS?

    They do not allow promiscuous mode by default

    Why is it recommended to use a hub to create a listening point in a network?

    It allows promiscuous mode

    What is the benefit of using Cisco hardware with Snort?

    Snort is built into many Cisco devices, making it easier to set up a Snort sensor

    What is the purpose of manual user intervention in a NIDS like Snort?

    To stop an intrusion from continuing

    What is a crucial step in deploying Snort effectively?

    Creating rules for Snort to function properly

    Why is Snort not a plug and watch solution?

    Because it requires constant monitoring and troubleshooting

    What is the primary purpose of a NIDS like Snort?

    To detect and respond to threats

    Why is it important to have a plan in place when using a NIDS like Snort?

    To respond appropriately to identified attacks

    What should Snort be used in conjunction with?

    Other security systems

    What is a limitation of Snort?

    It does not provide comprehensive security

    Why are there commented out rules in the community rules?

    Because they are not commonly needed rules and can be skipped.

    What is the purpose of community rules?

    To provide alerting for common exploits that exist in networks.

    Why are not all active rules needed?

    Because the rules that are active by default are the suggested rules to run on what is considered to be the most common network structure.

    What is the purpose of commenting out rules in community rules?

    To leave them in the community rules in case the cyber security professional needs to use those rules.

    What should you do before implementing community rules?

    Read the messages to get a better understanding of the purpose of the rule.

    Why are some rules not commonly used?

    Because they are not needed for most networks.

    What is the purpose of the Attack-response.rules set?

    To detect when a host is sending known responses to a successful attack

    Where can you download rules from the Snort.org Rule set?

    https://www.snort.org/downloads/#rule-downloads

    What is the purpose of the Ddos.rules set?

    To alert on traffic known for use in distributed denial of service attacks

    What is the purpose of the Experimental.rules set?

    To include new types of rules

    What command is used to extract the rules from the Snort.org Rule set?

    tar -xf

    What is the purpose of the Deleted.rules set?

    To store old rules

    What is the purpose of the icmp-info.rules file?

    Used when troubleshooting ICMP issues

    Which of the following rule categories is disabled by default and used to detect traffic sent from peer to peer services?

    p2p.rules

    What is the minimum requirement for a Snort rule?

    The sid option

    What is the purpose of the info.rules file?

    Alerting on normal traffic found on a healthy, secure network

    What is the purpose of the rpc.rules file?

    Alerting on known attacks against RPC services

    What is the purpose of the local.rules file?

    Holding all custom rules created

    What is the purpose of the web-iis.rules file?

    Alerting on known attacks against Microsoft Internet Information Server services

    What is the purpose of the imap.rules file?

    Alerting on known attacks against IMAP email services

    What is the purpose of the misc.rules file?

    Holding rules that are not included in other categories

    What is the purpose of the smtp.rules file?

    Alerting on known attacks against SMTP mail services

    What is the purpose of the Backdoor.rules set?

    To detect traffic generated by a backdoor network connection

    What is the purpose of the Bad-traffic.rules set?

    To watch for illegal packet header settings

    What is the purpose of the Dns.rules set?

    To alert on attacks against DNS services

    What is the purpose of the Experimental.rules set?

    This is where new types of rules are included

    What is the main purpose of the icmp-info.rules file?

    To troubleshoot ICMP issues

    What is the minimum requirement for a Snort rule?

    The 'sid' option only

    What does the 'Activate' rule action do?

    Alerts, then activates a dynamic rule

    What is the purpose of the p2p.rules file?

    To detect traffic sent from peer-to-peer services

    What is the purpose of the oracle.rules file?

    To detect known attacks against Oracle database servers

    What does the 'Pass' rule action do?

    Ignores or drops the packet

    What is the purpose of the web-misc.rules file?

    To detect known attacks against common web attacks

    What is the purpose of the rpc.rules file?

    To detect known attacks against RPC services

    What is the purpose of the sql.rules file?

    To detect known attacks against MSSQL database servers

    What is the purpose of the local.rules file?

    To hold all custom rules created

    What is the first step in writing your first Snort rule?

    Navigate to the /etc/snort/rules folder

    What is the purpose of the rule 'alert icmp any any any (msg:"ICMP detected";sid: 10001)'?

    To detect ping requests

    How do you test your Snort rule after creating it?

    By sending 5 packets to google.com using the ping command

    What command is used to start Snort in console mode?

    sudo snort -A console -c snort.conf

    What do you need to do to the community.rules file in snort.conf?

    Comment it out

    What is the minimum requirement for a Snort rule?

    An action and a protocol

    What is the purpose of the provided Python script?

    To test and validate TCP and UDP rules

    What command can be used to verify the Python version?

    python --version

    How many values are required to run a TCP packet test using the Python script?

    2

    What is the recommended Python version to use with the script?

    2.7.5

    How do you start the Python script?

    By running python checkrule.py

    What type of protocol transactions can the Python script generate?

    Both TCP and UDP

    What type of IP should be entered for IP/URL in a TCP call?

    IPv4

    What happens if no open port is found at the entered IP/URL?

    The program will time out after 1 minute

    What is the purpose of running checkrule.py?

    To test each rule individually

    How many values need to be entered for a UDP packet call test?

    3

    What is the consequence of not testing each rule individually?

    You may be testing the wrong rule

    What is not required to be entered in the URL for a TCP call?

    HTTP or HTTPS

    What is the primary purpose of checking the flag in a TCP rule?

    To filter the rule to only capture packets that are ACK

    What is the result of not specifying the flag in a TCP rule?

    The rule will alert or log every transaction between the source and host

    What type of communication is captured by a basic TCP rule without a filter?

    Any communication that is sent or received via the TCP protocol

    Why are the rules being written against outgoing packets?

    To test the rule against outgoing packets, so you don't have to configure an additional Virtual Machine (VM) to test your rules

    What is the purpose of a TCP rule?

    To alert or log connection-oriented communications between a source and destination

    How many transactions occurred in the example of the TCP rule without a filter?

    Seven transactions

    What is the purpose of applying a filter to a TCP rule?

    To eliminate false positives and reduce the number of alerts

    What is the main difference between a UDP rule and a TCP rule?

    UDP rules are connection-less protocols, unlike TCP rules

    What is the purpose of the 'content' option in a UDP rule?

    To filter out specific UDP transactions based on content

    What is the purpose of the 'revision' option in a rule?

    To mark the version of the rule

    What is the purpose of the 'nocase' option in a rule?

    To make the uricontent and content options case-insensitive

    What is the purpose of the 'session' option in a rule?

    To capture TCP session information

    What is the purpose of the 'stateless' option in a rule?

    To send an alert once the TCP session is completed

    What is the result of applying a filter to a TCP rule?

    Fewer alerts are generated

    What is the benefit of using options in a rule?

    To eliminate false positives and reduce the number of alerts

    What is the purpose of creating a basic TCP rule with an applied filter?

    To eliminate false positives and reduce the number of alerts

    What is the primary function of Session Interception in an Intrusion Prevention System (IPS)?

    Terminating TCP connections by sending a reset packet

    What is the risk associated with IPS identification?

    Exploit beating the attempted block

    What is the purpose of the flexresp plugin in Snort?

    To allow Snort to act as a session interception IPS

    What is the primary function of Gateway Intrusion Detection in Snort?

    Blocking hostile traffic using Snort Inline

    What is the risk associated with altering access lists in Snort?

    Self-inflicted Denial of Service

    What is the primary function of SnortSAM in Snort?

    Sending messages to routers' access lists

    What is the purpose of the 'react' response rule option?

    To block access to the session if the rule is triggered

    What is the function of the 'replace' rule option in Snort Inline?

    To change the content of the packet to allow the packet to be sent without affecting the content in an adverse way

    What is the function of SnortSAM?

    To provide an IPS-like action for Snort

    What is the function of the 'sdrop' action in Snort Inline?

    To drop the packet without generating an alert

    What is the purpose of the 'flexresp' plugin?

    To send reset packets to the sender or recipient

    What is the difference between the 'drop' and 'sdrop' actions in Snort Inline?

    The 'drop' action generates an alert while the 'sdrop' action does not

    What is a limitation of SnortSAM?

    It is not widely used

    What is the purpose of the 'rst_snd' keyword in the 'flexresp' plugin?

    To send a reset packet to the sender

    What is the purpose of Snort Inline?

    To add new functionality to Snort

    What is the requirement to enable flex response?

    Compile Snort from source

    What is the primary function of Session Interception in an IPS?

    Terminating TCP connections by sending a reset packet

    What can happen when Snort detects an attack and ends the TCP connection using RST?

    Session Interception IPS identification

    What is the primary function of SnortSAM in Snort?

    To send messages to routers' access lists to prevent hostile traffic

    What can happen during the lag between the detect and the attack when SnortSAM is used?

    Exploit beating the attempted block

    What is the purpose of the 'resp' rule option?

    To send a reset packet to the sender or recipient

    Which of the following plugins require changes to the Snort configuration?

    Flex response, Snort Inline, and SnortSAM

    What is the purpose of the 'react' rule option?

    To send a message back to the browser or to send a warning to the client browser

    What is the purpose of the 'replace' rule option in Snort Inline?

    To change the content of the packet to allow it to be sent without affecting the content

    What is the purpose of SnortSAM?

    To provide an IPS-like action for Snort

    What is the difference between the 'drop' and 'sdrop' actions in Snort Inline?

    The 'drop' action generates an alert, while the 'sdrop' action does not

    What is required to enable flex response?

    Building Snort from source with the flexresp plugin

    What is the limitation of using SnortSAM?

    It requires running another program on top of Snort

    What is the purpose of the 'proxy' keyword in the react option?

    To indicate the proxy port if the system runs on a proxy

    What is the requirement for using the react option?

    Using the react option only with TCP protocol rules

    What is the purpose of the react rule option in Snort?

    To block the TCP session

    What happens when the content of a TCP packet matches the 'verybadthings' pattern in the Snort rule?

    The packet is blocked and the session is terminated

    What is required to test the Snort rule with the react option?

    A TCP transmission with a message that contains 'verybadthings'

    What is the purpose of the modified checkrule.py script?

    To add a message to TCP packets

    What is the purpose of the sid field in the Snort rule?

    To identify the rule in the Snort database

    What is the result of adding the rule to the local.rules file?

    The rule is applied to the TCP packets in real time

    What is a false positive indicator?

    When a rule generates an unexpected alert or more alerts than expected

    Why might you need to tune your IDS?

    To alert and log more information than needed

    What is a potential cause of a false negative?

    All of the above

    What is the purpose of the flow preprocessor?

    To monitor port scans

    What should you do when verifying a rule that generates an unexpected alert?

    Verify the rule and any equipment that is part of the rule

    What is the purpose of uncommenting the decoder configurations?

    To tailor decoders and preprocessors

    What should you do with rule sets that are not needed?

    Comment them out

    What is the problem with using pass rules?

    They can make it difficult to detect attacks

    What is the purpose of the http_inspector preprocessor?

    To troubleshoot and find false positives

    What is the advantage of suppression rules over thresholding rules?

    Suppression rules are more flexible

    What should you do with individual rules in a rule set that do not cover operations in your system?

    Comment them out

    What is the purpose of setting the reassemble to 'noalerts'?

    To prevent false positives

    What is the term for when a rule generates an unexpected alert or more alerts than expected?

    False Positive

    Why is it necessary to tune your IDS?

    To reduce the number of false positives

    What is the primary function of the flow preprocessor?

    To detect port scans

    What can be disabled if monitoring portscans is not important to your system?

    Flow preprocessor

    What is the purpose of uncommenting decoder configurations?

    To tailor decoders and preprocessors

    What is the purpose of tailoring decoders and preprocessors in Snort?

    To reduce false positives

    Why should you disable the flow-portscan preprocessor if not tracking portscans?

    To prevent unnecessary alerts

    What is the problem with using pass rules in Snort?

    They make it nearly impossible to detect attacks

    What is the advantage of suppression rules over thresholding rules?

    They are more flexible

    Why should you comment out individual rules in a rule set that do not cover operations in your system?

    To reduce false positives

    What is the purpose of setting the reassemble to 'noalerts' in Snort?

    To disable alerts for non-security-related issues

    What should you do when performing tuning?

    Use the no_alerts option to remove unnecessary data

    What is the purpose of tailoring the rule set?

    To uncomment/comment out rules that are needed or not needed in your Snort configuration

    Why should you avoid using pass rules?

    Because they are not specific enough to handle exceptions to rules

    What should you consider when tuning individual rules?

    Making rules as specific as possible

    What is the purpose of tuning individual rules?

    To avoid false positives

    Why should decoder configurations be commented out when developing rules?

    To verify that rules are still sending alerts

    What should you do with rules that are not specific enough?

    Use thresholding to limit the number of alerts produced

    What is the purpose of the flow preprocessor?

    To provide service to the flow-portscan preprocessor

    When can the frag3 preprocessor be disabled?

    If your Snort sensor is behind a firewall or router that does fragment reassembly

    What information does the http_inspector preprocessor provide?

    Valuable information that can generate a lot of data

    What is the benefit of making a backup of your snort.conf file?

    To ensure that changes can be reversed if needed

    Why should changes to the snort.conf file be made one at a time?

    To test the configuration before making additional changes

    What is the purpose of commenting out the decoder configurations?

    To disable alerts on certain rules

    When can the frag3 preprocessor be disabled?

    When a firewall or router does fragment reassembly

    What happens when the decoder configurations are uncommented?

    Alerts on certain rules are disabled

    Why is it recommended to make changes to the snort.conf file one at a time?

    To test the configuration before making additional changes

    What is the purpose of using the no_alerts option when performing tuning?

    To remove noise data that provides no benefit

    What should you do with rules that are not common services run on a network?

    Comment them out

    What is the purpose of pass rules?

    To remove false positives

    What is a recommended approach when a rule cannot be specific enough?

    Using thresholding

    Why is it recommended to avoid using pass rules?

    Because they should be replaced by thresholding

    What is the purpose of tuning individual rules?

    To make rules more specific to avoid false positives

    Study Notes

    Snort Tuning and Thresholding

    • False Positives: unexpected alerts, or more alerts than expected; verify the rule to make sure the alert is not a real intrusion attempt.
    • False Negatives: undetected intrusions, caused by traffic encryption, network configuration problems, zero-day attacks, faulty signatures, poor change management, and Snort sensor administration problems.

    Initial Configuration and Tuning

    • Decoders and Preprocessors:
      • Uncomment decoder configurations
      • Disable unnecessary preprocessors (e.g., flow, frag, stream) based on system requirements
      • Set reassemble to "noalerts" for the stream preprocessor
    • Tailoring Decoders and Preprocessors:
      • http_inspector preprocessor: set with no_alerts when not used for troubleshooting
      • flow-portscan preprocessor: disable if not tracking portscans
    • Tailoring the Rule Set:
      • Comment out unnecessary rule sets and individual rules
      • Restrict rule sets to only the web technology and database used in the system

    Thresholding and Suppression

    • Threshold Rules:
      • Limit: alert only on the first X events in the time period
      • Threshold: alert every X events
      • Both: alert once per time period, once X events have been seen
    • Global Thresholds: use sig_id set to 0, meaning the threshold applies to all rules
    • Suppression Rules: similar to threshold rules; can suppress by signature, by source or destination address, or by CIDR network block
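The three threshold types, the global sig_id 0 filter and suppression by signature or CIDR block, modelled in Python as an added example (illustrative code written for this page, not Snort's own implementation; the alert stream, sid 10002, the addresses and the count/seconds values are constructed):

```python
"""Model of Snort's event-filter semantics (illustrative code written for this
page, not Snort's own implementation).

The Snort 2.x configuration lines being modelled look like:
    event_filter gen_id 1, sig_id 10001, type limit, track by_src, count 2, seconds 20
    suppress     gen_id 1, sig_id 10002, track by_src, ip 10.1.1.0/24
A sig_id of 0 in a threshold makes it global: it applies to every rule that has
no filter of its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Threshold:
    sig_id: int      # 0 = global filter
    kind: str        # "limit", "threshold" or "both"
    track: str       # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass
class Suppress:
    sig_id: int
    track: Optional[str] = None    # None = suppress this signature everywhere
    network: Optional[str] = None  # IP or CIDR block, used only when track is set


@dataclass
class Alert:
    ts: float        # timestamp in seconds
    sig_id: int
    src: str
    dst: str


class EventFilter:
    def __init__(self, thresholds: List[Threshold], suppressions: List[Suppress]):
        self.thresholds = {t.sig_id: t for t in thresholds}
        self.suppressions = suppressions
        # Per (sig_id, tracked address): start of the current window and the
        # number of events seen in it.
        self.state: Dict[Tuple[int, str], Tuple[float, int]] = {}

    def _suppressed(self, a: Alert) -> bool:
        for s in self.suppressions:
            if s.sig_id != a.sig_id:
                continue
            if s.track is None:
                return True
            addr = a.src if s.track == "by_src" else a.dst
            if ip_address(addr) in ip_network(s.network, strict=False):
                return True
        return False

    def passes(self, a: Alert) -> bool:
        """True if the alert survives suppression and thresholding."""
        if self._suppressed(a):
            return False
        t = self.thresholds.get(a.sig_id) or self.thresholds.get(0)
        if t is None:
            return True
        key = (a.sig_id, a.src if t.track == "by_src" else a.dst)
        start, n = self.state.get(key, (a.ts, 0))
        if a.ts - start >= t.seconds:   # window expired: start a fresh one
            start, n = a.ts, 0
        n += 1
        self.state[key] = (start, n)
        if t.kind == "limit":           # only the first `count` events per window
            return n <= t.count
        if t.kind == "threshold":       # every `count`-th event
            return n % t.count == 0
        if t.kind == "both":            # once per window, after `count` events
            return n == t.count
        raise ValueError(f"unknown threshold type {t.kind!r}")

    def run(self, alerts: List[Alert]) -> List[Alert]:
        return [a for a in alerts if self.passes(a)]


def demo() -> Dict[str, int]:
    """Constructed stream: ten sid 10001 alerts from one host, one every 5 s,
    plus three sid 10002 alerts from a host in a suppressed lab subnet.
    Returns how many alerts each threshold type lets through."""
    alerts = [Alert(i * 5.0, 10001, "192.0.2.10", "198.51.100.1") for i in range(10)]
    alerts += [Alert(3.0 + i, 10002, "10.1.1.54", "198.51.100.1") for i in range(3)]
    results = {}
    for kind in ("limit", "threshold", "both"):
        f = EventFilter(
            thresholds=[Threshold(10001, kind, "by_src", count=2, seconds=20)],
            suppressions=[Suppress(10002, "by_src", "10.1.1.0/24")],
        )
        results[kind] = len(f.run(alerts))
    return results  # {'limit': 6, 'threshold': 5, 'both': 3}
```

With a 20-second window and count 2, the same ten alerts become 6, 5 or 3 alerts depending on the type, and the suppressed subnet contributes none.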

    Using Snort as an IPS

    • React Rule Option: used to block TCP sessions, e.g., blocking TCP packets containing "verybadthings"

    Snort Limitations and Considerations

    • Open Source: may have limited documentation and require troubleshooting
    • Configuration: only the first step; manual user intervention and a plan to stop intrusions are still required
    • NIDS: one layer in network security; use it in conjunction with other layers (IPS, firewall, VPN)
    • Initial Configuration: essential to success; consider the systems, topology, and network environment
    • Sensor Placement: prioritize the systems to watch, use natural bottlenecks, and enable port mirroring or use a hub

    Deploying Snort

    • Important Key Points:
      • Snort is not a plug-and-watch solution
      • Understand what protections Snort provides and how it affects network and defense systems
      • Snort can't check encrypted traffic, but can check SSL proxies
    • Securing the Sensor: harden the sensor, disable unnecessary services, apply patches and updates, and use robust authentication
    • Connecting Sensors: connect Snort to a database to save alerts and tie them to a sensor

    Snort Rules

    • Snort rules are used to detect and alert on various types of network traffic
    • There are different types of rule sets available, including:
      • Exploit rules: detect known exploits
      • Finger rules: detect known types of finger attacks
      • FTP rules: detect known file transfer protocol attacks
      • ICMP-info rules: detect ICMP issues (not enabled by default)
      • IMAP rules: detect attacks against IMAP email services
      • Info rules: detect normal traffic on a healthy, secure network (not enabled by default)
      • Local rules: holds all custom rules created
      • Misc rules: holds rules that are not included in other categories
      • Multimedia rules: detect multimedia that is against company policy (not enabled by default)
      • MySQL rules: detect attacks against MySQL servers
      • Netbios rules: detect attacks against Windows systems using the NetBIOS protocol
      • NNTP rules: detect attacks against the Network Time Protocol
      • Oracle rules: detect attacks against Oracle database servers
      • Other-IDS rules: detect traffic from other IDS services
      • P2P rules: detect traffic sent from peer-to-peer services (disabled by default)
      • Policy rules: detect traffic sent from security policy violating services (disabled by default)
      • Pop2 rules: detect attacks against POP2 email services
      • Pop3 rules: detect attacks against POP3 email services
      • Porn rules: detect a variety of off-color packets (disabled by default)
      • RPC rules: detect attacks against remote procedure call (RPC) services
      • Rservices rules: detect attacks against remote services (rsh, rlogin, rexec)
      • Scan rules: detect attacks against a variety of network and service scans
      • Shellcode rules: detect shell code in packet payloads (disabled by default)
      • SMTP rules: detect attacks against SMTP mail services
      • SQL rules: detect attacks against MSSQL Database servers
      • Telnet rules: detect attacks against telnet services
      • TFTP rules: detect attacks against TFTP Services
      • Virus rules: detect viruses (disabled by default, not used or maintained)
      • Web-attack rules: detect web attacks (disabled by default, not used or maintained)
      • Web-cgi rules: detect attacks against Common Gateway Interface (CGI) services
      • Web-client rules: detect attacks against web client software, mainly Microsoft Outlook
      • Web-coldfusion rules: detect attacks against ColdFusion web application services
      • Web-frontpage rules: detect attacks against Microsoft FrontPage web authoring services
      • Web-iis rules: detect attacks against Microsoft Internet Information Server (IIS) web services
      • Web-misc rules: detect common web attacks not covered by the other web categories
      • Web-php rules: detect attacks against webservers running PHP application services
      • X11 rules: detect attacks against remote X Window System services

    Creating Your Own Rules

    • To create your own rule, add it to a rules file that snort.conf includes; local.rules is the one reserved for custom rules, so vendor rule updates do not overwrite it
    • The syntax for creating a rule includes:
      • "sid" option: the Snort rule ID; custom rules use sid values of 1000000 and above, lower values are reserved for the official rule sets
      • "msg" option: a unique message describing what the rule has detected
    • Rule actions:
      • Alert: alerts and logs the packet when triggered
      • Log: only logs the packet when triggered
      • Pass: ignores the packet (it is neither logged nor dropped)
      • Activate: alerts and then activates a dynamic rule/rules
      • Dynamic: ignores until started by an activate rule, then acts as a log rule
    • Rule protocols:
      • TCP
      • UDP
      • IP
      • ICMP
      • Possible protocols in the future: ARP, IGRP, GRE, OSPF, RIP

    Testing Your Rule

    • To test your rule, you need to:
      • Configure your VM with a NAT network setup
      • Start Snort on your VM with alerts printed to the console: sudo snort -A console -c snort.conf (add -i <interface> if Snort should listen on an interface other than the default)
      • Open another terminal window and send a ping to the monitored host to trigger the rule
      • Verify that the rule worked by checking the console in the first window for the alert line carrying your sid
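    The two sections above, as an added example that is not part of the original lesson: a minimal local.rules with one ICMP rule written to the conventions described (custom sid range, msg, rev). The file path, the sid value and the $HOME_NET variable are assumptions taken from a default snort.conf layout.

```snort
# /etc/snort/rules/local.rules  (added example; path is an assumption)
# Custom rules live here, not in the vendor rule packs, so rule updates do
# not overwrite them. snort.conf must contain:  include $RULE_PATH/local.rules

# sid 1000001 is in the range reserved for local rules (>= 1000000).
# rev is bumped every time the rule body changes so old alerts stay traceable.
# itype:8 restricts the match to ICMP echo requests, so the echo reply that
# follows a ping does not produce a second alert.
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request to monitored host"; itype:8; sid:1000001; rev:1;)
```

    Before starting the sensor, check the configuration parses with sudo snort -T -c /etc/snort/snort.conf; a typo in a rule option aborts startup with the offending line number. Then run sudo snort -A console -q -c /etc/snort/snort.conf -i eth0 (interface name assumed), ping the monitored host from a second terminal, and look for a console line of the form [1:1000001:1] followed by the msg text. The bracketed numbers are generator ID, sid and rev, which is how you confirm that your rule, not a bundled one, fired.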

    Snort Rule Syntax

    • Every rule requires at a minimum the "sid" option; Snort refuses to load a rule without one
    • It is also good practice to include a unique message describing what the rule has detected, the "msg" option
    • When a rule matches, the msg text is written out with the alert or log entry

    TCP Rules

    • TCP rules can alert or log connection-oriented communications between a source and destination
    • You can check the flag that is being sent with the packet
    • Checking the flag is optional, but without a flags option the rule matches every segment exchanged between source and destination, not just the connection attempt

    UDP Rules

    • UDP rules can alert or log connectionless communications between a source and destination
    • You can specify the content of the packet to filter out false positives
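    The TCP and UDP rule forms described above, as an added example that is not part of the original lesson. The sid values and the $HOME_NET / $EXTERNAL_NET variables are assumptions; the TFTP opcode and telnet port are protocol facts.

```snort
# Added example rules (not from the lesson). Append to local.rules.

# TCP with a flag check: fire only on the SYN of a telnet connection attempt.
# Without flags:S this rule would fire on every segment of the session, so a
# single login would produce dozens of alerts instead of one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet connection attempt"; flags:S; sid:1000002; rev:1;)

# UDP with a content check: TFTP read request. Opcode 0x0001 in the first two
# bytes identifies an RRQ; depth:2 anchors the match to the start of the
# payload so the same bytes later in the packet cannot trigger it.
alert udp any any -> $HOME_NET 69 (msg:"LOCAL TFTP read request"; content:"|00 01|"; depth:2; sid:1000003; rev:1;)

# Two content matches narrow the rule further: an RRQ whose requested file
# name contains "passwd" in any letter case (nocase applies to the preceding
# content only).
alert udp any any -> $HOME_NET 69 (msg:"LOCAL TFTP request for passwd file"; content:"|00 01|"; depth:2; content:"passwd"; nocase; sid:1000004; rev:2;)

# log action with session capture: records the printable bytes of telnet
# sessions. This stores cleartext credentials on the sensor and costs CPU,
# so keep it to a lab or a targeted investigation.
log tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet session capture"; session:printable; sid:1000005; rev:1;)
```

    The rev on sid 1000004 is already 2 because the rule was narrowed after an initial version; bump rev whenever the body changes so that alerts logged under the old version stay distinguishable in the database.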

    Non-Filtering Rule Options

    • Revision (rev): marks the version of the rule; increment it whenever the rule body changes
    • Nocase: removes case sensitivity for the preceding content or uricontent option
    • Session: captures the TCP session payload (for example session:printable for telnet or FTP logins); it is costly and records cleartext data, so use it selectively
    • Stateless: lets the rule fire on a packet regardless of the TCP session state tracked by the stream preprocessor (written as flow:stateless in current rule syntax)

    Flex Response
    • Flex Response is a plugin that allows Snort to act as a session interception IPS
    • Requires building Snort from source with the flexresp plugin
    • Allows Snort to send a reset packet to the sender, recipient, or both parties
    • Keywords: rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all

    React Response

    • The React response option is useful when blocking attacks that use the TCP session
    • Does not require compiling Snort from source
    • Only works on TCP protocol rules
    • Keywords: block, warn, msg, proxy

    Snort Inline and SnortSAM

    • Snort Inline adds new functionality to Snort, including two new actions and a new rule option
    • The two new actions are drop and sdrop, which allow Snort to drop offending packets
    • The new rule option is replace, which allows Snort to change the content of a packet
    • SnortSAM is a program that runs alongside Snort to provide IPS-like actions
    • SnortSAM requires patching Snort to provide a different output module
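    The Flex Response, React and Snort Inline keywords from the three sections above in rule form, as an added example that is not part of the original lesson. Each action only takes effect in the matching build or run mode, noted in the comments; the sids, the hostname in the Host header and the $HTTP_PORTS variable are assumptions.

```snort
# Added example rules (not from the lesson). Each needs the stated build/mode.

# Flexible Response: reset both ends of the connection. resp is only accepted
# by a Snort built with flexresp support; other builds reject the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet reset by sensor"; flags:S; resp:rst_all; sid:1000010; rev:1;)

# React: TCP rules only. block closes the session; msg sends the rule's msg
# text back to the client as the response body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL policy: site blocked"; content:"Host|3A| example.invalid"; nocase; react:block,msg; sid:1000011; rev:1;)

# Snort Inline (inline/IPS mode, traffic passed through the sensor):
# drop logs and discards the packet, sdrop discards it silently,
# replace rewrites bytes in place (the replacement must be exactly as long
# as the matched content, here 9 bytes for 9 bytes).
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet dropped inline"; flags:S; sid:1000012; rev:1;)
sdrop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet silently dropped"; flags:R; sid:1000013; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL ftp root login rewritten"; content:"USER root"; replace:"USER xxxx"; sid:1000014; rev:1;)
```

    Every rule above is a candidate for the risks listed under Intrusion Prevention Strategies: resp and react only race the exploit, so a payload delivered in the first segment is already through when the reset arrives, and a drop rule with a loose source or content match blocks legitimate traffic as readily as the attack. Test each on a SPAN copy as an alert rule first and only promote it to an active response once its false-positive rate is known.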

    Intrusion Prevention Strategies

    • Host-based memory and process protection
    • Session Interception
    • Gateway intrusion detection
    • Intrusion Prevention Risks:
      • An attacker can fingerprint a session-interception IPS from the resets it sends
      • A fast exploit can complete before the attempted block arrives
      • An over-broad rule turns the IPS into a self-inflicted denial of service

    Tuning Snort

    • Tailor the decoder and preprocessors to the traffic actually seen on the monitored segment
    • Use the no_alerts option on preprocessors whose own events are not wanted, so they keep normalising traffic without adding noise
    • Tune individual rules to be as specific as possible
    • Use thresholding to limit the number of alerts a single rule produces
    • Pass rules remove false positives by silencing a match entirely, so prefer thresholding or suppression and reserve pass rules for cases those cannot handle

    Decoder Configurations

    • There are six decoder configurations in the snort.conf file
    • Each one disables a class of decoder alerts (general decode, TCP option and IP option anomalies) rather than individual rules
    • They should stay commented out while developing rules, and every one that is active should be a deliberate, verified choice
    • Located under step 2 of the snort.conf file

    Preprocessors

    • Flow preprocessor provides flow tracking to the flow-portscan preprocessor
    • frag3 preprocessor performs IP fragment reassembly so rules see whole datagrams
    • http_inspect preprocessor provides valuable normalisation of HTTP traffic, but its own alerts can generate a lot of noise
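    The Tuning Snort, Decoder Configurations and Preprocessors sections above as one snort.conf fragment, added here as an example that is not part of the original lesson. The six decoder switches and the preprocessor names are the ones in a default Snort 2 snort.conf; the ports, the 10.0.0.5 scanner address and the sids being filtered are assumptions.

```snort
# Added example snort.conf fragment (not from the lesson).

# Step 2, decoder: the six alert switches. Left commented out while rules are
# being developed so decoder events remain visible; uncomment one only after
# confirming the events it hides are noise on this segment.
# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts

# Preprocessors: frag3 reassembles fragments before rules run; the policy
# should match the OS of the hosts being protected, since evasion depends on
# how the target reassembles overlaps. http_inspect_server normalises HTTP,
# and no_alerts keeps that normalisation while silencing its own events.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux detect_anomalies
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 } no_alerts

# Thresholding instead of pass rules. The rule still fires, but a noisy source
# produces at most one alert per minute for the telnet SYN rule (sid 1000002).
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60

# Suppression is scoped: this hides sid 1000002 for one known scanner only,
# every other rule still sees 10.0.0.5.
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.0.0.5

# Last resort: a pass rule discards the match for good. Whether it wins over an
# alert rule for the same packet depends on the configured rule order, so
# check the order setting for the build in use before relying on it.
pass tcp 10.0.0.5 any -> $HOME_NET 23 (msg:"LOCAL known scanner, ignored"; flags:S; sid:1000020; rev:1;)
```

    After each change rerun snort -T -c snort.conf to catch syntax errors, then replay a capture with the same traffic that produced the noise and compare alert counts before and after; a tuning change that silences a rule completely, rather than bounding it, is a sign that a suppress or pass entry is broader than intended.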


    Description

    Learn how to effectively deploy Snort as a Network Intrusion Detection System (NIDS) and configure the snort.conf file to ensure optimal performance. Understand the essential components required for successful Snort deployment. Quiz yourself on Snort setup and configuration.
