The ip part shows that this rule will be applied on all IP packets The first

The ip part shows that this rule will be applied on

This preview shows page 3 - 6 out of 55 pages.

• The “ip” part shows that this rule will be applied on all IP packets. • The first “any” is used for source IP address and shows that the rule will be applied to all packets. • The second “any” is used for the port number. Since port numbers are irrelevant at the IP layer, the rule will be applied to all packets. • The -> sign shows the direction of the packet. • The third “any” is used for destination IP address and shows that the rule will be applied to all packets irrespective of destination IP address. • The fourth “any” is used for destination port. Again it is irrelevant because this rule is for IP packets and port numbers are irrelevant.
Image of page 3
78 Chapter 3 Working with Snort Rules • The last part is the rule options and contains a message that will be logged along with the alert. The next rule isn’t quite as bad. It generates alerts for all captured ICMP packets. Again, this rule is useful to find out if Snort is working. alert icmp any any -> any any (msg: "ICMP Packet found";) If you want to test the Snort machine, send a ping packet (which is basically ICMP ECHO REQUEST packet on UNIX machines). Again, you can use this rule when you install Snort to make sure that it is working well. As an example, send an ICMP packet to your gateway address or some other host on the network using the following command: ping 192.168.2.1 Note that 192.168.2.1 is the IP address of gateway/router or some other host on the same network where the Snort machine is present. This command should be exe- cuted on the machine where you installed Snort. The command can be used both on UNIX and Microsoft Windows machines. T I P I use a slightly modified version of this rule to continuously monitor multiple Snort sensors just to make sure everybody is up and running. This rule is as follows: alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";) My Snort sensor IP address is 192.168.1.4 and gateway address is 192.168.1.1. I run the following command through cron daemon on the Linux machine to trigger this rule every 10 minutes. ping -n 1 192.168.1.1 The command sends exactly one ICMP packet to the gateway machine. This packet causes an alert entry to be created. If there is no alert every 10 minutes, there is something wrong with the sensor. 3.3 CIDR Classless Inter-Domain Routing or CIDR is defined in RFC 1519. It was intended to make better use of available Internet addresses by eliminating different classes (like class A and class B). With the CIDR, you can define any number of bits in the netmask field, which was not possible with class-based networking where the number of bits was fixed. Using CIDR, network addresses are written using the number of bits in the netmask at the end of the IP address. For example, 192.168.1.0/24 defines a network with network address 192.168.1.0 with 24 bits in the netmask. A netmask with 24 bits is
Image of page 4
Structure of a Rule 79 equal to 255.255.255.0. An individual host can be written using all of the netmask bits, i.e., 32. The following rule shows that only those packets that go to a single host with IP address192.168.2.113 will generate an alert: alert icmp any any -> 192.168.1.113/32 any \
Image of page 5
Image of page 6

You've reached the end of your free preview.

Want to read all 55 pages?

  • Left Quote Icon

    Student Picture

  • Left Quote Icon

    Student Picture

  • Left Quote Icon

    Student Picture