Chapter 3 • Working with Snort Rules

• The “ip” part shows that this rule will be applied to all IP packets.
• The first “any” is used for the source IP address and shows that the rule will be applied to all packets regardless of where they come from.
• The second “any” is used for the source port number. Since port numbers are irrelevant at the IP layer, the rule will be applied to all packets.
• The -> sign shows the direction of the packet.
• The third “any” is used for the destination IP address and shows that the rule will be applied to all packets irrespective of destination IP address.
• The fourth “any” is used for the destination port. Again it is irrelevant because this rule is for IP packets and port numbers are irrelevant.
• The last part is the rule options and contains a message that will be logged along with the alert.

The next rule isn't quite as noisy. It generates alerts for all captured ICMP packets. Again, this rule is useful to find out if Snort is working.

alert icmp any any -> any any (msg: "ICMP Packet found";)

If you want to test the Snort machine, send a ping packet (the ping command sends an ICMP ECHO REQUEST packet). Again, you can use this rule when you install Snort to make sure that it is working well. As an example, send an ICMP packet to your gateway address or some other host on the network using the following command:

ping 192.168.2.1

Note that 192.168.2.1 is the IP address of the gateway/router or some other host on the same network where the Snort machine is present. This command should be executed on the machine where you installed Snort. The command can be used both on UNIX and Microsoft Windows machines. The ping must leave through an interface Snort is listening on; if Snort sniffs a dedicated interface while the ping goes out the management interface, no alert is generated.

TIP
I use a slightly modified version of this rule to continuously monitor multiple Snort sensors just to make sure everybody is up and running. This rule is as follows:

alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";)

My Snort sensor IP address is 192.168.1.4 and the gateway address is 192.168.1.1. I run the following command through the cron daemon on the Linux machine to trigger this rule every 10 minutes:

ping -c 1 192.168.1.1

The command sends exactly one ICMP packet to the gateway machine (-c sets the packet count on Linux and other UNIX systems; the equivalent Windows option is -n). This packet causes an alert entry to be created. If there is no alert every 10 minutes, there is something wrong with the sensor. Because the rule header names one source address, each sensor needs a copy of the rule with its own address, and a missing alert only says that the chain is broken somewhere, not whether Snort, the cron job or the logging path failed.

3.3 CIDR

Classless Inter-Domain Routing or CIDR is defined in RFC 1519 (since superseded by RFC 4632). It was intended to make better use of available Internet addresses by eliminating the different classes (like class A and class B). With CIDR, you can use any number of bits in the netmask field, which was not possible with class-based networking where the number of bits was fixed.
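Before continuing with CIDR, here is the check that the heartbeat tip above leaves to the reader: read the sensor's alert log and decide whether the HEARTBEAT rule is still firing on schedule. This is an added example written for this page, not code from the book or from Snort. The log lines are constructed in the shape of Snort's alert_fast output (the gid:sid:rev values are invented for the sample), the year is supplied by the caller because fast alerts do not carry one, and the 10-minute interval and one-minute slack are assumptions matching the cron schedule in the tip.

```python
"""Added example (not from the book or Snort): read Snort alert_fast-style log
lines and decide whether a sensor's HEARTBEAT rule is still firing on schedule.
The log lines below are constructed for this example."""
import re
from datetime import datetime, timedelta

# alert_fast line: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_time(year, text):
    """Snort fast alerts carry no year, so the caller supplies it."""
    return datetime.strptime("%d/%s" % (year, text), "%Y/%m/%d-%H:%M:%S.%f")


def parse_alert(line, year):
    """Return the fields of one alert line, or None for lines in another format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "time": parse_time(year, m.group("ts")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def last_heartbeat(lines, year, sensor="192.168.1.4", gateway="192.168.1.1"):
    """Time of the newest HEARTBEAT alert sent by this sensor to the gateway, or None.
    Filtering on the source address matters when several sensors share one log."""
    newest = None
    for line in lines:
        a = parse_alert(line, year)
        if a is None or a["msg"] != "HEARTBEAT":
            continue
        if a["src"] != sensor or a["dst"] != gateway:
            continue
        if newest is None or a["time"] > newest:
            newest = a["time"]
    return newest


def sensor_ok(lines, now, year, sensor="192.168.1.4", gateway="192.168.1.1",
              interval=timedelta(minutes=10), slack=timedelta(minutes=1)):
    """True if a heartbeat arrived within the cron interval plus some slack for
    cron jitter; False if the sensor has gone quiet (or never reported)."""
    newest = last_heartbeat(lines, year, sensor, gateway)
    return newest is not None and now - newest <= interval + slack


# Constructed sample log: two sensors (192.168.1.4 and 192.168.1.5) writing to
# one file, plus an unrelated ICMP alert.  The year is not in the lines.
SAMPLE_LOG = """\
04/19-10:00:03.120001  [**] [1:1000001:1] HEARTBEAT [**] [Priority: 0] {ICMP} 192.168.1.4 -> 192.168.1.1
04/19-10:04:17.554321  [**] [1:1000002:1] ICMP Packet found [**] [Priority: 0] {ICMP} 192.168.1.77 -> 192.168.1.1
04/19-10:10:02.998877  [**] [1:1000001:1] HEARTBEAT [**] [Priority: 0] {ICMP} 192.168.1.4 -> 192.168.1.1
04/19-10:20:04.000123  [**] [1:1000001:1] HEARTBEAT [**] [Priority: 0] {ICMP} 192.168.1.4 -> 192.168.1.1
04/19-10:31:00.000000  [**] [1:1000003:1] HEARTBEAT [**] [Priority: 0] {ICMP} 192.168.1.5 -> 192.168.1.1
""".splitlines()

if __name__ == "__main__":
    for clock in ("04/19-10:25:00.0", "04/19-10:35:00.0"):
        now = parse_time(2003, clock)
        print(clock, "sensor .4 ok:", sensor_ok(SAMPLE_LOG, now, 2003),
              "sensor .5 ok:", sensor_ok(SAMPLE_LOG, now, 2003, sensor="192.168.1.5"))
```

At 10:25 sensor 192.168.1.4 is fine (its last heartbeat was at 10:20); at 10:35 it is reported down even though a HEARTBEAT line from 192.168.1.5 arrived at 10:31, which is why the check filters on the source address rather than on the message alone.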
Using CIDR, network addresses are written using the number of bits in the netmask at the end of the IP address. For example, 192.168.1.0/24 defines a network with network address 192.168.1.0 and 24 bits in the netmask. A netmask with 24 bits is equal to 255.255.255.0. An individual host can be written using all of the netmask bits, i.e., 32. The following rule shows that only those packets that go to the single host with IP address 192.168.1.113 will generate an alert:

alert icmp any any -> 192.168.1.113/32 any \
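The rule-header fields explained in the bullet list above (action, protocol, source address and port, direction, destination address and port) and the CIDR addressing of this section can be exercised together by parsing rule headers and testing packets against them. The following is an added example written for this page, not code from the book or from Snort; Snort's own matching engine is far more involved. The rules are modelled on the ones in the chapter, but the message of the "ip" rule and of the /32 rule (which the page cuts off) are assumed, and the packets are constructed sample values. Note that a bare host address in a rule header is treated the same as a /32, and that port fields are only consulted for TCP and UDP rules.

```python
"""Added example (not from the book or Snort): parse the header of a Snort rule
and test packets against it, with CIDR address matching.  All rules and packets
below are constructed sample values."""
import ipaddress
import re
from dataclasses import dataclass

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for ICMP, which has no ports
    dst: str
    dport: int


def parse_rule(text):
    """Return a dict of header fields: "any" becomes None, addresses become
    ip_network objects (a bare host address is the same as /32)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text)
    r = m.groupdict()
    for key in ("src", "dst"):
        r[key] = None if r[key] == "any" else ipaddress.ip_network(r[key], strict=False)
    for key in ("sport", "dport"):
        r[key] = None if r[key] == "any" else int(r[key])
    msg = MSG_RE.search(r.pop("opts"))
    r["msg"] = msg.group(1) if msg else ""
    return r


def _one_way(rule, src, sport, dst, dport, check_ports):
    """Address (CIDR) and optional port checks in one direction."""
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    if check_ports:
        if rule["sport"] is not None and rule["sport"] != sport:
            return False
        if rule["dport"] is not None and rule["dport"] != dport:
            return False
    return True


def matches(rule, pkt):
    """True if pkt satisfies the rule header."""
    # "ip" applies to every IP packet regardless of transport protocol.
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    # Ports are meaningful only for TCP/UDP rules; "ip" and "icmp" rules
    # ignore the port fields even when they are not "any".
    check_ports = rule["proto"] in ("tcp", "udp")
    if _one_way(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport, check_ports):
        return True
    # "<>" means the rule also applies with source and destination swapped.
    return rule["dir"] == "<>" and _one_way(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport, check_ports)


def alerts_for(rules, pkt):
    """Messages of all rules that the packet triggers, in rule order."""
    return [r["msg"] for r in rules if matches(r, pkt)]


# Rules modelled on the chapter; the first and last messages are assumed.
RULES = [parse_rule(t) for t in [
    'alert ip any any -> any any (msg: "IP Packet detected";)',
    'alert icmp any any -> any any (msg: "ICMP Packet found";)',
    'alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";)',
    'alert icmp any any -> 192.168.1.113/32 any (msg: "ICMP to 192.168.1.113";)',
]]

# Constructed packets: the heartbeat ping, its reply going the other way,
# a ping to the /32 host from another subnet and a TCP packet.
HEARTBEAT = Packet("icmp", "192.168.1.4", 0, "192.168.1.1", 0)
HEARTBEAT_REPLY = Packet("icmp", "192.168.1.1", 0, "192.168.1.4", 0)
TO_HOST = Packet("icmp", "192.168.2.7", 0, "192.168.1.113", 0)
SSH = Packet("tcp", "10.0.0.5", 40000, "192.168.1.113", 22)

if __name__ == "__main__":
    for p in (HEARTBEAT, HEARTBEAT_REPLY, TO_HOST, SSH):
        print(p, alerts_for(RULES, p))
```

The heartbeat reply does not trigger the HEARTBEAT rule because the header fixes 192.168.1.4 as the source and the direction is ->; a <> rule would match both directions, as the bidirectional TCP rule in the test shows. The ip rule fires on every packet, including the TCP one, which is exactly why the chapter calls it a poor rule to run in production.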