This is a policy violation and it can allow malicious users to circumvent the protection offered by a network firewall.

We have to generate an alert for a TCP packet coming from "any" source to your home network on port "1863" (the MSN Messenger port), checking for the content "MSG" within the first "4" bytes of the payload; after that match, checking for the content "Content-Type|3A|" regardless of case; and after that match, checking for the content "text/plain" "1" byte after the previous match (the byte between the colon and the type is a space). In rule syntax that last step is the relative modifier distance:1, not within:1: within is a depth measured from the end of the previous match and the whole pattern has to fit inside it, so a 10-byte string can never be found within 1 byte, and Snort rejects a within value smaller than the pattern when it parses the rule.
Exercise #5a

Learning Objective
Checking the size of the payload
Checking the state of the protocol

How to generate an alert when someone wants to start Skype?

alert tcp any any -> any any (msg:"P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998;)

This rule is used in conjunction with other rules, either to reduce the possibility of false positives or to track the state of a connection. In the above rule there are two new keywords:
"dsize:5" checks that the packet payload is exactly 5 bytes long (dsize also accepts ranges, e.g. dsize:5<>20).
"flowbits:set,skype.login" sets the named state on the current flow; skype.login is a user-defined name. The state lives in the stream session, so the rule relies on the stream preprocessor tracking the TCP connection, and the flow direction and established check mean the packet must be client-to-server on a completed handshake.
Exercise #5b

How to generate an alert when network traffic indicates that Skype is being used?

This event indicates that Skype is being used on the protected network, which is a possible policy violation.

We have to generate an alert for TCP packets coming from any source to any destination, with flow to_client on an established TCP connection. The payload should be 5 bytes (dsize:5) and flowbits should check that skype.login is set (flowbits:isset,skype.login). It should check for the content "|17 03 01 00|" within the first 4 bytes (depth:4). Because the isset check only succeeds on a flow where the Exercise #5a rule has already fired, the two rules together tie the server's reply to the client's login attempt instead of alerting on every 5-byte packet that happens to start with those bytes.
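The following is an added example, not code from the slides or from Snort: a small Python model of the rule options the MSN exercise and Exercises #5a/#5b depend on (content with depth, nocase and distance/within, dsize, flow direction, and flowbits set/isset shared across both directions of a flow), run over constructed packets. The Packet class, the flow_key helper, the to_server field standing in for flow:to_server/to_client (the session is assumed to be established), and the msg strings "CHAT MSN message" and "Skype in use (exercise 5b)" are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool   # stands in for flow:to_server / to_client; the session
                      # is assumed to be established (no handshake tracking here)
    payload: bytes


def flow_key(pkt):
    """One key for both directions of a TCP session (hypothetical helper)."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class Matcher:
    """Applies content options to one payload, keeping the end-of-last-match
    cursor that the relative modifiers distance/within are measured from."""

    def __init__(self, payload):
        self.payload = payload
        self.doe = 0            # "detect offset end": byte after the last match

    def content(self, pattern, depth=None, nocase=False, distance=None, within=None):
        buf = self.payload
        if nocase:
            buf, pattern = buf.lower(), pattern.lower()
        relative = distance is not None or within is not None
        start = self.doe + (distance or 0) if relative else 0
        end = len(buf)
        if depth is not None:   # depth counts from the start of the payload
            end = min(end, depth)
        if within is not None:  # within is a depth counted from the cursor, so the
            end = min(end, start + within)   # pattern must fit inside it entirely
        idx = buf.find(pattern, start, end)
        if idx < 0:
            return False
        self.doe = idx + len(pattern)
        return True


def chat_msn_message(pkt, flowbits):
    """MSN slide: any -> home net port 1863, 'MSG' in the first 4 bytes, then
    'Content-Type:' regardless of case, then 'text/plain' one byte after it."""
    if not (pkt.to_server and pkt.dport == 1863):
        return False
    m = Matcher(pkt.payload)
    return (m.content(b"MSG", depth=4)
            and m.content(b"Content-Type:", nocase=True)
            and m.content(b"text/plain", distance=1))


def skype_login(pkt, flowbits):
    """Exercise 5a: flow:to_server; dsize:5; content |16 03 01 00| depth:4;
    flowbits:set,skype.login."""
    if not (pkt.to_server and len(pkt.payload) == 5):
        return False
    if not Matcher(pkt.payload).content(bytes.fromhex("16030100"), depth=4):
        return False
    flowbits.setdefault(flow_key(pkt), set()).add("skype.login")
    return True


def skype_setup(pkt, flowbits):
    """Exercise 5b: flow:to_client; dsize:5; flowbits:isset,skype.login;
    content |17 03 01 00| depth:4."""
    if pkt.to_server or len(pkt.payload) != 5:
        return False
    if "skype.login" not in flowbits.get(flow_key(pkt), ()):
        return False
    return Matcher(pkt.payload).content(bytes.fromhex("17030100"), depth=4)


RULES = [("CHAT MSN message", chat_msn_message),          # msg text assumed
         ("P2P Skype client login startup", skype_login),
         ("Skype in use (exercise 5b)", skype_setup)]     # msg text assumed


def run(packets):
    """Evaluate every rule against every packet in order; flowbits state
    persists per flow across packets. Returns the alert messages fired."""
    flowbits = {}
    return [msg for pkt in packets for msg, rule in RULES if rule(pkt, flowbits)]


# Constructed sample traffic (not captured data).
SAMPLE = [
    # MSN text message: lower-case header still matches thanks to nocase
    Packet("203.0.113.5", 40001, "192.0.2.10", 1863, True,
           b"MSG 1 N 87\r\nMIME-Version: 1.0\r\ncontent-type: text/plain; charset=UTF-8\r\n\r\nhello"),
    # MSN typing notification: Content-Type is not text/plain, no alert
    Packet("203.0.113.5", 40001, "192.0.2.10", 1863, True,
           b"MSG 2 U 90\r\nMIME-Version: 1.0\r\nContent-Type: text/x-msmsgscontrol\r\n\r\n"),
    # Skype: 5-byte client probe sets skype.login, the 5-byte reply then fires 5b
    Packet("192.0.2.20", 50001, "198.51.100.7", 443, True, bytes.fromhex("1603010001")),
    Packet("198.51.100.7", 443, "192.0.2.20", 50001, False, bytes.fromhex("1703010001")),
    # Same reply on a flow that never set the flowbit: no alert
    Packet("198.51.100.8", 443, "192.0.2.21", 50002, False, bytes.fromhex("1703010001")),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Running the script prints the three alerts in packet order; the last sample packet produces nothing because its flow never saw the login probe, which is the whole point of chaining the two Skype rules with flowbits. The Matcher also makes the within/distance distinction concrete: with within=1 the 10-byte "text/plain" pattern cannot fit in the search window and the match fails, whereas distance=1 simply starts the search one byte after the previous match.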
Exercise #6a

Learning Objective
Keep track of the number of packets arriving in a time frame
Use the "threshold" option in Snort
Check the flags in the packet

How to generate an alert when a "SYN flood" happens?

alert tcp any any -> any any (msg:"Syn Flooding"; flags:S; flow:to_server; threshold: type threshold, track by_src, count 10, seconds 1; priority:3; sid:1000002;)

The above rule checks for TCP packets coming from any source to any destination with only the SYN flag set (flags:S) and the flow of traffic towards the server. flow:established cannot be used here, because a bare SYN is the first packet of the handshake; flags:S also rejects SYNs that carry the ECN bits (ECE and CWR), which flags:S,12 would accept by ignoring the two reserved bits.

Keyword "threshold" checks whether 10 SYN packets have arrived from the same source (track by_src) within 1 second. With "type threshold" an alert is generated on every 10th packet inside that window, so a real flood of thousands of SYNs per second produces a stream of alerts; "type both" alerts once per window when the count is reached, and "type limit" alerts on the first 10 packets of each window regardless of rate, which is the wrong choice for a flood. In Snort 2.8.5 and later the rule-level threshold keyword is deprecated in favour of the detection_filter rule option and the event_filter configuration. Priority indicates the priority level of the attack (1 is the highest, 3 is low).
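The following is an added example, not code from the slides or from Snort: a Python model of how the three threshold types (limit, threshold, both) count events per source inside a time window, plus the exact-match semantics of flags:S and the ",12" reserved-bit exception, run over a constructed burst of SYN packets. The Packet class, the flag-letter representation, the to_server field standing in for flow:to_server, and the window bookkeeping are assumptions of the example; they model the documented behaviour of the keyword, not Snort's own implementation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # arrival time in seconds
    src: str
    flags: str       # TCP flag letters as Snort writes them: S, A, F, R, P, U, C, E
    to_server: bool  # stands in for flow:to_server


def flags_match(flags, want="S", ignore=""):
    """flags:<want>,<ignore>: every flag in want must be set and nothing else,
    except flags listed in ignore. Snort's 'S,12' (ignore the two reserved bits,
    i.e. CWR and ECE) is ignore='CE' here."""
    return set(flags) - set(ignore) == set(want)


class Threshold:
    """threshold: type <limit|threshold|both>, track by_src, count N, seconds S.
    A modelled version of the keyword, not Snort's own implementation."""

    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.windows = defaultdict(lambda: [None, 0])   # src -> [window start, n]

    def check(self, src, now):
        """Count one event from src at time now; return True if it should alert."""
        win = self.windows[src]
        if win[0] is None or now - win[0] >= self.seconds:
            win[0], win[1] = now, 0                      # start a fresh window
        win[1] += 1
        n = win[1]
        if self.kind == "limit":      # alert on the first `count` events per window
            return n <= self.count
        if self.kind == "threshold":  # alert on every `count`-th event per window
            return n % self.count == 0
        if self.kind == "both":       # alert once per window, when count is reached
            return n == self.count
        raise ValueError(self.kind)


def syn_flood_rule(packets, kind="threshold", count=10, seconds=1, ignore=""):
    """alert tcp any any -> any any (flags:S; flow:to_server;
    threshold: type <kind>, track by_src, count <count>, seconds <seconds>;)
    Returns (timestamp, source) for each alert fired."""
    thr = Threshold(kind, count, seconds)
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if not (p.to_server and flags_match(p.flags, "S", ignore)):
            continue
        if thr.check(p.src, p.ts):
            alerts.append((p.ts, p.src))
    return alerts


# Constructed traffic (not captured data): 30 SYNs from one source in 0.58 s,
# 4 SYNs from a legitimate client spread over 1.5 s, a SYN-ACK from the server
# and one ECN-negotiating SYN (SYN+ECE+CWR) from the flooding source.
FLOOD_SRC, NORMAL_SRC = "203.0.113.9", "198.51.100.4"
SAMPLE = ([Packet(i / 50, FLOOD_SRC, "S", True) for i in range(30)]
          + [Packet(i / 2, NORMAL_SRC, "S", True) for i in range(4)]
          + [Packet(0.3, "192.0.2.10", "SA", False),
             Packet(0.41, FLOOD_SRC, "SEC", True)])

if __name__ == "__main__":
    for kind in ("threshold", "both", "limit"):
        print(kind, len(syn_flood_rule(SAMPLE, kind)), "alerts")
```

With the slide's settings (type threshold, count 10, seconds 1) the flooding source fires on its 10th, 20th and 30th SYN and the legitimate client never fires; switching to type both yields a single alert for the whole burst, while type limit fires 14 times, ten of them for the flood and four for the harmless client, because limit counts events rather than rate. Passing ignore="CE" (the rule's ",12") makes the ECN SYN count as well, shifting the third alert one packet earlier.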