– This is a policy violation, and it can allow malicious users to circumvent the protection offered by a network firewall
– We have to generate an alert for a TCP packet coming from "any" source to your home network through port "1863", checking for the content "MSG" in the first "4" bytes of the payload; after this match, checking for the content "Content-Type|3A|" regardless of case; and after this match, checking for the content "text/plain" within "1" byte of the previous match
Exercise #5a
• Learning Objective
– Checking the size of the payload
– Checking the state of the protocol
• How to generate an alert when someone wants to start Skype?
– alert tcp any any -> any any (msg:"P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998;)
– This rule is used in conjunction with other rules, either to reduce the possibility of false positives or to track the state of a connection
– The above rule uses two new keywords
– "dsize" of "5" bytes checks the packet payload size
– "flowbits" set indicates that it will set the specified state for the current flow; skype.login is the user-defined name of that state
Exercise #5b
• How to generate an alert on network traffic that indicates Skype is being used?
– This event indicates that Skype is being used on the protected network, which is a possible policy violation
– We have to generate an alert for TCP packets coming from any source to any destination, with flow to_client over an established TCP connection
– The payload should be 5 bytes in size, and flowbits should check whether skype.login is set
– It should check for the content "|17 03 01 00|" within the first 4 bytes
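To make the dsize, content/depth and flowbits semantics of Exercises 5a and 5b concrete, here is a small Python emulation of those three keywords run over a constructed Skype-style exchange. This is an added teaching example, not Snort's own code and not part of the slides: the Packet/Flow classes, the rule dictionaries and the sample payloads are all hand-written stand-ins, and the second rule is the 5b answer written out from the slide's description (its Snort form is shown in a comment; the sid there is a placeholder).

```python
"""Mini emulation of three Snort keywords used in Exercises 5a/5b:
dsize, content with depth, and flowbits set/isset.

Added example, not Snort and not code from the slides. Packets below are
constructed; the RULES dicts are a hand-written stand-in for Snort's parser.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "to_server" or "to_client"
    payload: bytes


@dataclass
class Flow:
    """Per-connection state: Snort keeps flowbits on the flow, not the packet."""
    bits: set = field(default_factory=set)


# Rule 1 mirrors the slide's 5a rule. Rule 2 is the 5b answer, i.e. in Snort syntax:
#   alert tcp any any -> any any (msg:"P2P Skype client login"; flow:to_client,established;
#     dsize:5; flowbits:isset,skype.login; content:"|17 03 01 00|"; depth:4;
#     classtype:policy-violation; sid:1000005;)   # sid is a placeholder
RULES = [
    {"msg": "P2P Skype client login startup", "flow": "to_server", "dsize": 5,
     "content": b"\x16\x03\x01\x00", "depth": 4, "flowbits": ("set", "skype.login")},
    {"msg": "P2P Skype client login", "flow": "to_client", "dsize": 5,
     "content": b"\x17\x03\x01\x00", "depth": 4, "flowbits": ("isset", "skype.login")},
]


def content_matches(payload: bytes, pattern: bytes, depth: int) -> bool:
    """content + depth: the pattern must lie entirely inside the first `depth` bytes."""
    return pattern in payload[:depth]


def evaluate(rule: dict, pkt: Packet, flow: Flow) -> Optional[str]:
    """Return the rule's msg if every option matches, else None.
    Options are checked in order; flowbits:set only happens when the
    earlier options (flow, dsize, content) already matched."""
    if rule["flow"] != pkt.direction:
        return None
    if len(pkt.payload) != rule["dsize"]:          # dsize:5 means exactly 5 bytes
        return None
    if not content_matches(pkt.payload, rule["content"], rule["depth"]):
        return None
    op, name = rule["flowbits"]
    if op == "isset" and name not in flow.bits:
        return None
    if op == "set":
        flow.bits.add(name)
    return rule["msg"]


def run(packets: List[Packet]) -> List[str]:
    """Feed packets through all rules, keeping one Flow per (client, server) pair."""
    flows: Dict[Tuple[str, str], Flow] = {}
    alerts: List[str] = []
    for pkt in packets:
        key = tuple(sorted((pkt.src, pkt.dst)))
        flow = flows.setdefault(key, Flow())
        for rule in RULES:
            msg = evaluate(rule, pkt, flow)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed traffic: a client hello (sets the bit), the server's reply on the
# same flow (bit is set, so 5b fires), and a lookalike reply on a flow that
# never saw the login packet (5b must stay quiet: flowbits:isset fails).
SAMPLE = [
    Packet("10.0.0.5", "198.51.100.9", "to_server", b"\x16\x03\x01\x00\x01"),
    Packet("198.51.100.9", "10.0.0.5", "to_client", b"\x17\x03\x01\x00\x02"),
    Packet("198.51.100.9", "10.0.0.7", "to_client", b"\x17\x03\x01\x00\x02"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print("ALERT:", alert)
```

The third packet is the point of the flowbits pairing: a 5-byte payload starting with |17 03 01 00| is far from unique to Skype, so the 5b rule only alerts when the 5a rule has already tagged the same flow, which is how the slide's "reduce the possibility of false positives" works in practice.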
Exercise #6a
• Learning Objective
– Keep track of the number of packets coming in a time frame
  • Use the "threshold" option in Snort
– Checking the flags in the packet
• How to generate an alert when a "SYN flood" happens?
– alert tcp any any -> any any (msg:"Syn Flooding"; flags:S; flow:to_server; threshold: type threshold, track by_src, count 10, seconds 1; priority:3; sid:1000002;)
– The above rule checks for TCP packets coming from any source to any destination with the SYN flag set and the flow of traffic towards the server
– The keyword "threshold" checks whether more than 10 SYN packets are coming from the same source in 1 second
– Priority indicates the priority level of the attack
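The following Python emulation shows what "threshold: type threshold, track by_src, count 10, seconds 1" does when the rule above is applied to a stream of SYN packets. It is an added example, not Snort's code and not from the slides: the timestamps and addresses are constructed, and the window bookkeeping is an approximation of Snort's documented behaviour for type threshold (alert every count-th matching event from a source inside the time window, counting afresh when the window expires).

```python
"""Emulation of Snort's `threshold: type threshold, track by_src, count N,
seconds S` from Exercise 6a, applied to SYN packets.

Added example, not Snort's own code. Packets are constructed; the per-source
counter approximates Snort's: it restarts when the window expires and fires
(then resets) each time it reaches `count` inside the window.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Syn:
    ts: float   # seconds since capture start
    src: str
    flags: str  # TCP flags, e.g. "S" or "SA"


class SynThreshold:
    def __init__(self, count: int = 10, seconds: float = 1.0):
        self.count = count
        self.seconds = seconds
        # track by_src: one (window_start, n) pair per source address
        self.state: Dict[str, Tuple[float, int]] = {}

    def observe(self, pkt: Syn) -> bool:
        """Return True when this packet makes the rule fire for its source."""
        if pkt.flags != "S":          # flags:S matches SYN only, not SYN-ACK
            return False
        start, n = self.state.get(pkt.src, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:
            start, n = pkt.ts, 0      # window expired: start counting again
        n += 1
        if n >= self.count:
            self.state[pkt.src] = (pkt.ts, 0)   # alert and reset for this source
            return True
        self.state[pkt.src] = (start, n)
        return False


def detect(packets: List[Syn], count: int = 10, seconds: float = 1.0) -> List[Tuple[float, str]]:
    """Run the threshold over packets in arrival order; return (ts, src) per alert."""
    det = SynThreshold(count, seconds)
    return [(p.ts, p.src) for p in packets if det.observe(p)]


# Constructed sample: 12 SYNs from 203.0.113.4 inside half a second (a flood),
# 10 SYNs from 192.0.2.8 spread over 5 s (a busy but normal client, never 10
# in any one second), and one SYN-ACK that flags:S must ignore.
SAMPLE = (
    [Syn(i / 25, "203.0.113.4", "S") for i in range(12)]
    + [Syn(0.5 * i, "192.0.2.8", "S") for i in range(10)]
    + [Syn(0.3, "198.51.100.1", "SA")]
)
SAMPLE.sort(key=lambda p: p.ts)

if __name__ == "__main__":
    for ts, src in detect(SAMPLE):
        print(f"[{ts:.2f}s] Syn Flooding from {src}")
```

Running it produces a single alert for 203.0.113.4 on its tenth SYN; the slow client never trips the counter because its window restarts before it accumulates ten packets. Because the state is keyed on the source address (track by_src), a flood spread across many spoofed sources would not reach the count for any one of them, which is a known limitation of this rule as written rather than a bug in the emulation.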