Allows user to assign an appropriate message to the output of a triggered rule

Snort Rules - Rule Options: Msg Option

Allows the user to assign an appropriate message to the output of a triggered rule. Without it, alert or log entries only give the packet, not the rule that was triggered.

Rule:
  alert udp any any -> 129.210.18.0/24 31337 \
    (msg: "Back Orifice";)

Log:
  [**] Back Orifice [**]
  05/10-08:44:26.398345 192.120.81.5:60256 -> 129.210.18.34:31337
  UDP TTL:41 TOS:0x0 ID:49951 Len: 8
Snort Rules - Rule Options: Logto Option

Specifies the filename to which the matching activity is logged. This allows the annoyances to be kept separate from the truly dangerous.

  alert udp any any -> 129.210.18.0/24 31335 \
    (msg: "trinoo port"; logto: "DDoS";)
Snort Rules - Rule Options: TTL Option

Allows a rule to match on the time-to-live field of the IP header. Format: ttl: number

  alert udp any any -> 129.210.18.0/24 33000:34000 \
    (msg: "Unix traceroute"; ttl: 1;)
Snort Rules - Rule Options: ID Option

Matches the 16-bit identification value found in the IP header of each datagram.

  alert udp any any -> 129.210.18.0/24 33000:34000 \
    (msg: "Suspicious IP Identification"; id: 0;)
Snort Rules - Rule Options: Dsize Option

Matches on the size of the packet payload.

  alert icmp any any -> 129.210.18.0/24 any \
    (msg: "Large ICMP payload"; dsize: >1024;)
Snort Rules - Rule Options: Seq and Ack Options

Seq option: matches the value of the TCP sequence number.
Ack option: matches the value of the TCP acknowledgement number.

  alert tcp any any -> any any \
    (msg: "Possible Shaft DDoS"; seq: 0x28374839;)

  alert tcp any any -> any any \
    (msg: "nmap tcp ping"; flags: A; ack: 0;)
Snort Rules - Rule Options: Itype and Icode Options

Match the ICMP message type and the ICMP code, respectively.

  alert icmp 1.1.1.0/24 any -> 129.210.18.0/24 any \
    (msg: "port unreachable"; itype: 3; icode: 3;)
Snort Rules - Rule Options: Flags Option

Matches the set of TCP flag bits in the packet; a value of 0 means no flags are set.

  alert tcp any any -> any any \
    (msg: "null scan"; flags: 0;)
Snort Rules - Rule Options: Content Option

Searches the packet payload for a byte sequence; hex bytes are written between | | characters, and a rule may carry several content options that must all match.

  alert udp $EXTERNAL_NET any -> $HOME_NET 53 \
    (msg: "Exploit bind tsig Overflow attempt"; \
     content: "|00 FA 00 FF|"; content: "/bin/sh";)
Snort Rules - Rule Options: Content Modifiers

Offset option: specifies the offset into the payload at which the content search starts.
Depth option: specifies how far into the packet to search for the content.
Nocase option: makes the content search case insensitive.
Regex option: allows wildcards in content searches.
Snort Rules - Rule Options: Session, Resp and Tag Options

Session option: allows the TCP session data to be captured.
Resp option: allows an automatic active response.
Tag option: allows additional packets to be captured dynamically after a rule triggers.
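To make the effect of these options concrete, here is an added example (not code from the slides or from the Snort project): a small Python matcher that parses the rule header and the subset of option keywords covered above (msg, ttl, id, dsize, seq, ack, flags, itype, icode, and content with its offset/depth/nocase modifiers) and runs the rules over constructed packet records. The ruleset, the 129.210.18.0/24 home network and all packet fields are made up for the illustration; real Snort supports far more and decodes real traffic.

```python
# Added example (not from the slides): toy matcher for a Snort rule header plus the
# option keywords shown above. Rules, addresses and packets are constructed.
import ipaddress
import re

RULES = r'''
alert udp any any -> 129.210.18.0/24 31337 (msg: "Back Orifice";)
alert udp any any -> 129.210.18.0/24 33000:34000 (msg: "Unix traceroute"; ttl: 1;)
alert icmp any any -> 129.210.18.0/24 any (msg: "Large ICMP payload"; dsize: >1024;)
alert tcp any any -> any any (msg: "nmap tcp ping"; flags: A; ack: 0;)
alert tcp any any -> any any (msg: "null scan"; flags: 0;)
alert udp any any -> 129.210.18.0/24 53 (msg: "bind tsig overflow attempt"; content: "|00 FA 00 FF|"; content: "/bin/sh"; nocase;)
'''

HEADER = re.compile(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
FLAG_BITS = {'F': 0x01, 'S': 0x02, 'R': 0x04, 'P': 0x08, 'A': 0x10, 'U': 0x20}

def parse_content(value):
    """Snort content syntax: text outside |..| is literal, inside |..| is hex bytes."""
    out = b''
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(line):
    """Split a rule into header fields, the msg text and an ordered option list."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError('unparsable rule: ' + line)
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'msg': '', 'opts': []}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, val = opt.partition(':')
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == 'msg':
            rule['msg'] = val                                 # reported in the alert line
        elif key == 'content':
            rule['opts'].append({'content': parse_content(val),
                                 'offset': 0, 'depth': None, 'nocase': False})
        elif key in ('offset', 'depth', 'nocase'):            # modifiers bind to the preceding content
            rule['opts'][-1][key] = True if key == 'nocase' else int(val)
        else:
            rule['opts'].append({key: val})
    return rule

def ip_matches(spec, addr):
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == 'any':
        return True
    lo, _, hi = spec.partition(':')                           # "33000:34000" is an inclusive range
    return int(lo) <= port <= int(hi or lo)

def header_matches(rule, pkt):
    return (rule['proto'] == pkt['proto']
            and ip_matches(rule['src'], pkt['src']) and port_matches(rule['sport'], pkt.get('sport', 0))
            and ip_matches(rule['dst'], pkt['dst']) and port_matches(rule['dport'], pkt.get('dport', 0)))

def options_match(rule, pkt):
    """Every option must hold; the first one that fails rejects the packet."""
    payload = pkt.get('payload', b'')
    for opt in rule['opts']:
        if 'content' in opt:
            region = payload[opt['offset']:]
            if opt['depth'] is not None:
                region = region[:opt['depth']]
            needle = opt['content']
            if opt['nocase']:
                region, needle = region.lower(), needle.lower()
            if needle not in region:
                return False
            continue
        (key, val), = opt.items()
        if key == 'dsize':                                    # payload length, e.g. ">1024"
            n = len(payload)
            ok = (n > int(val[1:]) if val[0] == '>' else
                  n < int(val[1:]) if val[0] == '<' else n == int(val))
            if not ok:
                return False
        elif key == 'flags':                                  # "A" = ACK only, "0" = no flags
            want = 0 if val == '0' else sum(FLAG_BITS[c] for c in val)
            if pkt.get('flags', 0) != want:
                return False
        elif key in ('ttl', 'id', 'seq', 'ack', 'itype', 'icode'):
            if pkt.get(key) != int(val, 0):                   # base 0 also accepts 0x.. values
                return False
        else:
            raise ValueError('unsupported option: ' + key)
    return True

def evaluate(rules, pkt):
    """Return the msg of every rule whose header and options all match the packet."""
    return [r['msg'] for r in rules if header_matches(r, pkt) and options_match(r, pkt)]

RULESET = [parse_rule(line) for line in RULES.strip().splitlines()]

# Constructed packet records; only the fields the options above need are present.
PACKETS = [
    {'proto': 'udp', 'src': '192.120.81.5', 'sport': 60256, 'dst': '129.210.18.34', 'dport': 31337, 'ttl': 41, 'payload': b'\x00' * 8},
    {'proto': 'udp', 'src': '10.0.0.7', 'sport': 40000, 'dst': '129.210.18.9', 'dport': 33434, 'ttl': 1, 'payload': b''},
    {'proto': 'icmp', 'src': '10.0.0.7', 'dst': '129.210.18.9', 'itype': 8, 'icode': 0, 'payload': b'A' * 1500},
    {'proto': 'tcp', 'src': '10.0.0.7', 'sport': 1234, 'dst': '129.210.18.9', 'dport': 80, 'flags': 0x10, 'ack': 0, 'seq': 5},
    {'proto': 'tcp', 'src': '10.0.0.7', 'sport': 1234, 'dst': '129.210.18.9', 'dport': 80, 'flags': 0, 'ack': 1, 'seq': 5},
    {'proto': 'udp', 'src': '10.0.0.7', 'sport': 5353, 'dst': '129.210.18.9', 'dport': 53, 'ttl': 64, 'payload': b'\x00\xfa\x00\xff/BIN/SH'},
]

if __name__ == '__main__':
    for pkt in PACKETS:
        print(pkt['proto'], pkt['src'], '->', pkt['dst'], evaluate(RULESET, pkt))
```

Two points the slides make are visible when this runs: each matching rule is reported by its msg text rather than by the raw packet, and nocase applies only to the content option it follows, so the hex bytes |00 FA 00 FF| are still matched exactly while "/BIN/SH" still satisfies "/bin/sh".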

  • Spring '20