Thursday, May 16, 2019

Network Segmentation Plan Part-1



Background
Network Segmentation (1)
Benefits:

  • Improved Security: Network traffic can be isolated and/or filtered to limit and/or prevent access between network segments.
  • Better Access Control: Allow users to only access specific network resources.
  • Improved Monitoring: Provides an opportunity to log events, monitor allowed and denied internal connections, and detect suspicious behavior.
  • Improved Performance: With fewer hosts per subnet, local traffic is minimized. Broadcast traffic can be isolated to the local subnet.
  • Better Containment: When a network issue occurs, its effect is limited to the local subnet.
Cons:
  • The harder it can be:
    • for an attacker to compromise your sensitive systems/data;
    • to ensure users can access all of the information they require.
  • The more time it takes to design and manage the internal network.

Purpose
To effectively segment the network and build efficiency through continuous monitoring and automation.

Requirements

  • Automation
    • Configuration: the ability to remotely manage the entire fleet of firewalls using an automation tool (e.g. Ansible, Puppet).
    • Updating: push out updated images using an automation tool.
  • Integration
    • Monitoring: the overall health of the firewalls and the underlying hypervisor.
    • APIs: API integration and testing will be required in order to monitor effectively.
  • Scalable
    • Ability to add resources to increase usability.
  • High Availability
    • Backup/failover virtual firewall to ensure there is no loss of service.

Goal
Note: A principle of network segmentation is to group like resources together, to minimize security overhead: Build a fence around the car park, not a fence and gate around every car. (2) 


To simplify the segmentation of the network by segmenting based on the following criteria (2):
  • Data Sensitivity:
    • Data Centers
  • Location:
    • Branch Offices
  • Criticality:
    • Databases

Potential Problems
  • Underlying failure of the hypervisor.
  • Available hardware is deficient in its ability to handle the required traffic bandwidth.

References
  1. The Security Benefits of Network Segmentation
  2. Network Segmentation
  3. Network Segmentation

Wednesday, June 20, 2018

YAML Fundamentals


Notes
All Ansible playbooks are written in YAML.
YAML is a format for representing data structures.
A # introduces a comment.
A YAML file can optionally begin with “---”.
A YAML file can optionally end with “...”.

Concepts
Lists/Arrays can use Dictionaries to describe the items within them.
An invalid number of spaces will generate an error message.


Key Value Pair
YAML’s fundamental unit of data is the “Key Value Pair.”
Key - a variable.
Value - the value of the variable.
Key Value Pair = Key + Value.
Syntax:
Key:(space)Value
A space after the colon is required.


How to type an Array/List
The dash ( - ) means that the Value that follows it is an item of an Array/List.
Syntax:
    Key:
         - (space)Value

Use a List/Array for multiple items of the same type of object.
For multiple Lists/Arrays the order of the Keys must be identical to each other.


How to type a Dictionary/Map
Syntax:
    Key:
        Key:(space)Value
        Key: Value

Use Dictionaries to add specific details about a specific individual item.
For multiple Dictionaries the Keys can be defined in any order as long as the values of those Keys match exactly.


List/Array with nested Dictionary
Syntax:
    Key/List_Name:
        - Key/List_Item:
            Key/Attribute_Detail: Value
            Key/Attribute_Detail: Value

Start your List/Array with a Key, which will serve as the “Name” of the List/Array, followed by a colon. Individual List/Array entries follow the List/Array syntax. To add Attributes or Details to an individual item of the list, nest a Dictionary under that List/Array entry following the Dictionary syntax.
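As an added example (not part of the original notes, and not PyYAML): a small parser for exactly the subset described above, Key Value Pairs, Lists introduced by "- ", Dictionaries nested by indentation, and a List whose items are Dictionaries, which also rejects a missing space after the colon and the "invalid number of spaces" case. The sample document inside it is constructed for the demonstration.

```python
import re

class YAMLError(ValueError):
    """Raised for the structural mistakes the notes above warn about."""

def _tokenize(text):
    """Drop comments, blank lines and the optional '---' / '...' markers and
    return (indent, content) pairs. A '#' inside a quoted value is beyond this subset."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # '#' introduces a comment
        if line.strip() and line.strip() not in ("---", "..."):
            tokens.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return tokens

def _scalar(text):
    """Bare values become bool, int or str (a small subset of YAML's typing)."""
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return int(text) if re.fullmatch(r"-?\d+", text) else text.strip("\"'")

def _parse_block(tokens, pos, indent):
    """A block is a List when its first entry starts with '- ', else a Dictionary."""
    if tokens[pos][1].startswith("- "):
        return _parse_list(tokens, pos, indent)
    return _parse_map(tokens, pos, indent)

def _parse_map(tokens, pos, indent):
    result = {}
    while (pos < len(tokens) and tokens[pos][0] == indent
           and not tokens[pos][1].startswith("- ")):
        text = tokens[pos][1]
        m = re.fullmatch(r"([^:]+):(?: (.*))?", text)   # Key:(space)Value
        if not m:
            raise YAMLError(f"expected 'Key: Value' (space after the colon): {text!r}")
        key, value, pos = m.group(1).strip(), m.group(2), pos + 1
        if value is None:                                # a nested block follows
            if pos < len(tokens) and tokens[pos][0] > indent:
                value, pos = _parse_block(tokens, pos, tokens[pos][0])
        else:
            value = _scalar(value.strip())
        if key in result:
            raise YAMLError(f"duplicate key {key!r}")
        result[key] = value
        # A deeper-indented entry that no nested block consumed is the
        # "invalid number of spaces" case the notes mention.
        if pos < len(tokens) and tokens[pos][0] > indent:
            raise YAMLError(f"invalid indentation before {tokens[pos][1]!r}")
    return result, pos

def _parse_list(tokens, pos, indent):
    items = []
    while (pos < len(tokens) and tokens[pos][0] == indent
           and tokens[pos][1].startswith("- ")):
        rest = tokens[pos][1][2:].strip()
        if re.fullmatch(r"[^:]+:(?: .*)?", rest):       # the item is a Dictionary
            tokens[pos] = (indent + 2, rest)             # read "- k: v" as "k: v", two columns in
            item, pos = _parse_map(tokens, pos, indent + 2)
        else:
            item, pos = _scalar(rest), pos + 1
        items.append(item)
    return items, pos

def load(text):
    """Parse a document in this subset into Python dicts, lists and scalars."""
    tokens = _tokenize(text)
    if not tokens:
        return None
    value, pos = _parse_block(tokens, 0, tokens[0][0])
    if pos != len(tokens):
        raise YAMLError(f"entry out of place: {tokens[pos][1]!r}")
    return value

def parse_error(text):
    """Return the YAMLError message for `text`, or None when it parses."""
    try:
        load(text)
    except YAMLError as exc:
        return str(exc)
    return None

# Constructed sample in the List-with-nested-Dictionary form from the notes.
SAMPLE = """\
---
firewalls:                 # Key/List_Name
    - fw-edge-01:          # Key/List_Item
        site: branch       # Key/Attribute_Detail: Value
        managed: true
allowed_ports:
    - 22
    - 443
...
"""
```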


Additional Educational Resources
1. Official YAML documentation.
2. Official Ansible documentation.

Wednesday, May 2, 2018

The Best Online Tech Courses Available

Disclaimer: I am not an employee of any of the online course platforms mentioned, nor am I sponsored by any of the instructors whose course(s) I recommend. I have purchased all courses with my own money.



Criteria
My criteria for evaluating a course are based on:
  • Target Audience: Is there a clear explanation of who the target audience for the course is?
  • Supplemental Content: Is there additional content to help aid in teaching or reinforcing a skill?
  • Instructor Participation: Is there interaction with the students (e.g. answering questions)?
  • Update(s): Are there significant updates to the course to keep it relevant?

Study Skills
Before one embarks on a journey of learning, it is best to understand the actual learning process and the different ways in which it can occur.

Website
Udemy

Course(s) Title
Improve Your Focus
Improve Memory

Price
The price of the course(s) will vary based on which promotional discount is in effect at the time of one's purchase.

Content
The courses might seem to cover commonly known knowledge on the subject matter, but they take it a step further by covering the intricacies behind successes and deficiencies. The author provides the why, what, and how of improving one's ability to focus and to memorize information. Each course is composed of multiple sections filled with short videos, self-assessment tests, games, and additional websites and videos for one to consume. The author is very enthusiastic about the topics and has a smooth voice for conveying his message.

Personal Note
I found the information presented in the courses quite helpful, as it showed me where my personal deficiencies lie with regard to being able to focus on content and retain it in memory. Everyone is different, but I believe understanding where your personal deficiencies lie will aid your ability to succeed with your studies, especially for technology-related study.

Cloud Computing
With cloud computing being implemented in more organizational environments every year, acquiring skills in the discipline is a requirement for future job advancement. For learning multiple skill sets and vendor-specific cloud certifications, the following is a great resource.

Website
Acloud.guru

Price
Subscription based, with price options that vary with the length of the subscription one chooses.

Content
Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. The content is updated regularly to keep in line with any changes to the vendor-specific certifications. The supplemental content comes by way of labs that follow up lessons to reinforce their core message. There is a skill progression per course, so it is recommended that one takes the courses in order for maximum value. One can take comfort in knowing that courses designed for beginners don't require any prerequisite cloud knowledge or experience, making it a great way to break into the field.

Free 7-Day Trial
Trial

Personal Note
I purchased their Amazon Solutions Architect Associate certification training and used it to pass my certification exam. I have bought several other of their courses pertaining to AWS and will look to pass more certification exams in the near future.

Cyber Security
In the world of cyber security, certifications are an important part of the field. In various industries where cyber security professionals are employed, specific certifications are required for one to even have the ability to sit for an interview, let alone be employed in the position. With that being said, the once expensive paywall that separated cyber security professionals from high-quality and effective training for cyber security certifications has been removed with the advent of multiple online arenas like Cybrary, Linux Academy, etc.

Website
Infosec4tc

Price
The price of the course(s) will vary based on which promotional discount is in effect at the time of one's purchase.

Content
There are various courses on all the major technical (Linux+, OSCP, Smart Phone Forensics) and management-level cyber security certifications (CISM, CISSP, CCSP). The author provides a plethora of additional material for each of the course offerings. The author has a high pass rate for the various cyber security certifications.

Free Course
Build Your Career in Information Security from Scratch

Personal Note
I have purchased and am currently working through the Ethical Hacking Bundle. It has several courses focused on teaching one the skill sets needed to pass the Offensive Security Certified Professional exam.


Conclusion
There are a vast number of readily available and low-cost online courses that allow one to take the necessary steps to advance their career in the field of cyber security. Your future development is in your hands. I will leave you with these inspirational words from Yoda, "There is no TRY, only DO." So use this information wisely, share it with others, and enjoy your educational journey.



Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Wednesday, January 10, 2018

How To Stay Healthy While Fighting Cyber Crime

Disclaimer: I am not a doctor. Please be aware of any food allergies you might have and take precautions to avoid them. I am not endorsed by any of the companies whose products are recommended below.


Problem
In the Information Technology field you spend a lot of time sitting in a chair. Whether it be in the car during your commute or at work, sitting for long periods of time can have a negative effect on your health, as stated in the reference article below. Another reason it's detrimental to your health is the poor eating habits one can develop. Normally you are glued to your seat because you have a lot of work to do and not enough time. This means you're most likely to grab anything that is quick and readily available. More often than not, only food that is high in sugar, salt, and preservatives and low on nutritional value is within arm's reach.

 
Solution(s)
Below are a few simple things one can try that will not break the bank nor consume a massive amount of time to implement. I recommend starting out by implementing one item for a week and then building upon that the following week with another item, until you have successfully implemented them all. Another important note is to give yourself room for error(s). You might forget to do something one day or even for one week, but don't get discouraged or quit; just try again.

1. Drink plenty of Water
Water is essential for maintaining many bodily functions. A good way to ensure you consume enough water throughout the day is to buy a water bottle of a certain size, fill it up at the beginning of the day, and make sure you drink it all by the end of the day. Try adding fruit to your water to add flavor and nutrients. Citrus fruits such as oranges, lemons, and limes diffuse well in water and provide vitamin C and plenty of minerals. Cucumbers in the water help to curb one's appetite.


2. Nuts & Veggies
If you like crunchy snacks, try replacing any junk food with nuts and veggies. Nuts like almonds, pistachios, and cashews are good sources of protein and fatty acids. Carrots and celery are crunchy veggies that, even when paired with a dip, are still healthier than junk food.


3. Tea
Caffeine intake is almost mandatory in the workforce. An alternative to coffee and energy drinks is ceremonial-grade green tea powder. It has as much caffeine as a cup of coffee and is packed full of antioxidants. Sweeten it with raw honey for added health benefits.


4. Juicing
Juicing your fruits and veggies allows you to pack a substantial amount of nutrients into a small space. This makes it a convenient way to meet or surpass your daily amount of fruits and veggies. Please remember to rotate your fruits and veggies on a weekly basis. This is the one step that will take the most time and money.
Materials
There are two ways to juice. The first is to buy a conventional juicer, for which I recommend researching the various types to decide which will work best for you as an individual. The second is to buy a blender and a fine strainer. The fine strainer is used to extract the juice by removing the plant fibers from the blended food. The second approach may seem more difficult, or as if it will take more time than the first, but all juicers have multiple parts, each of which needs to be cleaned. This means both options may end up requiring the same amount of time.
Storage
Various juicing blogs and books come to a general consensus that juiced fruits and veggies will keep in an airtight container for 2 to 3 days in the refrigerator or freezer. I recommend using wide-mouth glass Mason jars (per Ball's information, both Pint (16oz) and Pint & Half (24oz) are freezer safe) with a fermentation lid that allows one to pump the air out of the jar once it's been sealed. Remember, when placing jars in the freezer, to only fill them half way to allow room for expansion.


5. Protein Shakes
Protein shakes make great meal replacements or snacks. Brown rice, pea, hemp, and cricket are great plant- and insect-based complete proteins, respectively. It is a good idea to rotate your proteins every other week.


6. Granola Bars
Granola bars can be considered a healthy snack, but only if they are low in sugar and salt. They come in chewy or hard form. I have linked to a brand whose granola bars come in either hard or chewy, and both are low in sugar and salt.

 
Conclusion
All these recommendations are things I am implementing in my personal daily life. If you feel that these recommendations are helpful, or have any of your own, please feel free to leave them in the comment section below or tweet them at me so I can share them with the rest of the community.


 

Sunday, August 13, 2017

Forensics: Imaging a Drive

Background 
This blog post will cover how to image the hard drive(s) of a workstation/desktop computer. The process for imaging a large-scale server will differ from these steps.

Purpose 
Imaging is used to create a 1-to-1 copy of a drive. Forensics is performed on the copy of the drive to gather evidence. The Chain of Custody is used to ensure that the processes used to obtain the image and the forensic evidence will hold up in legal proceedings.


Requirements
Live Boot USB/CD  
  • Create a Live Boot USB/CD of a forensics-oriented operating system. For the purpose of this blog post we will be using Kali Linux.
Zero Drive
  • A Zero Drive is a drive that has been overwritten with zeros.


Methodology
When imaging a drive for the purpose of evidence collection, one must always adhere to the Chain of Custody[1]. The Chain of Custody is a set of standards and procedures designed to preserve the integrity of the data collected for legal proceedings.


Use Cases
There will be two primary scenarios for acquiring a forensic image:
  • The hard drive is NOT connected to the computer.
    • Solution: Attach the drive to a forensic workstation using a write-blocking mechanism.
  • The hard drive is still connected to a powered-down computer.
    • Solution: Use a forensic Live USB/CD and have the computer boot from the attached USB/CD.
Concepts
  • Reasons to split an image file:
    • If the media you are imaging is larger than the media it is being imaged to, then split the image into smaller files for transferring across multiple devices.
    • If you are trying to transfer a large image to FAT32 media, then you must split it into files of less than 4 GB in size. This is due to the fact that FAT32 supports a maximum file size of 4 GB.

How To
Create a Zero Drive
Steps:
1. Boot into Kali Linux.
2. Connect the drive.
3. Run the following command:
  • sudo dc3dd wipe=/dev/sda
  • This will overwrite all data on the drive with zeros.

Acquiring The Image[2]
Steps:
1. Identify
  • Verify the drive to be imaged from the list of available drives, using one of the following two methods:
  • Run the following command to show a list of available drives:
    • fdisk -l
  • If the drive has been removed from the computer, compare the physical label on the drive to the output of the following command:
    • hdparm -I /dev/sda
  • The disk name will be in the format:
    • /dev/sDN
    • D - device
    • N - name
  • To image the whole drive, DO NOT include a number in the drive name:
    • Incorrect: /dev/sda1, /dev/sda2, etc
    • Correct: /dev/sda
  • Select a location (a Zero Drive) to save the image file to, using the following command:
    • df -h: displays the location where your external drive is mounted.


2. Run The dc3dd tool
  • To image onto a FAT32 drive you will need to split the image file, using the following:
    • “hofs” option
      • Requires that you add the Format Specifier to the file name.
      • Format Specifier - is used to set a pattern for a sequence of file extensions.
      • BEST Practice: always use three numerical digits at the end of your .img naming scheme because AFF only recognizes names in that format.
        • Example: If you included “00” at the end of the file extension .img, then the file set would be the following: .img.00, .img.01, .img.02, etc
    • “ofsz” option
      • Purpose: set the maximum size of each file in the set of files specified.
      • For FAT32 set the file size to under 4 GB.

  • Syntax:
    • dc3dd if=Name_Of_Disk_To_Image of=/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img
    • Example:
      • dc3dd if=/dev/sda of=/media/root/47bf-5c55/forensics/cases/Image_Name.img
  • Add option(s) to the command for hashing:
    • “hof” option
      • Purpose: write output to a file or device.
      • To use it, place it in front of the “/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img”
      • Syntax:
        • hof=/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img
    • “hash” option
      • Purpose: compute a hash, using the chosen ALGORITHM, of the input and also of any outputs specified.
      • Place it after the “hof” option.
      • Syntax:
        • hash=ALGORITHM (one of: md5, sha1, sha256, sha512)
    • “log” option
      • Purpose: log input/output statistics, diagnostics, and total hashes of input and output to a file.
      • Syntax:
        • log=Full_Path_of_Location_to_Store_log_files/Log_File_Name.log
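As an added example (not from the original post, and not part of dc3dd): once dc3dd has written a split image set with the “hofs” / “ofsz” options and recorded digests with “hash” and “log”, the check below recomputes the digest over the chunks in order and compares it with the input and output digests the log recorded, which is how the copy is shown to be a faithful 1-to-1 image. The image set and the log are constructed for the demonstration; the log imitates dc3dd's layout but is not taken from a real run.

```python
import hashlib, os, re, tempfile

def split_image(data, chunk_size, prefix):
    """Write `data` as prefix.000, prefix.001, ... (the three-digit suffix the
    post recommends) and return the chunk paths in order."""
    paths = []
    for n, start in enumerate(range(0, len(data), chunk_size)):
        paths.append(f"{prefix}.{n:03d}")
        with open(paths[-1], "wb") as fh:
            fh.write(data[start:start + chunk_size])
    return paths

def find_chunks(prefix):
    """List the chunk files of an image set in numeric order and refuse a set
    with a missing member, which would silently change the digest."""
    directory, base = os.path.split(prefix)
    pattern = re.compile(re.escape(base) + r"\.(\d{3})$")
    found = []
    for name in os.listdir(directory or "."):
        m = pattern.match(name)
        if m:
            found.append((int(m.group(1)), os.path.join(directory, name)))
    found.sort()
    numbers = [n for n, _ in found]
    if numbers != list(range(len(found))):
        raise ValueError(f"chunk sequence is not contiguous: {numbers}")
    return [path for _, path in found]

def hash_image(paths, algorithm="sha256"):
    """Stream every chunk, in order, through one hash object so the digest
    equals the one dc3dd computed over the whole input device."""
    h = hashlib.new(algorithm)
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(1 << 20), b""):
                h.update(block)
    return h.hexdigest()

def logged_hashes(log_text, algorithm="sha256"):
    """Pull every '<hex> (algorithm)' line out of a dc3dd-style log."""
    return re.findall(r"^\s*([0-9a-f]{32,128}) \(" + re.escape(algorithm) + r"\)\s*$",
                      log_text, re.MULTILINE)

def verify(prefix, log_text, algorithm="sha256"):
    """Recompute the digest over the chunk set and compare it with the input
    and output digests the log recorded; all of them must agree."""
    computed = hash_image(find_chunks(prefix), algorithm)
    recorded = logged_hashes(log_text, algorithm)
    return {"computed": computed, "recorded": recorded,
            "ok": len(recorded) >= 2 and all(r == computed for r in recorded)}

def demo(tamper=False):
    """Build a constructed split image set and a matching log, optionally
    corrupt one chunk, then run the verification."""
    drive = bytes(range(256)) * 40 + b"\x00" * 3000   # stand-in for the contents of /dev/sda
    prefix = os.path.join(tempfile.mkdtemp(), "case001.img")
    split_image(drive, 4096, prefix)
    digest = hashlib.sha256(drive).hexdigest()
    # Constructed log in the layout dc3dd uses for hash=sha256: the digest of
    # the input device and the digest of the output file set both appear.
    log = (f"command line: dc3dd if=/dev/sda hofs={prefix}.000 ofsz=4096 hash=sha256\n"
           f"input results for device `/dev/sda':\n   {digest} (sha256)\n"
           f"output results for files `{prefix}.000':\n   {digest} (sha256)\n")
    if tamper:   # one flipped byte in chunk 001 must make the check fail
        with open(prefix + ".001", "r+b") as fh:
            fh.write(bytes([drive[4096] ^ 0xFF]))
    return verify(prefix, log)
```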


Resources 
1. An Open Extensible Format for Disk Imaging
2. Digital Forensics with Kali Linux
    ISBN: 9781783989225

 

References
1. Chain of Custody
2. Digital Forensics with Kali Linux
    ISBN: 9781783989225



Wednesday, June 7, 2017

OSINT: Nmap


Disclaimer
Do NOT perform network scans on networks without prior authorization.

Download
Nmap for Windows
Nmap for Linux

Background
This blog post is designed to provide one with a basic understanding of how Nmap works and the concepts to consider when performing a network scan.

Purpose
Network scanning is the probing of individual network systems for the purpose of obtaining vital information about them. Packet(s) are sent with various TCP flags set (SYN, ACK, FIN, URG, PSH) in order to solicit a response from the target system. Each kind of response is known to indicate that specific things are true about the target.

Requirements
To perform a network scan, the system performing the scan must have one of the following: the IP address of the system to be scanned, an IP address CIDR range, or a domain name.

Methodology
Network scanning is a balancing act between probing a system and the amount of time spent probing it. The more time you take probing an individual system for results, the more likely it is to crash. Bandwidth consumption is also a constant concern which must be monitored, as consuming too much will slow down the network for business operations. Try to limit the amount of bandwidth your scan will use by setting timeout limits per system and by specifying options for the protocols and the data you collect. Scanning multiple systems in parallel will increase the speed of your scan.

Output
The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. [2]

How To
Syntax:
nmap [option] [option]... Domain/IP Address

List of Nmap Options

Common Issues
Firewalls and systems can be configured to drop or not respond to the various network flags based on various criteria. [1]

Common Solutions
Evade Firewalls:
  • Don't Ping
  • Skip the default discovery check.
  • Limit the number of SYN packets you send at one time. [1]

Use Cases
Nmap is used mainly for two purposes: Asset Management and Vulnerability Scanning.

Vulnerability Scanning
One of the uses of network scanning is identifying vulnerabilities in individual network systems. This is done through a process called Fingerprinting, in which information relating to an individual system is collected. It is a best practice to use verbose output when using the TCP fingerprinting method, so as to gather logging information for troubleshooting purposes. Key information from Fingerprinting includes (but is not limited to):
  • Services running
  • Operating systems
  • Device type
  • OS CPE
  • OS details
  • Uptime guess
  • Network Distance
  • TCP Sequence Prediction
  • IP ID sequence generation
Asset Management
Asset Management is the process of maintaining current information on the system inventory. In addition to the physical inventory, the capability/usage of each system can also be cataloged. This process is similar to Vulnerability Scanning, with a change in focus for the resulting information. One may be more focused on an individual system's uptime or running services for the purpose of identifying that system's role in the organization's infrastructure.

For an asset management scan I would scan the network in segments and, if possible, during off-business hours. To identify network segments, try to determine which systems are internet facing versus internal. For the public-facing systems, use options that identify whether a system is online. For speed, use an option that does not require a response from the probed system. To speed up your scan, increase the number of parallel operations (hosts being scanned in parallel to one another).
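As an added example (not from the original post, and not an Nmap tool): a parser for the “interesting ports table” in Nmap's normal output, as described in the Output section above, that turns a scan into the per-host inventory an asset management scan is after, separating confirmed listeners from ports whose state Nmap could not decide. The scan output inside it is constructed, using RFC 5737 documentation addresses; nothing was scanned.

```python
import re
from collections import Counter

# Constructed Nmap normal output for two hosts on an RFC 5737 documentation
# range; no scan was run to produce it.
SAMPLE_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE VERSION
22/tcp   open          ssh     OpenSSH 7.4
80/tcp   open          http    Apache httpd 2.4.6
443/tcp  filtered      https
53/udp   open|filtered domain

Nmap scan report for 192.0.2.20
Host is up (0.0030s latency).
All 1000 scanned ports on 192.0.2.20 are filtered
Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# The six states the Output section lists, including the undecided pairs.
STATES = r"open|closed|filtered|unfiltered|open\|filtered|closed\|filtered"
PORT_RE = re.compile(rf"^(\d+)/(tcp|udp)\s+({STATES})\s+(\S+)(?:\s+(.+))?$")

def parse_nmap(text):
    """Group each host's port-table rows (port, protocol, state, service,
    optional version) under the address in its 'scan report' line."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"name": m.group(1), "address": m.group(2) or m.group(1),
                       "up": False, "ports": []}
            hosts[current["address"]] = current
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            current["up"] = True
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": (m.group(5) or "").strip() or None})
    return hosts

def summarize(hosts):
    """Per host: confirmed listeners (state open) versus ports that need a
    follow-up because Nmap could not decide (filtered, unfiltered, x|y)."""
    summary = {}
    for address, host in hosts.items():
        label = lambda p: f"{p['port']}/{p['proto']}"
        summary[address] = {
            "up": host["up"],
            "listening": [label(p) for p in host["ports"] if p["state"] == "open"],
            "undecided": [label(p) for p in host["ports"]
                          if p["state"] not in ("open", "closed")],
            "states": dict(Counter(p["state"] for p in host["ports"])),
        }
    return summary
```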

Nmap Scripting Engine (NSE)
(Disclaimer: I do not recommend using a publicly available NSE script without first reviewing the code for yourself to determine its legitimacy.)
Here is Nmap.org's official list of Nmap Scripting Engine scripts from cyber security professionals and amateurs. I recommend reviewing their code to learn how to create your own NSE scripts.

Resources
List of websites available for scanning

Nmap 6 Cookbook: The Fat Free Guide to Network Scanning by Nicholas Marsh
  • ISBN-10: 1507781385
  • ISBN-13: 978-1507781388
Hands on Tutorials

References
1. Nmap 6 Cookbook: The Fat Free Guide to Network Scanning by Nicholas Marsh
  • ISBN-10: 1507781385
  • ISBN-13: 978-1507781388
2. Chapter 15 Nmap Reference Guide
  • https://nmap.org/book/man.html
3. Nmap Options

Monday, March 20, 2017

Cyber Security Analyst (Part 3 of 3)

Writing Snort Signatures

This series will cover analyzing the common data types found in cyber security incidents: NetFlow, domain(s) & IP address(es), and PCAP. The format of the posts will be as follows: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.


Background
Intrusion Detection Systems (IDS) perform network packet inspection against predefined criteria. They can alert on and/or collect Packet Capture (PCAP) data related to the predefined criteria.

Overview
For the purpose of this blog we are going to review the Snort IDS. The information in this blog is designed to help people create Snort signatures.

When creating Snort rules, remember that you might not have complete inbound/outbound traffic sensor coverage of your network. The longer the duration of PCAP collection, the larger the file. Include documentation on why you are collecting/alerting on the information specified in your signature. Have a set review period at which you will re-evaluate the effectiveness of the signature based on the data collected and its false positive to true positive ratio.

Operators[1]
  • \ - used at the end of a line to continue the rule on the next line.
  • Negation "!" - tells Snort to match any IP address except the one indicated by the listed IP address.
  • [] - are used in the "Rules Action" section to define a set.
  • () - the contents inside the parentheses are the "Rule Options" section.
  • Range ":" - used to define a range of numbers for the rule to take action on. The start of the range goes on the left of the ":", the end on the right.
  • Directional "->" - indicates the orientation or direction of the traffic that the rule applies to.
  • BiDirectional "<>" - tells Snort to consider the address/port pairs in either the source or destination orientation.

Basics
  • Most rules are a single line.
  • To write a multi-line rule, use the backslash \ to end each line.
  • Rules are divided into two logical sections, the "Rule Header" and the "Rule Options".
  • Rule Header: contains the rule's action, protocol, source and destination IP addresses and netmask, and the source and destination port information. The text up to the first parenthesis is the rule header.
  • Rule Options: contain the alert message and information on which parts of the packet should be inspected to determine whether the rule action should be taken. The contents enclosed in the parentheses are the rule options.
  • (Best Practice) Separate the "Rule Header" and "Rule Options" onto separate lines, making it easier to view both sections.


Rule Components

Rule Header = (Action + Protocol + Source IP + Source Port) Directional or BiDirectional operator (Destination IP + Destination Port)

Rule Options = Message + Flow + Reference + Classtype + sid/rev

Snort Rule = Rule Header + Rule Options



Rule Creation Steps

1. Rule action
  • Rule action(s) take effect on one of the supported protocols the user can specify.
  • There are 5 default "Rule Actions" available in Snort:
    • Alert - generate an alert using the selected alert method, and then log the packet.
    • Log - log the packet.
    • Pass - ignore the packet.
    • Activate - alert and then turn on another dynamic rule.
    • Dynamic - remain idle until activated by an activate rule, then act as a log rule.

2. Protocols
  • After the "Rule Action" is chosen, the next field in the rule is the "Protocol".
  • Snort analyzes the following protocols: TCP, UDP, ICMP, and IP.

3. IP Address

  • The keyword "any" may be used to define any address.
  • Write IP addresses in numeric four-octet format and include a CIDR block.
  • (i.e. xxx.xxx.xxx.xxx/24)
  • The CIDR block indicates the netmask (range of IP addresses) that should be applied to the rule's address and to any incoming packets that are tested against the rule.

4. Port Numbers
  • After the "Protocol" is chosen, the next field in the rule is the "Port Number".
  • The keyword "any" may be used to define any port number.

5. The Direction Operator
  • Directional -> - indicates the orientation or direction of the traffic that the rule applies to.
  • BiDirectional <> - tells Snort to consider the address/port pairs in either the source or destination orientation.


Detection Options[1]
Content
Allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data. Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents. If data exactly matching the argument data string is contained anywhere within the packet's payload, the test is successful and the remainder of the rule option tests are performed.
Be aware that this test is case sensitive.
Options:
  • nocase
    • Used to specify that Snort should look for the specific pattern, ignoring case.
  • rawbytes
    • Used to look at the raw packet data, ignoring any decoding that was done by pre-processors.
  • depth
    • Used to specify how far into a packet Snort should search for the specified pattern based on a chosen byte value.
    • Only values greater than or equal to the pattern length can be searched. The minimum byte value is 1 and the maximum byte value is 65535.
    • Syntax:
      • depth: [<number>|<var_name>]
  • offset
    • Used to specify where to start searching for a pattern within a packet based on a chosen byte value.
    • The byte ranges from -65535 to 65535.
    • Syntax:
      • offset:[<number>|<var_name>]
  • distance
    • Used to specify how many bytes Snort should ignore before starting to search for the specified pattern, relative to the end of the previous pattern match.
    • Syntax:
      • distance:[<byte_count>|<var_name>]
  • within
    • Used to make sure that at most N bytes are between pattern matches using the content keyword.
    • Syntax:
      • within:[<byte_count>|<var_name>]
  • http_client_body
    • Used to restrict the search to the body of an HTTP client request.
    • Syntax:
      • http_client_body
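As an added example (not from the original post, and not Snort's own parser): a small checker that splits a rule into the Rule Header and Rule Options described under Rule Components and then validates the fields this post walks through, the five rule actions, the four protocols, the direction operators, a CIDR block on numeric addresses, the msg/sid/rev options, and the depth and offset limits given under Detection Options. The two rules at the bottom are constructed for the demonstration.

```python
import ipaddress, re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

def split_rule(rule):
    """Header is the text before the first '('; the options are what the
    parentheses enclose. Backslash line continuations are joined first."""
    rule = rule.replace("\\\n", " ").strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header, options = rule.split("(", 1)
    return header.strip(), options[:-1]

def parse_options(text):
    """Split 'key:value; key; ...' into (key, value) pairs, ignoring any
    ';' that sits inside a quoted msg or content string."""
    pairs, buf, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            key, _, value = buf.strip().partition(":")
            pairs.append((key.strip(), value.strip()))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raise ValueError("last option is missing its ';'")
    return pairs

def pattern_length(value):
    """Byte length of a content argument; text between '|' is hex bytes."""
    total, in_hex = 0, False
    for chunk in value.lstrip("!").strip('"').split("|"):
        total += len(chunk.split()) if in_hex else len(chunk)
        in_hex = not in_hex
    return total

def check_header(header):
    parts = header.split()
    if len(parts) != 7:
        return [f"header needs 7 fields, found {len(parts)}: {header!r}"]
    action, proto, src, sport, direction, dst, dport = parts
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown rule action {action!r}")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        problems.append(f"bad direction operator {direction!r}")
    for addr in (src, dst):
        bare = addr.lstrip("!")                       # '!' negates the address
        if bare == "any" or bare[:1] in ("$", "["):   # keyword, variable or set: skipped
            continue
        try:
            if "/" not in bare:
                raise ValueError
            ipaddress.ip_network(bare, strict=False)
        except ValueError:
            problems.append(f"{addr!r} must be a numeric address with a CIDR block")
    return problems

def check_options(pairs):
    keys = [k for k, _ in pairs]
    problems = [f"missing {k}" for k in ("msg", "sid", "rev") if k not in keys]
    content_len = None
    for key, value in pairs:
        number = int(value) if re.fullmatch(r"-?\d+", value) else None  # var names not checked
        if key == "content":
            content_len = pattern_length(value)
        elif key == "depth" and number is not None:
            if not 1 <= number <= 65535:
                problems.append(f"depth {number} outside 1..65535")
            elif content_len is not None and number < content_len:
                problems.append(f"depth {number} is shorter than the {content_len}-byte pattern")
        elif key == "offset" and number is not None and not -65535 <= number <= 65535:
            problems.append(f"offset {number} outside -65535..65535")
    return problems

def check_rule(rule):
    """Return every problem found; an empty list means the rule passed."""
    header, options = split_rule(rule)
    return check_header(header) + check_options(parse_options(options))

# Constructed rules: one that follows every convention above, one that
# omits the CIDR block and rev and sets depth shorter than its content.
GOOD_RULE = ('alert tcp $EXTERNAL_NET any -> 192.0.2.0/24 80 \\\n'
             '(msg:"WEB-SERVER admin path probe"; flow:to_server,established; '
             'content:"GET /admin"; nocase; depth:10; offset:0; '
             'classtype:web-application-activity; sid:1000001; rev:1;)')
BAD_RULE = ('alert tcp any any -> 192.0.2.5 80 '
            '(msg:"depth too small"; content:"GET /admin"; depth:4; sid:1000002;)')
```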


References
1. Snort

