This series will cover analyzing the common data types found in cyber security incidents: NetFlow, domain(s) and IP address(es), and PCAP. The format of the posts will be as follows: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.
Background
Intrusion Detection Systems (IDS) inspect network packets against predefined criteria. When the criteria are met, an IDS can alert and/or collect Packet Capture (PCAP) data related to the matching traffic.
Overview
For the purpose of this blog we are going to be reviewing the Snort IDS. The information in this blog is designed to help people create Snort signatures.
When creating Snort rules, remember that you might not have complete inbound/outbound traffic sensor coverage of your network. The longer the duration of PCAP collection, the larger the file. Include documentation on why you are collecting/alerting on the information provided in your signature. Set a review period at which you will re-evaluate the effectiveness of the signature based on the data collected and its false positive to true positive ratio.
Operators[1]
- \ - placed at the end of a line to continue the rule on the next line.
- Negation "!" - tells Snort to match any IP address except the one indicated by the listed IP address.
- [] - used in the "Rules Action" section to define a set.
- () - the contents inside the parentheses are the "Rule Options" section.
- Range ":" - used to define a range of numbers for the rule to take action on. The start of the range goes on the left of the ":", the end on the right.
- Directional "->" - indicates the orientation or direction of the traffic that the rule applies to.
- BiDirectional "<>" - tells Snort to consider the address/port pairs in either the source or destination orientation.
Basics
- Most rules are a single line.
- To write multi-line rules, use the backslash \ to end each line.
- Rules are divided into two logical sections, the "Rule Header" and the "Rule Options".
- Rule Header: contains the rule's action, protocol, source and destination IP addresses and netmask, and the source and destination port information. The text up to the first parenthesis is the rule header.
- Rule Options: contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. The contents enclosed in the parentheses are the rule options.
- (Best Practice) Separate the "Rule Header" and "Rule Options" onto separate lines, making it easier to view both sections.
Rule Components
Rule Header = (Action + Protocol + SourceIP + Source Port) Directional or BiDirectional notation (destIP + destport)
Rule Options = Message + Flow + Reference + Classtype + sid/rev
Snort Rule equation = Rule Header + Rule Options
Rule Creation Steps
1. Rule action
- The rule action takes effect on one of the supported protocols the user specifies.
- There are 5 default "Rule Actions" available in Snort:
- Alert - generate an alert using the selected alert method, and then log the packet.
- Log - log the packet.
- Pass - ignore the packet.
- Activate - alert and then turn on another dynamic rule.
- Dynamic - remain idle until activated by an activate rule, then act as a log rule.
2. Protocols
- After the "Rule Action" is chosen, the next field in the rule is the "Protocol".
- Snort analyzes the following protocols: TCP, UDP, ICMP, and IP.
3. IP Address
- The keyword "any" may be used to define any address.
- Write IP addresses in numeric four-octet format and include a CIDR block.
- (e.g. xxx.xxx.xxx.xxx/24)
- The CIDR block indicates the netmask (range of IP addresses) that should be applied to the rule's address and to any incoming packets that are tested against the rule.
4. Port Numbers
- After the "Protocol" is chosen, the next field in the rule is the "Port Number".
- The keyword "any" may be used to define any port number.
5. The Direction Operator
- Directional -> - indicates the orientation or direction of the traffic that the rule applies to.
- BiDirectional <> - tells Snort to consider the address/port pairs in either the source or destination orientation.
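To show how the header and option sections described above fit together, here is an added example (not code from the post or from the Snort project) that joins a backslash-continued rule, splits it into the seven header fields and the parenthesised options, and checks the action, protocol and direction operator against the values listed above. The sample rule is constructed for this example; the `$EXTERNAL_NET`/`$HOME_NET` variables and the option keywords are standard Snort syntax.

```python
import re

# The five default rule actions and four protocols the post lists.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Constructed sample rule (not from any ruleset); sid 1000001 is in the local-rule range.
SAMPLE_RULE = """alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \\
    (msg:"Constructed example suspicious URI"; flow:to_server,established; \\
    content:"/cgi-bin/"; nocase; reference:url,example.com/constructed; \\
    classtype:web-application-attack; sid:1000001; rev:1;)"""


def parse_rule(rule: str) -> dict:
    """Split a Snort rule into its header fields and a dict of its options."""
    # Multi-line rules end each line with a backslash: join them back into one line.
    rule = re.sub(r"\\\s*\n\s*", " ", rule).strip()
    # Everything before the first "(" is the header; the parenthesised rest is the options.
    header, sep, rest = rule.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    # Tokenise the header, keeping bracketed sets such as [10.0.0.0/8,192.168.0.0/16] whole.
    fields = re.findall(r"\[[^\]]*\]|\S+", header)
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {fields}")
    action, proto, src_ip, src_port, direction, dst_ip, dst_port = fields
    if action not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    # Options are "key:value;" pairs; bare keywords such as nocase get an empty value.
    # Assumes no unescaped ";" inside quoted values (Snort requires escaping them anyway).
    options: dict = {}
    for item in rest.rstrip()[:-1].split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            options.setdefault(key.strip(), []).append(value.strip())
    # msg and sid are the components the post lists that every rule should carry.
    for required in ("msg", "sid"):
        if required not in options:
            raise ValueError(f"rule is missing the {required} option")
    return {"action": action, "protocol": proto, "src_ip": src_ip, "src_port": src_port,
            "direction": direction, "dst_ip": dst_ip, "dst_port": dst_port, "options": options}


if __name__ == "__main__":
    print(parse_rule(SAMPLE_RULE))
```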
Detection Options[1]
Content
Allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data. Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents. If data exactly matching the argument data string is contained anywhere within the packet's payload, the test is successful and the remainder of the rule option tests are performed.
Be aware that this test is case sensitive.
Options:
- nocase
- Used to specify that Snort should look for the specific pattern, ignoring case.
- rawbytes
- Used to look at the raw packet data, ignoring any decoding that was done by pre-processors.
- depth
- Used to specify how far into a packet Snort should search for the specified pattern based on a chosen byte value.
- only values greater than or equal to the pattern length can be searched. The minimum byte value is 1 and the maximum byte value is 65535.
- Syntax:
- depth: [<number>|<var_name>]
- offset
- Used to specify where to start searching for a pattern within a packet based on a chosen byte value.
- The byte value ranges from -65535 to 65535.
- Syntax:
- offset:[<number>|<var_name>]
- distance
- Used to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match.
- Syntax:
- distance:[<byte_count>|<var_name>]
- within
- Used to make sure that at most N bytes are between pattern matches using the content keyword.
- Syntax:
- within:[<byte_count>|<var_name>]
- http_client_body
- Used to restrict the search to the body of an HTTP client request.
- Syntax:
- http_client_body
References
1. Snort
Social Media
Facebook:
https://www.facebook.com/BDavisCS/
Twitter:
@BDavis_CyberSec