The First Bad Rule
5. The application layer consists of the applications that provide the user interface to the
network. Examples of network applications are Telnet, Web browsers, and FTP
clients. These applications usually have their own application layer protocol for
data communication.
Snort rules operate on network layer (IP, ICMP) and transport layer (TCP, UDP) protocols.
However, there are methods to detect anomalies in data link layer and application
layer protocols as well (Snort's preprocessors, for example). The second field of each
Snort rule names the protocol, and you will learn shortly how to write these rules.
3.2 The First Bad Rule
Here is the first (very) bad rule. In fact, this may be the worst rule ever written, but it
does a very good job of testing if Snort is working well and is able to generate alerts.
alert ip any any -> any any (msg: "IP Packet detected";)
You can add this rule at the end of the snort.conf file the first time you install
Snort. The rule will generate an alert message for every captured IP packet, and it will
soon fill up your disk space if you leave it there! This rule is bad because it does not
convey any information. What is the point of using a rule on a permanent basis that tells
you nothing other than the fact that Snort is working? It should be your first test to
make sure that Snort is installed properly, and nothing more. In the next section, you
will find information about the different parts of a Snort rule. However, for the sake of
completeness, the following is a brief explanation of the different words used in this rule:
- The word alert shows that this rule will generate an alert message when the
criteria are met for a captured packet. The criteria are defined by the words that
follow.
- The ip part shows that this rule will be applied to all IP packets.
- The first any is used for the source IP address and shows that the rule will be
applied to packets from any source address.
- The second any is used for the source port number. Since port numbers are
irrelevant at the IP layer, the rule will be applied to all packets. (For ip rules the
port fields must still be present, and any is the only value that makes sense there.)
- The -> sign shows the direction of the packet: from the source address and port on
the left to the destination address and port on the right.
- The third any is used for the destination IP address and shows that the rule will
be applied to all packets irrespective of destination IP address.
- The fourth any is used for the destination port. Again it is irrelevant because this
rule is for IP packets and port numbers are irrelevant at that layer.





