Rule Options


105


alert udp $EXTERNAL_NET any  > $HOME_NET 1900 \


(msg:"MISC UPNP malformed advertisement"; \


content:"NOTIFY * "; nocase; classtype:misc attack; \


reference:cve,CAN 2001 0876; reference:cve, \


CAN 2001 0877; sid:1384; rev:2;)


This rule generates the following entry in /var/log/snort/alert file:


[**] [1:1384:2] MISC UPNP malformed advertisement [**]


[Classification: Misc Attack] [Priority: 2] 


12/01 15:25:21.792758 192.168.1.1:1901  > 239.255.255.250:1900


UDP TTL:150 TOS:0x0 ID:9 IpLen:20 DgmLen:341


Len: 321


[Xref => cve CAN 2001 0877][Xref => cve CAN 2001 0876]


The last line of this alert shows a reference where more information about this


alert can be found. The reference.config file plays an important role because it


contains the actual URL to reach a particular reference. For example, the following line


in reference.config file will reach the actual URL using the last line of the alert


message.


config reference: cve  http://cve.mitre.org/cgi bin/


cvename.cgi?name=


When you add CAN 2001 0876 at the end of this URL, you will reach the web


site containing information about this alert. So the actual URL for information about


this alert is http://cve.mitre.org/cgi bin/cvename.cgi?name= CAN 2001 0876.


Multiple references can be placed in a rule. References are also used by tools like


ACID


3


 to provide additional information about a particular vulnerability. The same log


message, when displayed in an ACID window, will look like Figure 3 4. In this figure,


the URL is already inserted under the  Triggered Signature  heading. You can click on


it to go to the CVE web site for more information.


3.6.23 The resp Keyword


The resp keyword is a very important keyword. It can be used to knock down


hacker activity by sending response packets to the host that originates a packet match 


ing the rule.  The keyword is also known as Flexible Response or simply FlexResp and


is based on the FlexResp plug in. The plug in should be compiled into Snort, as


explained in Chapter 2, using the command line option (  with flexresp) in the


3.


ACID is discussed in Chapter 6.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      toronto web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Java Hosting
Cheapest Hosting



Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved