Sample Default Rules


127


alert tcp $EXTERNAL_NET any  > $HOME_NET 6000 (msg:"X11 MIT Magic 


Cookie detected"; flow:established


; content: "MIT MAGIC COOKIE 1"; reference:arachnids,396; 


classtype:attempted user; sid:1225; rev:3;


)


alert tcp $EXTERNAL_NET any  > $HOME_NET 6000 (msg:"X11 xopen"; 


flow:established; content: "|6c00 0b


00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; 


sid:1226; rev:2;)


Similarly, each file contains rules specific to a particular class. The dns.rules


file contains all rules related to attacks on DNS servers, the telnet.rules file con 


tains all rules related to attacks on the telnet port, and so on.


3.10.1 The local.rules File


The local.rules file has no rules. This is meant to be used by Snort adminis 


trator for customized rules. However, you can use any file name for your own custom 


ized rules and include it in the main snort.conf file.


3.11 Sample Default Rules


You have learned the structure of Snort rules and how to write your own rules. This sec 


tion lists some predefined rules that come with Snort. All of the rules in this section are


taken from the telnet.rules file. Let us discuss each of these to give you an idea


about rules that are used in production systems.


3.11.1 Checking su Attempts from a Telnet Session 


The first rule generates an alert when a user tries to su to root through a telnet ses 


sion. The rule is as shown below:


alert tcp $TELNET_SERVERS 23  > $EXTERNAL_NET any (msg:"TELNET 


Attempted SU from wrong group"; flow:


from_server,established; content:"to su root"; nocase; 


classtype:attempted admin; sid:715; rev:6;)


There are a number of things to note about this rule. The rule generates an alert


and applies to TCP packets. Major points are listed below:


  The variable $TELNET_SERVERS is defined in snort.conf file and shows


a list of Telnet servers.


  Port number 23 is used in the rule, which means that the rule will be applied to


TCP traffic going from port 23. The rule checks only response from Telnet


servers, not the requests.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      toronto web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Java Hosting
Cheapest Hosting



Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved