128
Chapter 3     Working with Snort Rules
- The variable $EXTERNAL_NET is defined in the snort.conf file and covers all
  addresses outside the private network. The rule applies only to Telnet sessions
  that originate from outside the private network; if someone on the internal
  network starts a Telnet session, the rule will not detect that traffic.
- The flow keyword restricts this rule to established connections and to
  traffic flowing from the server.
- The content keyword means that an alert is generated when a packet contains
  "to su root".
- The nocase keyword lets the rule ignore the case of letters while matching
  the content.
- The classtype keyword assigns a class to the rule. The attempted-admin class
  is defined with a default priority in the classification.config file.
- The rule ID (sid) is 715.
- The rev keyword shows the version of the rule.
3.11.2 Checking for Incorrect Login on Telnet Sessions
The following rule is similar to the rule for checking su attempts. It checks
incorrect login attempts on the Telnet server port.
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
content:"Login incorrect"; flow:from_server,established;
reference:arachnids,127; classtype:bad-unknown; sid:718; rev:6;)
There is one additional keyword used in this rule: reference:arachnids,127.
This is a reference to a web site where you can find more information about this
vulnerability. The URLs for external web sites are placed in the reference.config
file in the Snort distribution. Using the information in reference.config, the
URL for more information about this rule is http://www.whitehats.com/info/IDS=127.
Here 127 is the ID used for searching the database at the arachnids web site.
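As an added example (not code from the book or from the Snort project), the following Python script parses the sid 718 rule above into its header fields and option list, expands the reference option through a reference.config-style mapping, and applies the content keyword with and without nocase to a few Telnet payloads. The sid 718 rule is copied from the text; the second rule (built from the keywords the text lists for the su rule, with an assumed msg), the reference.config excerpt and its URL prefixes, and the payloads are constructed for this example.

```python
import re

# Constructed copy of the rule discussed in Section 3.11.2 (sid 718).
TELNET_LOGIN_RULE = (
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any '
    '(msg:"TELNET login incorrect"; content:"Login incorrect"; '
    'flow:from_server,established; reference:arachnids,127; '
    'classtype:bad-unknown; sid:718; rev:6;)'
)

# Constructed rule using the keywords the text lists for the su rule
# (content with nocase, flow from the server, attempted-admin, sid 715).
# The msg text is assumed, not the book's exact rule.
SU_RULE = (
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any '
    '(msg:"TELNET attempted su root"; content:"to su root"; nocase; '
    'flow:from_server,established; classtype:attempted-admin; sid:715;)'
)

# Constructed excerpt in the "config reference:" format of Snort's
# reference.config. The URL prefixes are assumptions, chosen so that
# arachnids,127 expands to the URL given in the text.
REFERENCE_CONFIG = """\
# system      URL prefix (the reference ID is appended to it)
config reference: arachnids http://www.whitehats.com/info/IDS=
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' without splitting inside quoted values."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf).strip())
    return [item for item in items if item]


def parse_rule(rule):
    """Return the header fields plus an ordered list of (keyword, value)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a valid Snort rule header')
    fields = ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')
    parsed = {k: m.group(k) for k in fields}
    parsed['options'] = []
    for item in split_options(m.group('opts')):
        key, _, value = item.partition(':')  # keywords like nocase have no value
        parsed['options'].append((key.strip(), value.strip().strip('"')))
    return parsed


def load_reference_config(text):
    """Map each reference system name to its URL prefix."""
    prefixes = {}
    for line in text.splitlines():
        m = re.match(r'\s*config reference:\s*(\S+)\s+(\S+)', line)
        if m:
            prefixes[m.group(1).lower()] = m.group(2)
    return prefixes


def reference_urls(parsed, prefixes):
    """Expand every reference: option into a URL, as Snort does."""
    urls = []
    for key, value in parsed['options']:
        if key == 'reference':
            system, _, ident = value.partition(',')
            urls.append(prefixes[system.strip().lower()] + ident.strip())
    return urls


def content_matches(parsed, payload):
    """True when every content: option is found in payload. A nocase keyword
    applies to the content option it follows, up to the next content option."""
    options = parsed['options']
    for i, (key, value) in enumerate(options):
        if key != 'content':
            continue
        modifiers = []
        for k, _ in options[i + 1:]:
            if k == 'content':
                break
            modifiers.append(k)
        needle, hay = value.encode(), payload
        if 'nocase' in modifiers:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True
```

Calling `reference_urls(parse_rule(TELNET_LOGIN_RULE), load_reference_config(REFERENCE_CONFIG))` yields the URL the text derives for this rule, and `content_matches` shows why the su rule needs nocase while the login rule, which matches the fixed server banner, does not: without nocase, an uppercase payload does not trigger the sid 718 rule.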
3.12 Writing Good Rules
There is a large list of predefined rules that are part of the Snort distribution.
Looking at these rules gives you a fairly good idea of how to write good rules.
Although it is not mandatory, you should use the following parts in the options
for each rule:
- A message part using the msg keyword.
- Rule classification, using the classification keyword.