Difference between revisions of "SNORT-RULES: Coba Menulis Rules untuk pemula"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Sumber: courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf CS 415: Computer and Network Security Fall 2007 Lab exercise: Working with Snort for Intrusion Detection Abstra...")
 
 
(20 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Sumber: courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf
 
Sumber: courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf
  
 +
Sebuah pendeteksi penyusup / Intrusion Detection System (IDS) logika bekerjanya seperti anti-virus, engine pendeteksi hanya akan bekerja dengan benar kalau database-nya benar. Kalau serangan tersebut tidak ada dalam database maka serangan tersebut tidak akan terdeteksi. Sial-nya database tersebut adalah buatan manusia, yang harus telaten mendokumentasinya bentuk paket / isi paket serangan, kemudian menuangkannya ke dalam sebuah aturan / rules.
  
 +
Snort Intrusion Detection System (IDS) mempunyai kemampuan yang baik untuk membaca paket yang lewat di jaringan. Snort IDS mirip dengan tcpdump / wireshark, tetapi memiliki output yang lebih bersih dan bahasa aturan yang lebih fleksibel. Sama seperti tcpdump / wireshark, snort akan mendengarkan antarmuka tertentu, atau membaca jejak paket dari sebuah file. Umumnya administrator keamanan diminta untuk melihat jejak paket untuk menganalisa serangan yang terjadi. Salah satu yang nampaknya akan amat sangat bermanfaat adalah kemampuan untuk menulis snort rules untuk mendeteksi serangan. Disini kita akan belajar bagaimana menggunakan snort untuk membaca jejak dan belajar bagaimana menulis aturan / rules baru.
  
CS 415: Computer and Network Security
+
Tujuan utama snort sebagai IDS adalah untuk bereaksi jika ada rules yang cocok dengan paket yang masuk. Reaksi yang di berikan Snort IDS bisa bermacam-macam tergantung kebutuhan / kemauan yang memprogram, bisa di catat / "log", bisa memberikan "alert" bagi administrator keamanan jaringan.
Fall 2007
 
Lab exercise: Working with Snort for
 
Intrusion Detection
 
Abstract:
 
This lab is intended to give you experience with the snort program written by
 
Marty Roesch and a host of contributors. Snort is a simple and powerful network-
 
monitoring agent. We will provide you with a packet trace and you will write snort
 
rules to identify specific packet types.
 
1
 
Tools required for this lab:
 
User-level access to a machine with snort installed.
 
• The packet trace, snort-ids-lab.log, available from the class web site.
 
 
There are versions of snort for windows, but we have not tested them out
 
with this lab.
 
2
 
Pre-lab Background:
 
The suggested background reading may help you complete the questions..
 
 
The snort homepage. www.snort.org. On the homepage there are a few
 
documents that may assist you in understanding snort:
 
Snort FAQ
 
http://www.snort.org/docs/FAQ.txt
 
Snort Overview
 
http://www.snort.org/docs/snort_manual/node2.html
 
How to Write Snort Rules and Keep Your Sanity
 
http://www.snort.org/docs/snort_manual/node16.html
 
The writing snort rules document is an especially helpful reference for writing the
 
snort rules needed for this lab.3
 
Lab exercises: snort
 
Please complete the following exercises. As always, you must hand in a
 
lab write up containing answers to questions asked for each task.
 
3.1
 
I f snort is not installed already, install libpcap and then snort. You may be able to find these
 
as a package, or may have to build each from Source.
 
You can run this lab on your own system since it is a lab for setting up defenses --- but don't be
 
stupid: snort is easily viewed as a packet-sniffing tool and you may be accused of hacking.
 
For this lab, we won't be sniffing any live packets, just reading packet traces from a file. But, you
 
may be easily accused of sniffing packets. I wouldn't risk it if you have any concerns about how
 
your activities may be viewed by others.
 
Snort is similar to tcpdump, but has cleaner output and a more versatile rule language. Just like
 
tcpdump, snort will listen to a particular interface, or read a packet trace from a file.
 
Download the tracefile from the course web server and place it in the /tmp directory. Commonly
 
security administrators are asked to look at a packet trace to analyze a recent attack. In this lab,
 
we are going to learn how to use snort to read traces and learn how to write new snort rules. The
 
trace doesn't node contain a particular attack in progress, but instead several different distinct
 
types of questionable packets.
 
You can always get a list of command line options by typing "snort –help". A good set of
 
command line arguments to pass snort in this lab is:
 
snort –r /tmp/snort-ids-lab.log
 
-P 5000 –c /tmp/rules –e –X -v
 
Reading the help file, write in your lab write-up what each of those flags should do.
 
Some newer versions of snort have problems while reading incorrect checksums on packets. You
 
may have to add “config checksum_mode : none” to the top of your rules file if you run in to this
 
checksum problem.
 
The intention of snort is to alert the administrator when any rules match an incoming packet.
 
Administrators can keep a large list of rules in a file, much like a firewall rule set may be kept.
 
All the rules are generally about one line in length and follow the same format. Here's an example
 
log tcp
 
any any -> 128.119.245.66 23 (msg: "telnet to www machine!";)
 
This rule tells snort to record ("log") all packets destined to the telnet port on 128.119.245.66 and
 
to include a user readable string. This makes sense if that port is turned off in inetd.conf; there
 
shouldn't be any traffic.
 
In general, all rules are of this form:
 
action protocol address port direction address port (rule option)
 
In our example, the action was "log". We could simply write to a common alert file with the
 
command "alert". The difference between log and alert is that each IP address gets its own logfile for later analysis, while all alerts are stored in one common file.
 
The protocol field can be "tcp", "udp",or "icmp". "Any" is not allowed. Addresses can be specified
 
in CIDR notation, and ports can be given as ranges and with the "!" operator. For example, the
 
example below (stolen from the documentation!) logs all packets to a range of machine not on
 
ports 6000-6010.
 
log tcp any any -> 192.168.1.0/24 !6000:6010
 
The direction operator is either "->" or "<-"or "<>" for bi-directional traffic between two addresses.
 
The rule options specify tasks to be performed if the addresses and protocols match.
 
For example, here's a snort rule to catch all ICMP echo messages:
 
alert tcp any any -> 192.168.10.2 any (itype: 8; msg: "ping detected";)
 
Run this single rule on the packet trace. The results will be written to /var/log/snort/alert. In your
 
write up, state why the value 8 was used. And, include the output of that command.
 
Note that serveral options can be llisted in the parentheses. Each must end with a semicolon,
 
even if there is only one rule. Other useful options include, "content", "flags" , "ipoption". More are
 
list in the "writing snort rules" document.
 
3.2
 
What to hand in
 
Question 1. There are seven other distinct packet signatures in the packet trace file. In other
 
words, there are 30 packets total in the packet trace. There are 8 rules that will uniquely identify
 
the 8 different packet signatures. You already have one of the rules. Look though the packet trace
 
and figure out the other rules. Look for more general signatures where you can, however, be
 
careful not to write too general signatures. Part of the intent of the lab is to teach you how to write
 
effective rules. It is easy to write a rules that matches all IP datagrams regardless of content, but
 
this would be a very ineffective rule at detecting anomalous or malicious activity.
 
Include in your write up the 7 other rules you came up with as well as the /var/log/snort/alert
 
output. (The alert file is append each time snort has output, so you want to erase the alert file
 
before each snort run while experiementing with different rules.) Be sure to include a descriptive
 
message ("msg") with each alert.
 
The rules you write may be instructive, but not the most useful for a real system.
 
Question 2. Once you've completed that trace, state how each of following real rules from the
 
snort home page work:
 
1. alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
 
content:"Login incorrect"; flags: A+; reference:arachnids,127;)
 
2. alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT BIND Tsig
 
Overflow Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh";)
 
3. alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F;
 
reference:arachnids,27;)
 
4. alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"MISC linux rootkit attempt
 
lrkr0x";flags: A+; content:"lrkr0x";)5. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source
 
access ";flags: A+; content:"/view-source?../../../../../../../etc/passwd";
 
nocase;reference:cve,CVE-1999-0174;)
 
7. alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode: 0;)
 
8. alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named
 
overflow";flags:
 
A+;content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanyway
 
whocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833;)
 
9. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
 
ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|";
 
reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;)
 
10. alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
 
(msg:"SHELLCODE sparc NOOP"; content:"|a61c c013 a61c c013 a61c c013 a61c
 
c013|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:4;)
 
3.3
 
Phatbot Analysis
 
Read the analysis of the phatbot (sometimes referred to as polybot) Trojan at
 
http://www.lurhq.com/phatbot.html.
 
Question 3. As with question 2, evaluate the snort signatures contained in the above document.
 
Comment on the effectiveness of these signatures.
 
Question 4. The waste protocol used in the phatbot Trojan originally included the capability of
 
encrypting the peer-to-peer data stream. What effect would this have on the effectiveness of the
 
above signature.
 
Question 5. Do some additional research about the phatbot/polybot Trojan. Assume that phatbot
 
develops the capability of encrypting the data stream. Phatbot has a consistent and obvious
 
signature of network activity across multiple packets that allow it to be detected even with out
 
access to content of the data stream. The signature may traverse multiple packets. Snort rules
 
generally deal with packet-by-packet data signatures. This question is intentionally vague and is
 
designed to have you apply some of the skills you have acquired to tackling a real world problem
 
such as being able to detect malicious activity even when you do not have access to the content
 
of the data streams. Explain in a few paragraphs what other tools and techniques you may use to
 
detect this signature. Provide enough detail so that a campus network administrator could follow
 
your explanation to deploy your system in production.
 
Question 6. What techniques would you use to minimize the number of false positives with your
 
technique described above.
 
4
 
Evaluation
 
Question 7: How hard was this lab? Was it fair? How would you change it to improve it?
 
  
  
 +
==Alat==
 +
 +
* server dengan snort yang di instalasi
 +
 +
 +
==Bacaan==
 +
 +
* www.snort.org
 +
* http://www.snort.org/docs/FAQ.txt - Snort FAQ
 +
* http://www.snort.org/docs/snort_manual/node2.html - Snort Overview
 +
* http://www.snort.org/docs/snort_manual/node16.html - How to Write Snort Rules and Keep Your Sanity
 +
 +
==Beberapa perintah bermanfaat==
 +
 +
Melihat perintah snort
 +
 +
snort –help
 +
 +
Contoh membaca log
 +
 +
snort –r /tmp/snort-ids-lab.log -P 5000 –c /tmp/rules –e –X -v
 +
 +
Versi snort yang baru punya masalah saat membaca checksum paket yang tidak benar.
 +
Kita perlu menambahkan kalimat
 +
 +
config checksum_mode : none
 +
 +
di bagian atas rules file jika kita memperoleh checksum problem.
 +
 +
Logging ASCII agar local.rules bisa di baca dengan mudah
 +
 +
 +
snort -c /etc/snort/snort.conf -l /var/log/snort/ -K ascii -D
 +
 +
==Rule Sederhana==
 +
 +
JIka kita instalasi snort dengan baik maka, semua aturan snort biasanya di simpan di folder /etc/snort/rules. Aturan tersebut berupa file-file dengan nama yang sesuai dengan kategori serangan, misalnya, virus.rules adalah file berisi aturan snort yang akan mendeteksi paket yang kemungkinan membawa virus.
 +
 +
Bagi kita yang akan berexperimen dengan aturan snort, sebaiknya mengedit file /etc/snort/rules/local.rules. Beri keterangan dengan tanda '#' di depan-nya. Keterangan tersebut perlu dibuat untuk mengingatkan kita tentang percobaan / aturan apa yang kita buat.
 +
 +
Secara umum, semua rules mengikuti aturan:
 +
 +
action protocol address port direction address port (rule option)
 +
 +
Penjelasan format,
 +
 +
* Pilihan action adalah "log" atau "alert". "alert" akan menuliskan semua alert ke sebuah file "alert" yang sama. Sementara log akan menyimpan traffic untuk masing-masing IP address yang bermasalah pada sebuah folder untuk di analisa lebih lanjut.
 +
* Bagian protocol harus di isi "tcp", "udp",or "icmp". "Any" tidak di ijinkan.
 +
* Address dapat berupa notasi CIDR
 +
* Port dapat menggunakan range dan operator "!. Contoh log paket ke sekumpulan mesin dengan port tidak antara 6000-6010
 +
 +
log tcp any any -> 192.168.1.0/24 !6000:6010
 +
 +
* Operator arah "->" atau "<-" atau "<>" untuk traffic bi-directional antara dua address.
 +
 +
 +
Disini kita akan belajar untuk membuat rules pendeteksi traffic telnet. Mengapa telnet perlu di deteksi? karena memang telnet sangat rentan untuk di sadap.
 +
 +
Semua aplikasi pada jaringan TCP/IP akan bekerja menggunakan nomor port tertentu. Telnet menggunakan nomor port 23. Aplikasi lain akan menggunakan nomor port yang lain, misalnya, web 80, https 443, smtp 25, pop3 110, imap 143. Daftar sebagian besar nomor port yang digunakan oleh aplikasi Internet bisa di lihat di file /etc/services.
 +
 +
Setelah mengetahui nomor port telnet 23, maka kita dapat membuat aturan snort sederhana untuk mendeteksi telnet, sebagai berikut,
 +
 +
alert tcp any any -> 192.168.0.100 23 (msg: "Ada yang telnet ke mesin!"; sid:1000001;)
 +
 +
arti dari rule di atas adalah,
 +
 +
* action: kasi tanda bahaya ("alert")
 +
* semua paket ke telnet port (port 23)
 +
* ke mesin 192.168.0.100
 +
* tambahkan string yang bisa di baca admin "Ada yang telnet ke mesin!"
 +
* sid - rule ID start dari 1000000
 +
 +
==Rule option==
 +
 +
Rule option dapat menentukan task yang harus dilakukan jika address dan protocol cocok.
 +
Contoh, untuk menangkap semua ICMP Echo message. Untuk percobaan ini kita perlu mematikan icmp rules yang ada di snort.conf
 +
 +
vi /etc/snort/snort.conf
 +
 +
Matikan
 +
 +
# include $RULE_PATH/icmp-info.rules
 +
# include $RULE_PATH/icmp.rules
 +
 +
snort rule untuk menangkap semua ICMP echo message,
 +
 +
alert icmp any any <> 192.168.0.232 any (msg:"Ada yang ECHO PING"; icode:0; itype:8; sid: 1000002; )
 +
alert icmp any any <> 192.168.0.232 any (msg:"Ada yang ECHO REPLY PING"; icode:0; itype:0; sid: 1000003; )
 +
 +
perhatikan mengapa itype = 8? atau itype = 0?
 +
 +
Catatan rule option:
 +
 +
* harus berada dalam kurung ( )
 +
* harus di akhiri dengan ;
 +
* Opsi yang menarik untuk di explorasi "content", "flags", dan ipoption".
 +
 +
==Contoh Rule==
 +
 +
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
 +
content:"Login incorrect"; flags: A+; reference:arachnids,127;)
 +
 +
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT BIND Tsig
 +
Overflow Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh";)
 +
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F;
 +
reference:arachnids,27;)
 +
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"MISC linux rootkit attempt
 +
lrkr0x";flags: A+; content:"lrkr0x";)5. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source
 +
access ";flags: A+; content:"/view-source?../../../../../../../etc/passwd";
 +
nocase;reference:cve,CVE-1999-0174;)
 +
 +
alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode: 0;)
 +
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named
 +
overflow";flags:
 +
A+;content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanyway
 +
whocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833;)
 +
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
 +
ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|";
 +
reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;)
 +
 +
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
 +
(msg:"SHELLCODE sparc NOOP"; content:"|a61c c013 a61c c013 a61c c013 a61c
 +
c013|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:4;)
 +
 +
==Restart Snort==
 +
 +
Supaya local.rules bisa jalan dengan baik,
 +
logging ASCII agar local.rules bisa di baca dengan mudah
 +
 +
killall snort
 +
killall snort
 +
snort -c /etc/snort/snort.conf -l /var/log/snort/ -K ascii -D
 +
 +
 +
==Phatbot Analysis==
 +
 +
Coba iseng-iseng baca analisa tentang phatbot / polybot trojan di  http://www.lurhq.com/phatbot.html. Coba buat rule nya.
  
 
==Referensi==
 
==Referensi==
  
 
* courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf
 
* courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf
 +
 +
 +
==Pranala Menarik==
 +
 +
* [[SNORT]]

Latest revision as of 20:12, 10 October 2019

Sumber: courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf

Sebuah pendeteksi penyusup / Intrusion Detection System (IDS) logika bekerjanya seperti anti-virus, engine pendeteksi hanya akan bekerja dengan benar kalau database-nya benar. Kalau serangan tersebut tidak ada dalam database maka serangan tersebut tidak akan terdeteksi. Sial-nya database tersebut adalah buatan manusia, yang harus telaten mendokumentasinya bentuk paket / isi paket serangan, kemudian menuangkannya ke dalam sebuah aturan / rules.

Snort Intrusion Detection System (IDS) mempunyai kemampuan yang baik untuk membaca paket yang lewat di jaringan. Snort IDS mirip dengan tcpdump / wireshark, tetapi memiliki output yang lebih bersih dan bahasa aturan yang lebih fleksibel. Sama seperti tcpdump / wireshark, snort akan mendengarkan antarmuka tertentu, atau membaca jejak paket dari sebuah file. Umumnya administrator keamanan diminta untuk melihat jejak paket untuk menganalisa serangan yang terjadi. Salah satu yang nampaknya akan amat sangat bermanfaat adalah kemampuan untuk menulis snort rules untuk mendeteksi serangan. Disini kita akan belajar bagaimana menggunakan snort untuk membaca jejak dan belajar bagaimana menulis aturan / rules baru.

Tujuan utama snort sebagai IDS adalah untuk bereaksi jika ada rules yang cocok dengan paket yang masuk. Reaksi yang di berikan Snort IDS bisa bermacam-macam tergantung kebutuhan / kemauan yang memprogram, bisa di catat / "log", bisa memberikan "alert" bagi administrator keamanan jaringan.


Alat

  • server dengan snort yang di instalasi


Bacaan

Beberapa perintah bermanfaat

Melihat perintah snort

snort –help

Contoh membaca log

snort –r /tmp/snort-ids-lab.log -P 5000 –c /tmp/rules –e –X -v

Versi snort yang baru punya masalah saat membaca checksum paket yang tidak benar. Kita perlu menambahkan kalimat

config checksum_mode : none

di bagian atas rules file jika kita memperoleh checksum problem.

Logging ASCII agar local.rules bisa di baca dengan mudah


snort -c /etc/snort/snort.conf -l /var/log/snort/ -K ascii -D

Rule Sederhana

JIka kita instalasi snort dengan baik maka, semua aturan snort biasanya di simpan di folder /etc/snort/rules. Aturan tersebut berupa file-file dengan nama yang sesuai dengan kategori serangan, misalnya, virus.rules adalah file berisi aturan snort yang akan mendeteksi paket yang kemungkinan membawa virus.

Bagi kita yang akan berexperimen dengan aturan snort, sebaiknya mengedit file /etc/snort/rules/local.rules. Beri keterangan dengan tanda '#' di depan-nya. Keterangan tersebut perlu dibuat untuk mengingatkan kita tentang percobaan / aturan apa yang kita buat.

Secara umum, semua rules mengikuti aturan:

action protocol address port direction address port (rule option)

Penjelasan format,

  • Pilihan action adalah "log" atau "alert". "alert" akan menuliskan semua alert ke sebuah file "alert" yang sama. Sementara log akan menyimpan traffic untuk masing-masing IP address yang bermasalah pada sebuah folder untuk di analisa lebih lanjut.
  • Bagian protocol harus di isi "tcp", "udp",or "icmp". "Any" tidak di ijinkan.
  • Address dapat berupa notasi CIDR
  • Port dapat menggunakan range dan operator "!. Contoh log paket ke sekumpulan mesin dengan port tidak antara 6000-6010
log tcp any any -> 192.168.1.0/24 !6000:6010
  • Operator arah "->" atau "<-" atau "<>" untuk traffic bi-directional antara dua address.


Disini kita akan belajar untuk membuat rules pendeteksi traffic telnet. Mengapa telnet perlu di deteksi? karena memang telnet sangat rentan untuk di sadap.

Semua aplikasi pada jaringan TCP/IP akan bekerja menggunakan nomor port tertentu. Telnet menggunakan nomor port 23. Aplikasi lain akan menggunakan nomor port yang lain, misalnya, web 80, https 443, smtp 25, pop3 110, imap 143. Daftar sebagian besar nomor port yang digunakan oleh aplikasi Internet bisa di lihat di file /etc/services.

Setelah mengetahui nomor port telnet 23, maka kita dapat membuat aturan snort sederhana untuk mendeteksi telnet, sebagai berikut,

alert tcp any any -> 192.168.0.100 23 (msg: "Ada yang telnet ke mesin!"; sid:1000001;)

arti dari rule di atas adalah,

  • action: kasi tanda bahaya ("alert")
  • semua paket ke telnet port (port 23)
  • ke mesin 192.168.0.100
  • tambahkan string yang bisa di baca admin "Ada yang telnet ke mesin!"
  • sid - rule ID start dari 1000000

Rule option

Rule option dapat menentukan task yang harus dilakukan jika address dan protocol cocok. Contoh, untuk menangkap semua ICMP Echo message. Untuk percobaan ini kita perlu mematikan icmp rules yang ada di snort.conf

vi /etc/snort/snort.conf

Matikan

# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/icmp.rules

snort rule untuk menangkap semua ICMP echo message,

alert icmp any any <> 192.168.0.232 any (msg:"Ada yang ECHO PING"; icode:0; itype:8; sid: 1000002; )
alert icmp any any <> 192.168.0.232 any (msg:"Ada yang ECHO REPLY PING"; icode:0; itype:0; sid: 1000003; )

perhatikan mengapa itype = 8? atau itype = 0?

Catatan rule option:

  • harus berada dalam kurung ( )
  • harus di akhiri dengan ;
  • Opsi yang menarik untuk di explorasi "content", "flags", dan ipoption".

Contoh Rule

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
content:"Login incorrect"; flags: A+; reference:arachnids,127;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT BIND Tsig
Overflow Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F;
reference:arachnids,27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"MISC linux rootkit attempt
lrkr0x";flags: A+; content:"lrkr0x";)5. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source
access ";flags: A+; content:"/view-source?../../../../../../../etc/passwd";
nocase;reference:cve,CVE-1999-0174;)
alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode: 0;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named
overflow";flags:
A+;content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanyway
whocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|";
reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
(msg:"SHELLCODE sparc NOOP"; content:"|a61c c013 a61c c013 a61c c013 a61c
c013|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:4;)

Restart Snort

Supaya local.rules bisa jalan dengan baik, logging ASCII agar local.rules bisa di baca dengan mudah

killall snort
killall snort
snort -c /etc/snort/snort.conf -l /var/log/snort/ -K ascii -D


Phatbot Analysis

Coba iseng-iseng baca analisa tentang phatbot / polybot trojan di http://www.lurhq.com/phatbot.html. Coba buat rule nya.

Referensi

  • courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf


Pranala Menarik