2. Snort Rules
Snort Rules Creation
IP and Port Numbers
These header fields select the source and destination IP addresses and the associated port numbers a rule applies to. The header is always written in the order: action, protocol, source IP, source port, direction operator, destination IP, destination port, followed by the options in parentheses. Every rule loaded into one ruleset needs a distinct sid; the examples below reuse sid 100001 only because each one is meant to be tried on its own.
IP Filtering
alert icmp 192.168.1.56 any <> any any (msg: "ICMP Packet From "; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet originating from the 192.168.1.56 IP address. Because the direction operator is <>, Snort also applies the header with the two ends swapped, so ICMP packets sent to 192.168.1.56 alert as well; use -> if only packets originating from that host should alert.
Filter an IP range
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet originating from (or, because of <>, sent to) the 192.168.1.0/24 subnet.
Filter multiple IP ranges
alert icmp [192.168.1.0/24,10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet originating from (or sent to) either the 192.168.1.0/24 or the 10.1.1.0/24 subnet. The list is written in square brackets with commas and no spaces.
Exclude IP addresses/ranges
The negation operator, written "!", excludes specific addresses and ports.
alert icmp !192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet not originating from the 192.168.1.0/24 subnet. Be careful when combining "!" with <>: the swapped orientation is tried too, so a packet from 192.168.1.5 to an outside host still matches (the outside host is "not 192.168.1.0/24" when it is treated as the source). Use -> with negated addresses unless both orientations are really intended.
Port Filtering
alert tcp any any <> any 21 (msg: "FTP Port 21 Command Activity Detected"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to port 21 and, because of <>, each packet sent from port 21, i.e. both halves of the FTP command channel.
Exclude a specific port
alert tcp any any <> any !21 (msg: "Traffic Activity Without FTP Port 21 Command Channel"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet whose destination port is not 21. With "any" on the other side and <>, this matches nearly all TCP traffic, including the server's own replies from port 21 (their destination is the client's port, not 21), so expect a very noisy rule.
Filter a port range (Type 1)
alert tcp any any <> any 1:1024 (msg: "TCP 1-1024 System Port Activity"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to (or, via <>, from) a port between 1 and 1024 inclusive.
Filter a port range (Type 2)
alert tcp any any <> any :1024 (msg: "TCP 0-1024 System Port Activity"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to a port less than or equal to 1024. When the lower bound is omitted the range starts at 0.
Filter a port range (Type 3)
alert tcp any any <> any 1025: (msg: "TCP Non-System Port Activity"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet whose destination port is 1025 or higher. When the upper bound is omitted the range extends to 65535. As with the other <> rules, the port is checked on either side, so a packet from a high port to port 80 matches too.
Filter a port range (Type 4)
alert tcp any any <> any [21,23] (msg: "FTP and Telnet Port 21 and 23 Activity Detected"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to port 21 or port 23. The bracketed list is a set of individual ports, not a range: port 22 is not included.
Example Rules and Their Meaning
Example 1:
alert tcp any any -> any 80 (msg:"found"; sid:100001; rev:1;)
Action: alert (generate an alert)
Protocol: tcp (applies to TCP traffic)
Source: any any (any IP, any port)
Direction: -> (from the source on the left to the destination on the right; here, outbound requests)
Destination: any 80 (any IP, port 80)
Options: msg:"found"; sid:100001; rev:1; (log message "found", rule ID 100001, revision 1)
Meaning: Generate an alert for any TCP packet going to port 80. Typically, these are outbound HTTP requests from a client to a web server.
Example 2:
alert tcp any 80 -> any any (msg:"found"; sid:100001; rev:1;)
Action: alert
Protocol: tcp
Source: any 80 (any IP, port 80)
Direction: -> (from the source on the left to the destination on the right)
Destination: any any (any IP, any port)
Options: msg:"found"; sid:100001; rev:1;
Meaning: Generate an alert for any TCP traffic coming from port 80. Typically, these are inbound HTTP responses from a web server to a client. Snort has no <- operator: to match the reverse direction you swap the source and destination fields and keep ->, which is what this rule does.
Directions Simplified
->: Traffic from the source (left side of the header) to the destination (right side), e.g. client to server. Example: Your computer (source) sends a request to a web server (destination port 80): any any -> any 80.
Inbound traffic (server to client) has no operator of its own; Snort does not support <-. Write the server side on the left instead. Example: A web server (source port 80) sends a response to your computer (destination): any 80 -> any any.
<>: Bidirectional traffic (both ways). Example: Any traffic between two hosts, where either could be the source or destination.
Example 3: Bidirectional Rule
alert tcp any any <> any 80 (msg:"found"; sid:100001; rev:1;)
Action: alert
Protocol: tcp
Source: any any
Direction: <> (bidirectional)
Destination: any 80
Options: msg:"found"; sid:100001; rev:1;
Meaning: Generate an alert for any TCP traffic involving port 80, whether it is going to port 80 or coming from port 80. This captures both HTTP requests (outbound) and HTTP responses (inbound).
Summary
Use -> for one direction: the header is matched left to right, source to destination.
For the reverse direction (e.g. server to client), put the server on the left and still use ->; there is no <- operator.
Use <> for both directions; remember that the header is then also tried with the two ends swapped.
By understanding the direction operator and the port fields, you can configure Snort rules to monitor and alert on specific types of network traffic effectively.
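The header semantics described in the IP/port filtering notes and in the direction examples above are easy to get wrong, so here is a small Python evaluator that parses a Snort rule header (IP lists, CIDR, negation, port ranges such as 1:1024, :1024, 1025: and [21,23], and the -> and <> operators) and reports which rules fire on a given 5-tuple. It is an added example, not part of the original notes and not Snort's own code; the rules are adapted from the notes with distinct sids, and the packets are constructed 5-tuples (port 0 stands in for ICMP, which has no ports).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Header layout: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def _items(spec: str) -> List[str]:
    """Turn '[a,b]' or 'a' into ['a', 'b'] or ['a']."""
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [s.strip() for s in spec.split(",") if s.strip()]


def parse_ip_spec(spec: str):
    """'any', '10.0.0.1', '10.0.0.0/8', '[a,b]', each optionally prefixed by '!'.
    Returns (negated, networks); networks is None for 'any'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    return negated, [ipaddress.ip_network(s, strict=False) for s in _items(spec)]


def parse_port_spec(spec: str):
    """'any', '21', '1:1024', ':1024', '1025:', '[21,23]', optionally '!'-prefixed.
    Returns (negated, ranges); ranges is None for 'any', else inclusive (lo, hi) pairs."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    ranges = []
    for item in _items(spec):
        if ":" in item:  # open bounds default to 0 and 65535
            lo, hi = item.split(":", 1)
            ranges.append((int(lo) if lo else 0, int(hi) if hi else 65535))
        else:
            ranges.append((int(item), int(item)))
    return negated, ranges


def ip_ok(parsed, ip: str) -> bool:
    negated, nets = parsed
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated  # '!' flips the result


def port_ok(parsed, port: int) -> bool:
    negated, ranges = parsed
    hit = True if ranges is None else any(lo <= port <= hi for lo, hi in ranges)
    return hit != negated


@dataclass
class Rule:
    action: str
    proto: str
    src: tuple
    sport: tuple
    direction: str
    dst: tuple
    dport: tuple
    sid: int


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    sid = re.search(r"sid\s*:\s*(\d+)", opts)
    return Rule(action, proto.lower(), parse_ip_spec(src), parse_port_spec(sport),
                direction, parse_ip_spec(dst), parse_port_spec(dport),
                int(sid.group(1)) if sid else 0)


def header_matches(rule: Rule, pkt) -> bool:
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sp, dip, dp = pkt
    if rule.proto not in ("ip", proto.lower()):
        return False
    forward = (ip_ok(rule.src, sip) and port_ok(rule.sport, sp)
               and ip_ok(rule.dst, dip) and port_ok(rule.dport, dp))
    if forward or rule.direction == "->":
        return forward
    # '<>': Snort also applies the header with the two ends swapped
    return (ip_ok(rule.src, dip) and port_ok(rule.sport, dp)
            and ip_ok(rule.dst, sip) and port_ok(rule.dport, sp))


def firing_sids(rules: List[Rule], pkt) -> List[int]:
    return [r.sid for r in rules if header_matches(r, pkt)]


# Rules adapted from the notes above; sids renumbered so each is distinct.
RULES = [parse_rule(r) for r in [
    'alert icmp 192.168.1.56 any <> any any (msg:"ICMP involving 192.168.1.56"; sid:100001; rev:1;)',
    'alert icmp !192.168.1.0/24 any -> any any (msg:"ICMP not from 192.168.1.0/24"; sid:100002; rev:1;)',
    'alert tcp any any -> any 1025: (msg:"TCP Non-System Port Activity"; sid:100003; rev:1;)',
    'alert tcp any any <> any [21,23] (msg:"FTP and Telnet"; sid:100004; rev:1;)',
    'alert tcp any 80 -> any any (msg:"HTTP response from port 80"; sid:100005; rev:1;)',
    'alert icmp !192.168.1.0/24 any <> any any (msg:"negation plus <> trap"; sid:100006; rev:1;)',
]]

# Constructed sample 5-tuples (not captured traffic); port 0 stands in for ICMP.
PKT_ICMP_TO_HOST = ("icmp", "10.0.0.5", 0, "192.168.1.56", 0)
PKT_ICMP_FROM_LAN = ("icmp", "192.168.1.5", 0, "8.8.8.8", 0)
PKT_TCP_1025 = ("tcp", "192.168.1.10", 51234, "10.1.1.7", 1025)
PKT_SSH_REPLY = ("tcp", "10.1.1.7", 22, "192.168.1.10", 49000)
PKT_HTTP_REPLY = ("tcp", "93.184.216.34", 80, "192.168.1.10", 44321)
PKT_TELNET = ("tcp", "192.168.1.10", 44000, "10.1.1.7", 23)

if __name__ == "__main__":
    for name, pkt in [("icmp to host", PKT_ICMP_TO_HOST), ("icmp from lan", PKT_ICMP_FROM_LAN),
                      ("tcp to 1025", PKT_TCP_1025), ("ssh reply", PKT_SSH_REPLY),
                      ("http reply", PKT_HTTP_REPLY), ("telnet", PKT_TELNET)]:
        print(f"{name:14s} -> {firing_sids(RULES, pkt)}")
```

Running it shows the points made above: the ICMP packet sent to 192.168.1.56 fires sid 100001 even though it does not originate there (the <> swap), the packet from the LAN to 8.8.8.8 fires sid 100006 because the negated source is checked against the swapped ends, port 1025 is inside 1025:, port 22 is outside [21,23], and the HTTP response is caught by any 80 -> any any rather than by any <- operator.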
1. Snort HTTP Rules
alert tcp any any <> any 80 (msg: "http Packet Found"; sid:1000001; rev:1;)
-c : Identifying the configuration file.
-r : Read a single pcap.
-A : Alert modes.
-l : Logger mode, target log and alert output directory
Investigate a packet using its packet number from the logs.
2. Snort FTP Rules
alert tcp any any <> any 21 (msg: "FTP Packet Found"; sid:1000001; rev:1;)
FTP runs on port 21, and the FTP server name (banner) appears in the server's 220 reply.
-dvr : -d dumps the application-layer data, -v is verbose output, -r reads from a pcap; together they give a detailed, readable dump.
-n 10 : process only the first 10 packets.
-A1 : a grep option, not a Snort one. If the searched word is found, grep prints the matching line and the next line. This is needed because the FTP server name is on the line after the 220 code in the dump.
Failed FTP Login Snort Rule
alert TCP any any <> any 21 (msg:"FTP Failed Login"; content:"530 User"; sid:10000003; rev:1;)
Successful FTP Login Snort Rule
alert TCP any any <> any 21 (msg:"FTP Success Login"; content:"230 User"; sid:10000003; rev:1;)
FTP login attempts with a valid username but no password entered yet
alert TCP any any <> any 21 (msg:"FTP Bad Password"; content:"User"; sid:10000003; rev:1;)
As written, this rule matches every server reply containing the case-sensitive string "User", including the 530 and 230 replies above, so it is broad. The FTP reply for a username that was accepted and is waiting for a password is code 331 ("User name okay, need password" in RFC 959).
FTP login attempts with the "Administrator" username but no password entered yet
alert TCP any any <> any 21 (msg:"FTP Bad Administrator Password"; content:"530 User Administrator cannot log"; sid:10000003; rev:1;)
Note that the four FTP rules above all carry sid:10000003. Snort will not load two rules with the same sid, so give each rule its own sid if they go into the same rules file.
3. Snort Rule to detect png file
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG"; sid:10001; rev:1;)
Bytes between pipes in a content option are hexadecimal; 89 50 4E 47 is the start of the PNG file signature (the full signature is 8 bytes, 89 50 4E 47 0D 0A 1A 0A). Every option must end with a semicolon.
sudo snort -dvr snort.log.1680855881
4. Snort Rule to detect gif file
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF"; sid:10002; rev:1;)
Here the content is plain ASCII, so no pipes are needed. The match is case-sensitive unless the nocase modifier is added after the content option.
sudo snort -dvr snort.log.1680856311
5. Snort Rule to detect Torrent file
alert TCP any any <> any any (msg:"Torrent"; content:".torrent"; sid:10000001; rev:1;)
This matches the literal, case-sensitive string ".torrent" anywhere in the payload; a file named FILE.TORRENT would not match unless nocase is added.
sudo snort -dvr snort.log.1680856311
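The FTP, PNG, GIF and torrent rules above all rely on the content option, so here is a Python matcher that converts a content string to the bytes Snort searches for (pipe-delimited hex, literal text, backslash escapes), reads the nocase modifier, and reports which rules fire on a payload. It is an added example, not part of the original notes and not Snort's own code; the rules are the ones above with distinct sids plus one nocase variant, and the payloads are constructed FTP replies and file headers, not captured traffic. Only plain substring matching is implemented (no depth, offset, distance or within modifiers).

```python
import re
from typing import List, Tuple

# One option token: name, optional ':' value (quoted or bare), terminating ';'
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def content_to_bytes(content: str) -> bytes:
    """Convert the text inside content:"..." to the bytes Snort searches for.
    Text between pipes is hex ('|89 50 4E 47|'); everything else is literal.
    The escapes \\" \\; and \\\\ are honoured; a literal pipe must be written |7C|."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)  # hex segment; whitespace is ignored
        else:
            out += re.sub(r'\\([\\";])', r'\1', part).encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> Tuple[int, List[Tuple[bytes, bool]]]:
    """Return (sid, [(pattern_bytes, nocase), ...]) for the content options of a rule."""
    opts = rule[rule.index("(") + 1: rule.rindex(")")]
    sid, patterns = 0, []
    for m in OPTION_RE.finditer(opts):
        name, value = m.group(1), m.group(2)
        if name == "content":
            patterns.append([content_to_bytes(value.strip()[1:-1]), False])
        elif name == "nocase" and patterns:
            patterns[-1][1] = True  # nocase modifies the preceding content
        elif name == "sid":
            sid = int(value)
    return sid, [tuple(p) for p in patterns]


def payload_matches(patterns, payload: bytes) -> bool:
    """Every content pattern must occur somewhere in the payload."""
    for pattern, nocase in patterns:
        if nocase:
            if pattern.lower() not in payload.lower():
                return False
        elif pattern not in payload:
            return False
    return bool(patterns)


def matching_sids(payload: bytes, rules: List[str]) -> List[int]:
    result = []
    for rule in rules:
        sid, patterns = parse_rule(rule)
        if payload_matches(patterns, payload):
            result.append(sid)
    return result


# Rules from the notes above, with distinct sids, plus a nocase variant (sid 10000002).
RULES = [
    'alert TCP any any <> any 21 (msg:"FTP Failed Login"; content:"530 User"; sid:10000003; rev:1;)',
    'alert TCP any any <> any 21 (msg:"FTP Success Login"; content:"230 User"; sid:10000004; rev:1;)',
    'alert TCP any any <> any 21 (msg:"FTP Bad Password"; content:"User"; sid:10000005; rev:1;)',
    'alert TCP any any <> any 21 (msg:"FTP Bad Administrator Password"; content:"530 User Administrator cannot log"; sid:10000006; rev:1;)',
    'alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG"; sid:10001; rev:1;)',
    'alert tcp any any -> any any (content:"GIF89a"; msg:"GIF"; sid:10002; rev:1;)',
    'alert TCP any any <> any any (msg:"Torrent"; content:".torrent"; sid:10000001; rev:1;)',
    'alert TCP any any <> any any (msg:"Torrent nocase"; content:".torrent"; nocase; sid:10000002; rev:1;)',
]

# Constructed payloads for the demo (not captured traffic).
SAMPLES = {
    "ftp_fail": b"530 User Administrator cannot log in.\r\n",
    "ftp_ok": b"230 User Administrator logged in.\r\n",
    "ftp_user_cmd": b"USER Administrator\r\n",
    "png": bytes.fromhex("89504e470d0a1a0a") + b"\x00\x00\x00\x0dIHDR",
    "gif": b"GIF89a\x01\x00\x01\x00",
    "torrent": b"GET /files/ubuntu.torrent HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "torrent_caps": b"GET /files/Ubuntu.TORRENT HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:13s} -> {matching_sids(payload, RULES)}")
```

The output makes the caveats concrete: the 530 reply fires three FTP rules at once (the bare content:"User" rule fires on the 230 reply as well), the client's "USER Administrator" command fires nothing because content is case-sensitive, and only the nocase variant catches the upper-case .TORRENT name.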