In this lesson, we introduce the Snort intrusion detection system and its rule syntax, so that you can write customized intrusion detection rules for Snort based on your own observations or honeypot findings. Remember that we have presented a typical network IDS system, or NIDS for short, with IDS sensors that read in traffic from the inside and outside switches and match it against certain patterns or selection rules. Those IDS sensors then forward suspected traffic over a secure management network to the IDS server for further analysis. The IDS server can compare the traffic content with signatures or IDS rules to detect malicious worms, and it can also inform the system administrator so that action can be taken. Snort is a popular open source, public domain network intrusion detection software package, available at www.snort.org. It allows the user to specify a set of rules, each of which specifies a pattern in the packets and the corresponding action, typically just an alert message for the matching packet. It also allows the user to create their own plug-ins for additional detection that is not available with the default pattern matching mechanism. For example, detecting subnet flooding requires modification of the preprocessing step, so that we can accumulate how much traffic is being sent in and trigger on some threshold. On the Snort download site, installation steps are given for integrating Snort with the MySQL database, the Apache web server, Webmin for administration of the related services, and ACID, which is a PHP GUI interface for retrieving and organizing the data. The newer version is called BASE, Basic Analysis and Security Engine. It gives easy web-based access to and display of intrusion instances, their statistics, and related intrusion event databases such as CVE and arachNIDS URLs.
In a NIDS deployment with sensors and a server, the IDS server is a machine with Snort installed, and Snort can be configured in four different operating modes. The first mode is sniffer mode: it reads packets and displays them on the console. We rarely use that; it is more for testing. The second one is the packet logger operating mode: it reads packets and logs them to disk, and we also rarely use this. The third is the NIDS operating mode: it analyzes the packets, matches them against user-defined rules, and performs the action. This is the most often used mode, and the command is snort with the -dev options, the -l option to specify the log directory, and the -c option to specify the configuration file. With -D, the application runs as a daemon, and with -O it obfuscates the IP addresses, hiding them in the log records. The fourth one is the newer NIPS operating mode, running Snort as an intrusion prevention system. Here we use -Q to indicate that, and we also include an additional -i br0 to specify the bridge network interface on which the IPS system will drop packets. When Snort starts, it reads snort.conf for its default variables, which specify the outside Internet address range, the inside address range, and the specific ports of servers. It also includes additional preprocessing plug-ins, the output specification to the MySQL database, and a set of Snort rule files. The configuration file specifies the credentials for depositing the intrusion records into the MySQL database. The Snort detection rules, or signatures, organized by category, are shown here. Here we introduce the Snort rule syntax. Each Snort rule has two parts, the rule header and the rule options. We color the rule header red to make it easier for you to read, and we color the rule options blue. The rule header contains the action,
the protocol, the source IP address and port, a direction symbol, and the destination IP address and port number to match against the packet. The rule options contain multiple name-value fields. For example, the content field specifies the unique pattern in the payload to match against the incoming traffic. The msg field specifies the name of the recognized intrusion that will be inserted into the database record. For ICMP packets there are additional fields like itype, the ICMP type, and the ICMP id field. Here we also show the reference field, which specifies the URL of the related CVE or other database document record. The classtype field specifies the category. The sid is a unique Snort ID for this particular attack; the sids are organized by the Snort organization. The rev field specifies the revision number. We have two Snort rules here. The first one is related to the Stacheldraht distributed denial of service attack. It is based on ICMP packets, and here we see the direction symbol, the less-than and greater-than signs, which means the traffic can be generated from inside or outside; we need to detect both. The unique pattern is the string s-k-i-l-l-z, which comes with the default Stacheldraht software package. If it was not changed, it will show up in the ICMP payload. The second Snort rule is for a web application attack. It is a TCP segment from outside to the inside HTTP server, typically on port 80 and 313. The unique payload pattern here is cmd.exe: the attacker tries to execute the command shell, assuming it is a Windows system. The content field in the rule options allows us to specify the unique intrusion pattern. It allows us to specify both text strings and binary byte patterns; we use bars to delimit binary bytes written in hexadecimal. It uses the bang character for negation. It also supports nocase, which means we try to match without regard to case, that is, case-insensitive matching.
The first rule here specifies a unique pattern of [INAUDIBLE] followed by the text /bin/sh, for an IMAP mail server buffer overflow attack. It is aimed from outside at the inside IMAP server running on the 192.168.0 subnet. You do not specify which host, but you do specify the specific port, 143. The second rule specifies a unique pattern for an FTP attack where, for traffic from the server, the payload does not contain the GET command, so the rule starts from the server side, and the payload size is greater than 100 bytes. Note that port 21 is where the FTP server listens. To speed up Snort rule matching against packet content, Snort provides the offset and depth rule options to pinpoint the area to search and improve performance. The offset field specifies the number of bytes to skip: you ignore those and start the search after that many bytes. The depth field sets the maximum search depth; after that, you do not need to search anymore. Here the Snort rule pinpoints that the pattern should be searched for starting from the first byte, since a typical HTTP request will have GET, uppercase GET followed by a space, as the start string. Here we limit the search from the first byte to the 22nd byte, and this number 22 is probably based on some statistics about this type of attack. The sid field specifies the unique Snort rule number. Numbers less than 100 are reserved for future use. Numbers from 100 to 1,000,000 are used by rules in the Snort distribution; only Snort can assign those numbers. Local users, any customer, can use any number above 1,000,000. For example, our customized Snort rules can start with 1,000,001. The flow option is used in conjunction with TCP stream reassembly: rather than the header, it concentrates on the direction of the payload. The flow option field has four values: to_server means we focus on the client request; to_client means we focus on the server response; and there are also from_client and from_server.
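As an added worked example (not code from the lecture or from Snort itself), the following Python parses rules written in the syntax described above into header fields and options, then applies the content, nocase, negation, offset, depth and payload-size semantics from the two passages above to a raw payload. The four rules are constructed to mirror the lecture's examples, and the matcher is an assumed simplified re-implementation for teaching, not Snort's own engine.

```python
import re
# Constructed rules modelled on the lecture's examples (not from a Snort ruleset); local sids > 1,000,000.
RULES = [
    'alert icmp any any <> any any (msg:"DDoS stacheldraht check"; content:"skillz"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET 21 -> any any (msg:"FTP large reply, no GET"; flow:from_server; content:!"GET"; dsize:>100; sid:1000003; rev:1;)',
    'alert tcp any any -> $HTTP_SERVERS 80 (msg:"GET in first 22 bytes"; content:"GET "; offset:0; depth:22; sid:1000004; rev:1;)',
]
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')
OPTION_RE = re.compile(r'([a-z_]+)(?::((?:"[^"]*"|[^;"])*))?;')   # name[:value];

def decode_content(value):
    """'!"ab|0d 0a|cd"' -> (True, b'ab\\r\\ncd'): '!' negates, |..| chunks are hex bytes."""
    negated = value.startswith('!')
    out = bytearray()
    for i, chunk in enumerate(value.lstrip('!').strip('"').split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return negated, bytes(out)

def parse_rule(text):
    """Split a rule into its header fields plus decoded options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('malformed rule header: ' + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = dict(action=action, proto=proto, src=src, sport=sport, direction=direction, dst=dst,
                dport=dport, negated=False, content=b'', nocase=False, offset=0, depth=None, dsize=None)
    for key, val in OPTION_RE.findall(opts):
        if key == 'content':
            rule['negated'], rule['content'] = decode_content(val)
        elif key in ('offset', 'depth', 'sid', 'rev'):
            rule[key] = int(val)
        elif key == 'nocase':
            rule['nocase'] = True
        elif key == 'dsize':                      # only the '>N' form the lecture uses
            rule['dsize'] = int(val.lstrip('>'))
        else:                                     # msg, flow, classtype, reference ...
            rule[key] = val.strip('"')
    return rule

def rule_matches(rule, payload):
    """dsize first, then content inside the offset/depth window, honouring nocase and '!'."""
    if rule['dsize'] is not None and len(payload) <= rule['dsize']:
        return False
    end = None if rule['depth'] is None else rule['offset'] + rule['depth']
    window, pat = payload[rule['offset']:end], rule['content']
    if rule['nocase']:
        window, pat = window.lower(), pat.lower()
    return (pat in window) != rule['negated']
```

Header fields (addresses, ports, direction) are parsed but not evaluated here; a real sensor checks them before the payload options.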