Uploaded by

nambinhh05

Lab 13: Snort analysis 2

Detect bad FTP login.

Rules used to detect:

alert tcp any 21 -> any any (msg:"FTP Bad login"; content:"530 User "; nocase; flow:from_server,established; sid:491; rev:5;)

Detect Telnet login.

Rules used to detect:

alert tcp any any <> any 23 (flags:S; msg:"Telnet Login";sid:9000005;rev:1;)

Detect port scan.

Rules used to detect:

preprocessor sfportscan: \
    proto { all } \
    scan_type { all } \
    sense_level { high } \
    logfile { portscan.log }

Detect SYN flood.

Rules used to detect:

alert tcp any any -> any 80 (msg:"DOS flood denial of service attempt"; flow:to_server; \
    detection_filter:track by_dst, count 60, seconds 60; \
    sid:25101; rev:1;)

Detect FIN flood.

Rules used to detect:

alert tcp any any -> any 80 (msg:"SYN Flood - SSH"; flags:S; \
    flow:stateless; detection_filter:track by_dst, count 40, seconds 10; \
    gid:1; sid:10000002; rev:001; classtype:attempted-dos;)
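Both flood rules above rely on detection_filter rather than on packet content: the first counts any packet flowing to port 80 (it has no flags test), the second counts only packets whose TCP flag set is exactly SYN. The following Python is an added example, not part of the lab or of Snort, that replays constructed packet records through the second rule's logic. The window handling is my reading of the Snort manual's definition of count (the maximum number of matches allowed in the period, so the (count+1)th match fires) and is a simplification of Snort's own threshold code.

```python
from typing import Dict, List, Tuple

# Constructed packet records (timestamp in seconds, src, dst, dst port, TCP flag letters
# in Snort's notation: S = SYN, A = ACK, F = FIN). Not a capture from the lab.
SAMPLE_PACKETS: List[Tuple[float, str, str, int, str]] = (
    [(t / 10.0, "10.0.0.5", "10.0.0.80", 80, "S") for t in range(50)]          # 50 SYNs in 5 s
    + [(60.0 + t / 2.0, "10.0.0.6", "10.0.0.80", 80, "S") for t in range(10)]  # 10 SYNs in 5 s
    + [(70.0, "10.0.0.7", "10.0.0.80", 80, "SA")]                               # SYN/ACK: flags:S misses it
)


class DetectionFilter:
    """Approximation of Snort's detection_filter: track by_dst|by_src, count C, seconds S.

    The Snort manual defines count as the maximum number of rule matches allowed in
    `seconds` before the filter is exceeded, so the (C+1)th match inside the window
    fires, and so does every later match in that window. A match that arrives after
    the window has expired starts a new window. (Assumed reading of the manual.)
    """

    def __init__(self, count: int, seconds: float, track: str = "by_dst") -> None:
        self.count, self.seconds, self.track = count, seconds, track
        self.state: Dict[str, Tuple[float, int]] = {}  # key -> (window start, matches)

    def exceeded(self, ts: float, src: str, dst: str) -> bool:
        key = dst if self.track == "by_dst" else src
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start > self.seconds:
            start, n = ts, 0  # first match for this key, or the old window expired
        n += 1
        self.state[key] = (start, n)
        return n > self.count


def syn_flood_alerts(packets, count: int = 40, seconds: float = 10, dport: int = 80):
    """Replay packets through the lab's second rule: tcp to port 80, flags:S,
    detection_filter:track by_dst, count 40, seconds 10. Returns (ts, src, dst) per alert.
    flags:S with no modifier means the SYN bit alone is set, so a SYN/ACK does not match."""
    df = DetectionFilter(count, seconds, "by_dst")
    alerts = []
    for ts, src, dst, port, flags in packets:
        if port != dport or flags != "S":
            continue
        if df.exceeded(ts, src, dst):
            alerts.append((ts, src, dst))
    return alerts


if __name__ == "__main__":
    for ts, src, dst in syn_flood_alerts(SAMPLE_PACKETS):
        print("%6.1fs  SYN Flood  %s -> %s" % (ts, src, dst))
```

Because the filter tracks by_dst, SYNs from several sources against one server are counted together, which is what you want for a distributed flood but also means a busy server can trip the rule on legitimate load; the count and seconds values in the lab are tuning knobs, not a fixed boundary between normal and hostile traffic.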

Detect file attachments.

Rules used to detect:

alert tcp any any -> any 110 (flags:S;msg:"Pop-3 connection detection";sid:9000000;rev:1;)

alert tcp any any -> any 143 (flags:S;msg:"IMAP connection detection";sid:9000001;rev:1;)

alert tcp any any -> any 25 (flags:S;msg:"SMTP connection detection";sid:9000002;rev:1;)


Detect credit card details and also email addresses.

Rules used to detect:

# Detecting credit card details

alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"MasterCard number detected in clear text"; content:"number"; nocase; sid:9000003; rev:1;)

alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; \
    msg:"American Express number detected in clear text"; content:"number"; nocase; sid:9000004; rev:1;)

alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"Visa number detected in clear text"; content:"number"; nocase; sid:9000005; rev:1;)
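Each of these rules fires only when both conditions hold: the literal "number" appears somewhere in the payload (case-insensitive) and the pcre matches. The Python below is an added example, not part of the lab, that runs the three patterns over a constructed payload and goes one step beyond the rules by adding a Luhn checksum filter, which drops digit runs that have the right shape but are not valid card numbers. The sample uses the publicly documented test card numbers, not real cards.

```python
import re
from typing import List, Tuple

# The lab's three PCRE bodies, copied verbatim; Python's re accepts this subset unchanged.
CARD_PATTERNS = {
    "MasterCard": re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    "American Express": re.compile(r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}"),
    "Visa": re.compile(r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
}

# Constructed sample payload using the publicly documented test card numbers
# (4111..., 5555..., 3782...) plus a ticket id that only looks like a Visa number.
SAMPLE_PAYLOAD = (
    "Subject: invoice\r\n"
    "Card number: 4111 1111 1111 1111 (Visa), 5555 5555 5555 4444 (MasterCard), "
    "3782 822463 10005 (Amex). Ticket number 4000-1234-5678-9012 is unrelated.\r\n"
)


def snort_matches(payload: str) -> List[Tuple[str, str]]:
    """What the lab's rules do: content:"number" (nocase) must be present AND the
    pcre must match somewhere in the payload. Returns (brand, matched text) pairs."""
    if "number" not in payload.lower():
        return []
    return [(brand, m.group(0))
            for brand, pat in CARD_PATTERNS.items()
            for m in pat.finditer(payload)]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: issued card numbers pass it, most random digit runs fail.
    Added here as a false-positive filter; the lab's rules do not do this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_alerts(payload: str, require_luhn: bool = False) -> List[Tuple[str, str]]:
    """Rule result, optionally dropping matches whose digits fail Luhn."""
    hits = snort_matches(payload)
    if require_luhn:
        hits = [(b, s) for b, s in hits if luhn_ok(re.sub(r"[\s-]", "", s))]
    return hits


if __name__ == "__main__":
    for brand, text in card_alerts(SAMPLE_PAYLOAD):
        print("%-16s %-22s luhn=%s" % (brand, text, luhn_ok(re.sub(r"[\s-]", "", text))))
```

Run as written, the rule logic reports four hits, one of them the ticket id; with the Luhn filter on, only the three genuine test numbers remain. Snort itself cannot run Luhn inside a rule, so in practice this kind of check belongs in the alert pipeline (a post-processing script or the SIEM) rather than in the signature.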


Detect ping sweep.

Rules used to detect:

alert icmp any any -> any any (msg:"ICMP Packet found";sid:9000000;)

alert icmp any any -> any any (itype: 0; msg: "ICMP Echo Reply";sid:9000001;)

alert icmp any any -> any any (itype: 3; msg: "ICMP Destination Unreachable";sid:9000002;)

alert icmp any any -> any any (itype: 4; msg: "ICMP Source Quench Message received";sid:9000003;)

alert icmp any any -> any any (itype: 5; msg: "ICMP Redirect message";sid:9000004;)

alert icmp any any -> any any (itype: 8; msg: "ICMP Echo Request";sid:9000005;)

alert icmp any any -> any any (itype: 11; msg: "ICMP Time Exceeded";sid:9000006;)

Detect PDF files.

Rules used to detect:

alert tcp any any -> any any (content:"%PDF"; msg:"PDF"; sid:10001;)


Detect SNMP connections

Rules used to detect:

alert udp any any -> any 161 (msg:"SNMP Traffic";sid:9000000;)

alert udp any any -> any 162 (msg:"SNMP Trap";sid:9000001;)

Detect MP3 connections


Rules used to detect:

alert tcp any any -> any any (content:"|49 44 33|"; msg:"MP3"; sid:10005;)

What is the sound file and what are the graphics?

Sound file:

Graphics file:

Detect and extract RAR files
Rules used to detect:

alert tcp any any -> any any (content:"|52 61 72 21 1A 07 00|"; msg:"RAR"; sid:10010;)

What is the name of the RAR file:

Detect and extract Zip files


Rules used to detect:
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP"; sid:10003;)

What is the name of the ZIP file:

Detect and extract GZip files


Rules used to detect:
alert tcp any any -> any any (content:"|1F 8B 08|"; msg:"GZip"; sid:10009;)

What is the name of the GZip file:

Detect and extract AVI files


Rules used to detect:
alert tcp any any -> any any (content:"|52 49 46 46|"; msg:"AVI"; sid:10006;)

What is the name of the AVI file:

Detect BitTorrent
Rules used to detect:

alert tcp any any -> any any (msg:"P2P .torrent metafile request"; content:"HTTP/"; content:".torrent"; \
    flow:established,to_server; classtype:policy-violation; sid:1100010; rev:1;)

alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|64 38 3a|announce"; \
    flow:established; classtype:policy-violation; sid:1100011; rev:1;)

alert tcp any any -> any any (msg:"P2P BitTorrent handshake"; flow:to_server,established; \
    content:"BitTorrent protocol|0000 0000|"; classtype:policy-violation; sid:1100012; rev:1;)
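The file-type rules (PDF, MP3, RAR, ZIP, GZip, AVI) and the two BitTorrent content rules all work the same way: a content string, with any |..| section decoded from hex, is searched for anywhere in the TCP payload. The Python below is an added example, not part of the lab or of Snort, that decodes the lab's content strings and runs them over constructed sample payloads. It also shows the caveat that |52 49 46 46| is just the RIFF container header, so the AVI rule fires on WAV files too, and goes beyond the lab by adding an offset/depth check (as Snort's content modifiers would) that looks for the "AVI " form type at byte 8. All sample bytes are constructed, not taken from the lab capture.

```python
from typing import List, Optional


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|52 61 72 21 1A 07 00|' or
    'BitTorrent protocol|0000 0000|' into the raw bytes Snort searches for:
    text outside |...| is literal, text inside is hex (spaces optional).
    (An escaped '\\|' inside a content string is not handled; the lab's rules have none.)"""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


# (msg, content) pairs taken from the lab's file-type and BitTorrent rules.
LAB_CONTENT_RULES = [
    ("PDF", "%PDF"),
    ("MP3", "|49 44 33|"),
    ("RAR", "|52 61 72 21 1A 07 00|"),
    ("ZIP", "|50 4B 03 04|"),
    ("GZip", "|1F 8B 08|"),
    ("AVI", "|52 49 46 46|"),
    ("P2P torrent metafile download", "|64 38 3a|announce"),
    ("P2P BitTorrent handshake", "BitTorrent protocol|0000 0000|"),
]


def content_at(payload: bytes, spec: str, offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort content with offset/depth: the bytes must lie inside
    payload[offset:offset+depth]; depth=None searches to the end (the lab's rules)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return parse_snort_content(spec) in window


def match_rules(payload: bytes, rules=LAB_CONTENT_RULES) -> List[str]:
    """msg of every lab rule whose content occurs anywhere in the payload."""
    return [msg for msg, spec in rules if content_at(payload, spec)]


# Tighter AVI check: RIFF at byte 0 and the form type "AVI " at byte 8, which a WAV
# (also RIFF) lacks. In rule syntax: content:"RIFF"; depth:4; content:"AVI "; offset:8; depth:4;
AVI_STRICT = [("|52 49 46 46|", 0, 4), ("AVI ", 8, 4)]


def matches_all(payload: bytes, checks) -> bool:
    return all(content_at(payload, spec, off, dep) for spec, off, dep in checks)


# Constructed leading bytes of each file type and protocol message (not from the lab capture).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x21TIT2",
    "archive.rar": b"Rar!\x1a\x07\x00\xcf\x90s\x00\x00",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
    "archive.tar.gz": b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03",
    "clip.avi": b"RIFF\x24\x10\x00\x00AVI LIST",
    "voice.wav": b"RIFF\x24\x08\x00\x00WAVEfmt ",          # RIFF too: the lab's AVI rule fires on it
    "meta.torrent": b"d8:announce35:http://tracker.example/announce4:infod",
    "handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20,
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print("%-16s %s  strict AVI: %s" % (name, match_rules(payload), matches_all(payload, AVI_STRICT)))
```

Two things the run makes visible: a bare content match finds the marker anywhere in the segment, not only at the start of a file, so any packet that happens to carry "%PDF" or "ID3" mid-stream will alert; and a short generic marker like RIFF needs a second anchored content (or a file-identification preprocessor) before the alert name can be trusted.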
