
HW4


157B

150B

2 . ................................................................................................................................
15B

4 ........................... ................................................................................................:
152B

7 ............................. ................................................................................................:
153B

9 .......................... ................................................................................................ :
154B

16 ........................ ................................................................................................:

156B

15B

19 ......................... ................................................................................................ :
20 ................................................................................................................................


15B

Ubuntu 12.04 - precise .


Snort 2.9.2 .
16B


#apt-get install snort
17B


18B

#apt-get upgrade
19B

20B

snort .
21B

/etc/snort/snort.conf
.

. HOME_NET EXTERNAL_NET
any
. 1 Snort
F0

comment # .

Ruleset

23

Snort
B

.
sourcefire . .
24B

Snort .
#/etc/init.d/snort start
25B

26B


#ps auxw | grep snort
27B

28B

snort .

29

:
30B

][Snort for dummies Charlie Scott, Paul Wolfe, Bert Hayes


.
31B

snort log /var/log/snort


.
# snort -l alternative_path
32B

Snort log alert tcpdump binary


3B

.
Snort
34B

.
:Tcpdump binary
35B

.
36B

.
snort .
.

.

37B

ASCII .
logging
.

:Log_tcpdump tcpdump .
38B

. .dump.
:ASCII logging
39B

40B

snort .

.

alert log .
41B

alert .
(Step #6)
.
:Alert_fast .
42B

. -A fast snort
.
:Alert_full ASCII
43B

drop . -A full
snort .
:Alert_syslog fast . snort
4B

. syslog
daemon . alert_syslog
. log
.

CSV :Alert-CSV Comma Separated Values


45B

. snort snort
alert_CSV.

:
46B

[1] Snort for dummies Charlie Scott, Paul Wolfe, Bert Hayes


[2] snort manuals .
47B

.
#snort -vd -A full -r source_file -c config_file -l destination_folder
48B

:-v IP, TCP, UDP ICMP .


49B

:-d -v packet logging Packet .


50B

logging pcap ascii none .


:-A fast, full none . full
51B

alert .
.
:-r -r .
52B

:-c .
53B

:-l .
54B

root@ubuntu:/# snort -d -A full -r ./root/Desktop/HW4/icmp.tcpdump -c


./etc/snort/snort.conf -l ./root/Desktop/HW4/LOGS
5B

root@ubuntu:/# snort -d -A full -r ./root/Desktop/HW4/udp.tcpdump -c


./etc/snort/snort.conf -l ./root/Desktop/HW4/LOGS
56B

root@ubuntu:/# snort -d -A full -r ./root/Desktop/HW4/tcp.tcpdump -c


./etc/snort/snort.conf -l ./root/Desktop/HW4/LOGS
57B

-v :
58B

-1 .
12B

-d -2 .tcpdump -v.
13B

-3 .
14B

59B

alert-(icmp|tcp|udp)-(No. of alerts) .

134 alert-icmp 37 alert-tcp 165 alert-udp


60B

. ascii .

:
61B

:
62B

63B

.
icmp.tcpdump 134 tcp.tcpdump 37 udp.tcpdump
165 .

64

0B

:1 icmp

65

1B

:2 tcp

2B

:3 udp

67B


.
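#!/bin/bash
# Print the header line of every alert record in a Snort full-format alert
# file. Snort opens each record with a line that ends in "[**]" (the
# "[**] [gid:sid:rev] message [**]" header), so emitting exactly those lines
# yields one line per alert, which callers then count or group
# (e.g. "| wc -l" or "| awk '{$1=$2=""; print}' | sort | uniq -c").
# Input is the file named alert_file in the current directory;
# it could be alert-tcp, alert-udp and alert-icmp file.
# The "|| [ -n "$line" ]" clause also processes a final line that lacks a
# trailing newline; IFS= and -r keep leading blanks and backslashes intact.
while IFS= read -r line || [ -n "$line" ]; do
    # A glob test against the trailing "[**]" replaces the per-line
    # "echo $line | grep -P '\[[*]{2}\]$'" pipeline: same match, no word
    # splitting or glob expansion of the alert text, no forked processes.
    if [[ $line == *'[**]' ]]; then
        # Quoted so the alert text is printed verbatim.
        printf '%s\n' "$line"
    fi
done < alert_file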
68B

69B

70B

71B

72B

73B

74B

75B

76B

alert_file alert-tcp
. .
7B

alert_count .

78

79B

3B

:4

336 = 165+37+134
10

:
80B

81B

tcp.tcpdump .
#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c |wc -l
82B

83B

4B

:5

85B

84B

30 tcp.tcpdump .

.
#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c |sort -rn
86B

5B

87B

:6 alert-tcp

11

8B

.
#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c |sort -rn |head -n 1
89B

90B

6B

:7 alert-tcp

91B

SHELLCODE x86 setuid 0


. ICMP Destination unreachable Port unreachable
.

:SHELLCODE x86 setuid 0


92B

93B

.
94B

.
95B

format
string .
:ICMP Destination unreachable Port unreachable
96B

97B


.
. udp scan services.

:
9B

98B

.
#./alert_count | awk '{$1=$2=""; print}' | sort | uniq -c |sort -rn | grep -P ".*DOS.*"
10B

12

10B

alert_count .
102B

icmp, tcp udp .


103B

:alert-icmp

104

7B

:8 icmp.tcpdump

105B

:DOS ath
106B

107B

IP
. .
.

:DDOS tfn2k
108B

109B

icmp ) tribe flood network 2000


( . tfn2k
icmp id 0 A
64 .
10B

:alert-tcp

12B

8B

:9 tcp.tcpdump

.
13

:DDOS mstream handler to client


13B

14B

mstream handler .
15B

.
.
udp 10498 ping
.
16B

:alert-udp

17

9B

:10 udp.tcpdump

18B

11 10
.
:Dos Ascend Route
19B

120B

12B

.
udp .
14

11+2+2 .
12B

15

:
123B

124B

.
TCP UDP . IP

. IP

.
TCP UDP
.
125B

any 129.105.100.0/24 .
any !$HOME_NET .
126B

127

16

: | |3a
128B

[4] EZ Snort Rules, Find the Truffles, Leave the Dirt, David J. Bianco
.
129B

20 " "PASS |3a| RECV .


alert tcp $EXTERNAL_NET any -> $HOME_NET 8008 (msg: "Worm Ditty!"; content:
"|03 0E FE CC A0|"; content: "PASS |3a| RECV"; distance:0; within:20; sid:1000053;)
130B

alert udp $EXTERNAL_NET any -> $HOME_NET 4004 (msg: "Worm Ditty!"; content:
"|03 0E FE CC A0|"; content: "PASS |3a| RECV"; distance:0; within:20; sid:1000054;)
13B

132B

/etc/snort/rules ditty.rules
snort.conf include .

13

134

17

135B

.
#snort -T -c /etc/snort/snort.conf
136B

138B

137B

18

:
139B

. tcp
udp IP
. tcp 4004 )
( .
iptables -t filter -A INPUT -p tcp ! --source 129.105.100.0/24 -d 129.105.100.0/24
--dport 8008 -j DROP -m comment --comment "Worm Ditty"
140B

iptables -t filter -A INPUT -p udp ! --source 129.105.100.0/24 --sport 1:65535 -d


129.105.100.0/24 --dport 4004 -j DROP -m comment --comment "Worm Ditty"
14B

IPTABLES
142B

IPTABLES .

10

1B

:11

--sport 1:65535 --sport


143B

any.

19


[1]. Snort for dummies Charlie Scott, Paul Wolfe, Bert Hayes
14B

[2]. Snort manuals


145B

[3]. http://Snort.org
146B

[4]. EZ Snort Rules, Find the Truffles, Leave the Dirt, David J. Bianco
147B

[5]. Network Security Hacks, Andrew Lockhart; O'Reilly


148B

[6]. http://ipset.netfilter.org/iptables.man.html
149B

20
