Snort Lab
Reply needed 1
I had a surprisingly difficult time with this assignment and finding a unique rule that worked.
For this assignment, I chose to ban www.reddit.com. The rule I created reads:
alert tcp any any -> any 443 (msg:"Access of restricted website"; sid:1000004;)
Unfortunately, this rule is identical to the example rule. This was not intentional. I had originally intended to capture reddit using port 80, since most commercial websites use this port. However, when accessing reddit via the virtual lab, I could not generate any alerts with this port. Only 443 allowed me to capture it. Thus the following rule did NOT work:
alert tcp any any -> any 80 (msg:"Access of restricted website"; sid:1000004;)
Additionally, I wanted to narrow the scope of the rule using port 443 since it would obviously capture unintended websites that also use this port (thus creating too many false positives). I attempted to modify the rule with a content option reading:
alert tcp any any -> any 443 (msg:"Access of restricted website"; content:"www.reddit.com"; sid:1000004;)
This rule also failed to generate any alerts on the virtual lab.
I know I could have tried to change the external net variables in snort.conf to identify the reddit server address. Using this method, I would have allowed the header portion of the rule to truly narrow the scope. However, I was hesitant to mess with snort.conf using the virtual lab.
Does anyone have any suggestions or feedback on the rules that I attempted? To me, they should have worked, but they did not deliver the results I was expecting.
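A reworked pair of rules for the same goal, added here as an example rather than taken from the post above, in Snort 2.9 syntax; it assumes the lab's default snort.conf (http_inspect enabled, $HOME_NET and $EXTERNAL_NET left unchanged) and that the browser sends the hostname in the TLS Server Name Indication extension.

```snort
# Added example, not the poster's rules. Each rule gets its own sid: reusing
# 1000004 for every attempt makes alerts from different rules indistinguishable.

# Port 80: the HTTP Host header is cleartext, so match it directly.
# http_header limits the content match to the parsed HTTP headers, and
# flow:to_server,established skips server replies and half-open connections.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Restricted site - HTTP Host www.reddit.com"; \
    flow:to_server,established; content:"Host|3A| www.reddit.com"; nocase; http_header; \
    classtype:policy-violation; sid:1000005; rev:1;)

# Port 443: the HTTP request itself is encrypted, so a content match can only
# hit the TLS ClientHello, where the SNI extension still carries the hostname
# in cleartext. A TLS handshake record starts with bytes 0x16 0x03 (checked
# with depth:2); the hostname appears later in the same client packet.
# Matching the ClientHello also limits the rule to one alert per connection.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Restricted site - TLS SNI www.reddit.com"; \
    flow:to_server,established; content:"|16 03|"; depth:2; \
    content:"www.reddit.com"; nocase; \
    classtype:policy-violation; sid:1000006; rev:1;)
```

Verify the ClientHello contents in the lab with a packet capture before relying on the 443 rule, since a connection that resumes a session or uses QUIC over UDP 443 will not produce the handshake this rule looks for.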
Reply needed 2
The Snort rules help to set out the online space that can be accessed by the different parties that take part in the safeguarding of a network. The rule-based language that is applied in the formation of the Snort rules guides the developers in coming up with the desired remedy for the network issues. Some of the network issues that the rules help to protect the system against include DoS attacks, stealth port scans, OS fingerprinting, buffer overflows and SMB probes.
The "prohibited" site that is chosen for this exercise is Zillow.com, and Snort rules were trialled on this site. The popular libpcap, WinPcap, and tcpdump perform the packet sniffing on the network to discover any of the mismatches. The Snort Packet Logger is particularly a major rule that is used in the debugging of the network traffic (Mark, 2019). The Snort app functions according to the rules that are defined in the configuration rule. Since the Snort rule language is flexible, the creation of new rules is simpler. With properly configured rules, it can be easy to differentiate between the normal network activities and the malicious ones. The rules aid in ensuring convergence at the security point of the network. The rule options identify the alert messages and redirect them appropriately.
References
Mark, G. (2019). Basic Snort Rules Syntax and Usage. Retrieved 29 October 2019, from https://resources.infosecinstitute.com/snort-rules-workshop-part-one/#gref