2. ● Answers to some old questions
● Default detectable/undetectable attacks
● Optimizations
● Rule writing basics
● Alert (something special here from me)
● Demo
● Questions
● Thanks
S3CuriTy B3a$t
3. ● Snort or Suricata?
● What are PF_RING and netsniff-ng?
● ??
4. Suricata
● Less spread
● OISF (Open Information Security Foundation)
● Snort Inline used with Snort
● Multi threaded
5. Snort
● Open Source De-Facto-Standard
● SourceFire
● IPS Optional
● Single Threaded
6. PF_RING™ is a new type of network socket that dramatically improves the
packet capture speed.
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your
daily Linux network plumbing if you will. Its gain in performance is
reached by zero-copy mechanisms, so that on packet reception and
transmission the kernel does not need to copy packets from kernel space
to user space and vice versa.
9. Fewer false positives
Mature traffic
Improved LAN cards which support PF_RING
Customization of Snort and the rule set
And many more...!
10. action proto src_ip src_port direction dst_ip dst_port (options)
alert tcp 10.0.9.4 any -> any any (msg:"Traffic from 10.0.9.4";)
Action :-
alert - generate an alert using the selected alert method, and then log the packet
log - log the packet
pass - ignore the packet
activate - alert and then turn on another dynamic rule
dynamic - remain idle until activated by an activate rule, then act as a log rule
11. Protocol :- which protocol should be looked at
TCP
UDP
ICMP
IP Addresses :- single IPs, any, & CIDR notation
Port Numbers :- any, a single port, from:to, :to (<=) & from: (>=)
Ex. ip any -> IP 1:1020 (from any port to 1-1024)
any any -> ip:6000 (from any port to a port less than or equal to 6000)
ip:1024 -> ip:500: (from a port less than 1024 to a port greater than 500)
Direction operator :- -> or <>
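The rule header described on slides 10 and 11 (action, protocol, IP or CIDR, the port forms any / N / from:to / :to / from:, and the -> and <> direction operators), as an added Python example. This is not code from the deck or from Snort itself: it parses one rule line into its header fields and option list, then tests a constructed 5-tuple against the header. Port ranges are treated as inclusive on both ends as Snort does, and the sample rules and addresses below are constructed.

```python
import ipaddress
import re

# Actions and protocols accepted in the header, as listed on slides 10 and 11.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>[^\s(]+)\s*"
    r"\((?P<options>.*)\)\s*$"
)


def parse_port_spec(spec):
    """Translate a port field into an inclusive (low, high) range:
    'any' -> all ports, '80' -> one port, '1:1024' -> 1..1024,
    ':6000' -> 0..6000, '1024:' -> 1024..65535."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0
        high = int(hi) if hi else 65535
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return (low, high)


def parse_ip_spec(spec):
    """'any' matches every address (returned as None); otherwise a host or CIDR block."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec, strict=False)


def split_options(text):
    """Split the option body on ';' while respecting quoted strings,
    so a msg such as "a;b" stays in one piece."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_options(text):
    """Return a list of (keyword, value) pairs; bare keywords such as 'nocase' get None."""
    opts = []
    for part in split_options(text):
        if ":" in part:
            key, value = part.split(":", 1)
            opts.append((key.strip(), value.strip().strip('"')))
        else:
            opts.append((part, None))
    return opts


def parse_rule(rule):
    """Parse one rule line into its header fields and option list."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("rule does not match 'action proto ip port dir ip port (options)'")
    action, proto = m["action"].lower(), m["proto"].lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    return {
        "action": action,
        "proto": proto,
        "src_ip": parse_ip_spec(m["src_ip"]),
        "src_port": parse_port_spec(m["src_port"]),
        "direction": m["direction"],
        "dst_ip": parse_ip_spec(m["dst_ip"]),
        "dst_port": parse_port_spec(m["dst_port"]),
        "options": parse_options(m["options"]),
    }


def _side_matches(net, port_range, ip, port):
    addr_ok = net is None or ipaddress.ip_address(ip) in net
    return addr_ok and port_range[0] <= port <= port_range[1]


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Apply a parsed header to a 5-tuple. Protocol 'ip' covers every transport;
    '->' checks only source-to-destination, '<>' checks both orientations."""
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    forward = (_side_matches(rule["src_ip"], rule["src_port"], src_ip, src_port)
               and _side_matches(rule["dst_ip"], rule["dst_port"], dst_ip, dst_port))
    if forward or rule["direction"] == "->":
        return forward
    return (_side_matches(rule["src_ip"], rule["src_port"], dst_ip, dst_port)
            and _side_matches(rule["dst_ip"], rule["dst_port"], src_ip, src_port))
```

header_matches only decides whether the header selects the packet; the option list it returns still has to be evaluated separately, which is what the per-keyword tests on the following slides are for.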
12. Options :-
logto - log the packet to a user-specified filename instead of the standard output file
ttl - test the IP header's TTL field value
tos - test the IP header's TOS field value
id - test the IP header's fragment ID field for a specific value
ipoption - watch the IP option fields for specific codes
fragbits - test the fragmentation bits of the IP header
dsize - test the packet's payload size against a value
flags - test the TCP flags for certain values
seq - test the TCP sequence number field for a specific value
13. ack - test the TCP acknowledgement field for a specific value
itype - test the ICMP type field against a specific value
icode - test the ICMP code field against a specific value
icmp_id - test the ICMP ECHO ID field against a specific value
icmp_seq - test the ICMP ECHO sequence number against a specific value
content - search for a pattern in the packet's payload
content-list - search for a set of patterns in the packet's payload
nocase - match the preceding content string with case insensitivity
session - dump the application layer information for a given session
rpc - watch RPC services for specific application/procedure calls
resp - active response (knock down connections, etc.)
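The option keywords of slides 12 and 13, as an added Python example that is not code from the deck or from Snort: a small evaluator for a subset of the detection options (ttl, tos, id, dsize, flags, itype, icode, and content with the nocase modifier and ! negation) run against a constructed packet. The SAMPLE_PACKET dict and its HTTP payload are constructed for the example; the |..| hex form of content, the flags mask, and keywords such as ipoption, fragbits, seq, ack, rpc and resp are left out.

```python
import re

# Constructed sample packet, shaped the way a detection engine presents
# header fields and payload to the rule options (not captured traffic).
SAMPLE_PACKET = {
    "ttl": 64,
    "tos": 0,
    "id": 4242,
    "tcp_flags": "PA",            # PSH and ACK set
    "icmp_type": None,
    "icmp_code": None,
    "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

# keyword, optional ':value' (a quoted value may itself contain ';'), closing ';'
OPTION_RE = re.compile(r'\s*([\w-]+)(?::\s*(!?\s*"(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(text):
    """Turn 'msg:"x"; ttl:>5; nocase;' into [("msg", '"x"'), ("ttl", ">5"), ("nocase", None)]."""
    return [(key, val.strip() or None) for key, val in OPTION_RE.findall(text)]


def _unquote(val):
    """Strip an optional leading '!' (negation) and the surrounding quotes."""
    negate = val.startswith("!")
    body = val.lstrip("!").strip()
    if len(body) >= 2 and body[0] == body[-1] == '"':
        body = body[1:-1]
    return negate, body


def _compare(value, spec):
    """Numeric test used by ttl/tos/itype/icode: 'N', '<N', '>N' or 'A-B'."""
    spec = spec.strip()
    if spec.startswith("<"):
        return value < int(spec[1:])
    if spec.startswith(">"):
        return value > int(spec[1:])
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return value == int(spec)


def _dsize(length, spec):
    """dsize adds the exclusive range form 'A<>B' on top of the numeric tests."""
    if "<>" in spec:
        lo, hi = spec.split("<>", 1)
        return int(lo) < length < int(hi)
    return _compare(length, spec)


def _flags(actual, spec):
    """flags:[+*!]FLAGS[,MASK]: exact set by default, '+' all listed plus any
    others, '*' any of the listed, '!' none of the listed. Mask is ignored here."""
    spec = spec.split(",", 1)[0].strip()
    mod = ""
    if spec and spec[0] in "+*!":
        mod, spec = spec[0], spec[1:]
    wanted, have = set(spec), set(actual)
    if mod == "+":
        return wanted <= have
    if mod == "*":
        return bool(wanted & have)
    if mod == "!":
        return not (wanted & have)
    return wanted == have


def evaluate_options(options, pkt):
    """True when every detection option matches pkt. Output/metadata options
    (msg, sid, rev, classtype, logto) never affect matching; 'nocase' is a
    modifier applied to the content option immediately before it."""
    payload = pkt["payload"]
    for idx, (key, val) in enumerate(options):
        if key in ("msg", "sid", "rev", "classtype", "logto", "nocase"):
            continue
        if key in ("ttl", "tos"):
            ok = _compare(pkt[key], val)
        elif key == "id":
            ok = pkt["id"] == int(val)
        elif key == "dsize":
            ok = _dsize(len(payload), val)
        elif key == "flags":
            ok = _flags(pkt["tcp_flags"], val)
        elif key in ("itype", "icode"):
            field = pkt["icmp_type" if key == "itype" else "icmp_code"]
            ok = field is not None and _compare(field, val)
        elif key == "content":
            negate, pattern = _unquote(val)
            nocase = idx + 1 < len(options) and options[idx + 1][0] == "nocase"
            needle, hay = pattern.encode(), payload
            if nocase:
                needle, hay = needle.lower(), hay.lower()
            ok = (needle in hay) != negate
        else:
            raise ValueError(f"unsupported option {key!r}")
        if not ok:
            return False
    return True


def rule_body_matches(option_text, pkt=SAMPLE_PACKET):
    """Parse the parenthesised option body and evaluate it against a packet."""
    return evaluate_options(parse_options(option_text), pkt)
```

Every option must hold for the rule to fire, which is why the loop returns on the first failing test; the content keyword is case-sensitive unless a nocase follows it, so 'content:"get";' alone does not match the sample GET request while 'content:"get"; nocase;' does.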