Creating SNORT Rules

  • Published: 19 Aug 2024
  • Summary
    Several examples of Snort rule creation and triggered alerts.
    4:22 - Adding custom rules to Snort configuration
    4:47 - Create custom rules file
    5:40 - FTP alert rule
    14:57 - Manually running Snort
    17:53 - FTP alert generated
    19:12 - Keyword alert rule
    25:24 - Keyword alert generated
    26:28 - ICMP alert rule
    28:56 - ICMP alert generated
    36:28 - Processing a tcpdump file with Snort
    Reference Materials
    www.snort.org/docs - Snort Documentation
    oreilly.com/pub...

Comments • 54

  • @vonniehudson 8 years ago +11

    You are an excellent teacher. Very careful, not condescending and you talk at a nice pace. Thank you very much!

    • @richardbennett4365 1 year ago

      Who would be condescending? I hear a lot of students claiming, proclaiming, or even accusing inaccurately or erroneously a professor or instructor as condescending. Call it what you want, but the teacher teaches while the student learns, so there's always and necessarily a level difference. A teacher needs to be expert in order to teach the novice who is not expert, but is hoping and studying to be expert. If good enough, the student can then surpass the teacher and then be "condescending" toward teacher in what new subject about which the student has become expert.

  • @ptianu 9 years ago +1

    This is a great tutorial. This is exactly what I was looking for.

  • @FalahAwad-pr9ez 1 year ago

    Thanks a lot for this explanation, you are an excellent teacher.

  • @jibberjabber6919 4 years ago

    Hey, your videos are really good and helpful. Please come back and create some more.

  • @serdarerkan8126 8 years ago

    Thank you for your clear explanation of rule basics.

  • @negroticos 8 years ago +1

    Very good video, excellent and clear explanation. Thanks.

  • @estoperopy 8 years ago +2

    This video makes "SNORT BASICS" more understandable, which is what I need! Thanks for posting it!! Is it possible to show us all how to write rules for brute force attacks on the HTTP ports with different tools like Hydra or Medusa?... Thanks a lot!

  • @JeanDoeShow 9 years ago

    Thanks a lot, your video made the subject a whole lot more understandable!

  • @takanomi1 8 years ago

    Thanks Dr. Craiger you rock!

  • @PedroMatosMAC 3 years ago

    Very very good tutorial, excellent indeed! Thanks a lot!

  • @peternoschese9637 4 years ago

    Super helpful, thanks!

  • @benjamincastricone6677 8 years ago

    Well explained! Thank you sir!

  • @abdulrahmanabdulnasir9345 9 years ago

    Thank you. I really enjoyed it.

  • @RevanSK 9 years ago

    Brilliant video. Thank you.

  • @kamikaze6363 9 years ago

    Very helpful. Thanks.

  • @kushagravarma8 1 year ago

    Hi! Thanks for the tutorial. I have been trying to listen on port 1883, but nothing seems to work. Could you please help? I want to detect the MQTT protocol via Snort.

  • @qsyt731 9 years ago

    Thanks, helped a lot for my implementation.

  • @HSN.LTD0824 2 years ago

    How can I create a rule to detect and drop DOS/DDOS packets?

  • @lexiaontube 8 years ago +4

    How did it catch the Google search... it's been over HTTPS for a long time, isn't it??

    • @coffeedude 2 years ago

      I don't get that either.

  • @richardbennett4365 1 year ago

    Why is the narrator saying "variable" when he's talking about the directory named /var?

  • @jorge-tutor 8 years ago

    Thank you!

  • @willkillyaquick 7 years ago

    Any ideas on how Snort deals with compressed files? I want to create an alert that looks for certain patterns within a Word document (i.e. sensitive info like SSNs), but since the modern Word doc files are compressed, it doesn't show up in plain text without decoding the compression. Can someone point me in the right direction if there is something out there that would do this for Snort? Thanks. BTW, great videos. Easy to follow.

  • @tarundixit580 7 years ago +1

    How do I block youtube.com using Snort without blocking Google Drive for selected users/groups?

  • @allanng78 6 years ago

    Hi,
    Thanks for the video. It has given me some of the information I need to write my own rules. I wish to know, if I want to get an alert for a download, how do I write the rule in Snort to detect that? Hope to hear from you. Thanks.

  • @user-hn1dd1nj9e 8 years ago

    Thank you!
    You're such a handsome guy!
    I like you!

  • @christreedee 4 years ago

    Sorry it is so late. I'd love to run this in a VM or something that will watchdog and probe; should I maybe put it on a separate box?

  • @yangdu1839 7 years ago

    I can receive alerts, but why is my alert file binary code?

  • @MrBrewww 7 years ago

    I don't have the alert file either. Could someone help me with this???

  • @antariencaysencays1285 7 years ago

    How do I create the alert file? I can't seem to understand that part.

  • @kevingeil3457 8 years ago

    VERY nice video. Thank you. Can you share the presentation software you used to create this?
    Thanks again!

  • @dreamyrhodes 9 years ago

    No one ever explains what "HOME_NET" means. Yes it's the "network we want to protect" but what exactly does that mean? Are $HOME_NET sources treated differently? Are packets trusted from there? How exactly are they trusted?

  • @nikeshkakshapati6633 6 years ago

    Can we block IPs using Snort? Can you do it with some rules with drop actions?

  • @Vinay_Gurram 7 years ago

    Hello, I am a newbie,
    Facing this error:
    ERROR: /etc/snort//etc/snort/rules/myrules.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/myrules.rules": No such file or directory.
    -Thanks in advance.

    • @serhiikorolik 7 years ago

      It seems that you wrote a wrong include in your snort.conf file.. check that it has to be exactly: "include /etc/snort/rules/myrules.rules" or "include $RULE_PATH/myrules.rules" and var RULE_PATH /etc/snort/rules

  • @travellingguitarsinger 8 years ago

    Hi Phillip, awesome presentation.
    I am not able to get an alert generated on the rule below; I did exactly what you demonstrated.
    alert tcp 10.113.57.118 any -> any 80 (msg:"Terror search"; content:"terrorism"; nocase; sid:10001;)
    I am able to get alerts on other kinds of basic rules like ping, etc.
    Please let me know what may be wrong, or if something needs to be updated in the conf file.

    • @ElRammo 8 years ago

      +Amit Nag I have this same issue - did you find a solution?

    • @travellingguitarsinger 8 years ago

      +El Rammo, try this:
      the -d option and your ethernet device ID, it worked for me after this.
      snort -d -i eth1 -c /home/demo/snort_confs/snort.conf -l /tmp/ -k none

    • @ElRammo 8 years ago

      Thanks I'll give it a go.

    • @akramjaiem4767 4 years ago

      Me too, I have a problem with that specific rule.. did you make it work?
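
An added worked example, not code from the video, from Snort itself, or from any commenter: a toy Python evaluator that replays the three rule kinds listed in the summary (FTP alert, keyword alert with content/nocase, ICMP alert with itype) against constructed packets. It illustrates three points raised in the comments above: $HOME_NET and $EXTERNAL_NET are nothing more than text substituted into the rule header, so a host inside HOME_NET is not "trusted", it simply matches or fails the header; a content keyword is searched in the cleartext payload, so the same search carried over TLS on port 443 matches nothing; and when a rule never fires, the first thing to check is whether the header (protocol, addresses, ports, direction, variables) matches the traffic at all. The variable values, rules, addresses and packets are all assumptions made up for the demo, and the parser covers only the options used here (no hex content, depth/offset, flow, or pcre).

```python
# Added example: a toy Snort 2 rule evaluator. Not Snort's code and not from the
# video; the variables, rules and packets below are constructed for the demo.
import ipaddress
import re

# Stand-ins for the ipvar lines in snort.conf (assumed values). $HOME_NET is
# only text substituted into the rule header: it grants no trust by itself.
VARS = {
    "HOME_NET": "10.0.0.0/8",
    "EXTERNAL_NET": "!10.0.0.0/8",
}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line rule into header fields plus an ordered option list.
    Only the option subset used below is understood; a content value must not
    contain ';' and hex escapes such as |00 01| are not decoded."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = []
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    named = dict(opts)
    if "msg" not in named or "sid" not in named:
        raise ValueError("every rule needs msg and sid: %r" % text)
    rule["options"], rule["msg"], rule["sid"] = opts, named["msg"], int(named["sid"])
    return rule


def ip_matches(spec, addr):
    """Header IP field: any, CIDR, [list,of,nets], !negation, or a $variable."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]  # plain variable substitution, nothing more
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(n.strip(), strict=False) for n in spec.split(","))
    return hit != negate


def port_matches(spec, port):
    """Header port field: any, N, lo:hi, :hi, lo:, or !negation of those."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 65535)
    else:
        lo = hi = int(spec)
    return (lo <= port <= hi) != negate


def rule_matches(rule, pkt):
    """True when the header and every supported option agree with pkt."""
    if rule["proto"] != pkt["proto"]:
        return False

    def ends(src, sport, dst, dport):
        return (ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
                and ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

    if not ends(rule["src"], rule["sport"], rule["dst"], rule["dport"]):
        # '<>' also accepts the reverse direction; '->' does not
        if rule["dir"] != "<>" or not ends(rule["dst"], rule["dport"], rule["src"], rule["sport"]):
            return False
    payload = pkt.get("payload", b"")
    contents = []  # [needle, nocase] in rule order; nocase modifies the preceding content
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
        elif key == "itype" and pkt.get("itype") != int(val):
            return False
    for needle, nocase in contents:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


# The three rule kinds the video walks through (FTP, keyword, ICMP), constructed here.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> any 80 (msg:"Keyword in HTTP request"; content:"terrorism"; nocase; sid:1000002; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000003; rev:1;)',
]

# Constructed packets, not captures. ICMP has no ports, so 0 is used against "any".
PACKETS = {
    "ftp_from_outside": dict(proto="tcp", src="203.0.113.5", sport=40000, dst="10.1.2.3", dport=21,
                             payload=b"USER anonymous\r\n"),
    "ftp_from_inside": dict(proto="tcp", src="10.9.9.9", sport=40001, dst="10.1.2.3", dport=21,
                            payload=b"USER anonymous\r\n"),  # src is not $EXTERNAL_NET
    "http_keyword": dict(proto="tcp", src="10.1.2.3", sport=51000, dst="198.51.100.7", dport=80,
                         payload=b"GET /search?q=Terrorism HTTP/1.1\r\nHost: example\r\n\r\n"),
    # The same search over TLS: the keyword is not visible and the port differs.
    "https_keyword": dict(proto="tcp", src="10.1.2.3", sport=51001, dst="198.51.100.7", dport=443,
                          payload=b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),
    "ping": dict(proto="icmp", src="203.0.113.5", sport=0, dst="10.1.2.3", dport=0, itype=8),
    "ping_reply": dict(proto="icmp", src="10.1.2.3", sport=0, dst="203.0.113.5", dport=0, itype=0),
}


def alerts_for(pkt, rules=RULES):
    """SIDs of the rules that would fire on pkt."""
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, pkt)]


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print("%-17s -> %s" % (name, alerts_for(pkt)))
```

Running the block prints which SIDs fire for each packet: only the external-to-internal FTP connection trips the FTP rule, only the cleartext HTTP request trips the keyword rule, and only the echo request (itype 8) toward HOME_NET trips the ICMP rule. Swap the VARS values for your own ranges to see how the same rules change behaviour purely through header substitution.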

  • @GlicerioCatolico 8 years ago

    What a great tutorial sir!!! But how to configure Snort to avoid false alerts in Windows? Because I enabled those rules that are with # in the beginning thinking it would make detection more efficient. I'm not familiar with tuning up Snort; all I know is that it detects intrusion, but when I tried a dictionary attack it gives a false alert. I created a webpage using Apache with a login form, so I will try to brute force the login using a dictionary attack. But before I start I tried logging in to that webpage and it was a regular login which is not actually harmful, but it gives an alert saying potentially bad traffic. I am creating a GUI programmed to capture intrusion using Snort with mobile alert and prevent it by throwing the alert to Windows Firewall since I'm using Windows. But I find it unreliable to prevent a regular login and treat it as intrusion.. I need to tune up Snort.. hope you can teach me.. this is for my project study which is almost done but I need Snort to really capture a threat.. thank you in advance sir.

    • @estoperopy 8 years ago

      +Glicerio Catolico Hi Glicerio, I imagine you speak Spanish; I am also on a project that involves implementing Snort. My problem is that I have already run dictionary brute force attacks against a basic web page on my localhost, but Snort does not detect them.. maybe we could exchange experiences, thanks and regards!

    • @GlicerioCatolico 8 years ago

      +Victor Amarilla Sorry sir, I don't speak Spanish, I'm Filipino.

    • @estoperopy 8 years ago

      +Glicerio Catolico Hi Glicerio, thanks for your quick response. I've said before that I'm also involved in a project that includes Snort/IDS-IPS. I have already tested a brute force attack, based on dictionaries for user and password, against a very basic PHP login homepage; before that I'd written the rule, but somehow Snort does not detect this attack. Maybe we can exchange experiences about this matter; if I can help you, just let me know. Have a nice time!

    • @GlicerioCatolico 8 years ago

      +Victor Amarilla Sir, it can detect it based on my experience. The only thing is that it also detects a normal login. So it's a priority 2 alert with a false positive. I interpret it as an alert when the same source and dest IP occur repeatedly. So in my program you will have to manually prevent it because preventing all priority 2 alerts will be prone to false prevention. I only set priority 1 as default autoblock.

    • @GlicerioCatolico 8 years ago

      +Victor Amarilla And sir, by the way, I'm using the Windows version of Snort which has no inline or IPS. I created a program that gives Windows Snort a GUI with mobile alert and firewall prevention. You might be using the Unix version which I really haven't touched yet.

  • @jermainesmalls6020 8 years ago

    How do you save the rule you have written? Is it Ctrl+S

    • @kaiorafael429 8 years ago

      In Vim/vi you should press ESC, then type ":wq" (without "").

  • @miteshpurohit1691 7 years ago

    How to perform a buffer overflow attack in cmd using Snort????

  • @Chillius 9 years ago

    magic snort snort

  • @gustavocinak7656 9 years ago

    DDoS configuration please

    • @DouglasMugnosit 9 years ago

      Gustavo Cinak, you can find that rule in: /etc/snort/rules/ddos.rules.

  • @walidelgadal1146 8 years ago

    Thank you!