题目描述
write a rule in test.rules detect a tcp packet with
- Destination Port at 8080, TCPFLAG ACK set, a string " I am IDS Homework I " in payload [100th byte-200th byte]
- alert message " TEST ALERT "
Snort Rules
首先我们要了解一下Snort规则
这里我只会介绍一些比较重要且题目中会涉及到的字段
详细的介绍可以看一下这个博主翻译的部分Snort手册
Header:RuleType + Five Tuple(五元组)
- Rule Type ( IDS )
- alert:产生警告,并记录
- log:记录在日志
- pass: 忽略
- Rule Type ( IPS )
- drop:丢弃
- reject:主动断开此传输链接
- sdrop: 悄悄地丢弃
- Five Tuple
- Protocol:TCP/UDP,etc
- SIP/DIP:源IP/宿IP
- SPORT/DPORT:源端口/宿端口(most important)
Options
- General
- msg:打印的警告信息
- reference:详细信息的引用
- gid/sid/rev:规则ID及版本号
- classtype:类别,与优先级有关
- priority:优先级
- metadata:日期相关信息
- Non-Payload
- dsize
- ttl
- tos
- flags:检查是否存在特定的TCP标志位,可以检查以下位
- F:FIN - Finish (LSB in TCP Flags byte)
- S:SYN - Synchronize sequence numbers
- R:RST - Reset
- P:PSH - Push
- A:ACK - Acknowledgment
- U:URG - Urgent
- C:CWR - Congestion Window Reduced (MSB in TCP Flags byte),原来为1,reserved bit 1
- E:ECE - ECN-Echo (If SYN, then ECN capable. Else, CE flag in IP header is set),原来为2,reserved bit 2
- 0:No TCP Flags Set
- Payload
- content:负载中需要匹配的字符串
- offset:搜索的开始位置,相对于净荷开始位置的偏移量,真正匹配是从offset+1开始
- depth:配合offset使用,指定搜索的深度,从offset+1开始计算,若没有规定offset则从the first btye开始计算
- within:与offset类似,只不过distance设置的是从上一个匹配结束开始的距离,而offset是从开始计算
- distance:多个content匹配之间的距离要求要满足within设定的字节
- pcre:负载中需要匹配的模式
- content:负载中需要匹配的字符串
- Post-Detection
More on Rule of Snort
- flow
- to_client:匹配从服务器到客户端的数据包
- to_servert:匹配从客户端到服务器的数据包
- established:匹配链接建立过程中的数据包
- flowbits
- set:将某一变量标志位,置1
- unset:将某一变量标志位,置0
- isset:判断某一变量标志位,是否为1
- noalert :对匹配上该规则的数据包不发出警报
简单了解一下Snort的预处理器
- detect: sfportscan, reputation
- reassemble: frag3, session, stream
- decode & detect: http/smtp/pop3/dns/….
- management: performance monitor
- rewrite the packet: normalizer
sfportscan
- based on statistics of packet
- TCP/UDP/IP
- one-one
- many-one
- one-many
Reputation
- IP Blacklist/Whitelist
- implemented in route table format
- performance better than rule
- the first pp where packet arrived
frag3 vs. Session vs. Stream
- frags : IP fragment
- session & stream
- Transport protocol fragment
- stream5
- memory cost
Session
- provide context for rule detection(flow, flowbits)
- support TCP(default), UDP, ICMP, IP
- tcp session count : 256k(default), 1M(max)
Stream
- Target-Based
- Anomaly Detection
- Protocol Aware Flushing
- support application protocol decode
Application Protocol
- HTTP, SMTP, etc
- rule content options
- improve detection accuracy
Performance Monitor
- measures Snort’s real-time and theoretical maximum
performance. - packet performance/ pp performace/rule performance
回归正题,我们题目的答案是什么呢?
需要注意的内容我已经讲解过了,注意黑体字的内容
alert tcp any any -> any 8080 (msg:"TEST ALERT";content:"I am IDS Homework I";offset:99;depth:101;flags:A;sid:1;)
Scapy及测试
想要测试一下我们rules对不对?
这里我们可以使用Scapy构造想要的数据包
(我们只简单介绍如何用scapy构造本题需要的数据包,其他功能可以在查看官方手册)
安装&&启动scapy
sudo pip install scapy
sudo scapy
构造有负载的数据包
scapy的语法和python一样,较为复杂的负载内容需要单独专门设置
pkt=Ether()/IP()/TCP()/""
pkt=IP()/TCP(dport=8080,flags="A")/""
pkt.load="a"*99+"I am IDS Homework I"
保存构造出的数据包
wrpcap("1.pcap",pkt)
退出
quit()
测试rules
选择特定的rules检测给定的数据包
sudo snort -r 1.pcap -c rules
6680
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
