intrusion detection - Snort rules for byte code


I started learning how to use Snort today.

However, I need a bit of help with setting up rules.

I am trying the following code on the network, sent to a machine. The machine has Snort installed on it (as it is installed now).

The code I want to analyze on the network, in bytes:

'\xaa\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x02\x74\x00\x00' (total of 14 bytes)

Now, looking at it, I am wanting to analyze the first 7 bytes of the code. If the 1st byte is (aa) and the 7th byte is (0f), I want Snort to set off an alarm.

So far my rules are:

alert tcp any any -> any any \
    (content:"|aa 00 00 00 00 00 00 0f|"; msg:"break in attempt"; sid:10; rev:1; \
    classtype:shellcode-detect; rawbytes;) byte_test:1, =, aa, 0, relative; byte_test:7 =, 0f, 7, relative;

I'm guessing I have made a mistake somewhere. Maybe someone familiar with Snort can help me out?

Thanks.

Congrats on deciding to learn Snort.

Assuming the bytes are going to be found in the payload of a TCP packet, your rule header should be fine:

alert tcp any any -> any any

We can specify a content match using pipes (||) to let Snort know that these characters should be interpreted as hex bytes, not ASCII:

content:"|aa 00 00 00 00 00 00 0f|"; depth:8;  

And since we want the rule to match only if these bytes are found in the first 8 bytes of the packet or buffer, we can add "depth". The "depth" keyword modifier tells Snort how far into the packet or buffer to look for the content match. For the above content match to return true, all 8 bytes must be found within the first 8 bytes of the packet or buffer.

"rawbytes" is not necessary here and should only ever be used for one specific purpose: to match on telnet control characters. "byte_test" isn't needed either, since we've already verified that bytes 1 and 8 are "aa" and "0f" respectively using the content match.

So, the final rule becomes:

alert tcp any any -> any any ( \
    msg:"shellcode break in attempt"; \
    content:"|aa 00 00 00 00 00 00 0f|"; depth:8; \
    classtype:shellcode-detect; sid:10;)

If you decide it should match inside a file, you can use the "sticky" buffer "file_data" like so:

alert tcp any any -> any any ( \
    msg:"shellcode break in attempt"; file_data; \
    content:"|aa 00 00 00 00 00 00 0f|"; depth:8; \
    classtype:shellcode-detect; sid:10;)

This will alert if the shellcode is found inside the alternate data (file data) buffer.

If you'd like the rule to look only inside certain file types for the shellcode, you can use "flowbits" like so:

alert tcp any any -> any any ( \
    msg:"shellcode break in attempt"; \
    flowbits:isset,file.pdf; file_data; \
    content:"|aa 00 00 00 00 00 00 0f|"; depth:8; \
    classtype:shellcode-detect; sid:10;)

This will alert if these bytes are found while the file.pdf flowbit is set. You will need a rule enabled that sets the pdf flowbit. Rules that set file flowbits, and other examples, can be found in the community ruleset, available for free here: https://www.snort.org/snort-rules.
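To check the content/depth reasoning in the answer above before loading the rule into Snort, here is an added example (not part of the original question or answer, and not Snort's own code) that emulates how Snort evaluates a hex `content` match constrained by `depth`. The payloads are constructed here: the asker's 14 bytes, the same bytes shifted two positions into the packet, and a variant where one of the middle zero bytes differs. The helper names (`parse_content`, `content_match`, `rule_fires`, `evaluate_samples`) are my own.

```python
# Emulation of Snort's content / offset / depth matching semantics.
# Added example; helper names are assumptions, not Snort APIs.

# Constructed sample payloads.
QUESTION_PAYLOAD = bytes.fromhex("aa 00 00 00 00 00 00 0f 00 00 02 74 00 00")
SHIFTED_PAYLOAD = b"\x00\x00" + QUESTION_PAYLOAD          # pattern starts at byte 3
MODIFIED_PAYLOAD = bytes.fromhex("aa 00 00 01 00 00 00 0f 00 00 02 74 00 00")  # 4th byte is 0x01

# The content string from the answer's final rule.
RULE_CONTENT = "|aa 00 00 00 00 00 00 0f|"
RULE_DEPTH = 8


def parse_content(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between pipe characters (|aa 00 0f|) is hex; text outside pipes is
    literal ASCII, so "GET |0d 0a|" becomes b"GET \\r\\n".
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipes in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                      # odd segments sit between pipes: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:                               # even segments are literal text
            out += part.encode("ascii")
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None):
    """Return the index where pattern is found, or None.

    Mirrors Snort's rule: the whole pattern must lie inside the search
    region payload[offset : offset + depth]. With depth=None the region
    extends to the end of the payload.
    """
    region_end = len(payload) if depth is None else offset + depth
    idx = payload.find(pattern, offset, region_end)
    return idx if idx != -1 else None


def rule_fires(payload: bytes) -> bool:
    """Evaluate the answer's final rule: content with depth:8."""
    return content_match(payload, parse_content(RULE_CONTENT), depth=RULE_DEPTH) is not None


def evaluate_samples() -> dict:
    """Run the rule against the constructed payloads; returns name -> fired."""
    return {
        "question": rule_fires(QUESTION_PAYLOAD),   # bytes 1 and 8 are aa/0f, middle zeros: fires
        "shifted": rule_fires(SHIFTED_PAYLOAD),     # pattern present but not within first 8 bytes
        "modified": rule_fires(MODIFIED_PAYLOAD),   # aa and 0f in place but a middle byte differs
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:>9}: {'ALERT' if fired else 'no match'}")
```

The shifted case shows what `depth:8` buys: without it, `content_match(SHIFTED_PAYLOAD, parse_content(RULE_CONTENT))` finds the pattern at index 2 and the rule would fire on any packet carrying the bytes anywhere in the payload. The modified case shows why the asker's `byte_test` checks add nothing: the content match already pins every one of the 8 bytes, including the six zeros in between, so a packet that only has `aa` in byte 1 and `0f` in byte 8 does not match.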

