• April 11th, 2016


Paper, Order, or Assignment Requirements

The basic format for a Snort rule is as follows:

<action> <protocol> <source IP> <source port> -> <destination IP> <destination port> (options)


Configure the following rule:

alert tcp any any -> $HOME_NET 80 (msg:"Possible SYN Flood"; classtype:attempted-dos; threshold: type threshold, track by_dst, count 1000, seconds 5; flags:S; sid:1000814;)
In addition to our SID increment there are three new parameters: The ‘flags’ parameter allows us to specify if the rule should check to see if various TCP flags are set. In this example, the rule will only match if the SYN flag is set. The ‘classtype’ parameter lets us further define our alert and provides another method for grouping and/or reporting on rules. The ‘threshold’ argument has a few of its own parameters. In our example the rule will send one alert if there are 1000 or more SYN connections attempted to the web server within a 5 second interval. Note that we have also changed the source IP and port to any/any, as we are not limiting this type of activity to just one source.

Alternatively we could use ‘track by_src’ if the goal was to identify 1000 or more SYN packets coming from a single IP.
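As an added example, not part of the original assignment text: a small Python parser that splits the rule above into its seven header fields and its options, plus a simplified model of the threshold semantics (alert on every count-th SYN within the seconds window, one counter per tracked address, so it also shows the by_src alternative). It assumes $HOME_NET as the destination address; the rule copy and the packet events are constructed.

```python
# Constructed copy of the page's rule; the destination address $HOME_NET is an assumption.
RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Possible SYN Flood"; classtype:attempted-dos; '
        'threshold: type threshold, track by_dst, count 1000, seconds 5; flags:S; sid:1000814;)')
HEADER_FIELDS = ["action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port"]

def split_options(opts):
    """Split 'key:value; ...' on ';' outside double quotes, so a msg containing ';' stays intact."""
    items, buf, quoted = [], "", False
    for ch in opts:
        quoted ^= (ch == '"')  # toggle inside/outside a quoted value
        if ch == ";" and not quoted:
            items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return [i for i in items if i]

def parse_rule(rule):
    """Return the 7-field header as a dict plus an 'options' dict (threshold expanded to sub-params)."""
    head, _, opts = rule.strip().partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("header must be <action> <proto> <src ip> <src port> -> <dst ip> <dst port>")
    parsed = dict(zip(HEADER_FIELDS, fields))
    options = {}
    for item in split_options(opts.rstrip().rstrip(")")):
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    if "threshold" in options:  # 'type threshold, track by_dst, count 1000, seconds 5'
        options["threshold"] = dict(p.split(None, 1) for p in options["threshold"].split(","))
    parsed["options"] = options
    return parsed

def threshold_alerts(rule, events):
    """Simplified 'type threshold': alert on every count-th packet within a 'seconds' window, one
    counter per tracked address. events: constructed (time, src, dst) tuples that matched flags:S."""
    th = rule["options"]["threshold"]
    count, seconds = int(th["count"]), int(th["seconds"])
    windows, alerts = {}, 0
    for t, src, dst in events:
        key = src if th["track"] == "by_src" else dst
        start, n = windows.get(key, (t, 0))
        if t - start >= seconds:  # window expired: start a fresh count
            start, n = t, 0
        n += 1
        if n % count == 0:
            alerts += 1
        windows[key] = (start, n)
    return alerts
```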

Questions: write a Snort rule for each of the following three cases:

1) A rule that looks for and logs TCP traffic from port 22 (SSH) on your network to any external network and any other port. (Take a screenshot.)
2) A rule that looks for and logs TCP traffic from port 22 (SSH) on your network to any external network and any other port, and sends the administrator the message 'Attempt for secured socket shell'. (Take a screenshot.)
3) A rule that looks for any TCP traffic coming into your network on port 80 with the content /cgi-bin/default.ida???????, and sends the administrator the message 'Code Red Worm'. (Take a screenshot.)
