Question

In: Computer Science

Write a snort rule that will fire when you browse to craigslist.org from the machine Snort is running on; it should look for any outbound TCP request to craigslist.org and alert on it.

Solutions

Expert Solution

1. Install Snort into your operating system.
    >> sudo apt-get install snort

2. Read through Snort's configuration guide and edit /etc/snort/snort.conf as needed for your machine

3. When you run snort you'll see many errors/warnings in the output. Warnings about duplicate rules are okay, but others aren't.

4. Read about Snort's rule syntax and configuration

Trigger some alerts
    Find two different rules in the /etc/snort/rules/*.conf files and read about them, understand them. Now try to trigger the rules. Some of the simpler rules to trigger are based on finding bad data in web requests. Many inbound tests need incoming requests on established connections. You can start a simple webserver like this: sudo python -m SimpleHTTPServer 80

    Once triggered, view the alert in /var/log/snort. It will be in binary, so you'll need to convert it from Snort's unified2 format into human readable using:

    gmu@gmu-virtual-machine:/var/log/snort$ u2spewfoo snort.log

    Turn in:
      - The alert signature (from the rules file)
      - A description of how you triggered the alert
      - The alert itself from the log file (after converting it to readable text)

    Do this for two Snort rules.

Problem 2: Writing your own rules
In this part you need to write a rule that will fire when you browse to craigslist.org from the machine Snort is running on. So it should look for any outbound TCP request to craigslist.org and alert on it. The alert should also fire, for example, for any of the pages under the main page. You should add your rule into /etc/snort/rules/local.rules. Make sure to pick a SID 1000000. Make sure your rule does NOT trigger when you go to other .org sites.

    Turn in:
      - The alert signature (from the rules file)
      - The alert itself from the log file (after converting it to readable text)
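As an added example (not part of the original answer or of the assignment text), here is one way to write the Problem 2 rule for Snort 2.9 with the stock http_inspect preprocessor enabled, plus a second rule that goes beyond the assignment by covering HTTPS, where the hostname is only visible in the TLS ClientHello's server name (SNI). $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are assumed to be the defaults from snort.conf; the msg strings, rev numbers and the second rule's SID 1000001 are my own choices. The important design point for the "must not fire on other .org sites" requirement is that a bare content match on "craigslist.org" would also fire on a Referer header (e.g. when you follow a link from craigslist to some other .org site) or on a host such as notcraigslist.org, so the match is anchored to the Host header line.

```snort
# Added example rules for /etc/snort/rules/local.rules (not from the original page).

# Rule 1: plain HTTP. The fast content match finds the hostname anywhere in the
# normalized request headers; the pcre then requires it on the Host: line,
# either bare or as a subdomain (www., sfbay., ...), optionally with a :port.
# Path does not matter, so every page under the main page also fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL outbound HTTP request to craigslist.org"; \
    flow:to_server,established; \
    content:"craigslist.org"; nocase; http_header; \
    pcre:"/^Host\x3a\s*(?:[^\r\n]*\.)?craigslist\.org(?:\x3a\d+)?\s*$/Hmi"; \
    classtype:policy-violation; sid:1000000; rev:1; \
)

# Rule 2 (my addition beyond the assignment): HTTPS. The Host header is
# encrypted, but the TLS ClientHello carries the server name in clear.
# |16 03| = record type handshake, major version 3; the handshake type byte
# |01| (ClientHello) sits 3 bytes further on (minor version + 2-byte length).
# The pcre requires a non-hostname byte before "craigslist.org" (the SNI
# length byte, or a '.' for a subdomain) and no hostname byte after it, so
# notcraigslist.org and craigslist.org.example do not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"LOCAL outbound TLS ClientHello with SNI craigslist.org"; \
    flow:to_server,established; \
    content:"|16 03|"; depth:2; \
    content:"|01|"; distance:3; within:1; \
    content:"craigslist.org"; nocase; \
    pcre:"/(?:^|[^a-z0-9-])craigslist\.org(?:[^a-z0-9.-]|$)/i"; \
    classtype:policy-violation; sid:1000001; rev:1; \
)
```

After adding the rules, validate the configuration with `sudo snort -T -c /etc/snort/snort.conf` before running Snort for real; a typo in a pcre or an unknown classtype shows up there rather than as a silent non-match. Rule 1 depends on http_inspect being active for the HTTP ports in snort.conf, since the `http_header` buffer and the pcre `H` flag only exist on traffic that preprocessor has parsed. Rule 2 inspects the start of the client-to-server stream, which after reassembly begins with the ClientHello; it is a constructed check, not a full TLS parser, so a very unusual ClientHello could slip past it, but a craigslist page fetched from a normal browser produces exactly one alert per connection. Once an alert has fired, convert /var/log/snort output with u2spewfoo as shown above.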

