Question

In: Computer Science

How is snort used to detect malicious activities?

Solutions

Expert Solution

Snort is a lightweight intrusion detection tool which logs the packets coming through the network and analyzes them. Snort checks the incoming packets against the rules written by the user and generates alerts if any matches are found. The rules are written by the user in a text file which is linked with the snort.conf file, where all the snort configurations are mentioned. There are a few commands which are used to get snort running so that it can analyze network behavior.

Snort uses a configuration file at start-up time. A sample configuration file, snort.conf, is included in the Snort distribution. You can use any name for the configuration file; however, snort.conf is the conventional name. You use the -c command line switch to specify the name of the configuration file. The following command uses /opt/snort/snort.conf as the configuration file. We can also save the configuration file in our home directory as snortrc, but the most commonly used method is specifying it on the command line. There are other advantages to using the configuration file name as a command line argument to Snort. It is possible to invoke multiple Snort instances on different network interfaces with different configurations.

$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i lo
This command should be run in our terminal to run snort using our snort configuration file. It can be modified to suit the user. Snort has various modes; a few of them are listed here.
Description of the command:
-c: specifies the config file
-i: specifies the interface; if a loopback address is being used then "lo" is written, for Ethernet "eth0" or "eth1" is written.
-A: it will print the output to the console
Once we run this command, type $ ping 127.0.0.1
We should see that snort logs this packet and displays it on the terminal. Here is the image of the terminal logging the ping packets.

Writing rules:
Rules are written by the user; snort will log the packets and generate an alert if it finds any match with the rules that the user defined in the rules file. Here is an example of how to write rules.
1. alert ip $EXTERNAL_NET any -> $HOME_NET any (ip_proto:igmp; sid:1000000; rev:1;)
   For IGMP traffic.
2. alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_cookie; sid:1000001; rev:1;)
   Detects the content in an unnormalised cookie header.
3. alert tcp any any -> any any (msg:"exploit"; content:"|90|"; sid:1000002; rev:1;)
4. alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:SF,12; msg:"SYN FIN scan"; sid:1000003; rev:1;)
5. alert tcp any any -> $HOME_NET 21 (msg:"Incoming FTP"; sid:1000004; rev:1;)
6. alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Invalid Content Found"; content:"terrorism"; nocase; sid:1000005; rev:1;)
7. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING ALERT"; icode:0; itype:8; sid:1000006; rev:1;)
8. alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10; sid:1000007; rev:1;)
9. log tcp !192.168.0.0/24 any -> $HOME_NET any (msg:"mounted access"; sid:1000008; rev:1;)
10. alert tcp any any -> $HOME_NET 21 (msg:"Possible FTP Login"; sid:1000009; rev:4;)
alert: it will generate alerts for matching packets
tcp: the protocol which is being used
any: it specifies logging packets coming from any IP address.
$HOME_NET: it is our local IP address; it is mapped in the snort.conf file
21: it tells snort to generate alerts for any packet which tries to send a request to port 21.

