Network Forensics: Tracking Hackers through Cyberspace (Fernando Lopez-Lezcano's Library) by Sherri Davidoff & Jonathan Ham

Author:Sherri Davidoff & Jonathan Ham
Language: eng
Format: epub
Publisher: Prentice Hall
Published: 2012-04-21T16:00:00+00:00

7.7.4 Examples

In this section we consider a couple of fairly simple Snort rules, examine packets that would trigger them, and then inspect the alerts that would result. Understanding how these three items correlate is very useful for any investigator.

• Snort Rule #1

Click here to view code image

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0;

itype:8; classtype:misc-activity; sid:384; rev:5;)

Above, we see a rule that will alert on any inbound ICMP traffic that is of type 8 code 0: an “Echo Request.” It is the fifth revision of the VRT’s rule number 384, and has been assigned a “classtype” that confers a priority of “3” (although you’d have to look at the Snort configuration to know that last part).

• Snort Packet #1

Click here to view code image

03:12:08.359790 IP 10.0.1.10 > 10.0.1.254: ICMP echo request, id 32335,

seq 0, length 64

0x0000: 4500 0054 eac8 0000 4001 78d9 0a00 010a [email protected].....

0x0010: 0a00 01fe 0800 75e4 7e4f 0000 e801 e349 ......u.~O.....I

0x0020: 487d 0500 0809 0a0b 0c0d 0e0f 1011 1213 H}..............

0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#

0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123

0x0050: 3435 3637 4567

Here we see an ICMP packet that is indeed an Echo Request. If we presume that 10.0.1.10 is part of the $EXTERNAL NET definition, and 10.0.1.254 is within the $HOME NET range, we would expect a match and an alert.

• Snort Alert #1

Click here to view code image

[**] [1:384:5] ICMP PING [**]

[Classification: Misc activity] [Priority: 3]

04/13-03:12:08.359790 10.0.1.10 -> 10.0.1.254

ICMP TTL:64 TOS:0x0 ID:38125 IpLen:20 DgmLen:84

Type:8 Code:0 ID:32335 Seq:1 ECHO

This is the resulting alert. The first line of all Snort alerts, as presented in the native text-based output, contains four items. The first and last are reputed to be ASCII-art representations of the Snort pig’s snout. Between them is a square-bracketed, colon-delimited set of three numbers.

The first of these three numbers is the “generator ID” (GID), which specifies the part of the Snort architecture that produced the alert. In this case, the GID is “1,” which denotes the Snort rule engine. Keep in mind that all of the preprocessors can generate alerts as well. Each has its own GID. The second number is the SID, and the third number is the revision, both exactly what we’d expect to see: SID 384 Rev 5. The remainder of the first line is the message option, which also matches what we’d expect to see based on the rule itself.

The remaining information in the alert paragraph above should be fairly straightforward to interpret. In the second line, we see the classtype and priority, and in the third line, we see the date and time stamp, followed by the source and destination IP address. On the fourth line, we see more Layer 3 header data, including encapsulated protocol (ICMP), time-to-live value, type-of-service (TOS) field value (presented in hexadecimal, as the TOS byte is really a series of smaller fields that must be interpreted in binary), the IP identification value (in decimal), and the IP header and total datagram lengths (also in decimal).

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.