Network Forensics: Tracking Hackers through Cyberspace (Fernando Lopez-Lezcano's Library) by Sherri Davidoff & Jonathan Ham
Author: Sherri Davidoff & Jonathan Ham
Language: eng
Format: epub
Publisher: Prentice Hall
Published: 2012-04-21T16:00:00+00:00
7.7.4 Examples
In this section we consider a couple of fairly simple Snort rules, examine packets that would trigger them, and then inspect the alerts that would result. Understanding how these three items correlate is very useful for any investigator.
• Snort Rule #1
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
Above, we see a rule that will alert on any inbound ICMP traffic that is of type 8 code 0: an “Echo Request.” It is the fifth revision of the VRT’s rule number 384, and has been assigned a “classtype” that confers a priority of “3” (although you’d have to look at the Snort configuration to know that last part).
• Snort Packet #1
03:12:08.359790 IP 10.0.1.10 > 10.0.1.254: ICMP echo request, id 32335, seq 0, length 64
0x0000: 4500 0054 eac8 0000 4001 78d9 0a00 010a E..T....@.x.....
0x0010: 0a00 01fe 0800 75e4 7e4f 0000 e801 e349 ......u.~O.....I
0x0020: 487d 0500 0809 0a0b 0c0d 0e0f 1011 1213 H}..............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637                               4567
Here we see an ICMP packet that is indeed an Echo Request. If we presume that 10.0.1.10 is part of the $EXTERNAL_NET definition, and 10.0.1.254 is within the $HOME_NET range, we would expect a match and an alert.
• Snort Alert #1
[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
04/13-03:12:08.359790 10.0.1.10 -> 10.0.1.254
ICMP TTL:64 TOS:0x0 ID:38125 IpLen:20 DgmLen:84
Type:8 Code:0 ID:32335 Seq:1 ECHO
This is the resulting alert. The first line of all Snort alerts, as presented in the native text-based output, contains four items. The first and last are reputed to be ASCII-art representations of the Snort pig’s snout. Between them is a square-bracketed, colon-delimited set of three numbers.
The first of these three numbers is the “generator ID” (GID), which specifies the part of the Snort architecture that produced the alert. In this case, the GID is “1,” which denotes the Snort rule engine. Keep in mind that all of the preprocessors can generate alerts as well. Each has its own GID. The second number is the SID, and the third number is the revision, both exactly what we’d expect to see: SID 384 Rev 5. The remainder of the first line is the message option, which also matches what we’d expect to see based on the rule itself.
The remaining information in the alert paragraph above should be fairly straightforward to interpret. In the second line, we see the classtype and priority, and in the third line, we see the date and time stamp, followed by the source and destination IP addresses. On the fourth line, we see more Layer 3 header data, including the encapsulated protocol (ICMP), time-to-live value, type-of-service (TOS) field value (presented in hexadecimal, as the TOS byte is really a series of smaller fields that must be interpreted in binary), the IP identification value (in decimal), and the IP header and total datagram lengths (also in decimal).
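The correlation this section describes, as an added example that is not from the book: Python code that parses the rule, the first 32 bytes of the packet, and the alert shown above, then checks that the three agree on protocol, ICMP type and code, GID:SID:Rev, message, and addresses. The function names are illustrative, and the rule parser assumes simple rules with no semicolons inside option values.

```python
import re

# Rule, packet bytes and alert text copied from the section above.
RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; '
        'icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)')
PACKET_HEX = ("4500 0054 eac8 0000 4001 78d9 0a00 010a "
              "0a00 01fe 0800 75e4 7e4f 0000 e801 e349")
ALERT = """[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
04/13-03:12:08.359790 10.0.1.10 -> 10.0.1.254
ICMP TTL:64 TOS:0x0 ID:38125 IpLen:20 DgmLen:84
Type:8 Code:0 ID:32335 Seq:1 ECHO"""

def parse_rule(rule):
    """Return (protocol, options); assumes no ';' inside option values."""
    header, _, body = rule.partition("(")
    pairs = (o.strip().partition(":") for o in body.rstrip(") ").split(";") if o.strip())
    return header.split()[1], {k: v.strip().strip('"') for k, _, v in pairs}

def parse_packet(hexdump):
    """Decode protocol, addresses and ICMP type/code from the raw IPv4 bytes."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    return {"proto": raw[9], "itype": raw[ihl], "icode": raw[ihl + 1],
            "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20]))}

def parse_alert(text):
    """Extract GID:SID:Rev, message, addresses and ICMP type/code from a text alert."""
    gid, sid, rev, msg = re.search(r"\[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]", text).groups()
    src, dst = re.search(r"(\S+) -> (\S+)", text).groups()
    itype, icode = re.search(r"Type:(\d+)\s+Code:(\d+)", text).groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "src": src, "dst": dst, "itype": int(itype), "icode": int(icode)}

def correlate(rule_text, packet_hex, alert_text):
    """Return names of failed checks; an empty list means all three artifacts agree."""
    proto, o = parse_rule(rule_text)
    p, a = parse_packet(packet_hex), parse_alert(alert_text)
    checks = {
        "rule matches packet": proto == "icmp" and p["proto"] == 1 and
            (int(o["itype"]), int(o["icode"])) == (p["itype"], p["icode"]),
        "alert names rule": (a["gid"], a["sid"], a["rev"], a["msg"]) ==
            (1, int(o["sid"]), int(o["rev"]), o["msg"]),
        "alert describes packet": (a["src"], a["dst"], a["itype"], a["icode"]) ==
            (p["src"], p["dst"], p["itype"], p["icode"]),
    }
    return [name for name, ok in checks.items() if not ok]

print(correlate(RULE, PACKET_HEX, ALERT) or "rule, packet and alert are consistent")
```

A non-empty result names the link that breaks, for example an alert whose revision does not match the rule file on disk.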
