Monitoring/Snort
snort - LOCAL RULES :: Creating Rules
bigju
2022. 2. 8. 09:00
Snort 2.9
A summary of the rules used with Snort
1. Local rules
1-1. Failed Telnet login attempt
alert icmp any any -> any any (msg:"Inter ICMP Message Test"; sid:1000001;)
alert tcp 10.10.10.20 23 -> any any (msg: "Telnet login failed"; content: "login incorrect"; nocase; sid: 1000000; rev: 2;)
1-2. Successful Telnet login with the test account
alert tcp any 23 -> any any (msg: "test user login"; content: "test@"; nocase; sid:1000001; rev: 1;)
1-3. Telnet brute force detection
alert tcp 10.10.10.0/24 23 -> any any (msg: "Telnet brute force attack"; threshold: type both,track by_src, count 4, seconds 20; content: "login incorrect"; sid: 1000002; rev: 3;)
1-4. SSH brute force detection
alert tcp any any -> 10.10.10.0/24 22 (msg: "SSH brute force attack"; threshold: type both, track by_src, count 5, seconds 20; sid:1000003; rev: 4;)
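Both brute force rules rely on the `threshold` option, and its `type` decides when the alert is actually emitted: `limit` alerts on the first `count` events per interval, `threshold` alerts on every `count`-th event, and `both` alerts once per interval on the `count`-th event and stays quiet for the rest of it. The Python script below is an added example, not code from the original post or from Snort itself. It parses the option string exactly as written in the rules above and replays a constructed series of login failures through a simplified model of those three types as the Snort 2.9 manual describes them. The names `parse_threshold`, `fired_alerts` and `EVENTS` are choices made for this example, and the event list is constructed. Note that Snort 2.9 marks the `threshold` rule keyword as deprecated in favour of `detection_filter`, although rules using it still load.

```python
def parse_threshold(option_value: str) -> dict:
    """Parse the value of a Snort 2 'threshold:' option, e.g.
    'type both, track by_src, count 5, seconds 20' (spacing is flexible)."""
    spec = {}
    for part in option_value.split(","):
        key, _, val = part.strip().partition(" ")
        spec[key.strip()] = val.strip()
    if spec.get("type") not in ("limit", "threshold", "both"):
        raise ValueError(f"bad threshold type: {spec.get('type')!r}")
    if spec.get("track") not in ("by_src", "by_dst"):
        raise ValueError(f"bad track value: {spec.get('track')!r}")
    spec["count"] = int(spec["count"])
    spec["seconds"] = int(spec["seconds"])
    return spec


def fired_alerts(spec: dict, events) -> list:
    """Replay (timestamp, src_ip, dst_ip) events that already matched the rule
    body and return the timestamps at which the thresholded alert is emitted.
    This is a simplified model of the Snort 2.9 semantics, not Snort's code."""
    state = {}  # tracked address -> (window_start, count_in_window)
    fired = []
    for ts, src, dst in events:
        key = src if spec["track"] == "by_src" else dst
        tstart, count = state.get(key, (ts, 0))
        if ts - tstart >= spec["seconds"]:  # window expired: start a new one
            tstart, count = ts, 0
        count += 1
        m = spec["count"]
        if spec["type"] == "limit" and count <= m:
            fired.append(ts)  # first m events in the window
        elif spec["type"] == "threshold" and count >= m:
            fired.append(ts)  # every m-th event
            count = 0
        elif spec["type"] == "both" and count == m:
            fired.append(ts)  # once per window, on the m-th event
        state[key] = (tstart, count)
    return fired


# Constructed events: host .50 fails SSH auth ten times in ten seconds,
# host .60 fails once, then .50 tries again after a pause longer than 20 s.
EVENTS = sorted(
    [(t, "10.10.10.50", "10.10.10.20") for t in range(10)]
    + [(7, "10.10.10.60", "10.10.10.20")]
    + [(t, "10.10.10.50", "10.10.10.20") for t in range(30, 35)]
)

if __name__ == "__main__":
    # Same count/seconds as rule 1-4, with each of the three types.
    for ttype in ("limit", "threshold", "both"):
        spec = parse_threshold(f"type {ttype}, track by_src, count 5, seconds 20")
        print(f"{ttype:9s} -> alerts at t = {fired_alerts(spec, EVENTS)}")
```

With the rule's `type both, count 5, seconds 20`, the ten rapid failures from one source produce a single alert (on the fifth attempt), and the retry thirty seconds later has to accumulate five failures again before a second alert fires; `type threshold` would have alerted twice during the first burst, and `type limit` would alert on every attempt up to the fifth.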
1-5. Detecting admin page access by non-administrator users
alert tcp any any -> 10.10.10.20 80 (msg: "HTTP Web adminpage access"; content: "/admin/index.html"; nocase; sid: 1000004;)
1-6. Scan detection
# NULL Scan
alert tcp any any -> 10.10.10.0/24 any (msg:"NULL Scanning Detect"; flags:!SAPURFCE; threshold:type both, track by_src, count 10, seconds 30; sid:1000006;)
# X-mas Scan
alert tcp any any -> 10.10.10.0/24 any (msg:"X-mas Scanning Detect"; flags:UPF; threshold:type both, track by_src, count 10, seconds 30; sid:1000007;)
# Directory Listing detection
alert tcp 10.10.10.0/24 80 -> any any (msg:"Directory Listing Detect"; content:"to parent directory"; nocase; sid:1000008;)
# DoS detection
# ping of death
alert ip any any -> 10.10.10.0/24 any (msg:"[DOS] ping of death detection"; content:"|58|"; threshold:type both, track by_dst, count 20, seconds 10; sid:1000009;)
# Land Attack
alert ip any any -> 10.10.10.0/24 any (msg:"[DOS] Land Attack Detection"; sameip; threshold:type both, track by_dst, count 20, seconds 10; sid:1000010;)
# Smurf Attack
alert icmp any any -> 10.10.10.255 any (msg:"[DOS] Smurf Attack Detection"; threshold:type both, track by_dst, count 10, seconds 10; sid:1000011;)
# HTTP Slowloris Attack
alert tcp any any -> 10.10.10.0/24 80 (msg:"[DDOS] HTTP Slowloris Attack Detection"; flow:established; pcre:"/[^\x0d\x0a]\x0d\x0a$/"; threshold:type both, track by_dst, count 30, seconds 10; sid:1000012;)
# Zone Transfer Attack
alert tcp !10.10.10.100 any -> 10.10.10.20 53 (msg:"Zone Transfer Attack"; sid:1000013;)
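A hand-written local.rules file fails in predictable ways: a rule without its closing parenthesis, a final option without its `;`, or two rules that share a `sid`. Snort 2.9 treats a sid reused with a different protocol as a load-time error, which is worth checking here because the ICMP test rule under 1-1 and the test-account rule under 1-2 both carry sid 1000001. The Python linter below is an added example, not code from the original post or from Snort: it parses each rule's header and option block, splits options on semicolons that are outside quoted strings (so a `;` inside a `pcre` or `content` string is not mistaken for an option boundary), and reports those three problems plus a missing `msg` or `sid`. `HEADER_RE`, `split_options`, `lint_rules` and `SAMPLE_RULES` are names chosen for this example, and the sample rule text is constructed, patterned on the rules above, so that each check trips once.

```python
import re

# Rule header: action proto src sport direction dst dport (everything before '(')
HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+"
    r"(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$"
)


def split_options(body: str):
    """Split a rule's option body on ';' characters outside double quotes.
    Returns (options, tail); a non-empty tail means the last option had no ';'."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:               # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return opts, "".join(cur).strip()


def lint_rules(text: str) -> list:
    """Report common slips in a Snort 2 rules file: unparseable header, missing
    closing ')', option without ';', missing msg/sid, duplicate sid."""
    findings = []
    seen_sids = {}  # sid -> line where it was first defined
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        paren = line.find("(")
        if paren < 0:
            findings.append(f"line {lineno}: no option block")
            continue
        if not HEADER_RE.match(line[:paren].strip()):
            findings.append(f"line {lineno}: unparseable rule header")
            continue
        body = line[paren + 1:]
        if body.endswith(")"):
            body = body[:-1]
        else:
            findings.append(f"line {lineno}: missing closing ')'")
        opts, tail = split_options(body)
        if tail:
            findings.append(f"line {lineno}: option '{tail}' lacks trailing ';'")
            opts.append(tail)
        kv = {}
        for opt in opts:
            key, _, val = opt.partition(":")
            kv.setdefault(key.strip(), val.strip())
        if "msg" not in kv:
            findings.append(f"line {lineno}: missing msg")
        sid = kv.get("sid")
        if sid is None:
            findings.append(f"line {lineno}: missing sid")
        elif sid in seen_sids:
            findings.append(f"line {lineno}: duplicate sid {sid} (first defined on line {seen_sids[sid]})")
        else:
            seen_sids[sid] = lineno
    return findings


# Constructed sample: line 3 lacks the final ';', line 4 reuses sid 1000001
# from line 2, and line 5 lacks the closing ')'. Line 6 is clean.
SAMPLE_RULES = r"""# local rules (constructed sample)
alert icmp any any -> any any (msg:"Inter ICMP Message Test"; sid:1000001;)
alert tcp 10.10.10.20 23 -> any any (msg: "Telnet login failed"; content: "login incorrect"; nocase; sid: 1000000; rev: 2)
alert tcp any 23 -> any any (msg: "test user login"; content: "test@"; nocase; sid:1000001; rev: 1;)
alert tcp 10.10.10.0/24 80 -> any any (msg:"Directory Listing Detect"; content:"to parent directory"; nocase; sid:1000008;
alert tcp any any -> 10.10.10.0/24 80 (msg:"[DDOS] HTTP Slowloris Attack Detection"; flow:established; pcre:"/[^\x0d\x0a]\x0d\x0a$/"; threshold:type both, track by_dst, count 30, seconds 10; sid:1000012;)
"""

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Running it over a real local.rules before `snort -T -c snort.conf` catches the mechanical mistakes without waiting for Snort's own parser, and the duplicate-sid check in particular is the one a growing rule set most often needs.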