Question

HERE ARE THE SPECIFIC REQUIREMENTS FOR YOUR INTRUSION DETECTION RULES:

You are to create several intrusion detection rules. Create these in a text file called '<firstname.lastname>.rules' located under /etc/snort/rules. Develop rules that implement the following policies:

    1. alert on any incoming pings to the server from .128. Your message should indicate: ".128 pinging the server."

    2. alert on any ftp traffic with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to FTP to server."

    3. alert on any telnet traffic with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to telnet to server."

    4. alert on any ssh traffic containing the keyword "SSH-2", from .128 to the server. Message should read: ".128 attempt to SSH to server."

    5. alert on any http traffic from .128 with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to the web server."

    6. alert on any http traffic with the SYN flag set from the CLASS A private network (10.0.0.0/8) to the server. Message should read "Possible DDOS."

    7. alert on any DNS traffic from 172.16.136.130 to the local DNS server (172.16.136.1) that contains the keyword "ubuntu." Message should read "DNS Query Ubuntu."

    8. alert on any packets from .128 to the server containing the text "supersecret.txt" (note this is the first time I didn't mention a service!)

    9. alert on any ftp traffic from the .128 to the server that contains the keyword "pfarnsworth". Message should read "Pfarnsworth over ftp".

    10. alert on any ssh traffic from .128 to the server with the FIN and ACK flags set. Message should read "F/A for SSH teardown."

    -----------

How I would do the assignment

1. Modify your snort.conf so that you've defined your SERVER, BADGUY (.128), and CLASS_A networks. Mine looked like this:

    ipvar HOME_NET 172.16.136.0/16
    ipvar SERVER 172.16.136.129
    ipvar CLASS_A 10.0.0.0/8
    ipvar BADGUY 172.16.136.128

All I really need is an idea of how to write rules 1-10. There is more to the assignment, but if I can get help on what the rules are, it would help me a ton.

Explanation / Answer

1. alert on any incoming pings to the server from .128. Your message should indicate: ".128 pinging the server."

    alert on any incoming pings to the server 128 "flow:from_server,pinging:128"

2. alert on any ftp traffic with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to FTP to server."

    alert on any ftp traffic with SYN flag set, (msg:FTP GET flow:from_server)

3. alert on any telnet traffic with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to telnet to server."

    alert on any telnet traffic with the SYN flag (msg:telnet GET flow:from_server)

4. alert on any ssh traffic containing the keyword "SSH-2", from .128 to the server. Message should read: ".128 attempt to SSH to server."

    alert on any ssh traffic containing the keyword (msg:ssh-2)

5. alert on any http traffic from .128 with the SYN flag set, from .128 to the server. Message should read: ".128 attempt to the web server."

    alert on any http traffic from 128 with SYN flag set (msg:SYN flag set)

6. alert on any http traffic with the SYN flag set from the CLASS A private network (10.0.0.0/8) to the server. Message should read "Possible DDOS."

    alert on any traffic with the SYN flag set from the CLASS A private network (10.0.0.0/8) to the server (msg:DDOS)

7. alert on any DNS traffic from 172.16.136.130 to the local DNS server (172.16.136.1) that contains the keyword "ubuntu." Message should read "DNS Query Ubuntu."

    alert on any DNS traffic from 172.16.136.130 to the local DNS server (172.16.136.1) that contains the keyword "ubuntu." (msg:"DNS zone" flow to ubuntu)

8. alert on any packets from .128 to the server containing the text "supersecret.txt" (note this is the first time I didn't mention a service!)

    alert on any packets from .128 to the server containing the text "supersecret.txt" (msg:"packet" supersecret.txt)

9. alert on any ftp traffic from the .128 to the server that contains the keyword "pfarnsworth". Message should read "Pfarnsworth over ftp".

    alert on any ftp traffic from the .128 to the server that contains the keyword "pfarnsworth". (msg:"pfarnsworth" flow to_ftp)

10. alert on any ssh traffic from .128 to the server with the FIN and ACK flags set. Message should read "F/A for SSH teardown."

    alert on any ssh traffic from .128 to the server with the FIN and ACK flags set. (msg:"ssh tear down" flow to_FIN ACK flags)
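Added example, not part of the question or the answer above: a complete <firstname.lastname>.rules that implements the ten policies in Snort 2 rule syntax, using the SERVER, BADGUY and CLASS_A ipvars from the snort.conf in the question, plus a small lint that catches the two things that most often stop Snort from loading a student rules file (a rule missing msg/sid/rev or a reused sid). The sid range 1000001-1000010, the message text for rule 8 (the assignment gives none), the flags:S,12 spelling and the default output path are our own choices, not anything the page specifies.

```sh
#!/bin/sh
# Added example, not code from the original post. Writes the ten Snort 2 rules
# the assignment asks for and lint-checks the file before Snort loads it.
# Assumed: ipvar names SERVER, BADGUY, CLASS_A from the question's snort.conf,
# the sid range 1000001-1000010, and the message text for rule 8.

write_rules() {
    # Rule shape: action proto src_ip src_port -> dst_ip dst_port (options;)
    # flags:S,12 = SYN set, ignoring the two ECN bits a SYN may carry;
    # flags:FA   = exactly FIN and ACK; itype:8 = ICMP echo request (ping).
    cat > "$1" <<'EOF'
# <firstname.lastname>.rules - load it from snort.conf with:
#   include $RULE_PATH/<firstname.lastname>.rules
alert icmp $BADGUY any -> $SERVER any (msg:".128 pinging the server."; itype:8; sid:1000001; rev:1;)
alert tcp $BADGUY any -> $SERVER 21 (msg:".128 attempt to FTP to server."; flags:S,12; sid:1000002; rev:1;)
alert tcp $BADGUY any -> $SERVER 23 (msg:".128 attempt to telnet to server."; flags:S,12; sid:1000003; rev:1;)
alert tcp $BADGUY any -> $SERVER 22 (msg:".128 attempt to SSH to server."; content:"SSH-2"; sid:1000004; rev:1;)
alert tcp $BADGUY any -> $SERVER 80 (msg:".128 attempt to the web server."; flags:S,12; sid:1000005; rev:1;)
alert tcp $CLASS_A any -> $SERVER 80 (msg:"Possible DDOS."; flags:S,12; sid:1000006; rev:1;)
# DNS over UDP/53; add a second rule with "tcp" if the lab resolver also uses TCP.
alert udp 172.16.136.130 any -> 172.16.136.1 53 (msg:"DNS Query Ubuntu."; content:"ubuntu"; nocase; sid:1000007; rev:1;)
# No service named, so match on the IP protocol; ip rules must use port "any".
alert ip $BADGUY any -> $SERVER any (msg:".128 sent supersecret.txt to server."; content:"supersecret.txt"; sid:1000008; rev:1;)
alert tcp $BADGUY any -> $SERVER 21 (msg:"Pfarnsworth over ftp"; content:"pfarnsworth"; nocase; sid:1000009; rev:1;)
alert tcp $BADGUY any -> $SERVER 22 (msg:"F/A for SSH teardown."; flags:FA; sid:1000010; rev:1;)
EOF
}

# Lint the file the way a failed "snort -T" would: every rule must carry
# msg, sid and rev and end with ";)", and no sid may be reused.
# Prints the rule count on success, an error on stderr and exit 1 otherwise.
check_rules() {
    file="$1"
    count=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            alert*'(msg:"'*'; sid:'*'; rev:'*';)') count=$((count + 1)) ;;
            *) printf 'malformed rule: %s\n' "$line" >&2; return 1 ;;
        esac
    done < "$file"
    dups=$(sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p' "$file" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate sid(s): %s\n' "$dups" >&2
        return 1
    fi
    printf '%s\n' "$count"
}

# Default to /tmp so the script can be tried without root; on the sensor set
# RULES_FILE=/etc/snort/rules/<firstname.lastname>.rules
RULES_FILE="${RULES_FILE:-/tmp/firstname.lastname.rules}"
write_rules "$RULES_FILE"
if n=$(check_rules "$RULES_FILE"); then
    echo "$RULES_FILE: $n rules pass the lint"
fi
```

After the file is in place and the include line has been added to snort.conf, validate the whole configuration with `sudo snort -T -c /etc/snort/snort.conf` before running the sensor; that is where a bad ipvar or a duplicate sid actually surfaces. Two things worth knowing when you look at the alerts: the "Possible DDOS" rule fires on every single SYN from 10.0.0.0/8 because the assignment asks for exactly that, whereas a real flood rule would add a `detection_filter` with a count and time window; and the SSH-2 rule only sees the client's version banner because the direction is fixed as $BADGUY -> $SERVER.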