Understanding Snort Response Mechanisms: Comprehensive Guide to Protocol Analysis and IP Address Configuration

Analysis of Rule Writing

Syntax Analysis

alert icmp any any <> $HOME_NET any (logto:"task1";msg:"---msg---";sid:100001)
1    2   3  4   5     6    7          8


1. Response Mechanism

The response mechanism (field 1, the rule action) tells Snort what to do when a packet matches the rule: raise an alert, log the packet, ignore it, or hand control to another rule.

Snort has five response mechanisms for rules:

alert      #Alert and log the packet
pass       #Ignore the packet
log        #Log the packet without alerting
activate   #Alert and then turn on another dynamic rule
dynamic    #Idle until turned on by an activate rule, then acts like a log rule

2. Protocol

Snort can analyze the following protocols: TCP, UDP, and ICMP

3 and 4: Source IP address and source port

Source IP address   Source port   #Addresses must be numeric IPs or CIDR blocks (or a variable such as $HOME_NET), never hostnames; any matches everything

5 Packet Flow Direction

-> One way
<- One way
<> Two way

6 and 7: Destination IP address and destination port

Destination IP address   Destination port   #Same rules as for the source fields

8 Optional Content

 1 msg      Print a message in alerts and logged data.
 2 logto    Log matching packets to a user-specified file.
 3 ttl      Test the TTL field of the IP header.
 4 id       Test whether the IP fragment ID field equals a specific value.
 5 dsize    Test whether the packet payload size equals a specific value.
 6 content  Search the payload for a specific pattern.
 7 offset   Set where in the payload the content search starts.
 8 depth    Set how far into the payload the content search extends.
 9 nocase   Make the content search case-insensitive.
10 flags    Test whether the TCP flags equal a specific value.
11 seq      Test whether the TCP sequence number matches a specific value.
12 ack      Test whether the TCP acknowledgement field matches a specific value.
13 itype    Test whether the ICMP type field equals a specific value.
14 icode    Test whether the ICMP code field equals a specific value.
15 session  Capture the application-layer data of the matching session.
16 icmp_id  Test whether the ICMP ECHO ID field equals a specific value.
17 icmp_seq Test whether the ICMP ECHO sequence number equals a specific value.
18 ipoption Test whether the IP header options contain a specific value.
19 rpc      Match specific RPC application, procedure and version numbers.
20 resp     Active response when the rule fires.

Format: keyword:"value"; options are separated by semicolons inside the parentheses, and keywords that take no value (such as nocase) appear alone.
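To make the eight-field structure concrete, here is an added example (not from the original page) that parses a rule into its header fields and option map, using the actions, protocols and option format described above; it assumes a rule header with the two direction operators -> and <>, and that semicolons inside quoted values are part of the value.

```python
import re

# Field 1 actions and field 2 protocols as listed on this page.
ACTIONS = {"alert", "pass", "log", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp"}

# Fields 1-7 are whitespace separated; field 8 is the parenthesised option list.
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def split_options(body):
    """Split 'key:"value";key2;...' on semicolons that are not inside quotes."""
    items, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    options = {}
    for item in items:
        if not item.strip():
            continue  # a trailing ';' before ')' leaves an empty item
        key, _, value = item.strip().partition(":")
        # keywords such as nocase carry no value and map to ""
        options[key.strip()] = value.strip().strip('"')
    return options

def parse_rule(rule):
    """Return the eight rule fields as a dict, rejecting malformed rules."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + rule)
    if m["action"] not in ACTIONS:
        raise ValueError("unknown action: " + m["action"])
    if m["proto"].lower() not in PROTOCOLS:
        raise ValueError("unsupported protocol: " + m["proto"])
    fields = {k: m[k] for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    fields["options"] = split_options(m["opts"])
    if "sid" not in fields["options"]:
        raise ValueError("rule has no sid")  # every rule needs a unique sid
    return fields
```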

Alert Setup

Snort Execution Parameters

-c     Specify configuration file
-l     Specify log directory
-L     Specify log record name, used with -l
-r     Specify pcap packets to read
and src IP
and src/dst port number

Interface Configuration Parameters
-i     #Specify the interface to listen on
-I     #Include the interface name in alert output

-h     Specify the home network; 192.168.0.0/24 means all hosts in that subnet
-dve   Combined flags: -d dumps application-layer data, -v enables verbose output, -e displays link-layer headers

Alarm Mode Settings

-A fast  #Fast alert mode. Writes alerts in a simple format with timestamp, alert message, source and destination IP/port
-A full  #Full alert mode. This is the default alert mode, automatically used if no mode is specified
-A unsock #Send alerts to a UNIX socket where another program can listen
-A none  #Disable alerts
-A console #Send "fast format" alerts to the console
-A cmg    #Generate "cmg format" alerts

Details of snort.conf

1) Set the network variables #Configure the IP and port variables used by the rules section and the paths to rules and library files
2) Configure the decoder #Decoder alerts
3) Configure the base detection engine #Configure parameters for the basic detection engine
4) Configure dynamic loaded libraries #Configure dynamic library load paths and dynamic rule paths
5) Configure preprocessors #Configure preprocessor switches, converting part of the protocol data into variables
6) Configure output plugins #Configure the output method in high-speed mode
7) Customize your rule set #Configure custom rules
8) Customize preprocessor and decoder rule set #Configure preprocessor and decoder rule sets
9) Customize shared object rule set #Configure shared object rules

# Set the network addresses to be protected
ipvar HOME_NET any

# Set external network addresses. Retain as any in most cases
ipvar EXTERNAL_NET any

# List of DNS servers on your network
ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of SQL servers on your network 
ipvar SQL_SERVERS $HOME_NET

# List of Telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of SSH servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of FTP servers on your network
ipvar FTP_SERVERS $HOME_NET

# List of SIP servers on your network
ipvar SIP_SERVERS $HOME_NET

# List of ports running web servers
portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,443,555,591,593,623,631,664,801,808,818,901,972,1158,1220,1270,1414,1533,1581,1719,1720,1741,1801,1812,1830,1942,2231,2301,2375,2381,2578,2809,2869,2980,3000,3029,3037,3057,3128,3443,3702,4000,4343,4592,4848,5000,5054,5060,5061,5117,5222,5250,5416,5443,5450,5480,5555,5600,5814,5894,5984,5985,5986,6080,6173,6988,7000,7001,7005,7070,7071,7080,7144,7145,7180,7181,7510,7770,7777,7778,7779,8000,8001,8008,8014,8015,8020,8028,8040,8080,8081,8082,8085,8088,8090,8095,8118,8123,8161,8180,8181,8182,8222,8243,8280,8300,8333,8344,8393,8400,8443,8484,8500,8509,8694,8787,8800,8852,8880,8888,8899,8983,9000,9001,9002,9050,9060,9080,9090,9091,9111,9200,9201,9290,9443,9447,9700,9710,9788,9830,9850,9999,10000,10080,10100,10250,10255,10297,10443,11371,12601,13014,14592,15489,16000,16992,16993,16994,16995,17000,18081,19980,29991,30007,30018,30888,33300,34412,34443,34444,36099,40007,41080,44449,49152,49153,50000,50002,50452,51423,53331,54444,55252,55555,56712]

# List of shellcode ports. Shellcode is machine code delivered through a software vulnerability; !80 means every port except 80
portvar SHELLCODE_PORTS !80

# List of ports likely to witness Oracle attacks
portvar ORACLE_PORTS 1024:

# List of ports to search for SSH connections
portvar SSH_PORTS 22

# List of ports running FTP servers
portvar FTP_PORTS [21,2100,3535]

# List of ports running SIP servers
portvar SIP_PORTS [5060,5061,5600]

# File data port list used for file checking
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

# GTP port list for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]

# Other variables, do not modify
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Your rule file path (can be relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

# If using whitelist/blacklist preprocessor, please configure these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

Three kinds of variables

ipvar     Defines a set of IPs: a single IP or multiple IPs/CIDR blocks. Example: ipvar example [1.1.1.1,2.2.2.0/24]
portvar   Defines a set of ports: a single port, multiple ports, or a port range. Example: portvar example [80,91:94]
var       Defines a general variable. Example: var PREPROC_RULE_PATH ../preproc_rules
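The ipvar/portvar syntax above (lists, N:M ranges, open-ended ranges like 1024:, !negation and $VAR references such as [$HTTP_PORTS,110,143]) is easiest to understand by resolving it against a packet. The following is an added example, not part of the original page or of Snort itself; the snort.conf fragment it loads is constructed sample data, and it handles flat lists only (no nested brackets).

```python
import ipaddress

# Constructed snort.conf fragment (sample values, not a real configuration).
CONF = """
ipvar HOME_NET [192.168.0.0/24,10.0.0.5]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080:8090]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""

def load_vars(text):
    """Collect ipvar/portvar/var definitions into a {name: raw value} map."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("ipvar", "portvar", "var"):
            found[parts[1]] = parts[2]
    return found

def _resolve(spec, value, variables, leaf):
    """Shared handling of any, !negation, $VAR references and flat [a,b,...] lists."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _resolve(spec[1:], value, variables, leaf)
    if spec.startswith("$"):
        return _resolve(variables[spec[1:]], value, variables, leaf)
    if spec.startswith("[") and spec.endswith("]"):
        return any(_resolve(i, value, variables, leaf) for i in spec[1:-1].split(","))
    return leaf(spec, value)

def _port_leaf(spec, port):
    """Single port N, or range N:M where an empty side means 0 or 65535."""
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def _ip_leaf(spec, ip):
    """Single address or CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port, variables):
    return _resolve(spec, port, variables, _port_leaf)

def ip_matches(spec, ip, variables):
    return _resolve(spec, ip, variables, _ip_leaf)
```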