COEN 252 Computer Forensics: content summary

Snort Rules
- flow: to_server,established
- content: "|31c031db 41c9b046 cd80 31c031db|". Snort will look whether the packet contains this string, the dangerous payload.
- reference: bugtraq,1387. Snort allows links to third-party warnings.
- classtype: attempted-admin. Class types allow users to quickly scan for attack types.
- sid: 344. Snort rule unique identifier. Can be checked against
- rev: 4. All rules are part of a revision process to limit false positives and detect new attacks.

Snort Rules
- Activation: Alert and then turn on another dynamic rule.
- Dynamic: Log the traffic when called by the above activation rule.
- Pass: Ignore the traffic.
- Log: Log the traffic, but do not alert.

Snort Rules
- TCP: TCP protocol, for example SMTP, HTTP, FTP
- UDP: For example DNS traffic
- ICMP: For example ping, traceroute
- IP: For example IPSec, IGMP

Snort Rules
- Content: Content checked by the Boyer-Moore pattern matching algorithm.
- Flow: Link to the detection plugins.

Using Snort
- Install with libpcap / WinPcap.
- Move config / rule files to the correct directory and alter them.
- Use Snort from the command line.
- Snort can be used to sniff or to decode.

Using Snort: Sniffer Mode
- Runtime switches:
  -v verbose
  -d dump packet payloads
  -x dump entire packet in hex
  -a display ARP packets // does not work on your version.
  -e display link layer data
- Example: snort -dvae

Using Snort: Packet Logger Mode
- Tell Snort to output packets to a log file.
- Command line options:
  -l dump packets into log directory
  -b log packets in binary (tcpdump) format
- Example: snort -b -l /temp/snort

Using Snort
- Binary log files are in tcpdump format
- Can be read by Snort with the -r switch
- Readback can be used to dump, log, or perform detection

Using Snort: Full Text Logging
- Packets are logged in plain ASCII format
- One file created per protocol/port pair
- A port scan creates too many files.

Using Snort: NIDS Mode
- Load Snort with a set of rules, configure packet analysis plugins, and let it monitor hostile network activity.

Using Snort
- Use the -c switch to specify the configuration file.
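As an added example (not from the lecture slides or the Snort project), the following Python parses a rule built from the option values the slides show (content, reference, classtype, sid 344, rev 4), decodes Snort's "|hex|" content notation into bytes, and checks constructed sample payloads against it; the rule header and the payloads are assumptions, and Python's substring search stands in for Snort's Boyer-Moore matcher.

```python
from typing import Dict, List

# Constructed rule: the options come from the slide, the header (action,
# protocol, addresses, ports) is an assumption and not the page's.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"EXPLOIT x86 linux shellcode"; flow:to_server,established; '
        'content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; '
        'classtype:attempted-admin; sid:344; rev:4;)')

def parse_rule(rule: str) -> Dict[str, List[str]]:
    """Split a rule into header fields plus an option map (key -> values).
    Options are split on ';', so a ';' inside a msg string is not supported."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, _, dst, dport = header.split()
    opts: Dict[str, List[str]] = {'action': [action], 'proto': [proto], 'src': [src],
                                  'sport': [sport], 'dst': [dst], 'dport': [dport]}
    for opt in body.rstrip(')').split(';'):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(':')
            opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def decode_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes: text outside |...| is
    literal, hex digit pairs inside |...| (spaces ignored) become bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split('|')):
        out += bytes.fromhex(chunk.replace(' ', '')) if i % 2 else chunk.encode('latin-1')
    return bytes(out)

def payload_matches(opts: Dict[str, List[str]], payload: bytes) -> bool:
    """True when every content option of the rule occurs in the payload."""
    return all(decode_content(c) in payload for c in opts.get('content', []))

def alert_for(rule: str, payload: bytes) -> str:
    """Return an alert line in the form '[sid:rev] msg (classtype)', or '' if no match."""
    opts = parse_rule(rule)
    if opts['action'] == ['alert'] and payload_matches(opts, payload):
        return f"[{opts['sid'][0]}:{opts['rev'][0]}] {opts['msg'][0]} ({opts['classtype'][0]})"
    return ''

# Constructed sample payloads: one carries the byte sequence the rule looks
# for inside an FTP command, the other is an ordinary login.
SHELLCODE_HIT = b'USER ' + b'\x90' * 8 + bytes.fromhex('31c031db41c9b046cd8031c031db') + b'\r\n'
BENIGN = b'USER anonymous\r\n'

if __name__ == '__main__':
    print(alert_for(RULE, SHELLCODE_HIT))   # [344:4] EXPLOIT x86 linux shellcode (attempted-admin)
    print(repr(alert_for(RULE, BENIGN)))    # ''
```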