Course: Network Security - Protecting Your Network Assignment

Added on  2022/08/22

Homework Assignment
Running head: PROTECTING YOUR NETWORK
FIREWALL AND NETWORK SECURITY
(Student’s Name)
(Professor’s Name)
(Course Title)
(Date of Submission)
Question one: Complete the Rule
alert tcp $EXTERNAL_NET 31337 -> $HOME_NET any (msg:"SCAN SYN FN";
flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)
Question two: If you made a change to this rule, what would you do to the "rev" field? Why would
this be important?
It is important to note that the section within the parentheses is known as the rule options section. This
is where the rule's message, attack classification, and flags are defined. The "rev" field
shows the revision number of a given rule. When a rule is made more accurate or otherwise improved,
the signature is updated and the revision number is normally increased by one. This way one can identify
which version of the rule triggered an alert.
Question Three: Complete the rule below to check for the text string "malware" in the payload
section of a TCP packet, starting after 32 bytes:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware String Detected";
content:"malware"; offset:32; nocase; flow:to_client,established; classtype:Suspicious-Traffic;
sid:2011010; rev:1;)
Question four: In question #3, why would using this option or similar options be beneficial to
creating a good rule?
This enables Snort to run only a few checks.
Question Five: What would be some of the options you as the signature writer could add to your
rule to give other users some insight as to why a rule was created?
Signatures are created to analyze protocols. One can use additional tools, which include plugins for PHP
and web servers, to display logs via a web interface.
Question six: What is the name of the file that contains the configuration of Snort? Where is it
usually located in the Linux build?
Those who have worked with Snort will note that Snort reads a configuration file at
startup time. The file that contains the Snort configuration is called snort.conf. On Linux,
snort.conf is located in the directory /etc/snort (Baker & Esler, 2007).
Question seven: Can two rules share the same SID? Why or Why not?
It is important to note that the SID is specifically used to identify Snort rules. This means that the SID MUST
be unique for each and every rule. Even when one creates custom rules, the SID ought to be
unique. However, if one uses the GID together with the SID (GID:SID), SIDs can be duplicated as long as the
GIDs differ. For example, 1:20019 and 1:20019 is not allowed, but 2:20019 and 1:20019 is
allowed (Beale & Foster, 2009).
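As an added illustration of the rule structure covered in questions one, three and seven (not part of the original assignment), the following Python parser splits Snort rules into header fields and options, checks GID:SID uniqueness, and applies a content/offset/nocase match to a payload. The rules and payloads are constructed samples with assumed SIDs.

```python
import re

# Constructed sample rules for this demonstration (assumed SIDs, not from a real rule set).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware String Detected"; '
    'content:"malware"; offset:32; nocase; sid:2011010; rev:1;)',
    'alert tcp $EXTERNAL_NET 31337 -> $HOME_NET any (msg:"Port 31337 SYN FIN scan"; '
    'flags:SF; sid:2011010; rev:1;)',                       # same GID (default 1) and SID as above
    'alert ip 192.0.2.10 any -> $HOME_NET any (msg:"Known bad IP"; gid:2; sid:2011010; rev:3;)',
]

# Header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Options: key[:value]; where a value may be a quoted string containing ';'
OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]+))?\s*;')

def parse_rule(rule):
    """Split a Snort rule into its header fields and a dict of rule options."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("malformed rule header: " + rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for key, val in OPTION.findall(body):
        opts[key] = val.strip('"') if val else True  # flag options such as nocase carry no value
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": opts}

def duplicate_sids(rules):
    """Return (gid, sid) pairs that occur more than once; the GID defaults to 1."""
    seen, dups = set(), []
    for r in rules:
        key = (r["options"].get("gid", "1"), r["options"]["sid"])
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups

def content_matches(rule, payload):
    """Apply a single content option with optional offset and nocase to a raw payload."""
    opts = rule["options"]
    needle, hay = opts["content"].encode(), payload
    if "nocase" in opts:
        needle, hay = needle.lower(), hay.lower()
    # offset moves the start of the search; bytes before it are never examined
    return hay.find(needle, int(opts.get("offset", 0))) != -1

PARSED = [parse_rule(r) for r in RULES]
```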
Question Eight: Pick one of the Snort preprocessors and explain what its function is. Why are they
important to rule writing?
Preprocessors play a very important role in the detection process. Examples are normalization services,
which ensure that network packet data is presented in a single, consistent form, as well as
reassembly services and detection services. One of the Snort preprocessors is stream4,
which is used for processing specific protocols like HTTP (Jay Beale, 2007).
Question nine: Why was this Emerging Threats rule written?
alert ip 207.178.145.229 any -> $HOME_NET any (msg:"ET RBN Known Malvertiser IP (11)";
flowbits:set,ET.RBN.Malvertiser; flowbits:set,ET.Evil;
reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit,
track by_src, seconds 60, count 1; sid:2408020; rev:297;)
The above Emerging Threats rule is written to detect known Russian Business Network hosts.
Question ten: The difference between the DROP, LOG, and ALERT options.
Rule actions tell Snort what to do with a given packet: the what, where, and who. In other words, the rule action
tells Snort what it is supposed to do when it finds a packet that matches a certain
set of criteria. The three basic Snort actions are ALERT, PASS, and LOG. Others were developed later, such as
DROP, SDROP, and REJECT. The ALERT action generates an alert, the DROP action
logs and blocks the packet, while the LOG action only logs the packet (CISCO, 2010).
References
Baker, A. R., & Esler, J. (2007). Snort : IDS and IPS toolkit. New York: Syngress.
Beale, J., & Foster, J. C. (2009). Snort 2.0 intrusion detection. Chicago.
CISCO. (2010). Advanced Snort Rule. New York.
Jay Beale, B. C. (2007). Snort Intrusion Detection and Prevention Toolkit. SNORT RULES.