Snort rules

Source: Baidu Zhidao  Editor: UC Zhidao  Time: 2024/09/23 19:10:29
Can someone help me translate these rules, and also explain the principles behind them? Much appreciated!
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; metadata:service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,

Well. You should read a book that introduces Snort rules, or the official Snort manual.

Every Snort rule is divided into a rule header and a rule body. Take the first rule, for example:
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; metadata:service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:6;)

Everything before the opening parenthesis ( is the rule header. What is inside the parentheses is the rule body.

This rule says: if a UDP packet is destined for $HOME_NET with destination port 161, generate an alert. In the log file or any other alert output, that alert appears as: SNMP missing community string attempt. How does Snort detect this attack? By looking for the hex bytes 04 00 in the UDP packet. (Snort is a signature-matching IDS, so this is its basic working principle.) I won't say much about the offset, depth, reference, classtype, sid and so on that follow. To use Snort well you still need to read the documentation, get thoroughly familiar with the rules, apply them in practice, and then adjust them.
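As an added example (not part of the answer above), here is a small Python parser that splits a Snort rule into its header and body options, turns the `|04 00|` content value into bytes, and applies offset/depth the way the answer describes. The rule text is the first two rules from the question with the reference keywords trimmed; the BER builder and the SNMPv1 GetRequest packets it is checked against are constructed for this demo.

```python
# Constructed rule text: the first two rules quoted in the question (reference keywords trimmed).
RULE_MISSING = ('alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; '
                'content:"|04 00|"; depth:15; offset:5; metadata:service snmp; sid:1893; rev:6;)')
RULE_NULL = ('alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; '
             'content:"|04 01 00|"; depth:15; offset:5; metadata:service snmp; sid:1892; rev:8;)')

def parse_rule(rule):
    """Split a rule into header fields (before '(') and body options (inside the parentheses)."""
    head, _, body = rule.strip().partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    opts, cur, in_quote = [], [], False
    for ch in body.rstrip(")"):          # split on ';' but not inside quoted values such as msg
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    options = {}
    for opt in filter(None, opts):       # keywords like reference may repeat, so keep lists
        key, _, val = opt.partition(":")
        options.setdefault(key, []).append(val.strip().strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def content_bytes(spec):
    """Turn a content value into bytes: plain text is literal, |..| segments are hex."""
    out, in_hex = bytearray(), False
    for part in spec.split("|"):
        out += bytes.fromhex(part) if in_hex else part.encode()
        in_hex = not in_hex
    return bytes(out)

def matches(parsed, payload):
    """Apply content with offset/depth: search only payload[offset:offset+depth]."""
    o = parsed["options"]
    offset = int(o.get("offset", ["0"])[0])
    depth = int(o.get("depth", [str(len(payload))])[0])
    return content_bytes(o["content"][0]) in payload[offset:offset + depth]

def ber(tag, body):
    """Minimal BER TLV with a short-form length, enough for these constructed packets."""
    return bytes([tag, len(body)]) + body

def snmp_get(community):
    """Constructed SNMPv1 GetRequest for sysDescr.0 with the given community string."""
    varbind = ber(0x30, ber(0x06, bytes.fromhex("2b06010201010100")) + ber(0x05, b""))
    pdu = ber(0xA0, ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x30, varbind))
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)
```

With offset 5 the search window starts right at the community-string OCTET STRING tag, which is why an empty community (`04 00`) trips sid 1893 while a normal `public` community does not.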