(a) Rule header
Action, Protocol, Source IP Address, Source Port, Direction, Dest IP Address, Dest Port
(b) Options
Option Keyword, Protocol Arguments
Meta-data: provides information about the rule but has no effect during detection
Payload: looks for data inside the packet
Post-detection: rule-specific triggers that happen after a rule has matched a packet
Snort rule actions
alert, log, pass, activate, dynamic, drop, reject, sdrop
Snort rule example
alert tcp any any -> 192.168.1.0/24 25 (content:"mail from:root"; msg:"root user attempts to send an email";)
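As an added example (not from these notes and not Snort's own code), the parser below splits a rule into the header fields of (a) and the keyword/argument options of (b), checks the action against the list of rule actions above, and sorts each option keyword into the meta-data / payload / post-detection classes. The keyword-to-class table is an assumption drawn from Snort's documented option keywords, and the sample rule is the one from the notes, written with straight quotes.

```python
# Minimal Snort rule parser: header fields, option keyword/argument pairs, and option class.
# Added example; the rule and the keyword table are assumptions, not an official Snort grammar.

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Assumed mapping of common option keywords to the three classes named in the notes.
OPTION_CLASSES = {
    "meta-data": {"msg", "sid", "rev", "reference", "classtype", "priority", "metadata"},
    "payload": {"content", "nocase", "depth", "offset", "distance", "within", "pcre", "uricontent"},
    "post-detection": {"logto", "session", "resp", "react", "tag", "detection_filter"},
}

# Constructed sample: the rule from the notes.
EXAMPLE_RULE = (
    'alert tcp any any -> 192.168.1.0/24 25 '
    '(content:"mail from:root"; msg:"root user attempts to send an email";)'
)


def option_category(keyword: str) -> str:
    """Return the class of an option keyword, or 'unknown' if it is not in the table."""
    for category, keywords in OPTION_CLASSES.items():
        if keyword in keywords:
            return category
    return "unknown"


def parse_options(body: str) -> list:
    """Parse 'keyword:argument;' pairs; arguments may be quoted and may contain ':' or ';'."""
    options = []
    i, n = 0, len(body)
    while i < n:
        while i < n and body[i].isspace():          # skip whitespace between options
            i += 1
        if i >= n:
            break
        j = i
        while j < n and body[j] not in ":;":        # keyword runs up to ':' or ';'
            j += 1
        keyword = body[i:j].strip()
        argument = None
        if j < n and body[j] == ":":
            j += 1
            k, in_quote = j, False
            while k < n and (in_quote or body[k] != ";"):   # ';' inside quotes does not end the option
                if body[k] == '"':
                    in_quote = not in_quote
                k += 1
            argument = body[j:k].strip()
            if len(argument) >= 2 and argument[0] == argument[-1] == '"':
                argument = argument[1:-1]            # drop the surrounding quotes
            j = k
        if j >= n or body[j] != ";":
            raise ValueError(f"option {keyword!r} is missing its terminating ';'")
        options.append((keyword, argument))
        i = j + 1
    return options


def parse_rule(rule: str) -> dict:
    """Split a rule into its header dict and its option list, validating the header."""
    rule = rule.strip()
    open_idx = rule.find("(")
    if open_idx == -1 or not rule.endswith(")"):
        raise ValueError("rule has no parenthesised option body")
    tokens = rule[:open_idx].split()                 # works with or without a space before '('
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(tokens)}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["action"] not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {header['action']!r}")
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {header['direction']!r}")
    options = parse_options(rule[open_idx + 1:-1])
    return {"header": header, "options": options}


if __name__ == "__main__":
    parsed = parse_rule(EXAMPLE_RULE)
    print(parsed["header"])
    for keyword, argument in parsed["options"]:
        print(f"{keyword:>10} [{option_category(keyword)}] = {argument!r}")
```

Running it shows why the colon in `"mail from:root"` does not break the option: the argument is scanned with quote tracking rather than by splitting on `:` or `;`.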
Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems
Honeypots are designed to:
divert an attacker
collect information about an attacker
encourage an attacker to stay long enough for administrators to respond
Honeypots are filled with fabricated information
Any accesses to a honeypot trigger monitors and event loggers
An attack against a honeypot is made to seem successful
A honeypot has no production value:
there is no legitimate reason to access a honeypot
any attempt to communicate with a honeypot is most likely a probe, scan, or attack
if a honeypot initiates outbound traffic, the system is most likely compromised