- Reviewing what was observed in the lab exercise

ping

12/22-19:24:45.524410 [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134

(on the IDS)
# cd /etc/snort
# find . -type f -name "*.rules" -exec fgrep -l 'ICMP PING *NIX' {} \;

./rules/icmp-info.rules

# fgrep 'ICMP PING *NIX' ./rules/icmp-info.rules

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
nmap

12/22-19:25:39.098856 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.27.1 -> 192.168.27.134

# find . -type f -name "*.rules" -exec fgrep -l 'ICMP PING NMAP' {} \;

./rules/icmp.rules

# fgrep 'ICMP PING NMAP' ./rules/icmp.rules

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
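The two lookups above grep the rule files for the alert's msg text. As an added example (not code from the original post), the script below does the same mapping keyed on the SID from the `[gid:sid:rev]` field of the fast-alert line instead, which avoids the metacharacter problem that the `*` in "ICMP PING *NIX" would cause with a regex grep and is unique per rule set. The rules directory is a constructed stand-in for /etc/snort/rules containing the two rules from the lab, and the alert lines are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: map a Snort "fast" alert line
# back to the rule that fired, using the SID in the [gid:sid:rev] field
# rather than the msg text. "sid:N;" is unique per rule set and has no
# shell/regex metacharacters, unlike a msg such as "ICMP PING *NIX".

# Constructed stand-in for /etc/snort/rules, populated with the two rules
# shown in the lab output.
RULES_DIR="${RULES_DIR:-$(mktemp -d)}"
cat > "$RULES_DIR/icmp-info.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
EOF
cat > "$RULES_DIR/icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
EOF

# alert_sid ALERT_LINE -> prints the SID (middle number of "[gid:sid:rev]").
alert_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\].*/\1/p'
}

# rule_file_for_sid SID -> prints the *.rules file that defines that SID
# (same find -exec idiom as the post, but keyed on the sid option).
rule_file_for_sid() {
    find "$RULES_DIR" -type f -name '*.rules' -exec grep -lE "sid:[[:space:]]*$1[[:space:]]*;" {} \;
}

# rule_for_sid SID -> prints the full text of the rule with that SID.
rule_for_sid() {
    grep -hE "sid:[[:space:]]*$1[[:space:]]*;" "$RULES_DIR"/*.rules
}

# Constructed alert lines (copied from the lab output above).
ALERT_NIX='12/22-19:24:45.524410 [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134'
ALERT_NMAP='12/22-19:25:39.098856 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.27.1 -> 192.168.27.134'

for alert in "$ALERT_NIX" "$ALERT_NMAP"; do
    sid=$(alert_sid "$alert")
    echo "sid $sid is defined in: $(rule_file_for_sid "$sid")"
    rule_for_sid "$sid"
done
```

Set `RULES_DIR=/etc/snort` (or `/etc/snort/rules`) before running it against a real installation; the functions only read the files.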
# cd /etc/snort
# cp -p snort.conf snort.conf.orig
# vi snort.conf

........
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################
# Note to Debian users: The rules preinstalled in the system
# can be *very* out of date. For more information please read
# the /usr/share/doc/snort-rules-default/README.Debian file
#
# If you install the official VRT Sourcefire rules please review this
# configuration file and re-enable (remove the comment in the first line) those
# rules files that are available in your system (in the /etc/snort/rules
# directory)

# site specific rules
include $RULE_PATH/local.rules

# The include files commented below have been disabled
# because they are not available in the stock Debian
# rules. If you install the Sourcefire VRT please make
# sure you re-enable them again:
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rule
.....
:578,696s/^/#/
Comment out every included rule file so that only local.rules is loaded.

# vi local.rules

# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
alert tcp any any -> $HOME_NET 80 (msg: "Test Messages Port 80"; sid:2017031300; rev:1;)
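After the Step #7 edit it is worth checking two things before restarting Snort: that the only `include` line left active really is local.rules, and that every rule in local.rules carries a `msg`, a `rev`, and a `sid` in the local range (SIDs below 1,000,000 are reserved for the distributed rule sets). The script below is an added example, not from the original post; the snort.conf fragment and the local.rules file it writes are constructed stand-ins, the second of which adds one deliberately defective rule next to the post's test rule.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the result of
# the Step #7 edit. (1) snort.conf must have exactly one active "include"
# line and it must be local.rules; (2) every rule in local.rules must have a
# msg, a rev, and a sid >= 1000000 (the range Snort leaves for local rules).

WORK="${WORK:-$(mktemp -d)}"

# Constructed snort.conf fragment as it looks after ":578,696s/^/#/".
cat > "$WORK/snort.conf" <<'EOF'
# site specific rules
include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
EOF

# Constructed local.rules: the post's test rule plus one deliberately bad rule
# (no rev, and a sid from the reserved range).
cat > "$WORK/local.rules" <<'EOF'
# LOCAL RULES
alert tcp any any -> $HOME_NET 80 (msg: "Test Messages Port 80"; sid:2017031300; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"missing rev, reserved sid"; sid:42;)
EOF

# active_includes CONF -> prints the include lines that are not commented out.
active_includes() {
    grep -E '^[[:space:]]*include[[:space:]]' "$1"
}

# only_local_included CONF -> exit 0 iff the sole active include is local.rules.
only_local_included() {
    [ "$(active_includes "$1" | wc -l | tr -d ' ')" -eq 1 ] &&
    active_includes "$1" | grep -q 'local\.rules$'
}

# lint_rules FILE -> prints one line per defect found; prints nothing if clean.
lint_rules() {
    grep -E '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" |
    while IFS= read -r rule; do
        sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p')
        case "$rule" in *msg:*) ;; *) echo "no msg: $rule" ;; esac
        case "$rule" in *rev:*) ;; *) echo "no rev: $rule" ;; esac
        if [ -z "$sid" ]; then
            echo "no sid: $rule"
        elif [ "$sid" -lt 1000000 ]; then
            echo "reserved sid $sid: $rule"
        fi
    done
}

# local_rules_ok FILE -> exit 0 iff lint_rules reports nothing.
local_rules_ok() {
    [ -z "$(lint_rules "$1")" ]
}

if only_local_included "$WORK/snort.conf"; then
    echo "snort.conf: only local.rules is active"
fi
lint_rules "$WORK/local.rules"
```

Point `WORK` at /etc/snort (with the heredocs removed) to run the same checks on a live configuration; `snort -T -c snort.conf` remains the authoritative syntax test, this only catches the common omissions earlier.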