In the compressed (zipped) package, you are looking for the files that end in ".rules" extensions. Pick one of the named rules files, open it, and choose a rule. If this is your first exposure to Snor

Reply needed 1
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;)

From the above rule, there is a rule header, which is made up of the Snort rule defining what is inside the packet. The parameters define a unique network connection: Source IP, Source Port, Destination IP, and Destination Port. The header also includes the direction of the packet traversal, as defined by the -> or <> symbols. Using a basic example, we will break down a typical header into its component parts and explain what each part does. The rule options define what is involved in the network packet. It is basically a message to Snort to inspect the packet for matching values and determine whether to consider the packet malicious. These options are triggered only if the rule headers match certain packet content. If there is a match, Snort most commonly writes an alert message to the alert file in the Snort logging directory. Packet data is logged as well. This ensures that once an alert is issued, the administrator can go back, review the packet and confirm or deny that it was an intrusion attempt. The last two fields are the Destination Address and Destination Port. The reasoning behind the respective Source Address and Source Port fields also applies.

7.3 Creating Your Own Rules. (2019). Books.gigatux.nl. Retrieved 23 October 2019, from http://books.gigatux.nl/mirror/snortids/0596006616/snortids-CHP-7-SECT-3.html

Reply needed 2

The following is a rule that I picked from the file-pdf rules file in C:\Snort\rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt"; flow:to_server,established; file_data; content:"|34 1A 8D 29 34 41 CE 48 24 48 FE 1F C1 5B B7 1D 89 C6 FA E2 FD 2D 09 85 A0 9D 32 DE 17 8B 46 5A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-009; classtype:attempted-user; sid:41602; rev:4;)

This Snort rule is used to detect a variety of attacks that can be conducted through PDF files. In the case of a vulnerability, the Snort rule displays a message that reading the file is out of bounds. Also, in the metadata section, there are balanced-ips drop, policy max-detect-ips and policy security-ips. This means that the rule is set to drop in the Balanced Security and Connectivity policy and the Security Over Connectivity policy.

Reply needed 3
I divided my task into two parts. First, creating a Snort rule that blocks the content of the website. Second, creating a Snort rule to prevent workers from accessing this website; it will alert the administrator whenever someone tries to access the website.

I created the alert rule using a TCP alert Snort rule, namely: alert tcp 104.27.216.28 any -> any any (content:"www.thepiratebay.org"; msg:"ALERT: Unauthorized Website Access Activity"; sid:1000004;), where 104.27.216.28 is the IP for thepiratebay. I then used the drop Snort rule to block packets sent from 104.27.216.28 to access the thepiratebay website.

Reference:

Jeffrey Carr (2007-06-05). "Snort: Open Source Network Intrusion Prevention". Retrieved 2010-06-23.
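The header/options split described in reply 1, and the hand-written header in reply 3, worked through as an added Python example (not code from the original page or from the Snort project): it splits a Snort 2 rule into its seven header fields and its option list, and rejects a header that is missing a port. The community rule is the one quoted on the page; the malformed rule is a constructed sample.

```python
import re

# A Snort 2 rule header has exactly seven tokens: action, protocol, source
# address, source port, direction operator, destination address, destination
# port. The rule options follow inside parentheses as "keyword:value;" pairs.
HEADER_FIELDS = ("action", "protocol", "src", "src_port",
                 "direction", "dst", "dst_port")

# Rule quoted on the page (Snort community ruleset, sid 24598).
COMMUNITY_RULE = ('# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 '
                  '(msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam '
                  'redirect"; flow:to_server, established; file_data; '
                  'content:"http|3A 2F 2F|1.usa.gov"; '
                  r'pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; '
                  'metadata:ruleset community, service smtp; '
                  'reference:url,www.symantec.com/connect/blogs/spam-gov-urls; '
                  'classtype:bad-unknown; sid:24598; rev:3;)')

# Constructed sample of a common mistake: the source port token is missing.
MALFORMED_RULE = ('alert tcp 104.27.216.28 -> any any (content:"www.thepiratebay.org"; '
                  'msg:"ALERT: Unauthorized Website Access Activity"; sid:1000004;)')


def split_options(body):
    """Split the option block on ';', ignoring semicolons inside double quotes
    (msg, content and pcre values may legitimately contain them)."""
    parts, buf, quoted, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Return (header, options) for one rule, or raise ValueError when the
    header does not carry the seven fields Snort expects."""
    line = text.strip().lstrip("#").strip()  # community rules ship commented out
    m = re.match(r"^(.*?)\s*\((.*)\)\s*$", line, re.S)
    if not m:
        raise ValueError("rule has no option block in parentheses")
    tokens = m.group(1).split()
    if len(tokens) != len(HEADER_FIELDS) or tokens[4] not in ("->", "<>"):
        raise ValueError("malformed header (expected 7 fields): %r" % m.group(1))
    header = dict(zip(HEADER_FIELDS, tokens))
    options = [(k.strip(), v.strip()) for k, _, v in
               (raw.partition(":") for raw in split_options(m.group(2)))]
    return header, options
```

Option values are returned with their quotes intact, so `msg` and `content` can be written back out unchanged.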