1. Complete this rule which would be deployed to detect incoming TCP traffic on port 31337:
alert _____ $EXTERNAL_NET _____ -> $HOME_NET _____ (msg:"__________________"; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)
2. If you made a change to this rule, what would you do to the "rev" field? Why would this be important?
3. Complete the rule below to check for the text string “malware” in the payload section of a TCP packet which starts after 32 bytes:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware String Detected"; content:"malware"; _____:32; nocase; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)
4. In question #3, why would using this option or similar options be beneficial to creating a good rule?
5. What would be some of the options you as the signature writer could add to your rule to give other users some insight as to why a rule was created?
6. What is the name of the file that contains the configuration of Snort? Where is it usually located in the Linux build?
7. Can two rules share the same SID? Why or why not?
8. Pick one of the Snort preprocessors and explain what its function is. Why are they important to rule writing?
9. Why was this Emerging Threats rule written? (hint: look at the reference option)
alert ip 207.178.145.229 any -> $HOME_NET any (msg:"ET RBN Known Malvertiser IP (11)"; flowbits:set,ET.RBN.Malvertiser; flowbits:set,ET.Evil; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; sid:2408020; rev:297;)
10. Explain the difference between the DROP, LOG, and ALERT options.