3.11 Sample Default Rules
You have learned the structure of Snort rules and how to write your own rules. This section lists some predefined rules that come with Snort. All of the rules in this section are taken from the telnet.rules file. Let us discuss each of these to give you an idea about rules that are used in production systems.
3.11.1 Checking su Attempts from a Telnet Session
The first rule generates an alert when a user tries to su to root through a telnet session. The rule is as shown below:
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow: from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
There are a number of things to note about this rule. The rule generates an alert and applies to TCP packets. Major points are listed below:
- The variable $TELNET_SERVERS is defined in the snort.conf file and holds the list of Telnet servers.
- Port number 23 is used in the rule, which means that the rule is applied only to TCP traffic leaving port 23 on those servers. The rule checks only responses from Telnet servers, not the requests.
- The variable $EXTERNAL_NET is defined in the snort.conf file and covers all addresses outside the private network. The rule therefore applies only to those Telnet sessions that originate from outside the private network. If someone on the internal network starts a Telnet session, the rule will not detect that traffic.
- The flow keyword restricts this rule to an established connection and to traffic flowing from the server.
- The content keyword shows that an alert will be generated when a packet contains "to su root".
- The nocase keyword allows the rule to ignore the case of letters while matching the content.
- The classtype keyword assigns a class to the rule. The attempted-admin class is defined, with a default priority, in the classification.config file.
- The rule ID (sid) is 715.
- The rev keyword shows the revision number of the rule.
3.11.2 Checking for Incorrect Login on Telnet Sessions
The following rule is similar to the rule for checking su attempts. It checks incorrect login attempts on the Telnet server port.
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flow:from_server,established; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:6;)
There is one additional keyword used in this rule, "reference:arachnids,127". This is a reference to a web site where you can find more information about this vulnerability. The base URLs for external web sites are placed in the reference.config file in the Snort distribution. Using the information in reference.config, the URL for more information about this rule is http://www.whitehats.com/info/IDS=127, where 127 is the ID used for searching the database at the arachnids web site.
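To see how the header, flow, content, nocase and reference options of the two telnet rules above combine, here is an added example (not Snort's own code and not from the book) that parses both rules and evaluates them against constructed Telnet server responses. The HOME_NET, TELNET_SERVERS and REFERENCE_CONFIG values are stand-ins for what snort.conf and reference.config would supply.

```python
import ipaddress

# Constructed stand-ins for snort.conf variables and the reference.config entry (not Snort's files).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
TELNET_SERVERS = {"10.0.0.5"}
REFERENCE_CONFIG = {"arachnids": "http://www.whitehats.com/info/IDS="}
RULE_715 = 'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)'
RULE_718 = 'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flow:from_server,established; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:6;)'

def parse_rule(text):
    # Header: action proto src sport -> dst dport; options follow inside the parentheses.
    header, body = text.split("(", 1)
    proto, src, sport, _, dst, dport = header.split()[1:]
    rule = {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "contents": [], "nocase": False, "flow": [], "references": []}
    for opt in body.rstrip(")").split(";"):
        name, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if name == "content":
            rule["contents"].append(value)
        elif name == "nocase":            # modifies the content option it follows
            rule["nocase"] = True
        elif name == "flow":
            rule["flow"] = value.split(",")
        elif name == "reference":
            rule["references"].append(tuple(value.split(",")))
        elif name:                         # msg, classtype, sid, rev kept as plain strings
            rule[name] = value
    return rule

def addr_matches(spec, ip):
    if spec == "$EXTERNAL_NET":           # anything outside the private network
        return ipaddress.ip_address(ip) not in HOME_NET
    return spec == "any" or ip in TELNET_SERVERS   # only $TELNET_SERVERS is modelled

def rule_matches(rule, pkt):
    # Header, flow and content checks: True when the rule would fire on this packet.
    if pkt["proto"] != rule["proto"]:
        return False
    for side in ("src", "dst"):
        port_spec = rule["sport"] if side == "src" else rule["dport"]
        if not addr_matches(rule[side], pkt[side]) or (
                port_spec != "any" and int(port_spec) != pkt[side + "port"]):
            return False
    if not all(pkt.get(f, False) for f in rule["flow"]):   # from_server and established
        return False
    fold = str.lower if rule["nocase"] else str           # nocase folds both sides
    return all(fold(c) in fold(pkt["payload"]) for c in rule["contents"])

def reference_urls(rule):
    # Expand reference:system,id into the URL reference.config maps it to.
    return [REFERENCE_CONFIG[system] + ident for system, ident in rule["references"]]
```

Note that sid 718 has no nocase option, so a lowercase "login incorrect" banner would not trigger it while "TO SU ROOT" still triggers sid 715.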