Potentially Bad Traffic

This category of rule covers traffic that is clearly out of the ordinary and may indicate a compromised system. Attack-response rules fall into this category. Take this directory-listing rule, for example:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK RESPONSES http dir listing";
content: "Volume Serial Number"; flow:from_server,established;
classtype:bad-unknown;)

Alerts generated by this rule signify that "Volume Serial Number" content has been detected coming from a Web server: the header restricts the match to packets sent from $HTTP_SERVERS on $HTTP_PORTS to $EXTERNAL_NET, and flow:from_server,established further limits it to data the server sends on an established TCP session, so the same string in a client request does not fire. Because the rule carries no nocase modifier, the content match is case-sensitive. This type of content is usually detected when an attacker is able to execute commands and pass the output through a Web server. Attackers can do this by escaping out of the Web server document ...
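The following is an added example, not code from the book or from Snort itself: a small Python re-implementation of this rule's matching logic, run over constructed sample packets. It evaluates the header (source in $HTTP_SERVERS on $HTTP_PORTS, destination in $EXTERNAL_NET), the flow options and the content match, and goes slightly beyond the page by showing the three ways a packet carrying the same bytes fails to alert: wrong direction, wrong destination, or a case mismatch. The snort.conf variable values, the packet contents, and the alert line format are assumptions made for the example.

```python
"""Toy re-implementation of the 'ATTACK RESPONSES http dir listing' rule.

Added example, not Snort's or the book's code.  Variable values, sample
packets and the alert format below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed snort.conf variable values (not from the page).
# $EXTERNAL_NET is treated as !$HOME_NET, which is the common configuration.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
HTTP_SERVERS = [ipaddress.ip_network("192.168.1.10/32")]
HTTP_PORTS = {80, 8080}

# The rule's options as written on the page.  No 'nocase' modifier is present,
# so the content match is case-sensitive, exactly as Snort would treat it.
RULE = {
    "msg": "ATTACK RESPONSES http dir listing",
    "content": b"Volume Serial Number",
    "flow": {"from_server", "established"},
    "classtype": "bad-unknown",
}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    from_server: bool   # stream direction as the TCP reassembler tracks it
    established: bool   # three-way handshake completed


def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def header_matches(p: Packet) -> bool:
    # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
    return (in_nets(p.src, HTTP_SERVERS)
            and p.sport in HTTP_PORTS
            and not in_nets(p.dst, HOME_NET))


def options_match(p: Packet) -> bool:
    # flow:from_server,established; content:"Volume Serial Number"
    flow_ok = (("from_server" not in RULE["flow"] or p.from_server)
               and ("established" not in RULE["flow"] or p.established))
    return flow_ok and RULE["content"] in p.payload


def inspect(p: Packet) -> Optional[str]:
    """Return an alert line (assumed format) if the rule fires, else None."""
    if header_matches(p) and options_match(p):
        return (f"[**] {RULE['msg']} [**] [Classification: {RULE['classtype']}] "
                f"{{TCP}} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return None


def run(packets: List[Packet]) -> List[str]:
    return [a for a in (inspect(p) for p in packets) if a]


# Constructed samples (not real captures).  DIR_OUTPUT mimics a Windows
# 'dir' listing being returned in an HTTP response body.
DIR_OUTPUT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
              b" Volume in drive C has no label.\r\n"
              b" Volume Serial Number is 0000-0000\r\n"
              b" Directory of C:\\inetpub\\wwwroot\r\n")
NORMAL_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome</body></html>"

SAMPLE_PACKETS = [
    # 1: dir output leaving the web server for the Internet -> alert
    Packet("192.168.1.10", 80, "203.0.113.5", 40001, DIR_OUTPUT, True, True),
    # 2: same bytes sent by the client -> source and flow both fail
    Packet("203.0.113.5", 40002, "192.168.1.10", 80, DIR_OUTPUT, False, True),
    # 3: lower-cased text -> case-sensitive content does not match
    Packet("192.168.1.10", 80, "203.0.113.5", 40003, DIR_OUTPUT.lower(), True, True),
    # 4: response to an internal client -> destination is not $EXTERNAL_NET
    Packet("192.168.1.10", 80, "192.168.1.77", 40004, DIR_OUTPUT, True, True),
    # 5: ordinary page -> no content match
    Packet("192.168.1.10", 80, "203.0.113.5", 40005, NORMAL_PAGE, True, True),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_PACKETS):
        print(alert)
```

Only the first sample produces an alert. Sample 4 is the one worth remembering when tuning: with $EXTERNAL_NET defined as !$HOME_NET, a compromised server returning command output to an internal pivot host is invisible to this rule, so a site that wants to see that traffic has to widen the destination or add a second rule.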
