
Managing Security with Snort & IDS Tools by Christopher Gerg, Kerry J. Cox


The Rule Sets

Here is a brief description of the rule sets:

attack-responses.rules

My personal favorite set of rules. They detect when a host on your local network is sending a known response to a successful attack. Catching the attacker before he has succeeded would be better, but the alerts these rules generate are very rarely false positives, because the matched content is the evidence that something already worked. A few are noisy, in particular the rule that alerts on a "403 - Forbidden" HTTP response, which any web server will send to ordinary users as well as to attackers.

backdoor.rules

Detects traffic generated by backdoor network connections, including those created by attackers using many rootkits and stealthy remote control applications (like subseven, netbus, and deepthroat).

bad-traffic.rules

Watches for illegal or nonsensical packet header settings, such as TCP or UDP traffic to or from port 0, or a SYN packet sent to a multicast address. Legitimate stacks do not generate these, so a match usually indicates a scanner, a crafted packet, or a broken device.

chat.rules

Disabled by default. It watches for people using instant messengers and other Internet chat protocols. If this activity is against your organization's security policy, enable this rule set.

ddos.rules

Alerts on traffic generated by many well-known distributed denial-of-service tools, including Trin00 and Shaft. The Stacheldraht rules can be noisy, since they are just looking for specific words in the payload that may be common in your environment.

deleted.rules

Actually not referenced by default in the snort.conf file; really just a museum of old Snort rules.

dns.rules

Alerts on attacks against DNS servers (including detection of zone transfers).

dos.rules

Detects ...
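To make the distinction between header checks (bad-traffic.rules) and response checks (attack-responses.rules) concrete, here is a small Python model of both, run over constructed packet records. This is an added example written for this page, not Snort's code or its rule files: the alert names mimic the style of the real rule sets, the HOME_NET range and every packet are assumptions, and the "uid=0(root)" check is included as a second, well-known attack-responses signature to contrast with the noisy 403 rule. The per-source limit at the end is a stand-in for the kind of thresholding you would apply to that 403 rule rather than disabling it outright.

```python
"""Toy detector modelling three checks from the Snort rule sets described above.

Added example, not Snort's own code. It applies two bad-traffic.rules style
header checks (port 0, SYN to a multicast address) and two attack-responses
style payload checks to constructed packets, then limits the noisy 403 alert
to once per source host. HOME_NET and all sample packets are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local network


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters: "S" = SYN only, "PA" = PSH+ACK
    payload: bytes = b""


def is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def check_bad_traffic(pkt: Packet) -> list:
    """Header sanity checks in the spirit of bad-traffic.rules."""
    alerts = []
    if pkt.proto in ("tcp", "udp") and 0 in (pkt.sport, pkt.dport):
        alerts.append(f"BAD-TRAFFIC {pkt.proto} port 0 traffic")
    if (pkt.proto == "tcp" and pkt.flags == "S"
            and ipaddress.ip_address(pkt.dst).is_multicast):
        alerts.append("BAD-TRAFFIC syn to multicast address")
    return alerts


def check_attack_responses(pkt: Packet) -> list:
    """Responses leaving HOME_NET that show an attack worked (or a plain 403)."""
    alerts = []
    if not (is_local(pkt.src) and not is_local(pkt.dst)):
        return alerts                      # only local -> external replies matter
    if pkt.payload.startswith((b"HTTP/1.1 403", b"HTTP/1.0 403")):
        alerts.append("ATTACK-RESPONSES 403 Forbidden")      # the noisy one
    if b"uid=0(root)" in pkt.payload:
        alerts.append("ATTACK-RESPONSES id check returned root")
    return alerts


class LimitedDetector:
    """Runs both checks; alert names in `limited` fire at most once per source."""

    def __init__(self, limited=("ATTACK-RESPONSES 403 Forbidden",)):
        self.limited = set(limited)
        self.seen = defaultdict(set)       # alert name -> sources already reported

    def process(self, pkt: Packet) -> list:
        fired = []
        for name in check_bad_traffic(pkt) + check_attack_responses(pkt):
            if name in self.limited:
                if pkt.src in self.seen[name]:
                    continue               # suppressed repeat from this source
                self.seen[name].add(pkt.src)
            fired.append(name)
        return fired


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("tcp", "10.9.8.7", 0, "192.168.1.10", 80, "S"),                 # source port 0 probe
    Packet("tcp", "192.168.1.5", 40000, "224.0.0.1", 25, "S"),              # SYN to multicast
    Packet("udp", "192.168.1.5", 53, "8.8.8.8", 53),                        # ordinary DNS, clean
    Packet("tcp", "192.168.1.10", 80, "203.0.113.4", 51000, "PA", b"HTTP/1.1 403 Forbidden\r\n"),
    Packet("tcp", "192.168.1.10", 80, "203.0.113.4", 51001, "PA", b"HTTP/1.1 403 Forbidden\r\n"),
    Packet("tcp", "192.168.1.10", 80, "192.168.1.20", 51002, "PA", b"HTTP/1.1 403 Forbidden\r\n"),
    Packet("tcp", "192.168.1.10", 8080, "203.0.113.4", 51003, "PA", b"uid=0(root) gid=0(root)\n"),
]


def run(packets=SAMPLE) -> list:
    """Return (src, dst, alert) tuples for every alert that survives the limit."""
    det = LimitedDetector()
    out = []
    for pkt in packets:
        for name in det.process(pkt):
            out.append((pkt.src, pkt.dst, name))
    return out


if __name__ == "__main__":
    for src, dst, name in run():
        print(f"{src} -> {dst}: {name}")
```

Running it yields four alerts from seven packets: the port 0 probe, the SYN to 224.0.0.1, one 403 (the second from the same server is suppressed, and the third never qualifies because it stays inside HOME_NET), and the "uid=0(root)" reply, which is the kind of match that makes this rule set worth the noise.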
