alecccg03/Snort-Rules
GitHub: alecccg03/Snort-Rules
A set of custom Snort 3.12 rules for learning and demonstration, intended to help users master writing and deploying rules for network intrusion detection and prevention systems.
Stars: 0 | Forks: 0
# Snort-Rules
A collection of custom Snort 3.12 rules written for proactive network threat detection. It contains custom rules that alert on specific traffic patterns and that demonstrate IDS and IPS behaviour in a virtualised lab environment.
## Rule 1: Alert on ICMP traffic
This rule alerts on ICMP traffic to 8.8.8.8 from any source address. I ran Snort with the `--daq-batch-size` parameter so that each packet was processed and printed to the console one at a time rather than in batches. Used this way, Snort is a pure IDS: it alerts you but takes no action to stop the malicious activity.
## Rule 2: Alert on HTTPS traffic
This rule alerts on inbound traffic from TCP port 443 (HTTPS) to any port on the host address. When I used curl to make a GET request to google.com, Snort did not alert, because curl defaults to plain HTTP on port 80 when no scheme is given, so the traffic never involved port 443.
When I made the request to https://google.com instead, Snort correctly alerted on the traffic in the console.
## Rule 3: Log DNS traffic
Instead of writing alerts to the console, this rule uses the `log` action to record inbound DNS traffic to disk. When Snort is configured to write its packet log in pcap format, the resulting files can be opened in Wireshark for further analysis.
## Rule 4: Drop ICMP traffic
Sometimes logging isn't enough and you want to drop certain traffic. This rule drops inbound ICMP traffic from any source address. By actively dropping packets, Snort goes from being an IDS to an IPS: it acts on the traffic instead of only reporting it. Note that a `drop` rule only blocks anything when Snort runs inline (`-Q`) with an inline-capable DAQ; in passive mode the rule still only produces an alert.
## Rule 5: Reject ICMP traffic from a malicious IP
For the purposes of this lab, 8.8.8.8 stood in for the 'malicious' IP address. This rule rejects ICMP traffic from that IP, and the match is also reported as an alert in the console. In the ping output, 4 packets were transmitted with 100% packet loss because of the reject rule. Unlike `drop`, `reject` does not just discard the packet: it also answers the sender (a TCP RST for TCP, an ICMP unreachable message for other protocols). Because of that, only one packet appeared on the console, since the exchange was terminated.
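The README describes the five rules but does not show their text. The following is an added example, not code from the alecccg03/Snort-Rules repository: it reconstructs plausible Snort 3 rule headers from the descriptions above (the rule text, the sids 1000001 to 1000005 and the 192.168.56.0/24 lab subnet are all assumptions) and runs a small header matcher over constructed packets that mirror the experiments in Rules 1 to 5. It shows why the plain `curl google.com` reply never reaches Rule 2, why the echo reply from 8.8.8.8 is what Rules 4 and 5 catch, and how `drop`/`reject` differ from `alert` in passive versus inline mode.

```python
"""Toy matcher for the five rule headers this README describes (added
example, not code from the alecccg03/Snort-Rules repository). The rule text,
sids and the 192.168.56.0/24 lab subnet are reconstructed from the prose and
are assumptions. Only rule headers are evaluated: no payload options, no flow tracking."""
import ipaddress
import re
from collections import namedtuple

HOME_NET = ipaddress.ip_network("192.168.56.0/24")  # assumed lab VM subnet

# Assumed rule text; the repository's real rules and sids are not on the page.
RULES = """
alert icmp any any -> 8.8.8.8 any (msg:"Rule 1 ICMP to 8.8.8.8"; sid:1000001; rev:1;)
alert tcp any 443 -> $HOME_NET any (msg:"Rule 2 HTTPS into host"; sid:1000002; rev:1;)
log udp any 53 -> $HOME_NET any (msg:"Rule 3 DNS into host"; sid:1000003; rev:1;)
drop icmp any any -> $HOME_NET any (msg:"Rule 4 drop inbound ICMP"; sid:1000004; rev:1;)
reject icmp 8.8.8.8 any -> $HOME_NET any (msg:"Rule 5 reject ICMP from bad IP"; sid:1000005; rev:1;)
"""

HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|block|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# Lower number wins when several rules fire (simplified: pass beats block-class
# actions, which beat alert and log; the order inside each class is ours).
PRIORITY = {"pass": 0, "reject": 1, "drop": 2, "block": 2, "alert": 3, "log": 4}

Rule = namedtuple("Rule", "action proto src sport direction dst dport sid msg")
Packet = namedtuple("Packet", "proto src sport dst dport")  # ports 0 for ICMP


def parse_rules(text):
    """Parse one-line Snort 3 rules into Rule tuples; refuse rules lacking a sid."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule header: {line}")
        opts = dict(re.findall(r'(\w+):\s*"?([^";]*)"?\s*;', m["opts"]))
        if "sid" not in opts:  # Snort 3 will not load a rule without a sid
            raise ValueError(f"rule without sid: {line}")
        rules.append(Rule(m["action"], m["proto"].lower(), m["src"], m["sport"],
                          m["dir"], m["dst"], m["dport"], int(opts["sid"]),
                          opts.get("msg", "")))
    return rules


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_ok(spec[1:], ip)
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def _port_ok(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_ok(spec[1:], port)
    if ":" in spec:  # Snort range syntax: lo:hi, :hi or lo:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def header_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    fwd = (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
           and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    if rule.direction == "->":
        return fwd
    return fwd or (_addr_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
                   and _addr_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))


def evaluate(rules, pkt, inline):
    """Which sids fire and what happens to the packet. inline=False models
    passive (tap) mode, where drop/reject can only alert; inline=True models
    `snort -Q`, where they really block and reject also answers the sender."""
    hits = sorted((r for r in rules if header_matches(r, pkt)),
                  key=lambda r: PRIORITY[r.action])
    out = {"sids": [r.sid for r in hits], "action": None, "blocked": False, "response": None}
    if hits:
        out["action"] = hits[0].action
        if inline and hits[0].action in ("drop", "block", "reject"):
            out["blocked"] = True
            if hits[0].action == "reject":
                out["response"] = "tcp-rst" if pkt.proto == "tcp" else "icmp-unreachable"
    return out


if __name__ == "__main__":
    rs, host = parse_rules(RULES), "192.168.56.10"
    for label, p in [  # constructed packets mirroring the README's experiments
        ("ping request host->8.8.8.8", Packet("icmp", host, 0, "8.8.8.8", 0)),
        ("ping reply 8.8.8.8->host", Packet("icmp", "8.8.8.8", 0, host, 0)),
        ("curl http reply :80->host", Packet("tcp", "142.250.80.46", 80, host, 51000)),
        ("curl https reply :443->host", Packet("tcp", "142.250.80.46", 443, host, 51001)),
        ("dns reply :53->host", Packet("udp", "192.168.56.1", 53, host, 40000))]:
        print(label, "| passive:", evaluate(rs, p, False), "| inline:", evaluate(rs, p, True))
```

The echo reply case is the one to study: in passive mode the matcher still reports `reject` as the winning action but `blocked` stays false, which is exactly why the 100% packet loss seen in Rule 5 needs Snort started inline (`-Q` with an inline-capable DAQ) rather than in the IDS mode used for Rule 1. Loading the same rule text into a real Snort 3 would be done with `-R` pointing at the rules file; that invocation is not part of the repository and is mentioned here only as the usual way to test a standalone rules file.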