Jakub Stefko, 426254

Task 1:

1. address: https://www.snort.org/rule_docs/1-312
   file: snort3-deleted.rules (line 1571)
   rule: alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"DELETED EXPLOIT ntpdx overflow attempt"; flow:to_server; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; reference:nessus,10647; classtype:attempted-admin; sid:312; rev:9;)
   description: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.

2. address: https://www.snort.org/rule_docs/1-366
   file: snort3-protocol-icmp.rules (line 45)
   rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)
   description: ping is a standard networking utility that determines if a target host is up. This rule indicates that the ping originated from a host running Unix.

3. address: https://www.snort.org/rule_docs/1-382
   file: snort3-protocol-icmp.rules (line 60)
   rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)
   description: This event is generated when a Windows PING is detected.

4. address: https://www.snort.org/rule_docs/1-384
   file: snort3-protocol-icmp.rules (line 62)
   rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
   description: This event is generated when a ping is detected.

5. address: https://www.snort.org/rule_docs/1-402
   file: snort3-protocol-icmp.rules (line 79)
   rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;)
   description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.

6. address: https://www.snort.org/rule_docs/1-469
   file: snort3-deleted.rules (line 7278)
   rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:6;)
   description: This event is generated when a ping is detected from the nmap program. (explanation made by me, because there is none in the docs)

7. address: https://www.snort.org/rule_docs/1-527
   file: snort3-deleted.rules (line 638)
   rule: alert ip any any -> any any ( msg:"DELETED BAD-TRAFFIC same SRC/DST"; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:10; )
   description: Land IP denial of service.

8. address: https://www.snort.org/rule_docs/1-1280
   file: snort3-protocol-rpc.rules (line 213)
   rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:18;)
   description: This event is generated when an attempt is made to dump entries from the portmapper.

9. address: https://www.snort.org/rule_docs/1-1616
   file: snort3-protocol-dns.rules (line 28)
   rule: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:17;)
   description: This event is generated when an attempt is made to query version.bind on your DNS server.

10. address: https://www.snort.org/rule_docs/1-1917
   file: snort3-indicator-scan.rules (line 35)
   rule: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;)
   description: This event is generated when UPnP service discovery is detected.

Task 2:
   address with the largest number of attacks: 2001:0:9d38:6ab8:48:2726:6901:b2c2
   Yes, more than one type of attack was carried out from address 167.114.82.227
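As an added example (not part of this assignment and not Snort's own code), the script below implements just enough of the itype, icode, dsize, content, depth and offset semantics used by the ICMP rules in task 1 to show which of them fire on a given echo request; the three ping payloads are constructed to model the Linux, Windows and nmap behaviour the rule descriptions refer to, and the short rule names are assumptions.

```python
import re

# Option strings copied from the four ICMP ping rules in task 1 (msg, metadata,
# classtype, sid and rev omitted because they do not affect matching).
RULES = {
    "PING Unix":    'itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32;',
    "PING Windows": 'itype:8; content:"abcdefghijklmnop"; depth:16;',
    "PING":         'icode:0; itype:8;',
    "PING NMAP":    'dsize:0; itype:8;',
}

def decode_content(s):
    """Turn a Snort content string with |hex| sections into raw bytes."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()  # odd parts are hex
    return out

def parse_options(text):
    """Split 'key:value;' pairs in rule order (content modifiers follow their content)."""
    return [(k, v.strip('"')) for k, v in re.findall(r'(\w+):("[^"]*"|[^;]*);', text)]

def matches(options, itype, icode, payload):
    """Evaluate the parsed options against one ICMP packet (type, code, data bytes)."""
    contents = []  # [pattern, offset, depth]; offset/depth modify the last content
    for key, val in options:
        if key == "itype" and itype != int(val):
            return False
        elif key == "icode" and icode != int(val):
            return False
        elif key == "dsize" and len(payload) != int(val):  # exact payload length
            return False
        elif key == "content":
            contents.append([decode_content(val), 0, None])
        elif key == "offset":
            contents[-1][1] = int(val)
        elif key == "depth":
            contents[-1][2] = int(val)
    for pat, off, depth in contents:
        window = payload[off:] if depth is None else payload[off:off + depth]
        if pat not in window:  # pattern must start within the offset/depth window
            return False
    return True

def classify(itype, icode, payload):
    """Return the names of every rule above that fires on this packet."""
    return [n for n, t in RULES.items() if matches(parse_options(t), itype, icode, payload)]

# Constructed payloads (assumptions modelled on the rule descriptions).
LINUX_PING = bytes(8) + bytes(range(0x10, 0x38))   # 8-byte timestamp, then 0x10..0x37
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes of repeating alphabet
NMAP_PING = b""                                    # nmap echo request carries no data

if __name__ == "__main__":
    for name, data in [("linux", LINUX_PING), ("windows", WINDOWS_PING), ("nmap", NMAP_PING)]:
        print(name, classify(8, 0, data))
```

Note that the generic PING rule (sid 384) fires alongside each OS-specific rule, which is why the three payloads each produce two alerts.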