Jakub Stefko, 426254

Task 1:

1. address: https://www.snort.org/rule_docs/1-312

file: snort3-deletede.rules (line 1571)

rule: alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"DELETED EXPLOIT ntpdx overflow attempt"; flow:to_server; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; reference:nessus,10647; classtype:attempted-admin; sid:312; rev:9;)

description: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.

2. address: https://www.snort.org/rule_docs/1-366

file: snort3-protocol-icmp.rules (line 45)

rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)

description: ping is a standard networking utility that determines if a target host is up. This rule indicates that the ping originated from a host running Unix.

3. address: https://www.snort.org/rule_docs/1-382

file: snort3-protocol-icmp.rules (line 60)

rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)

description: This event is generated when a Windows PING is detected.

4. address: https://www.snort.org/rule_docs/1-384

file: snort3-protocol-icmp.rules (line 62)

rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)

description: This event is generated when a ping is detected.

5. address: https://www.snort.org/rule_docs/1-402

file: snort3-protocol-icmp.rules (line 79)

rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;)

description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.

6. address: https://www.snort.org/rule_docs/1-469

file: snort3-deletede.rules (line 7278)

rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:6;)

description: This event is generated when a ping from the nmap program is detected. (explanation written by me, because there is none in the docs)

7. address: https://www.snort.org/rule_docs/1-527

file: snort3-deletede.rules (line 638)

rule: alert ip any any -> any any ( msg:"DELETED BAD-TRAFFIC same SRC/DST"; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:10; )

description: Land IP denial of service.

8. address: https://www.snort.org/rule_docs/1-1280

file: snort3-protocol-rpc.rules (line 213)

rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:18;)

description: This event is generated when an attempt is made to dump entries from the portmapper.

9. address: https://www.snort.org/rule_docs/1-1616

file: snort3-protocol-dns.rules (line 28)

rule: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:17;)

description: This event is generated when an attempt is made to query version.bind on your DNS server.

10. address: https://www.snort.org/rule_docs/1-1917

file: snort3-indicator-scan.rules (line 35)

rule: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;)

description: This event is generated when UPnP service discovery is detected.

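The four ICMP PING rules above (sid 366, 382, 384 and 469) differ only in their itype/icode, dsize, content and depth options. The following is an added example, not code from this assignment or from Snort: a simplified evaluator for just those options, run over constructed echo-request payloads (a Linux-style payload with an 8-byte timestamp followed by the 0x10.. byte pattern, a Windows-style "abcdefghijklmnopqrstuvwabcdefghi" payload, and an empty nmap-style payload) to show which sids each packet would trigger. Other Snort options (offset, within, distance, flow, metadata) are assumed absent and are not modelled.

```python
from dataclasses import dataclass


@dataclass
class IcmpPacket:
    """Only the fields the four PING rules inspect."""
    itype: int
    icode: int
    payload: bytes


# Option subset of sid 366, 382, 384 and 469 as listed on the page.
RULES = {
    366: {"itype": 8, "content": bytes(range(0x10, 0x20)), "depth": 32},
    382: {"itype": 8, "content": b"abcdefghijklmnop", "depth": 16},
    384: {"itype": 8, "icode": 0},
    469: {"itype": 8, "dsize": 0},
}


def rule_matches(opts: dict, pkt: IcmpPacket) -> bool:
    """Apply itype, icode, dsize and content/depth the way Snort reads them:
    dsize compares the whole payload length; depth limits how many bytes
    from the start of the payload the content may be searched in."""
    if "itype" in opts and pkt.itype != opts["itype"]:
        return False
    if "icode" in opts and pkt.icode != opts["icode"]:
        return False
    if "dsize" in opts and len(pkt.payload) != opts["dsize"]:
        return False
    if "content" in opts:
        window = pkt.payload[: opts.get("depth", len(pkt.payload))]
        if opts["content"] not in window:
            return False
    return True


def matching_sids(pkt: IcmpPacket) -> list:
    """Sorted list of sids whose options all hold for this packet."""
    return sorted(sid for sid, opts in RULES.items() if rule_matches(opts, pkt))


# Constructed sample payloads (assumptions, not captures from the page).
LINUX_PING = bytes(8) + bytes(range(0x10, 0x40))       # timestamp + 0x10..0x3F
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"     # 32 bytes
NMAP_PING = b""                                        # zero-length echo

if __name__ == "__main__":
    for name, data in [("linux", LINUX_PING), ("windows", WINDOWS_PING), ("nmap", NMAP_PING)]:
        print(name, matching_sids(IcmpPacket(itype=8, icode=0, payload=data)))
```

Note that sid 384 fires on every echo request, so a Linux ping raises two alerts (366 and 384) and an empty nmap ping raises 384 and 469; an echo reply (itype 0) matches none of them.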
Task 2:

address with the highest number of attacks: 2001:0:9d38:6ab8:48:2726:6901:b2c2

Yes, more than 1 type of attack was carried out from the address 167.114.82.227