Chapter 3 Working with Snort Rules
are usually placed in a configuration file, typically snort.conf. You
can also split rules across several files and include those files from the main
configuration file. This chapter describes the different types of rules and
the basic structure of a rule, and it ends with many examples of rules for
common intrusion detection tasks. After reading this chapter, along with the
two preceding chapters, you should have enough information to set up Snort as
a basic intrusion detection system.
3.1 TCP/IP Network Layers
Before you move on to writing rules, let us briefly discuss the TCP/IP layers.
This matters because Snort rules are applied to protocols at different layers:
a rule header names a protocol (ip, icmp, tcp or udp), addresses and ports, and
the decoder has to work its way up through the layers before that header can be
matched. TCP/IP is usually described as a five-layer protocol stack. These
layers interact with each other to make the communication process work. The
names of these layers are:
1. The physical layer.
2. The data link layer. In some literature this is also called the network
interface layer. The physical and data link layers consist of the physical
medium, the network interface adapter, and the driver for the network interface
adapter. Ethernet (MAC) addresses belong to the data link layer.
3. The network layer, which in TCP/IP is the IP (Internet Protocol) layer. This
layer is responsible for delivering packets from one host to another across
networks. It is a best-effort service: IP carries a checksum over its own
header only, so it detects a corrupted header but says nothing about the data it
carries, and it does not guarantee delivery. All hosts on this layer are
identified by IP addresses. In addition to IP, ICMP (Internet Control Message
Protocol) is another major protocol in this layer. IP is specified in RFC 791,
available at http://www.rfc-editor.org/rfc/rfc791.txt, and ICMP in RFC 792,
available at http://www.rfc-editor.org/rfc/rfc792.txt.
4. The transport layer, which in TCP/IP is the TCP/UDP layer. TCP (Transmission
Control Protocol) provides connection-oriented, reliable data transfer from
source to destination. UDP (User Datagram Protocol), on the other hand, provides
connectionless data transfer: there is no assurance that data sent over UDP will
actually reach its destination, so UDP is used where some data loss can be
tolerated. UDP is specified in RFC 768, available at
http://www.rfc-editor.org/rfc/rfc768.txt, and TCP in RFC 793, available at
http://www.rfc-editor.org/rfc/rfc793.txt.
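The layering above is exactly what a packet decoder walks before a Snort rule header (protocol, source and destination addresses, ports) can be compared against a packet. The Python script below is an added example, not code from this book or from Snort itself. It decodes constructed Ethernet/IPv4 frames through the data link, network and transport layers, derives the rule header that would match each packet, and shows the integrity caveat from item 3: the RFC 791 header checksum catches damage to the IP header but not to the payload behind it. The MAC addresses, IP addresses, ports and packet contents are made-up sample data, and the function names are this example's own.

```python
"""Decode Ethernet -> IPv4 -> TCP/UDP/ICMP and extract the fields a Snort rule header matches."""
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum from RFC 791. It covers only the IP header,
    so payload corruption is invisible to it. A header whose checksum field is
    already correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Wrap an already-encoded layer-4 segment in an IPv4 header and an
    Ethernet header (constructed sample data, not captured traffic)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                      64, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + l4


def decode_frame(frame: bytes) -> dict:
    """Walk the layers in order and return the rule-relevant fields.
    Raises ValueError on a truncated or corrupted (header checksum) packet."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])   # layer 2
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    pkt = frame[14:]
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])                          # layer 3
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    l4 = pkt[ihl:total_len]
    info = {"proto": PROTO_NAMES.get(proto, str(proto)), "ttl": ttl,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": None, "dport": None, "payload": l4}
    if proto == 6 and len(l4) >= 20:                                     # layer 4: TCP
        sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        info.update(sport=sport, dport=dport, flags=flags, payload=l4[(off >> 4) * 4:])
    elif proto == 17 and len(l4) >= 8:                                   # layer 4: UDP
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, payload=l4[8:ulen])
    elif proto == 1 and len(l4) >= 8:                                    # layer 4: ICMP
        itype, icode, _icsum = struct.unpack("!BBH", l4[:4])
        info.update(itype=itype, icode=icode, payload=l4[8:])
    return info


def rule_header(info: dict) -> str:
    """Snort rule header (action proto src_ip src_port -> dst_ip dst_port) that
    matches this packet exactly; 'any' where the protocol has no ports."""
    sport = "any" if info["sport"] is None else info["sport"]
    dport = "any" if info["dport"] is None else info["dport"]
    return "alert %s %s %s -> %s %s" % (info["proto"], info["src"], sport, info["dst"], dport)


def header_intact(frame: bytes) -> bool:
    """True if the frame decodes with a valid IPv4 header checksum."""
    try:
        decode_frame(frame)
        return True
    except ValueError:
        return False


def flip_byte(frame: bytes, offset: int) -> bytes:
    """Copy of frame with one byte inverted, to probe what the checksum covers."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


# Constructed sample frames: a TCP SYN to port 80, a UDP DNS query, an ICMP echo request.
TCP_SYN = build_frame("192.168.1.10", "10.0.0.5", 6,
                      struct.pack("!HHIIBBHHH", 40123, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0))
UDP_DNS = build_frame("192.168.1.10", "10.0.0.53", 17,
                      struct.pack("!HHHH", 51000, 53, 20, 0) + bytes.fromhex("000101000001000000000000"))
ICMP_ECHO = build_frame("192.168.1.10", "10.0.0.5", 1,
                        struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")

if __name__ == "__main__":
    for frame in (TCP_SYN, UDP_DNS, ICMP_ECHO):
        print(rule_header(decode_frame(frame)))
    # Payload damage goes unnoticed by IP; header damage (here the TTL byte at frame offset 22) does not.
    print(header_intact(flip_byte(ICMP_ECHO, len(ICMP_ECHO) - 1)), header_intact(flip_byte(ICMP_ECHO, 22)))
```

Running the script prints one rule header per sample packet, then `True False`: the ICMP frame with a corrupted payload still decodes cleanly, while the same frame with one header byte changed fails the RFC 791 checksum. This is why a Snort rule that cares about payload contents has to inspect the payload itself (or rely on TCP/UDP checksums and preprocessors) rather than on anything the IP layer guarantees.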