Monthly Archives: July 2015

SNORT – Effective Rule Writing Techniques – Constraining Snort Content Matches with Keyword Modifiers

Snort IDS and IPS Toolkit (Jay Beale’s Open Source Security)

You can constrain the location and case-sensitivity of content searches with options that
modify the content keyword. Some examples are as follows:

Nocase – You can instruct the detection engine to ignore case when searching for content
matches in ASCII strings.

Offset – The offset keyword allows you to specify where the detection engine should
start searching for content within a packet, measured in bytes (note that the byte count
starts at byte 0). For example, if you add a content match with an offset value of 5, the
detection engine starts searching for the content at byte 5, counting from 0.
Using the offset keyword promotes more efficient searches by constraining the portion
of the packet payload that is searched, and it is useful in instances where you know that the
matching content will not appear in the first part of the packet. Conversely, be
sure not to set the offset value too stringently, because the detection engine will not inspect
the bytes that appear before the specified offset value.

Depth – The depth keyword allows you to specify the maximum search depth, in bytes,
from the beginning of the offset value, or, if no offset is configured, from the beginning of
the payload.

Distance – The distance keyword instructs the detection engine to look for subsequent
content matches that occur a specified number of bytes after the previous content match.
For example, if you set a distance value of 4, the detection engine starts searching for
the next content match four bytes after the end of the previous content match.

Within – The within keyword indicates that, to trigger the rule, the next content match
must occur within the specified number of bytes after the distance value or, if no distance is defined,
after the end of the previous content match. For example, if you specify a
within value of 8 and no distance, the next content match must occur within the eight
bytes following the previous content match, or it does not meet the criteria that trigger the rule.
The entire content string must fall within the value you specified.

Flow – You can use the flow keyword to leverage the work performed by the stream reassembly
preprocessor. Note that if you enable stream processing of UDP or ICMP in the stream
preprocessor, you can use this option for those protocols as well, even though they are not
connection-oriented protocols. The flow keyword allows you to specify the direction of the
traffic to which a rule applies, restricting the rule to either the client flow or the server flow.

By adding these keyword modifiers to your rules you enhance the overall performance of Snort, because the detection engine searches less of each payload and consumes fewer system resources.
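To make the window arithmetic concrete, here is an added Python model (not code from the book or from this post) of how the modifiers described above constrain where a content match may land. The payload, rule and function names are constructed for illustration, and the window rules follow the descriptions above rather than Snort's actual engine code.

```python
from typing import List, Optional, Tuple

# Constructed sample payload (not a real capture): a minimal HTTP request.
PAYLOAD = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: BadBot/1.0\r\n\r\n")


def find_content(payload: bytes, pattern: bytes, prev_end: Optional[int] = None,
                 offset: int = 0, depth: Optional[int] = None,
                 distance: int = 0, within: Optional[int] = None,
                 nocase: bool = False) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the first permitted match, or None.

    First content of a rule: the window is [offset, offset + depth).
    Later contents: the window is [prev_end + distance, prev_end + distance + within),
    i.e. relative to the end of the previous match. The whole pattern must fit
    inside the window, so a too-small within or too-large offset hides a match.
    """
    if prev_end is None:
        start = offset
        end = len(payload) if depth is None else offset + depth
    else:
        start = prev_end + distance
        end = len(payload) if within is None else start + within
    haystack, needle = payload[start:end], pattern
    if nocase:  # ASCII-only case folding, matching nocase on ASCII strings
        haystack, needle = haystack.lower(), needle.lower()
    idx = haystack.find(needle)
    if idx < 0:
        return None
    return (start + idx, start + idx + len(pattern))


def match_rule(payload: bytes,
               contents: List[Tuple[bytes, dict]]) -> Optional[List[Tuple[int, int]]]:
    """Apply an ordered list of (pattern, modifiers), like the content options of
    one rule: every content must match, each one relative to the previous match."""
    prev_end, matches = None, []
    for pattern, mods in contents:
        m = find_content(payload, pattern, prev_end, **mods)
        if m is None:
            return None
        matches.append(m)
        prev_end = m[1]
    return matches


# Model of: content:"GET"; depth:3; content:"user-agent"; nocase;
#           content:"BadBot"; distance:2; within:6;
RULE = [(b"GET", {"depth": 3}),
        (b"user-agent", {"nocase": True}),
        (b"BadBot", {"distance": 2, "within": 6})]

if __name__ == "__main__":
    print(match_rule(PAYLOAD, RULE))  # [(0, 3), (46, 56), (58, 64)]
```

Changing within:6 to within:5 makes the last content fail, because the six-byte string no longer fits inside the window, and an offset of 5 on the first content hides the "GET" at byte 0.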


GSEC GIAC Security Essentials Certification Practice Exam Quiz Questions

The GCIA practice exam is written and formatted by Certified Senior IT Professionals working in today’s prospering companies and data centers all over the world! The GCIA Practice Test covers all the exam topics and objectives and will prepare you for success quickly and efficiently. The GCIA exam is very challenging, but with our GCIA questions and answers practice exam, you can feel confident in obtaining your success on the GCIA exam on your FIRST TRY!

GIAC GCIA Exam Features
– Detailed questions and answers for the GCIA exam
– Try a demo before buying any GIAC exam
– GCIA questions and answers, updated regularly
– GCIA answers verified by experts, with almost 100% accuracy
– GCIA tested and verified before publishing
– GCIA exam questions with exhibits
– GCIA same questions as the real exam, with multiple choice options

GSEC GIAC Security Essentials Certification All-in-One Exam Guide


SANS GIAC Systems and Network Auditor GSNA Practice Exam Test Questions

The GSNA practice exam is written and formatted by Certified Senior IT Professionals working in today’s prospering companies and data centers all over the world! The GSNA Practice Test covers all the exam topics and objectives and will prepare you for success quickly and efficiently. The GSNA exam is very challenging, but with our GSNA questions and answers practice exam, you can feel confident in obtaining your success on the GSNA exam on your FIRST TRY!

GIAC GSNA Exam Features
– Detailed questions and answers for the GSNA exam
– Try a demo before buying any GIAC exam
– GSNA questions and answers, updated regularly
– GSNA answers verified by experts, with almost 100% accuracy
– GSNA tested and verified before publishing
– GSNA exam questions with exhibits
– GSNA same questions as the real exam, with multiple choice options

GIAC Systems and Network Auditor Certification Exam ExamFOCUS Study Notes & Review Questions 2012: Building your SANS GSNA exam readiness


Cisco Certified Network Associate (CCNA) Routing and Switching Exams 100-101, 200-101, and 200-120 Study Guide Quiz Questions PT. 5

CCNA Routing and Switching Deluxe Study Guide: Exams 100-101, 200-101, and 200-120


Cisco Certified Network Associate (CCNA) Routing and Switching Exams 100-101, 200-101, and 200-120 Study Guide Quiz Questions PT. 4

CCNA Routing and Switching Deluxe Study Guide: Exams 100-101, 200-101, and 200-120
