This is my fifth entry in my COMSEC2 learning log, and the end of COMSEC2 is near 😥 I know it’s sad, but continuing with COMSEC depends on the person, because security is an evolving subject: there are always possible new attacks and holes that hackers could exploit. Anyway, we had a Snort activity during our 9th week, and it was about how to implement rules in Snort. Since we already had experience with Snort, all we had to do was think about the formation of the rule and which protocols and ports we should use. The first rule was your basic alert on an Outbound Connection. Since the exercise stated that it should be outbound, we set the protocol to tcp and the outgoing IP address port to 80, which is HTTP specifically. The next rule to be created should detect a Telnet connection. The port for Telnet is 23, so we just copied the Outbound rule and replaced the port number and the message of the alert. The next rule we had to create was one that would detect an XMAS scan being conducted. For that rule, we had to research what an XMAS scan consists of. It contained the flags FIN, PSH, and URG. The last set of rules we had to create was to detect strings containing the keywords INSERT, DELETE, and SELECT. This was an important rule because these keywords could be possible SQL queries being conducted. Each of the rules was given a specific sid, or ID, so that it would uniquely identify the rule in the logs.
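The four rules described above, written out in Snort 2 rule syntax as an added example (not the rules from the original post or the class). The `$HOME_NET`/`$EXTERNAL_NET` variables are the standard ones from `snort.conf`, and the sid values in the 1000001+ local range are assumed, not taken from the post.

```snort
# Added example: Snort 2 local rules reconstructed from the activity described above.
# $HOME_NET / $EXTERNAL_NET are the variables defined in snort.conf.
# sid values are assumed (local rules conventionally use sid >= 1000000).

# 1. Basic alert on an outbound HTTP connection: a host inside HOME_NET
#    opening TCP port 80 toward the outside.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Outbound HTTP connection"; flow:to_server,established; sid:1000001; rev:1;)

# 2. Telnet connection: the outbound rule copied, with the port and message changed.
#    flags:S restricts it to the initial SYN so each connection logs once.
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Outbound Telnet connection"; flags:S; sid:1000002; rev:1;)

# 3. XMAS scan: FIN, PSH and URG set together (F=FIN, P=PSH, U=URG).
#    "flags:FPU" matches packets with exactly those three bits set;
#    a scan such as nmap -sX produces this combination.
alert tcp any any -> $HOME_NET any (msg:"Possible XMAS scan (FIN/PSH/URG)"; flags:FPU; sid:1000003; rev:1;)

# 4. SQL keywords in the payload. One rule per keyword so each has its own sid
#    and shows up separately in syslog. nocase makes the match case-insensitive.
#    Caveat for tuning: these fire on any payload containing the word
#    (web pages, e-mail), so expect false positives until you narrow the ports.
alert tcp any any -> $HOME_NET any (msg:"SQL keyword INSERT in payload"; content:"INSERT"; nocase; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL keyword DELETE in payload"; content:"DELETE"; nocase; sid:1000005; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL keyword SELECT in payload"; content:"SELECT"; nocase; sid:1000006; rev:1;)
```

Put these in `local.rules` (included from `snort.conf`) and run Snort with console alerting, e.g. `snort -A console -q -c /etc/snort/snort.conf -i <interface>`, to see each rule's msg as its traffic arrives.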
After creating all the rules, we ran into some initial problems, such as having to set up a virtual machine to test the Telnet connection and to install Nmap to scan. I thought it would be hard; I was wrong, and it was a breeze 🙂. We ran Snort first and executed the attacks, and instantly the syslog was getting the logs from Snort. It was awesome!! :)) I saw at the bottom of syslog that there were logs coming in from Snort in real time. I knew that this was an important lesson to remember, and I am going to keep on studying Snort. Thanks for reading! 🙂