15.4 The Snort Attack Detector

Snort is designed to, uh, snort (sniff) your network looking for patterns of known attacks and warn you. It has a very large database of more than 500 attack signatures and this database is kept up-to-date. It is an intrusion detection system (IDS), not a firewall. This means that it will detect problems but will not block them. An IDS assumes that someone will receive the warning and manually resolve the problem.
As an excellent example of Snort's power, here are the rules to catch the ILOVEYOU Windows worm discussed in "Desktop Policy" on page 344. This Snort trap was published the day after ILOVEYOU struck. Like many readers, I received a copy but, of course, Linux is immune unless you get carried away with MIME configuration. (Each rule is shown here on a single line.)

    alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
    alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
    alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)

Note that this is a very specific test. Within a few days, the worm had mutated because evil people simply changed certain insignificant aspects of it, and certain mutations will not be detected by this test. Note also that this simply warns of the virus; it does not block it. Blocking is discussed in "Using Sendmail to Block E-Mail Attacks" on page 393. Snort may be downloaded from www.snort.org/.
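To show how these rules behave, here is an added example (not from the book and not Snort's own code) that parses the three rules above into their header fields and content: options, and applies them to constructed sample payloads; it assumes only the alert/tcp/msg/content subset of Snort's rule language and the fact that every content: option in a rule must match (ports 110, 143 and 25 are POP3, IMAP and SMTP). The last check shows how a one-character change to the worm defeats such a literal signature.

```python
"""Minimal Snort-style rule matcher for the ILOVEYOU rules above.
Assumption (this is NOT Snort's code): only the 'alert' action, the 'tcp'
protocol, 'any' or one numeric port, and the msg/content options are handled.
"""
import re

SNORT_RULES = """
alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
"""

_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
_OPT = re.compile(r'(\w+):"([^"]*)"\s*;')

def parse_rules(text):
    """Parse one rule per line into dicts of header fields plus options."""
    rules = []
    for line in text.strip().splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            raise ValueError("unparseable rule: " + line)
        opts = _OPT.findall(m.group("opts"))
        rules.append({
            "proto": m.group("proto"),
            "sport": m.group("sport"), "dport": m.group("dport"),
            "msg": next(v for k, v in opts if k == "msg"),
            # Every content: option must be present; Snort ANDs them.
            "contents": [v.encode() for k, v in opts if k == "content"],
        })
    return rules

def _port_ok(rule_port, port):
    return rule_port == "any" or int(rule_port) == port

def match(rules, proto, sport, dport, payload):
    """Return the msg of every rule the given packet/stream triggers."""
    hits = []
    for r in rules:
        if r["proto"] != proto or not _port_ok(r["sport"], sport) \
                or not _port_ok(r["dport"], dport):
            continue
        if all(c in payload for c in r["contents"]):   # case-sensitive, as in Snort
            hits.append(r["msg"])
    return hits

# Constructed sample payloads (not real worm samples): a message carrying both
# signature strings, and a variant with one extra space that evades the rule.
ORIGINAL = b"Subject: ILOVEYOU\r\n\r\nrem barok -loveletter\r\nrem @GRAMMERSoft Group\r\n"
MUTATED = ORIGINAL.replace(b"rem barok -loveletter", b"rem barok  -loveletter")
```

Running match(parse_rules(SNORT_RULES), "tcp", 110, 49152, ORIGINAL) yields the incoming alert, the same payload sent to port 25 yields the outgoing alert, and MUTATED yields none.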