Attack Profiles

Attacks fall into patterns. One of the common ways to break into a system is through inherently insecure protocols, such as Network File System (NFS) and Trivial File Transfer Protocol (TFTP). So you might decide to write yourself some rules that detect any attempt to use these protocols from anywhere outside of your trusted network.
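As an added illustration (not taken from the book or from any distributed Snort rule set), rules of this kind might look like the following in Snort 2.x rule syntax. The trusted network 192.168.1.0/24, the message strings and the sid values are constructed for the example.

```snort
# Constructed example: the trusted network range below is an assumption.
# Newer Snort 2.9 builds prefer "ipvar" over "var" for address variables.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# TFTP: the first packet of a transfer goes to UDP port 69 and begins
# with a two-byte opcode (1 = read request, 2 = write request).
alert udp $EXTERNAL_NET any -> $HOME_NET 69 \
    (msg:"LOCAL TFTP read request from outside trusted network"; \
    content:"|00 01|"; depth:2; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 \
    (msg:"LOCAL TFTP write request from outside trusted network"; \
    content:"|00 02|"; depth:2; sid:1000002; rev:1;)

# NFS: the server normally listens on port 2049, over UDP or TCP.
alert udp $EXTERNAL_NET any -> $HOME_NET 2049 \
    (msg:"LOCAL NFS over UDP from outside trusted network"; \
    sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 \
    (msg:"LOCAL NFS connection attempt from outside trusted network"; \
    flags:S; sid:1000004; rev:1;)

# NFS clients usually ask the portmapper (port 111) where mountd and
# nfsd live, so an outside query there is an early sign of NFS probing.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 \
    (msg:"LOCAL portmapper query from outside trusted network"; \
    sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 \
    (msg:"LOCAL portmapper connection attempt from outside trusted network"; \
    flags:S; sid:1000006; rev:1;)
```

Sid values of 1000000 and above are the range reserved for locally written rules, so these will not collide with rules from a downloaded set.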

As we said in the last chapter, many attacks begin with reconnaissance using tools like nmap and queso to identify hosts and systems on your network and to look for potentially vulnerable services running on that network. Thus, another thing you might want is a collection of rules that can recognize a port scanner like nmap.

This is beginning to sound a bit daunting, isn't it? If you have to think up rules for every possible way your network might be probed or attacked from the outside, why, you could spend the rest of your life writing Snort rules, couldn't you? Yes, you could. But this is Free Software, remember. Someone has probably done most of this work already. I'll tell you more about that.

 



Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
EAN: 2147483647
Year: 2002
Pages: 257
