
Snort

.
TCP/IP .
.
. : .
:
:Sniffer -1 1 .
-2 : .
-3 :
. .
.

. .
2

. .

Console
False positive

1
2

.
.

. .

.
" "rule
:

Backdoor.rules
Bad-traffic.rules
Ddos.rules
Dos.rules
Exploit.rules
Malware-tools.rules
Scan.rules

.
.
sourcefire
. .
( )/etc/snort/snort.conf
.
. EXTERNAL_NET HOME_NET any IP
.
# .

. hping3
.
.

#!/bin/bash
# Traffic generator the page uses to exercise its scan.rules entries.
# The two nested loops walk every 192.168.i.j address for i,j in 1..254
# (254*254 targets) and issue nine hping3 probes against each one.
# The leading digits 1-9 on the hping3 lines are the document's figure
# labels (the prose refers to them as ":1" .. ":9"); they are not shell.
# Only line 1 is backgrounded; lines 2-9 run in the foreground, one after
# another, per target. Line 2 carries no packet count (-c) at all.
for i in `seq 1 254`;
do
for j in `seq 1 254`;
do
# 1: ICMP mode (-1), 100 packets; the subshell is backgrounded with its
#    output discarded. -q appears twice (harmless duplicate).
1 (hping3 -q -c 100 -1 192.168.$i.$j -I eth0 -q -i u100)&>/dev/null&
# 2: scan mode (-8) over the "known" port list with --flood and no -c.
2 hping3 --flood -8 known 192.168.$i.$j -I eth0 --quiet
# 3: SYN to port 21 with the source address (-a) set to the target itself
#    (the page labels this "land"), 20 packets.
3 hping3 --fast -c 20 -S -a 192.168.$i.$j -p 21 192.168.$i.$j
# 4: same pattern against port 22, 200 packets at the --faster rate.
4 hping3 --faster -c 200 -S -a 192.168.$i.$j -p 22 192.168.$i.$j
# 5: SYN+ACK (-SA), 20 packets.
5 hping3 -c 20 -I eth0 -SA 192.168.$i.$j
# 6: hping3 X flag (-X), 200 packets; presumably the traffic the page's
#    sid:3000002 rule (flags:E) is meant to match - confirm.
6 hping3 -c 200 --faster -X 192.168.$i.$j -I eth0
# 7: hping3 Y flag (-Y), 100 packets; presumably matched by sid:3000003
#    (flags:C) - confirm.
7 hping3 -c 100 --faster -Y 192.168.$i.$j -I eth0 --quiet
# 8: RST+ACK+FIN (-R -A -F) across destination ports 1024-10000, 15 packets
#    (page label "ResetAckFin").
8 hping3 -c 15 --faster --destport 1024-10000 -R -A -F 192.168.$i.$j -I eth0 --quiet
# 9: UDP mode (-2) to the "known" port list with -b, 20 packets.
9 hping3 -c 20 --fast -p known -b -2 192.168.$i.$j -I eth0
done
done

. ping :1 (ICMP, line 1 of the script)

: 2
.
:3 land . .
:4 land 22 .
:5 idle 22 .
:6 3 222 .
:7 4 122 .
:8 ResetAckFin .
:9 udp .

land 23
scan.rules /etc/snort/rules
scan.rules .
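# scan.rules entries (the page places the file in /etc/snort/rules).
# The printed copy was reversed by right-to-left text extraction: the `;"`
# opening each odd line closes the msg option, and the `);` opening each
# even line closes the rule. Reassembled here, one rule per line, which is
# how a Snort rule must be written.
# All four use flow:stateless, so a single packet matches without any
# established stream - a scan never completes a handshake. No threshold is
# set, so every matching packet raises its own alert; with the 200-packet
# bursts in the page's script an event_filter (or a detection_filter
# option) would be needed to rate-limit them. With HOME_NET and
# EXTERNAL_NET both apparently set to `any` on this page, the
# $EXTERNAL_NET -> $HOME_NET direction constraint is effectively void.
# SYN and FIN together, plus any other bits: never a legitimate combination.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF+; classtype:attempted-recon; sid:3000000;)
# Exactly ECE set; the page pairs this with hping3 -X (presumably the
# 0x40 bit) - confirm on a capture.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN hping3 Xmasscan"; flow:stateless; flags:E; classtype:attempted-recon; sid:3000002;)
# Exactly CWR set; the page pairs this with hping3 -Y - confirm likewise.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN hping3 Ymasscan"; flow:stateless; flags:C; classtype:attempted-recon; sid:3000003;)
# No flag bits at all (NULL scan).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULLscan"; flow:stateless; flags:0; classtype:attempted-recon; sid:3000004;)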

Xmas Scan
Null

3
4

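# Three further scan.rules entries. Each Snort rule must sit on a single
# line (or use `\` continuation); the page wraps them, so they are joined
# here. As above, flow:stateless matches single packets and no threshold
# is set, so one alert is raised per matching packet.
# ECE and CWR both set and nothing else. A real ECN-capable SYN carries
# these bits together with SYN, so this exact match should not fire on
# ordinary ECN negotiation. The page's script never sends the X and Y
# flags in one packet, so this rule is presumably not exercised by it.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN hping3 XYNscan"; flow:stateless; flags:EC; classtype:attempted-recon; sid:3000005;)
# FIN+PSH+URG exactly: Nmap's Xmas scan, per the msg.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Nmap Xmasscan"; flow:stateless; flags:FPU; classtype:attempted-recon; sid:3000006;)
# FIN alone, exactly: a lone FIN without ACK does not occur in a normal
# TCP session.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Nmap FINscan"; flow:stateless; flags:F; classtype:attempted-recon; sid:3000007;)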

hping3 Zenmap
hping3 .
. nmap Zenmap . 6.42 zenmap
.