<?xml version="1.0" encoding="utf-8"?>
<Module projectID="1264" moduleID="1445">
	<ModuleName>mod2</ModuleName>
	<AU>C02_M02</AU>
	<Title>NIDS Rule Fundamentals</Title>
	<Subtitle>NIDS Rule Fundamentals</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../C02_M02/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map. Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit. Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause. Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaidscr2_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the NIDS Rule Fundamentals lesson. When you have completed this lesson, you will be able to describe the benefits of using custom rules and why we will use Snort syntax to write rules for your network intrusion detection system, or NIDS. You will also be able to categorize the different components of a rule and the purpose of each primary rule option. Finally, you will use this information to write a NIDS rule using the primary rule options introduced in this lesson. There are five topics for this lesson. After completing the introduction, you will review the reasons for and benefits of creating custom rules for your NIDS. The lesson will then discuss the benefits of using Snort syntax and how it may apply across multiple types of NIDS. Finally, you will learn about the components of a NIDS custom rule and how to write a simple custom rule. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description, Course: D O D Intrusion Detection System (I D S) Analysis, Part 3, Module 2: DoD Network Intrusion Detection System (NIDS) Custom Rules Module, Lesson 2: NIDS Rule Fundamentals, For each screen you will hear a description. The description is cued by an audio tone. Listen to the description and then select the play audio narration button to continue. Screen 1 of 16. Lesson title: NIDS Rule Fundamentals. Topic title: Introduction. Screen title: Objectives and Topics. Five learning objectives display in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled Need for Custom Rules. The third topic is titled Snort. The fourth topic is titled Components of NIDS Rules. The fifth and final topic is the Conclusion. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Need for Custom Rules</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>IDS Administrator</Title>
					<Subtitle/>
					<Filename>disaidscr2_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As Computer Network Defense Infrastructure Support, or CND-IS, personnel, you have a great number of responsibilities, including the day-to-day tasks of maintaining sophisticated government and military networks, allocating resources to meet demand and provide security, and protecting your networks from various threats. As CND-IS personnel, you must consider the type of data that should and should not be on the network and the typical traffic patterns and peaks, and you can identify when a problem occurs in your organization's infrastructure. Because you cannot visually monitor everything all the time, you have installed a network intrusion detection system, or NIDS, as part of your detection-in-depth strategy, and CND analysts review the NIDS data. Yet intrusions continue to occur. Are you adequately prepared for the multitude of targeted events on government and military networks? </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 16. Topic Title: Need for Custom Rules. Screen title: I D S Administrator. The C N D-I S personnel image of a person sitting at a workstation with a visible monitor screen appears. The complex network image appears on screen containing multiple user workstations, servers, and a cloud labeled Trusted, all on one side of a firewall. On the other side of the firewall are images of a server labeled S M T P server, a router, a cloud labeled Untrusted, and a malicious actor. Additional servers and workstations appear to expand the trusted portion of the network. A line coming from the malicious actor is deflected by the firewall. The C N D I S personnel monitor displays ones and zeros streaming when one string of characters becomes highlighted in red. An exclamation mark appears above the C N D I S showing frustration. The C N D I S image is reset. The C N D I S monitor shows a data usage line chart with peak loads circled. An exclamation mark appears above the C N D I S showing frustration. The C N D I S image is replaced with just the computer monitor with ones and zeros streaming. Then the monitor is replaced with the C N D I S image. Smaller images of C N D I S personnel appear around the primary image. An exclamation mark appears above the C N D I S showing frustration. The screen concludes with a large superimposed question mark. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>NIDS and Targeted Malicious Events</Title>
					<Subtitle/>
					<Filename>disaidscr2_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Using an out-of-the-box, commercial NIDS has many advantages, such as a quick installation. All NIDS come with a set of default rules preinstalled. While this feature gets your NIDS running quickly, using only the default rule set has its limitations. A variety of industries and organizations purchase NIDS products, so, by design, default rules detect the most common exploitation techniques seen across a variety of organizations. As a result, the default rules will likely detect a limited number of potential intrusions and will often miss targeted events. Highly motivated individuals and organizations launch targeted malicious events against DoD networks. You should understand several factors about these targeted events in regard to your NIDS. These actors may know or infer what NIDS you run, or speculate that it is one of the commonly used commercially available NIDS. If malicious actors can determine the type of NIDS, they can attempt to evade it. Malicious actors know the default rule sets. To protect your organization's network, you should augment the vendor default rules by creating custom NIDS rules for your organization. Custom rules help you leverage the power of your NIDS! </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 16. Screen title: NIDS and Targeted Attacks. Image of a server labeled NIDS appears. Text displays, out of the box NIDS. Bulleted text displays and states: Ship with default set of rules. Default rules. Discover common attacks. Miss targeted events. Image of malicious attacker with label Targeted Attacks appears. Text displays, Targeted Malicious Actors. Bulleted text displays and states: May know or infer the type of NIDS. Will attempt to evade it. Know the default rule sets. Text displays reading Custom rules help you leverage the power of your NIDS!</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Snort®</Title>
					<Subtitle/>
					<Filename>disaidscr2_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">During this course you will use Snort syntax to write custom rules. Snort is an open source network intrusion prevention and detection system that uses a rule-driven language. Snort uses a variety of detection methods. Signature-based detection works much like anti-virus systems and compares previously identified exploit patterns with the current network flow. Anomaly-based detection establishes a baseline of normal network traffic and attempts to detect anomalous traffic that doesn't match the baseline. Protocol-based detection uses a set of rules running on the NIDS. The rules check for compliance with published protocol standards. Although many NIDS exist on the market, Snort remains the most commonly used. Even if you don't use Snort on your network, you should know it for several important reasons. Snort serves as the foundation for many commercial NIDS. Most NIDS will allow you to import and run custom rules using Snort syntax, because Snort's syntax is similar to that of most other rule languages in deployment. Due to these similarities, if you can write a quality Snort rule, you can write a quality rule for most other NIDS. For more information or to download the Snort User Manual, view the website snort.org. A link is available in the Resources for this course. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 16. Screen title: Snort. The Snort logo a cartoonish image of a pig with an oversized snout appears on screen with website address www dot snort dot org. Text displays, what is Snort? Bulleted text displays and states: An open source NIDS. Uses rule-driven language. Signature based. Anomaly based. Protocol based, and finally, most common NIDS. The bulleted text signature based becomes a roll-over and states: Uses previously identified attack patterns or signatures to compare with current network traffic. The bulleted text anomaly based becomes a roll-over and states: Establishes a baseline of normal network traffic and attempts to detect anomalous traffic that doesn't match the baseline. The bulleted text protocol based becomes a roll-over and states: Uses a set of rules running on the NIDS. The rules check for compliance with published protocol standards. Text displays, Why do you care about Snort? Bulleted text displays and states: Some commercial I D S iz are built upon Snort. Most I D S iz can import Snort rules directly. Most other I D S syntax rules are similar. If you can write a quality Snort rule you can write a quality rule for most other I D S iz.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Components of NIDS Rules</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview</Title>
					<Subtitle/>
					<Filename>disaidscr2_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To write efficient and effective NIDS custom rules, you need to know the components of a rule and what those components mean. A NIDS rule consists of two parts: the header and the options. The rule header describes what the rule does and identifies the IP addresses, protocol, and ports to be monitored. A rule header may tell a rule to send an alert or log a packet from a specific machine or port. The rule options define what the rule will monitor for and what message to send when a specific character string in the data is discovered. In addition, rule options uniquely identify the rule. As you will discover in this course, many rule options exist. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 16. Topic Title: Components of NIDS Rules. Screen title: Overview. Text displays A NIDS rule. The image of a NIDS rule displays, and the rule states: alert space t c p space any space any space dash greater than sign space any space eighty space open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space c o n t e n t colon open quotation mark upper case B A D close quotation mark semicolon space s i d colon one million one semicolon space r e v colon one semicolon close parentheses. A portion of the rule stating: alert space t c p space any space any space dash greater than sign space any space eighty; is copied from the rule image into a new separate image and labeled rule header. The remaining portion of the rule image stating: open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space c o n t e n t colon open quotation mark upper case B A D close quotation mark semicolon space s i d colon one million one semicolon space r e v colon one semicolon close parentheses; is copied into a separate new image file labeled rule options. Bulleted text displays below rule header: Describes the actions or what the rule does. Identifies the I P addresses and ports. Bulleted text displays below rule options: Content. Message. Unique rule identifiers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Rule Header Details</Title>
					<Subtitle/>
					<Filename>disaidscr2_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's take a look at a sample NIDS rule. The rule header consists of seven components; each helps identify the specific type of traffic that you wish to monitor. First is the Action. The action component describes what the rule will do. Next is the Protocol, which identifies the type of traffic being monitored. Source IP identifies the specific IP address or addresses whose outgoing traffic you want to monitor. The Destination IP Address, by contrast, identifies the host or network whose incoming traffic you want to monitor. Source Port identifies which port or ports the monitored traffic must come from. Destination Port, again by contrast, identifies which port or ports the monitored traffic must be going to. Direction identifies the direction of data flow that the rule will monitor. Now that you know the NIDS rule components, explore each of them in more depth. Select each component to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Rule Header Details</Title>
							<Subtitle/>
							<Filename>disaidscr2_06_01</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">What does a rule header action component do? In this example, &quot;alert&quot; is the action. The action component of the rule defines what will happen when a packet matching the criteria is discovered. There are several action commands that you can use when writing a custom rule. The three most commonly used actions are the &quot;alert&quot; action, which sends an IDS alert and logs the packet; the &quot;log&quot; action, which simply logs the packet, without sending an alert or performing any other activity; and the &quot;pass&quot; action, which ignores the packet. Other actions are available for flexible response and IPS modes of the NIDS. You can find out more about these actions in the Snort User Manual from Resources. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Action</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 5. Popup title: Action. Reprise of rule header image displays with the text, alert highlighted. A table displays with two columns labeled action and description. Alert displays in the action column with the description, sends an I D S alert and logs the packet. The next row displays log in the action column and the description, logs the packet. The final row displays pass in the action column and the description ignores the packet. Text displays other actions are available for flexible response and I P S modes. Flexible response becomes a roll-over and reads: A command instructing the NIDS to issue reset commands when the rule is triggered. The text I P S becomes a roll-over and states: A command instructing the I D S to drop traffic when the rule is triggered. An I D S configured for this action is typically referred to as an intrusion prevention system or I P S.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Header Details</Title>
							<Subtitle/>
							<Filename>disaidscr2_06_02</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The protocol component identifies which protocol the rule monitors. In this example, &quot;tcp&quot; serves as the protocol. Currently Snort only analyzes four protocols: IP, ICMP, TCP, and UDP. You should be aware that when using IP as the protocol component, Snort will automatically monitor both IPv4 and IPv6 traffic. While most NIDS support IPv6, analysis of IPv6 traffic may not be fully accurate and the NIDS may miss some of this traffic because IPv6 is currently immature in its development. However, monitoring for IPv6 traffic is important. Machines running Microsoft Windows Vista and newer operating systems come dual-stacked with both IPv4 and IPv6. Unless you have manually disabled IPv6 on these machines, you may have the IPv6 protocol running unmonitored on your internal network. How do you know? Have you tested your network for IPv6 traffic? Have you secured IPv6 traffic by regular monitoring of your network? </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Protocol</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 5. Popup title: Protocol. Reprise of rule header image displays with the text, t c p highlighted. The protocols: I p, t c p, I c m p, and u d p; display on the screen. Text displays, using I P protocol monitors both I P v 4 and I P v 6 traffic. Additional text displays, do you know? All Windows O S versions since Windows Vista are dual stacked with I P v 4 and I P v 6. Machines may be running I P v 6 internally undetected. Have you tested for it? Have you secured it? The text, have you tested for it becomes a roll-over and states: How do you know? Have you tested your network for I P v 6 traffic? The text, have you secured it, becomes a roll-over and states: Have you secured I P v 6 traffic by regular monitoring of your network?</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Header Details</Title>
							<Subtitle/>
							<Filename>disaidscr2_06_03</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Now we'll look at the source and destination IP address. In this example, &quot;any&quot; represents the source IP address component of the rule header. The source IP address identifies which address or addresses you would like your rule to monitor for originating traffic. In this example, the destination IP address is also &quot;any.&quot; The destination IP identifies the addresses to which the network traffic is sent. You can write the custom NIDS rule to monitor an individual IP address, blocks of addresses, or a series of individual addresses. To write a custom rule to apply to traffic originating from all IP addresses, use &quot;any.&quot; To monitor traffic from a specific source, you can use the individual IP address. The same applies if you want to monitor an IPv6 address. You can also write a rule to monitor traffic originating from a classless inter-domain routing, or CIDR, block. To designate the subnet of addresses to monitor, use forward slash and the appropriate CIDR notation. In our example, 192.168.1.0/24, the rule will be applied to all traffic originating from 192.168.1.1 through 192.168.1.255. To monitor traffic from multiple sources, list the specific IP addresses separated by a comma inside of square brackets. Be sure not to use spaces between IP addresses. Using a space may cause the rule to miss data. To write a custom rule to monitor all originating IP traffic except for specific addresses, use the negation operator. By writing an exclamation mark before a specific IP address you will exclude that address from monitoring. To exclude multiple addresses you can write an exclamation mark before the opening bracket. Remember, there is NO space between the exclamation mark and the IP address or bracket. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Source and Destination IP Address</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 5. Popup title: Source and Destination I P Address. Reprise of rule header image displays with the first and third text any highlighted. The first any displays a pointer labeled Source I P Address and the second any displays pointer labeled Destination I P Address. A table displays with two columns labeled Example Syntax and Description. The table lists the following syntax and description pairs: any described as any I P address. 1 9 2 dot 1 6 8 dot 1 dot 1 described as a specific I P address. F e 8 0 colon colon 3 d c 1 colon d 0 a 2 colon c 2 a colon c 8 7 described as I P v 6 also works. 1 9 2 dot 1 6 8 dot 1 dot 0 forward slash 24 described as a CIDR netblock. A call out from this row displays and states, 1 9 2 dot 1 6 8 dot 1 dot 0 forward slash 24 monitors 1 9 2 dot 1 6 8 dot 1 dot 0 through 1 9 2 dot 1 6 8 dot 1 dot 2 5 5. The acronym CIDR becomes a roll-over and reads: classless inter-domain routing. The next row in the table states open square bracket 1 9 2 dot 1 6 8 dot 1 dot 2 comma 1 9 2 dot 1 6 8 dot 1 dot 7 close square bracket described as individual I P addresses. The last table entry is exclamation mark open square bracket 1 9 2 dot 1 6 8 dot 1 dot 1 comma 1 9 2 dot 1 6 8 dot 1 dot 9 close square bracket described as not these I Peas. Outside of the table text displays No space between I P addresses in a series. No space between the exclamation mark and I P address or opening bracket.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Header Details</Title>
							<Subtitle/>
							<Filename>disaidscr2_06_04</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Let's take a look at the source port in the rule header. In this example, &quot;any&quot; is the source port component of the rule header. The source port identifies which port or range of ports you want the rule to test against. In this example, the destination port is 80. The destination port identifies the port or ports to which the monitored traffic is being sent. To write custom rules to apply to traffic originating from all ports, use &quot;any.&quot; To monitor traffic from a specific port, you can use the individual port number, also called a static port. You can write custom rules to monitor a range of ports using the range operator, which is represented by a colon, between the first port in the range and the last port. You can write custom rules to monitor ports from a beginning port number and higher by writing the port number followed by the range operator. To write a rule to monitor all ports, except for a specific port or range of ports, use the negation operator. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Source and Destination Port</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 5. Popup title: Source and Destination Port. Reprise of rule header image displays with the second any and the 80 highlighted. The second any displays a pointer labeled Source Port and the 80 displays pointer labeled Destination Port. A table displays with two columns labeled Example Syntax and Description. The table lists the following syntax and description pairs: any described as any port. 80 described as a specific port. One thousand twenty four colon six thousand described as port range one thousand twenty four through six thousand. one thousand twenty four colon described as port range one thousand twenty four and higher through sixty five thousand five hundred thirty five. The last table entry is exclamation mark twenty three described as not this port. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Header Details</Title>
							<Subtitle/>
							<Filename>disaidscr2_06_05</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Now we'll discuss the direction component of the rule header. When discussing the direction of the rule, the term source refers to the source IP and source port written in the rule. The term destination refers to the destination IP and destination port of the rule. In this example, the rule monitors traffic coming from the source to the destination. This option identifies the direction you want the rule to test against. There are only two direction operators available. To write a custom rule to apply to traffic originating from the source and sent to the destination, use a dash followed by the greater than sign. You can monitor traffic flowing in either direction by using the bidirectional operator, which is the combination of the less than sign and the greater than sign. The reverse directional operator is not valid and will not work. You can write a rule testing for data flowing in the opposite direction by switching the source components with the destination components. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Direction</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 5. Popup title: Direction. Reprise of rule header image displays with the dash greater than sign highlighted. A table displays with two columns labeled Example Syntax and Description. The table lists the following syntax and description pairs: the directional indicator dash greater than sign described as data flow from the client to the server. The directional indicator, less than sign greater than sign, described as data flowing in either direction. Text outside of the table displays the directional indicator less than sign dash is not valid. To represent data flowing from server to client swap the source and destination rule components.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 16. Screen title: Rule Header Details. The rule image displays. The rule header: alert space t c p space any space any space dash greater than sign space any space eighty; is extracted, enlarged, and copied into a separate image. Five text labels display on screen. The first states: Action describes what the rule does; and with a line points to the text alert in the rule header image. The second label states: Protocol identifies which protocol will be monitored; and with a line points to the text t c p in the rule header image. The third states Source and Destination I P identifies which address or addresses will be monitored; and with a line points to the first and third any in the rule header image. The fourth states Source and Destination Port identifies which port will be monitored; and with a line points to the second any and eighty text in the rule header image. The final label states Direction identifies the flow of the data to be monitored; and with a line points to the dash greater than sign in the rule header image. Each label becomes a link to a pop-up and text displays, select each rule header component to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Rule Option Syntax</Title>
					<Subtitle/>
					<Filename>disaidscr2_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The rule options of a NIDS rule consist of various components depending upon what you are trying to monitor. No matter what components are present, the rule option syntax always remains the same. When writing the rule options of the NIDS rule, make sure to enclose them in parentheses. Use a colon to separate the keyword from its option in each keyword-option pair. Do not insert a space before or after the colon. Use a semicolon to separate multiple keyword-option pairs. Be sure to include the final semicolon after the last keyword-option pair and before the closing parenthesis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 16. Screen title: Rule Option Syntax. Reprise of rule image displays. The rule option: open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space c o n t e n t colon open quotation mark upper case B A D close quotation mark semicolon space s i d colon one million one semicolon space r e v colon one semicolon close parentheses; is extracted, enlarged, and copied into a separate rule option image. Text displays syntax for rule options. Bulleted text displays written inside of parentheses. While audio plays the open and close parentheses highlight. The second bullet displays Keyword-option pair separated by a colon. While audio plays, the m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark and c o n t e n t colon open quotation mark upper case B A D close quotation mark and s i d colon one million one and r e v colon one are highlighted. The bulleted text keyword-option becomes a roll-over and states: The rule option component consisting of the keyword and content separated by a colon. The third bulleted text displays multiple keyword-option pairs separated by a semicolon. While the audio plays the semicolons are highlighted in the rule option image. Last bulleted text displays final semicolon is required after the last option.</ContentDescription></Sec508Data></Page>
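				<![CDATA[
The rule syntax described on the Rule Header Details and Rule Option Syntax screens above (and the content option's pipe-enclosed hex form described in the Rule Options popups) as a worked example: a small Python parser and matcher written for this page, not Snort's own code and not part of the original lesson. The function names, the packet dictionary shape, and the sample rules and packets are constructed for illustration; the syntax rules it enforces (the "ip" protocol covering IPv4 and IPv6, the negation, CIDR, list and range forms, the two valid direction operators, parentheses, colon, final semicolon, backslash escapes and hex in pipes) are the ones the lesson states.

```python
import ipaddress
import re

ACTIONS = {"alert", "log", "pass"}         # the three actions the lesson covers
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}    # the four protocols Snort analyzes
DIRECTIONS = {"->", "<>"}                   # "<-" is not valid and is rejected

def parse_ip_spec(spec):
    """any | addr | cidr | [a,b] | !addr | ![a,b]  ->  (negated, networks or None)."""
    if spec == "any":
        return False, None
    body = spec.lstrip("!").strip("[]")     # brackets enclose a comma-separated list
    return spec.startswith("!"), [ipaddress.ip_network(a, strict=False) for a in body.split(",")]

def parse_port_spec(spec):
    """any | 80 | 1024:6000 | 1024: | !23  ->  (negated, low, high)."""
    if spec == "any":
        return False, 0, 65535
    lo, colon, hi = spec.lstrip("!").partition(":")   # ':' is the range operator
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 65535) if colon else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port specification: {spec}")
    return spec.startswith("!"), low, high

def decode_content(value):
    """Decode a quoted content value: ASCII text plus |hex| byte groups, e.g. |47 45 54| is b'GET'."""
    out, in_hex, hexbuf, text, i = bytearray(), False, "", value.strip('"'), 0
    while i < len(text):
        ch = text[i]
        if in_hex and ch == "|":            # closing pipe: flush the hex bytes
            out += bytes.fromhex(hexbuf); in_hex, hexbuf = False, ""
        elif in_hex:
            hexbuf += ch                    # fromhex() tolerates spaces between bytes
        elif ch == "|":
            in_hex = True
        elif ch == "\\" and i + 1 < len(text):
            i += 1; out += text[i].encode()  # backslash escapes ; : " | and backslash
        else:
            out += ch.encode()
        i += 1
    if in_hex:
        raise ValueError("hexadecimal content is missing its closing pipe")
    return bytes(out)

def parse_options(text):
    """'(msg:"x"; sid:1;)' -> [("msg", '"x"'), ("sid", "1")], enforcing the syntax."""
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("rule options must be enclosed in parentheses")
    inner = text[1:-1].strip()
    if not inner.endswith(";"):
        raise ValueError("final semicolon required after the last keyword-option pair")
    pairs = []
    # split only on unescaped separators, so "\;" and "\:" survive inside values
    for pair in filter(None, map(str.strip, re.split(r"(?<!\\);", inner[:-1]))):
        parts = re.split(r"(?<!\\):", pair, maxsplit=1)
        if len(parts) != 2 or parts[0] != parts[0].rstrip() or parts[1] != parts[1].lstrip():
            raise ValueError(f"write keyword:option with no space around the colon: {pair}")
        pairs.append(tuple(parts))
    return pairs

def parse_rule(line):
    """Split a rule into its seven header components and its parsed options."""
    head, paren, rest = line.partition("(")
    if not paren or len(fields := head.split()) != 7:
        raise ValueError("need 7 header fields then (options); check for stray spaces")
    action, proto, sip, sport, direction, dip, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in DIRECTIONS:
        raise ValueError(f"invalid action, protocol or direction in: {head.strip()}")
    opts = parse_options("(" + rest.strip())
    return {"action": action, "proto": proto, "direction": direction,
            "src_ip": parse_ip_spec(sip), "src_port": parse_port_spec(sport),
            "dst_ip": parse_ip_spec(dip), "dst_port": parse_port_spec(dport),
            "msg": next((re.sub(r"\\(.)", r"\1", v.strip('"')) for k, v in opts if k == "msg"), ""),
            "contents": [decode_content(v) for k, v in opts if k == "content"]}

def check_rule(line):                       # None if the rule parses, else the error message
    try:
        parse_rule(line)
    except ValueError as err:               # ours, plus bad int() / ip_network() values
        return str(err)

def _endpoint_ok(ip_spec, port_spec, addr, port):
    (negated, nets), (pneg, low, high) = ip_spec, port_spec
    ip_ok = nets is None or any(ipaddress.ip_address(addr) in n for n in nets) != negated
    return ip_ok and (low <= port <= high) != pneg

def rule_matches(rule, pkt):
    """pkt: dict(proto, src, sport, dst, dport, payload) describing one packet."""
    fwd = (_endpoint_ok(rule["src_ip"], rule["src_port"], pkt["src"], pkt["sport"])
           and _endpoint_ok(rule["dst_ip"], rule["dst_port"], pkt["dst"], pkt["dport"]))
    rev = (rule["direction"] == "<>"        # bidirectional: also try the swapped endpoints
           and _endpoint_ok(rule["src_ip"], rule["src_port"], pkt["dst"], pkt["dport"])
           and _endpoint_ok(rule["dst_ip"], rule["dst_port"], pkt["src"], pkt["sport"]))
    return (rule["proto"] in ("ip", pkt["proto"]) and (fwd or rev)   # "ip" covers IPv4 and IPv6
            and all(c in pkt["payload"] for c in rule["contents"]))  # case-sensitive; all must appear

LESSON_RULE = 'alert tcp any any -> any 80 (msg:"Bad Traffic"; content:"BAD"; sid:1000001; rev:1;)'  # the lesson's rule
MIXED_RULE = ('alert tcp ![192.168.1.1,192.168.1.9] 1024: -> 192.168.1.0/24 !23 '   # constructed sample
              '(msg:"Admin path\\: GET"; content:"|47 45 54| /admin|0d 0a|"; sid:1000002; rev:1;)')
```

Runs on Python 3.8 or newer; rule_matches() expects the packet as a dictionary with proto, src, sport, dst, dport and payload (bytes), and check_rule() returns the syntax rule a malformed rule breaks.
				]]>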
				<Page>
					<Title>Rule Options</Title>
					<Subtitle/>
					<Filename>disaidscr2_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You have many choices to select from when writing rule options. There are several commonly used keyword options that are important to know. They are: message, content, Snort ID, revision, and classification type. Select each keyword-option to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Rule Options</Title>
							<Subtitle/>
							<Filename>disaidscr2_08_01</Filename>
							<PageNbr>8</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The message keyword option identifies what message to send or log as part of the alert. The message content may contain any text. If your text string contains a character like a colon, which may conflict with the rule parser, use the escape character, backslash. You need to know the format for writing a message option in a rule. The message keyword option is identified by msg colon, followed by the message content enclosed in quotation marks, and completed with a semicolon. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Message</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 5. Popup title: Message. Text displays, keyword option: message. Bulleted text displays: Defines what message to send with the alert. May contain any text. Use the backslash to escape a character. For example, the colon character would be written backslash colon. Image of message rule option appears with corresponding portions highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Options</Title>
							<Subtitle/>
							<Filename>disaidscr2_08_02</Filename>
							<PageNbr>8</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The content keyword option is one of the most important functions for writing NIDS rules. It defines exactly what character string to search for in the data packet. The content rule option searches for plain text or ASCII characters, hexadecimal content, or a combination of the two. When you use ASCII or plain text characters in the content option, the characters are case sensitive by default. If your character string contains ASCII text such as a semicolon, which may conflict with the rule parser, use the escape character, backslash. Here is the format to write a content rule option searching for a character string containing only ASCII content. The content keyword option is identified by content colon, followed by the content character string enclosed in quotation marks, and completed with a semicolon. You use the same format when searching for a string containing hexadecimal content, but you use the pipe symbol to enclose the hexadecimal character string, with no space before or after the pipe symbol. You can separate single bytes of data with a space. In this example, you can see the pipe symbols used to enclose the hexadecimal characters. When you need a search string containing both ASCII and hexadecimal content, the same rule parameters apply for each content type, with the pipe symbol enclosing the hexadecimal character string wherever it appears in the content. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Content</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 5. Popup title: Content. Text displays, keyword option: content. Bulleted text displays: Defines what character string to match against the data packet, and searches ASCII, hexadecimal, or a combination of character strings. Column title displays, ASCII content. Bulleted text displays: case sensitive by default, and use the backslash to escape a character. For example, the semicolon character would be written backslash semicolon. Rule option content image displays and states, content colon open quotation marks upper case B A D close quotation marks semicolon. A second column title displays, hexadecimal content. Bulleted text displays, use pipe symbol to enclose. Second bulleted text displays, no space before or after the pipe symbol. The final bulleted text displays and states, separate single bytes of data with white space. For example, zero zero space zero one space five c. A second rule option content image displays and states, content colon open quotation marks pipe zero zero space two zero space five d pipe close quotation marks semicolon. Third column title displays, ASCII and hexadecimal content. The two rule option images merge to form a new image stating: content colon open quotation marks upper case B A D pipe zero zero space two zero space five d pipe close quotation marks semicolon.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Options</Title>
							<Subtitle/>
							<Filename>disaidscr2_08_03</Filename>
							<PageNbr>8</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The Snort ID, or sid, identifies each rule. You need to use a unique sid for each new custom rule. The sid for custom rules should begin at 1,000,000. The reason for this starting number is that numbers 0 through 99 are reserved for future use. The range from 100 to 999,999 is used for default rules, leaving 1,000,000 and higher for you to use when writing custom rules. You need to know the format for writing a Snort ID option in a rule. The Snort ID keyword option is identified by sid colon, followed by the unique ID number, and completed with a semicolon. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Snort ID</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 5. Popup title: Snort ID. Text displays, keyword option: Snort I D. Bulleted text displays: Unique rule identifier. Each rule must have a unique SID. Custom SIDs should begin at one million. A table displays with two columns labeled: Sid Number and Description. The table lists the following sid numbers and descriptions: zero through ninety-nine, described as reserved. One hundred through nine hundred ninety-nine thousand nine hundred ninety-nine, described as reserved for official Snort rules. The final row states one million and higher, described as for custom rule use. The sid rule option image displays stating: sid colon one million one semicolon.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Options</Title>
							<Subtitle/>
							<Filename>disaidscr2_08_04</Filename>
							<PageNbr>8</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The revision option is used to track changes as you modify rules. As a best practice, use the revision option to ensure the most recent rule is running on your NIDS. You need to know the format for writing a revision option in a rule. The revision option is identified by rev colon, followed by the revision number, and completed with a semicolon. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Revision</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 5. Popup title: Revision. Text displays, keyword option: revision. Bulleted text displays: Tracks updates to rules. Ensures most recent rule is running on NIDS. The revision rule option image appears stating: rev colon one semicolon.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Rule Options</Title>
							<Subtitle/>
							<Filename>disaidscr2_08_05</Filename>
							<PageNbr>8</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The classification keyword identifies an event by type of exploit to better organize NIDS data. Snort has a default classification table for you to use. The default classifications are organized by priority: high, medium, and low. You need to know the format for writing a classification option in a rule. The classification keyword option is identified by classtype colon, followed by the appropriate classtype from the default classification table, and completed with a semicolon. To view the Snort Table of Classification, select table of classification. You can also find this document in the Resources of this course. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Classtype</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 5. Popup title: Classtype. Text displays, keyword option: classtype. Bulleted text displays: Identifies event by exploit type. Uses default table of classifications by Snort. Organized by high, medium, or low priority. The text, table of classifications, becomes a link to the Snort default classification P D F document located in resources. The classtype rule option image appears stating: classtype colon attempted-recon semicolon.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 16. Screen title: Rule Options. The reprised rule image displays behind the reprised rule options image. Five text labels display on screen. The first states: Message, with a line pointing to the message in the rule option image. The second label states: Content, with a line pointing to the content in the rule option image. The third states: Snort ID, with a line pointing to the sid in the rule option image. The fourth states: Revision, with a line pointing to the rev in the rule option image. The final label states: classtype. Each label becomes a link to a pop-up, and text displays, select each keyword option to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Example—PHI Transaction</Title>
					<Subtitle/>
					<Filename>disaidscr2_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Now that you have learned the fundamentals of NIDS rules, you can apply these custom rules in action. You are a systems administrator for a military hospital. You want to check the effectiveness of the installed NIDS. Specific to your organization, you know that network security measures are in place, that protected health information, or PHI, transactions must be encrypted for patient privacy, and that PHI transactions can occur via a number of protocols, including databases, file transfers, and emails. To verify the information on your network is protected, you decide to test your NIDS to see whether any unencrypted PHI transactions exit the network. You know that HIPAA transaction codes should not be visible if the data is encrypted correctly. You decide to search for the transaction code 004010X092, which is a string of text distinct from non-PHI traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 16. Screen title: Example - P H I Transaction. Image displays of a hospital exterior. Text displays, Systems Administrator for V A Facility. Bulleted text displays: Check effectiveness of data security. P H I transactions must be encrypted. P H I transactions occur in multiple protocols. Image appears of a checklist with text stating, Test it! Additional text displays, HIPAA transaction code zero zero four zero one zero x zero nine two.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Example—PHI Transaction Rule</Title>
					<Subtitle/>
					<Filename>disaidscr2_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Male Narrator: Hmmmm, what action will be best for this rule? I need to know when the system detects a HIPAA transaction code, and I want to save a copy of the packet for further investigation. &quot;Alert&quot; represents the best action. I could test several protocols, but &quot;tcp&quot; would be the most commonly used protocol. I want to check all machines inside the firewall, so that is &quot;$HOME_NET.&quot; This information could leave the network in multiple formats, so I will test on all ports. That means I should use the &quot;any&quot; command. I should check all traffic both coming and going from the network, so only the bidirectional operator makes sense. I should use &quot;$EXTERNAL_NET&quot; to test for any destination outside of the network and &quot;any&quot; as the destination port. Now that I have a complete header, what options will work best? Of course I will need a message, and it should read &quot;Unencrypted HIPAA Transaction (Health Care Eligibility Benefit Inquiry and Response).&quot; I don't need the escape character since the parentheses fall inside of the quotation marks. Oh, I can't forget the semicolon. Let's see, I will set the content next. The colon goes between the command and content, which is an easy command to remember. I am searching for 004010X092 in quotation marks, followed by a semicolon. This qualifies as a policy violation. Classtype colon represents that command. Where is that chart? Here it is. Policy-violation is the operator, which is a high-priority operator. The unique rule id is 1000092, and it's the first version of the rule, so I'll use rev colon one. Close the parentheses and that completes the rule. Phew! I think I've got it! Main Narrator: Roll over each of the rule components to review. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 16. Screen title: Example - P H I Transaction Rule. Computer monitor screen image displays. In support of audio, text appears on the computer monitor image. After the rule is completed, the rule components become rollovers. alert t c p $ HOME_NET any &lt;&gt; $ EXTERNAL_NET any is described as: the rule header tells the action. This example will send an alert for T C P traffic sent between HOME_NET and EXTERNAL_NET on any port that matches the rule options. Open parentheses m s g colon open quotation mark Unencrypted HIPAA Transaction Health Care Eligibility Benefit Inquiry and Response close quotation mark semicolon displays the message component, which states the exact text of the alert message. content colon open quotation marks zero zero four zero one zero x zero nine two close quotation marks semicolon rollover displays, the content component determines what the rule searches for within the data packet. In this example, the rule searches for zero zero four zero one zero x zero nine two. Classtype colon policy dash violation semicolon rollover displays, the classtype component categorizes the rule. In this example, he selected policy-violation, which is a high priority. Sid colon one million ninety two semicolon rollover displays the description: the Snort ID identifies the rule with a unique number. The last rollover, rev colon one semicolon close parentheses, displays the description: the revision helps track the version of the rule.</ContentDescription></Sec508Data></Page>
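The option syntax from the Rule Options screen and the PHI rule assembled on this screen, worked through as an added Python example (not part of the course, and not Snort's own parser): it splits the rule-option part exactly as the lesson describes it, turns a content string with pipe-enclosed hex into the bytes searched for, flags a sid outside the custom range, and runs the content match against two constructed payloads. The X12 fragment, the TLS-like bytes, and the function names are assumptions made for this example.

```python
"""Parser for the rule-option part of a Snort rule as this lesson describes it: options
in parentheses, keyword:option pairs, semicolons between pairs and after the last one,
backslash escapes, and hex bytes enclosed in pipes inside a content string."""
import re

# sid ranges from the lesson: 0-99 reserved, 100-999,999 default rules, 1,000,000+ custom
NON_CUSTOM_SIDS = range(0, 1_000_000)

def unescape(text):
    """Drop the backslash from escaped characters such as \\: or \\;"""
    return re.sub(r"\\(.)", r"\1", text)

def split_options(option_text):
    """Split '(k:v; k:v;)' into [(keyword, raw_value), ...] or raise ValueError."""
    text = option_text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("rule options must be enclosed in parentheses")
    pairs, current, escaped = [], [], False
    for ch in text[1:-1]:
        if escaped:  # an escaped ';' or ':' is data, not a separator
            current.append("\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            pairs.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped or "".join(current).strip():
        raise ValueError("a semicolon is required after the last option")
    result = []
    for pair in pairs:
        keyword, colon, value = pair.strip().partition(":")
        if not colon:
            raise ValueError(f"keyword and option need a colon between them: {pair!r}")
        result.append((keyword.strip().lower(), value.strip()))
    return result

def quoted_value(raw):
    """Strip the quotation marks the lesson requires around msg and content."""
    if not (len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')):
        raise ValueError(f"value must be enclosed in quotation marks: {raw!r}")
    return raw[1:-1]

def parse_content(raw):
    """Turn "BAD|00 20 5d|" into the bytes to search for: literal ASCII (case sensitive)
    outside the pipes, white-space separated hex bytes inside them."""
    chunks = quoted_value(raw).split("|")
    if len(chunks) % 2 == 0:
        raise ValueError("pipe symbols must enclose the hexadecimal content")
    pattern = bytearray()
    for index, chunk in enumerate(chunks):
        if index % 2 == 1:
            for byte_text in chunk.split():
                if len(byte_text) != 2:
                    raise ValueError(f"hex content is written one byte at a time: {byte_text!r}")
                pattern.append(int(byte_text, 16))
        else:  # a space next to a pipe on this side becomes a literal space byte
            pattern.extend(unescape(chunk).encode("ascii"))
    return bytes(pattern)

def parse_rule_options(option_text):
    """Return the keyword options this lesson covers, plus warnings about the sid."""
    rule = {"msg": None, "content": [], "sid": None, "rev": None,
            "classtype": None, "warnings": []}
    for keyword, value in split_options(option_text):
        if keyword == "msg":
            rule["msg"] = unescape(quoted_value(value))
        elif keyword == "content":
            rule["content"].append(parse_content(value))
        elif keyword in ("sid", "rev"):
            rule[keyword] = int(value)
        elif keyword == "classtype":
            rule["classtype"] = value  # a name from Snort's classification table
        else:
            rule["warnings"].append(f"keyword not covered in this lesson: {keyword}")
    if rule["sid"] is None:
        rule["warnings"].append("every rule needs a unique sid")
    elif rule["sid"] in NON_CUSTOM_SIDS:
        rule["warnings"].append(f"custom rules start at sid 1000000, not {rule['sid']}")
    return rule

def matches(rule, payload):
    """True when every content pattern is found in the payload (exact byte match)."""
    return all(pattern in payload for pattern in rule["content"])

# The PHI rule options from the lesson, run against two constructed payloads: a
# plain-text X12 fragment carrying the code, and opaque bytes standing in for TLS.
PHI_RULE = ('(msg:"Unencrypted HIPAA Transaction (Health Care Eligibility Benefit '
            'Inquiry and Response)"; content:"004010X092"; '
            'classtype:policy-violation; sid:1000092; rev:1;)')
UNENCRYPTED_PAYLOAD = b"GS*HS*SENDER*RECEIVER*20240101*1200*1*X*004010X092~"
ENCRYPTED_PAYLOAD = bytes([0x17, 0x03, 0x03, 0x00, 0x20, 0x9f, 0x4e, 0x11, 0x5d])
```

Calling parse_rule_options(PHI_RULE) and then matches(rule, payload) on each payload reproduces the screen's result: the plain-text transaction alerts, the opaque bytes do not.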
				<Page>
					<Title>Mistakes versus Malice</Title>
					<Subtitle/>
					<Filename>disaidscr2_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">From the previous example we can glean several results. Once configured with the new custom rule, the NIDS sent hundreds of alerts for unencrypted traffic from $HOME_NET to the internet. Many were true positives, meaning unencrypted protected health information was being sent over the internet, a violation of policy. The default rules missed this data spill, but your new custom rule caught it. As this example demonstrates, custom rules written for the specific mission of the network can catch violations that standard vendor-written rules could not, underscoring the importance of knowing your network and knowing your organization. In our scenario, mistakes, not malicious activities, caused the violations. Errors and omissions cause many IT security failures. Administrators unaware of the PHI policy misconfigured the systems. Typically, mistakes underlie the vulnerabilities in our networks more than malice does. As such, custom NIDS rules often find more mistakes than malice, but they can and do discover malicious acts. As CND professionals, we should consider errors and omissions just as important to identify as malicious events. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 16. Screen title: Mistakes versus malice. Image of a computer displays on screen. Text displays the results. Bulleted text displays: Hundreds of alerts for unencrypted traffic. Many true positives. Default rules missed the leak. Custom rule caught it. Text displays, the cause. Bulleted text states: Mistakes, not malicious activities. Errors and omissions are the cause of most disasters. Systems misconfigured. In support of audio, text displays: often more mistakes than malice, and errors and omissions are just as important as malice.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check 1</Title>
					<Subtitle/>
					<Filename>disaidscr2_12</Filename>
					<PageNbr>12</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>Which of the following are benefits of using Snort® syntax to write custom NIDS rules?  </Txt>
							<Response valid="true">
								<Txt>Most commonly deployed NIDS</Txt>
							</Response>
							<Response>
								<Txt>All commercial NIDS are built upon Snort® syntax</Txt>
							</Response>
							<Response valid="true">
								<Txt>Snort® is an open source NIDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>Snort® is a de facto industry standard</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Snort® is the most commonly deployed NIDS, is open source, and is a de facto industry standard. Many, but not all, commercial NIDS are built upon Snort® syntax.</DfltCorrect>
								<DfltIncorrect>Incorrect. Snort® is the most commonly deployed NIDS, is open source, and is a de facto industry standard. Many, but not all, commercial NIDS are built upon Snort® syntax.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 16. Topic Title: Knowledge Check. Screen title: Knowledge Check. This knowledge check consists of one question and four possible answers. Select all answers that apply and select done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 2</Title>
					<Subtitle/>
					<Filename>disaidscr2_13</Filename>
					<PageNbr>13</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Message</Txt>
							<Response>
								<Txt>Rule Header for Statement: Message</Txt>
							</Response>
							<Response valid="true">
								<Txt>Rule Option for Statement: Message</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The message is located in the rule option, labeled as &lt;b&gt;msg&lt;/b&gt;.</DfltCorrect>
								<DfltIncorrect>Incorrect. The message is located in the rule option, labeled as &lt;b&gt;msg&lt;/b&gt;.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Source Port</Txt>
							<Response valid="true">
								<Txt>Rule Header for Statement: Source Port</Txt>
							</Response>
							<Response>
								<Txt>Rule Option for Statement: Source Port</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Source Port is part of the rule header indicating the origination port to monitor.</DfltCorrect>
								<DfltIncorrect>Incorrect. Source Port is part of the rule header indicating the origination port to monitor.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Revision ID</Txt>
							<Response>
								<Txt>Rule Header for Statement: Revision ID</Txt>
							</Response>
							<Response valid="true">
								<Txt>Rule Option for Statement: Revision ID</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Revision ID is located in the rule option, labeled as &lt;b&gt;rev&lt;/b&gt;.</DfltCorrect>
								<DfltIncorrect>Incorrect. Revision ID is located in the rule option, labeled as &lt;b&gt;rev&lt;/b&gt;.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Direction</Txt>
							<Response valid="true">
								<Txt>Rule Header for Statement: Direction</Txt>
							</Response>
							<Response>
								<Txt>Rule Option for Statement: Direction</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Direction is part of the rule header indicating the direction of data to monitor.</DfltCorrect>
								<DfltIncorrect>Incorrect. Direction is part of the rule header indicating the direction of data to monitor.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Snort® ID</Txt>
							<Response>
								<Txt>Rule Header for Statement: Snort® ID</Txt>
							</Response>
							<Response valid="true">
								<Txt>Rule Option for Statement: Snort® ID</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Snort® ID is located in the rule option, labeled as &lt;b&gt;sid&lt;/b&gt;.</DfltCorrect>
								<DfltIncorrect>Incorrect. Snort® ID is located in the rule option, labeled as &lt;b&gt;sid&lt;/b&gt;.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Classification</Txt>
							<Response>
								<Txt>Rule Header for Statement: Classification</Txt>
							</Response>
							<Response valid="true">
								<Txt>Rule Option for Statement: Classification</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Classification is located in the rule option, labeled as &lt;b&gt;classtype&lt;/b&gt;.</DfltCorrect>
								<DfltIncorrect>Incorrect. Classification is located in the rule option, labeled as &lt;b&gt;classtype&lt;/b&gt;.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Action</Txt>
							<Response valid="true">
								<Txt>Rule Header for Statement: Action</Txt>
							</Response>
							<Response>
								<Txt>Rule Option for Statement: Action</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Action is part of the rule header indicating what the rule will do.</DfltCorrect>
								<DfltIncorrect>Incorrect. Action is part of the rule header indicating what the rule will do.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Content</Txt>
							<Response>
								<Txt>Rule Header for Statement: Content</Txt>
							</Response>
							<Response valid="true">
								<Txt>Rule Option for Statement: Content</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Content is located in the rule option, labeled as &lt;b&gt;content&lt;/b&gt;.</DfltCorrect>
								<DfltIncorrect>Incorrect. Content is located in the rule option, labeled as &lt;b&gt;content&lt;/b&gt;.</DfltIncorrect>
							</Feedback>
						</Question>

					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try this question. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 16. Screen title: Knowledge Check. This knowledge check consists of two answer columns rule header and rule option. You will select the correct answer for each of the eight rule components. Use the keyboard to cycle through the answers. Select done when completed.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 3</Title>
					<Subtitle/>
					<Filename>disaidscr2_14</Filename>
					<PageNbr>14</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Enclose rule option components in parentheses.</Txt>
							<Response valid="true">
								<Txt>True for Statement: Enclose rule option components in parentheses.</Txt>
							</Response>
							<Response>
								<Txt>False for Statement: Enclose rule option components in parentheses.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The rule option components are enclosed in parentheses.</DfltCorrect>
								<DfltIncorrect>Incorrect. The rule option components are enclosed in parentheses.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>A semicolon is required after the last option.</Txt>
							<Response valid="true">
								<Txt>True for Statement: A semicolon is required after the last option.</Txt>
							</Response>
							<Response>
								<Txt>False for Statement: A semicolon is required after the last option.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A final semicolon is required after the last keyword-option pair when writing NIDS rules.</DfltCorrect>
								<DfltIncorrect>Incorrect. A final semicolon is required after the last keyword-option pair when writing NIDS rules.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Keyword-option pairs are separated by a semicolon.</Txt>
							<Response>
								<Txt>True for Statement: Keyword-option pairs are separated by a semicolon.</Txt>
							</Response>
							<Response valid="true">
								<Txt>False for Statement: Keyword-option pairs are separated by a semicolon.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Keyword-option pairs are separated by a colon, e.g. sid:1000094</DfltCorrect>
								<DfltIncorrect>Incorrect. Keyword-option pairs are separated by a colon, e.g. sid:1000094</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Multiple keyword-option pairs are separated by a semicolon.</Txt>
							<Response valid="true">
								<Txt>True for Statement: Multiple keyword-option pairs are separated by a semicolon.</Txt>
							</Response>
							<Response>
								<Txt>False for Statement: Multiple keyword-option pairs are separated by a semicolon.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Multiple keyword-option pairs are separated by a semicolon, e.g. sid:1000094; rev:1</DfltCorrect>
								<DfltIncorrect>Incorrect. Multiple keyword-option pairs are separated by a semicolon, e.g. sid:1000094; rev:1</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try this one. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 16. Screen title: Knowledge Check. This is a true false knowledge check. There are four statements to decide if they are true or false. Use your keyboard to cycle through the answers. Select done when completed.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 4</Title>
					<Subtitle/>
					<Filename>disaidscr2_15</Filename>
					<PageNbr>15</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>0</DfltQuestionWidth>
					<DfltFBWidth>0</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt></Txt>
							<Response valid="true">
								<Txt></Txt>
							</Response>
							<Response>
								<Txt></Txt>
							</Response>
							<Feedback>
								<DfltCorrect></DfltCorrect>
								<DfltIncorrect></DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now apply your knowledge of NIDS rule fundamentals to write a simple NIDS rule for the scenario. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 16. Screen title: Knowledge Check. This is a free response knowledge check. The scenario and question are supported by the linked P D F documents: P CAP file and filtered I R C. Type the response in the answer field and select done when complete.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disaidscr2_16</Filename>
					<PageNbr>16</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the NIDS Rule Fundamentals lesson. You should now be able to indicate the benefits of using custom rules and Snort syntax. You should be able to categorize the components of a NIDS rule and identify the rule option parameters. Finally, you should be able to identify the purpose of each primary rule option. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 16. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
