<?xml version="1.0"?>
<Module projectID="1264" moduleID="1446">
	<ModuleName>mod3</ModuleName>
	<AU>C02_M03</AU>
	<Title>NIDS Advanced Rules</Title>
	<Subtitle>NIDS Advanced Rules</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../C02_M03/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map. Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit. Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause. Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaidscr3_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the NIDS Advanced Rules lesson. When you have completed this lesson, you will be able to identify the advanced rule option flow and the rule content modifiers: offset, distance, depth, within, nocase, and established. You will be able to select the best rule options and modifiers. Finally, you will use this information to write a complex NIDS rule using flow. There are four topics for this lesson. After completing the introduction, you will learn about additional NIDS rule options. The lesson will also introduce NIDS rule modifiers and how those modifiers can be paired for efficient custom rule writing. Finally, you will write a complex NIDS custom rule using the rule options and modifiers you learned in this lesson. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description, Course: D O D Intrusion Detection System (I D S) Analysis, Part 3, Module 2: DoD Network Intrusion Detection System (NIDS) Custom Rules Module, Lesson 3: NIDS Advanced Rules, For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 10. Lesson title: NIDS Advanced Rules. Topic title: Introduction. Screen title: Objectives and Topics. Four learning objectives display in support of audio. Four topics display. The first topic is titled Introduction. The second topic is titled Additional Rule Options. The third topic is titled Rule Modifiers. The fourth and final topic is the Conclusion. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Rule Options Overview</Title>
					<Subtitle/>
					<Filename>disaidscr3_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">There are three types of detection rule options. Just as mail is sent in a variety of envelope types and sizes, a Snort rule can generate several types of alerts or logging output. General detection options provide details about the rule and include &quot;message&quot; and &quot;snort id&quot;. Just as a letter arriving in the mail requires opening the envelope and reading it to determine the contents, payload detection rule options focus on analyzing the content carried within the data packet and include options like &quot;content&quot; and &quot;offset&quot;. Reviewing the envelope of a piece of mail gives you information about the recipient, the sender, and when the letter was mailed. Similarly, non-payload detection rule options focus on the aspects of the data packet not related to the content and include such options as flow and flags. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 10. Screen title: Rule Options Overview. Reprise of rule image displays. Image of envelopes displays with label general detection rule options. The general detection rule options highlight in the rule image. Image of an envelope open with a letter coming out displays with the label payload detection rule options. The payload detection rule options highlight. Image of an envelope with postmark displays with label non-payload detection rule options. The non-payload detection rule options highlight. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Additional Rule Options</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Non-Payload Detection</Title>
					<Subtitle/>
					<Filename>disaidscr3_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When writing custom NIDS rules, you can use several non-payload rule options. The Snort User Manual, available to you in the course Resources, addresses the complete list. One of the non-payload rule options is flow. Similar to the way the envelope identifies who receives the letter and who sent the letter, use flow to apply a rule to certain directions of traffic flow. The letter also carries a postmark verifying that the letter has entered the mail. The modifier established limits the rule to monitoring data from existing connections, like a letter already working its way through the mail. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 10. Topic title: Additional Rule Options. Screen title: Non-Payload Detection. Reprise rule image displays. Snort logo displays and becomes a link to the Snort User Manual. Image of rule options displays over rule image. Reprised image of envelope with post mark displays. Flow displays in a call out box pointing to the flow portion of rule options image. Established displays in a call out box pointing to established portion of the rule options image.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Non-Payload Detection: flow</Title>
					<Subtitle/>
					<Filename>disaidscr3_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Use the &quot;flow&quot; keyword option when you need to analyze TCP traffic to identify the origin of the traffic. You have several options when using the keyword flow. Flow describes traffic movement between a client and a server. Let's take a look at the four most relevant options. Sometimes you need to analyze data coming from the server to the client. The to_client option will monitor the same traffic as the from_server option. In other cases, you will analyze traffic going from the client to the server. The to_server option will monitor the same traffic as from_client. You write the flow keyword option by typing flow colon, your chosen keyword option, and a semi-colon to end. You can further define what your custom rule will monitor using established. Select established to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Non-Payload Detection: flow</Title>
							<Subtitle/>
							<Filename>disaidscr3_04_01</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1">A keyword option that you can use to further define flow is &quot;established.&quot; To make your custom rule more efficient when you only need to monitor TCP traffic on an existing connection, use the option &quot;established.&quot; You write this keyword option after the flow option by typing comma, established, and a semi-colon to end. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>established</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: established. Text displays, keyword option: established. Images of a computer and a server display. An arrow labeled tcp representing the link between the two displays. Bulleted text displays stating directs the rule to monitor established tcp connections only. Reprised flow rule image displays. </ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 10. Screen title: Non-payload Detection: flow. Text displays, keyword option: flow. Two lines of bulleted text display, used only with T C P and indicates which traffic to analyze. A two column table displays with headers: option and description. The option to underscore client is defined as responses from server to client. The option from underscore server is defined as the same as to underscore client, server requests to client. The option to underscore server is defined as responses from client to server. The option from underscore client is defined as the same as to underscore server, client requests to server. The last option, established, is described as tcp connection only. Established becomes a link to a pop-up screen. Image of a computer and a server displays with arrows going from computer to server labeled from underscore client and to underscore server, and from server to computer labeled to underscore client and from underscore server. The flow image displays and states, flow colon from underscore client semicolon. Components of the flow image highlight in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Rule Modifiers</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Payload Detection Rules</Title>
					<Subtitle/>
					<Filename>disaidscr3_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As you remember from our analogy, payload detection concerns the content that is carried by the envelope. The enclosed letter equals the data. You can use numerous payload detection rule options when writing custom NIDS rules. The Snort User Manual covers the complete list. You can limit the amount of data that needs analysis by stating where in the content to search. These custom rules leverage your NIDS to complete analysis more quickly. We will focus on the five modifiers for the &quot;content&quot; keyword to improve efficiency of the custom rules on your NIDS. Offset tells the rule where to start searching in the content. Depth indicates how many bytes to search. Distance tells the rule how many bytes to skip after the last content match. Within indicates how many bytes to search after the last match. &quot;nocase&quot; tells the rule to ignore the case of the content. Select each keyword option to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Payload Detection Rules</Title>
							<Subtitle/>
							<Filename>disaidscr3_05_01</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The content modifier offset indicates where the rule begins searching for the specified content pattern. By default, offset begins searching at byte zero, so specifying where to begin searching reduces the amount of data to search and increases efficiency. Offset is relative to each packet, not to an aggregate stream or to ASCII text lines. You should also know that the offset modifier defines where to begin, not where to end. Unless you pair it with depth, the entire data packet will be searched from the byte defined by offset. When using offset in a custom rule, you write it immediately following the content option of the rule by typing offset colon, the value you choose between negative 65535 and 65535, and a semicolon to complete the option. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>offset</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 5. Popup title: offset. Text displays, content modifier: offset. Bulleted text states: Indicates where to begin searching in the packet. Uses zero as the default, unless specified. Varies relative to the beginning of each payload, but not an aggregate stream or askee text lines in the packet. Final bullet displays, specifies where to begin but not where to end. P CAP image displays with highlight moving through characters representing each character from beginning to end being scanned. Offset rule image displays stating: offset colon ten semicolon. Components of offset image are highlighted in support of audio. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Payload Detection Rules</Title>
							<Subtitle/>
							<Filename>disaidscr3_05_02</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The content modifier depth indicates how many bytes deep in the packet the rule should search for the content text string. A value of 50 would have the rule search only the first 50 bytes of the data. The depth is relative to the beginning of each data packet. Like the offset modifier, it does not recognize aggregate streams or ASCII text lines. You must select a value between 1 and 65535. If paired with the offset modifier, the depth value must be at least one higher than the offset value. You write this modifier after the content option, or after offset if used, by typing depth colon, the value you choose between 1 and 65535, and a semi-colon at the end. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>depth</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 5. Popup title: depth. Text displays, content modifier: depth. Bulleted text states: Indicator for how many bytes to search into the packet. Relative to the beginning of each packet. Minimum value is one, maximum value is sixty five thousand five hundred thirty five. P CAP image displays with a cut off line at the fiftieth byte. A scan moves through the p cap highlighting each character from the beginning to the fiftieth byte. Depth rule image displays stating: depth colon fifty semicolon. Components of depth image are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Payload Detection Rules</Title>
							<Subtitle/>
							<Filename>disaidscr3_05_03</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The content modifier distance indicates where the rule is to begin searching for the specified content pattern, relative to the end of the previous content match. Only use distance if more than one content string is written. The maximum value for the distance modifier is 65535. You should also know that the distance modifier defines where to begin, not where to end. Unless you pair it with the &quot;within&quot; modifier, the remainder of the data packet will be searched. Write this modifier immediately following the content option by typing distance colon, the value you choose between 1 and 65535, and a semi-colon to complete the option. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>distance</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 5. Popup title: distance. Text displays, content modifier: distance. Bulleted text states: indicates how many bytes into the packet to begin search. Relative to the end of the previous content match. Maximum value is sixty five thousand five hundred and thirty five. Final bullet displays, specifies where to begin, so entire packet will be searched unless paired with modifier “within”. P CAP image displays with starting line at the twentieth byte. A scan moves through the p cap highlighting each character from the starting line at byte 20 through the end. Distance rule image displays stating: distance colon twenty semicolon. Components of distance image are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Payload Detection Rules</Title>
							<Subtitle/>
							<Filename>disaidscr3_05_04</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The content modifier &quot;within&quot; indicates how many bytes deep in the packet the rule should search for the content text string. Within is relative to the end of the previous content match. A value of 40 would have the rule search the 40 bytes of data following the previous content match. You write this modifier after the content option or the distance modifier, if used, by typing within colon, the value you choose between 1 and 65535, and a semi-colon at the end. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>within</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 5. Popup title: within. Text displays, content modifier: within. Bulleted text states: Indicator for how many bytes to search into the packet. Relative to the previous content match. P CAP image displays with starting line at the twentieth byte, and ending line at sixtieth byte. A scan moves through the p cap highlighting each character from the starting line at byte 20, for 40 bytes, ending at byte 60. Within rule image displays stating: within colon forty semicolon. Components of within image are highlighted in support of audio. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Payload Detection Rules</Title>
							<Subtitle/>
							<Filename>disaidscr3_05_05</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The content modifier &quot;nocase&quot; instructs the rule to ignore letter case when searching for the content text string. Nocase is important as content searches are case sensitive by default. A nocase modifier only applies to the previous content option. If your rule has multiple content options, you will need multiple nocase modifiers. Include nocase in the rule after the content option and any related modifiers. Type nocase and a semi-colon to complete the option. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>nocase</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 5. Popup title: nocase. Text displays, content modifier: no case. Bulleted text states: Allows the rule to search for any combination of cases for the text string. Searches content as case sensitive by default. Final bullet states: modifies the previous content option. Single line of the P CAP image displays with a scan moving through the p cap highlighting any case combination of bad. No case rule image displays stating: no case semicolon. Components of nocase image are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 10. Topic Title: Rule Modifiers. Screen title: Payload Detection Rules. Reprise of Payload Detection Rule image, open envelope with letter, displays. Reprised image of complete rule displays. Reprise of rule options image displays. Reprise of Snort logo linked to the Snort User Manual displays. Five textboxes display pointing to the associated portion of the rule image: offset, depth, nocase, distance, and within. Each textbox becomes a popup link, and text displays stating, select each keyword option to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Content Modifier Pairs</Title>
					<Subtitle/>
					<Filename>disaidscr3_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Now that you have learned about each of the content modifiers, let's discuss using them effectively in writing custom rules. You will often see the offset and depth modifiers paired because they both search relative to the beginning of the data packet. By default, both offset and depth are measured from byte zero. Use them in conjunction with the first content option of the rule. Distance modifiers are often paired with within modifiers because they both search relative to the previous content match. Use the distance-within modifier pair for all subsequent content options in the rule. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 10. Screen title: Content Modifier Pairs. Reprised image of complete rule displays. Reprise of rule options image displays. Four textboxes display: offset, depth, distance, and within. The offset and depth textboxes merge to form a new textbox labeled, Offset-Depth, and described as relative to the beginning of the data packet. The distance and within textboxes merge to form a new textbox labeled, Distance-Within, and described as relative to previous content match. A reprise of p cap image displays with highlight from byte 10 to byte 50 matching the offset-depth textbox color, and a second highlight from byte 71 to 110 matching the distance-within textbox color.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Examples</Title>
					<Subtitle/>
					<Filename>disaidscr3_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's review a few NIDS custom rule examples to apply what we have covered in this lesson. In this rule, the message &quot;Bad Traffic&quot; will be sent for any data packet containing the text BAD and BAD2 in any order if both appear in all capital letters. So a packet containing &quot;BAD2 test BAD test&quot; would trigger the alert. If you modify the rule by adding nocase and removing the second content rule option, the rule will send an alert for any data packet containing any version of the text &quot;bad.&quot; A data packet containing the text &quot;b, capital A, d&quot; would trigger the alert, as would &quot;b, a, capital D,&quot; or any other case combination. You can modify the rule further by adding the modifiers distance and within to narrow the rule. So in this example, an alert will be sent if any case combination of the text &quot;bad&quot; occurs between bytes 20 and 50 of a data packet. This rule will not analyze past byte 50 for any content. To make the custom rule more precise, you can add a second content option and use the distance and within modifiers. So now this custom rule will send an alert only if any case combination of bad occurs between bytes 20 and 40, and the exact text BAD2 occurs at least 10 bytes after the first content match and no more than 40 bytes after the first content match. By the way, did you notice the revision id changed with each rule modification? It is a best practice to track the version of the rule. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 10. Screen title: Examples. This screen consists of four examples, each with a modified rule. Example 1 rule image states: alert t c p any any directional indicator any 80 open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space content colon open quotation mark all upper case B A D close quotation mark semicolon space content colon open quotation mark all upper case B A D 2 close quotation mark semicolon space sid colon one million one semicolon space rev colon one semicolon close parentheses. Text displays: upper case BAD lower case test upper case BAD 2 lower case test. Check mark appears next to text in support of audio. Example 2 rule image states: alert t c p any any directional indicator any 80 open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space content colon open quotation mark all upper case B A D close quotation mark semicolon space no case semicolon space sid colon one million one semicolon space rev colon two semicolon close parentheses. Text displays nine upper and lower case combinations for BAD. Check mark appears next to text in support of audio. Example 3 rule image states: alert t c p any any directional indicator any 80 open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space content colon open quotation mark all upper case B A D close quotation mark semicolon space distance colon twenty semicolon space within colon fifty semicolon space no case semicolon space sid colon one million one semicolon space rev colon three semicolon close parentheses. Text displays upper case B A D, found between bytes 20 to 50. Check mark appears next to text in support of audio. Example 4 rule image states: alert t c p any any directional indicator any 80 open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space content colon open quotation mark all upper case B A D close quotation mark semicolon space distance colon twenty semicolon space within colon fifty semicolon space no case semicolon space content colon open quotation mark all upper case B A D 2 close quotation mark semicolon space offset colon ten semicolon space depth colon forty semicolon space sid colon one million one semicolon space rev colon four semicolon close parentheses. Text displays lower case bad, found between bytes 20 to 40, and all upper case B A D 2, found between 10 to 50 bytes from bad. Check mark appears next to text in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check 1</Title>
					<Subtitle/>
					<Filename>disaidscr3_08</Filename>
					<PageNbr>8</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which Snort® rule option would you use for the most encompassing content analysis?
Question 1 of 4.</Txt>
							<Response>
								<Txt>flow</Txt>
							</Response>
							<Response>
								<Txt>offset - depth</Txt>
							</Response>
							<Response>
								<Txt>distance - within</Txt>
							</Response>
							<Response valid="true">
								<Txt>nocase</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The nocase rule option tells the rule to search for the content text string regardless of case, providing the largest number of possible matches.</DfltCorrect>
								<DfltIncorrect>Incorrect. The nocase rule option tells the rule to search for the content text string regardless of case, providing the largest number of possible matches.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which Snort® rule option would you use to isolate events coming from a client on your network?
Question 2 of 4.</Txt>
							<Response valid="true">
								<Txt>flow</Txt>
							</Response>
							<Response>
								<Txt>offset - depth</Txt>
							</Response>
							<Response>
								<Txt>distance - within</Txt>
							</Response>
							<Response>
								<Txt>nocase</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The flow option allows the rule to determine origination of events.</DfltCorrect>
								<DfltIncorrect>Incorrect. The flow option allows the rule to determine origination of events.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which Snort® rule option would you use to narrow the content search relative to the beginning of the data packet?
Question 3 of 4.</Txt>
							<Response>
								<Txt>flow</Txt>
							</Response>
							<Response valid="true">
								<Txt>offset - depth</Txt>
							</Response>
							<Response>
								<Txt>distance - within</Txt>
							</Response>
							<Response>
								<Txt>nocase</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Use the offset-depth rule option pair to narrow the search area relative to the beginning of the data packet.</DfltCorrect>
								<DfltIncorrect>Incorrect. Use the offset-depth rule option pair to narrow the search area relative to the beginning of the data packet.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which Snort® rule option would you use to ignore packet data that has already matched defined rule content?
Question 4 of 4.</Txt>
							<Response>
								<Txt>flow</Txt>
							</Response>
							<Response>
								<Txt>offset - depth</Txt>
							</Response>
							<Response valid="true">
								<Txt>distance - within</Txt>
							</Response>
							<Response>
								<Txt>nocase</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Use the distance-within rule option pair for additional content searches; this pair works relative to the previous content match.</DfltCorrect>
								<DfltIncorrect>Incorrect. Use the distance-within rule option pair for additional content searches; this pair works relative to the previous content match.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 10. Topic title: Knowledge Check. Screen title: Knowledge Check 1. This knowledge check consists of one question and four possible answers. Select the best response, and select done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 2</Title>
					<Subtitle/>
					<Filename>disaidscr3_09</Filename>
					<PageNbr>9</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>0</DfltQuestionWidth>
					<DfltFBWidth>0</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt></Txt>
							<Response valid="true">
								<Txt></Txt>
							</Response>
							<Response>
								<Txt></Txt>
							</Response>
							<Feedback>
								<DfltCorrect></DfltCorrect>
								<DfltIncorrect></DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now apply your knowledge of NIDS rule fundamentals to write a complex NIDS rule for the scenario. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 10. Screen title: Knowledge Check 2. This is a free response knowledge check. The scenario and question are supported by a P D F document, a P CAP, and an I R C stream. Type the response in the answer field and select done when complete.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disaidscr3_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the NIDS Advanced Rules lesson. You should now be able to identify advanced rule options and content modifiers. You should be able to select the best rule option and modifiers for the challenge. Finally, you should be able to write a complex NIDS custom rule. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 10. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
