MODULE 14

Network Intrusion Detection

Writing Snort/Suricata rules to detect attacks.

Snort Rules

IDS rules look like firewall rules, but they match on payload content as well as on addresses and ports.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Root Login"; content:"USER root"; sid:1000001; rev:1;)

  • Header: alert tcp any -> any 21 (action, protocol, source address and port, direction, destination address and port)
  • Options: msg, content, sid (Signature ID)
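
The header/option split described above, as an added example (not part of the original course page): a small Python parser that separates the rule's header from its options and evaluates the content option against constructed FTP command lines. The function names, the RULE_NOCASE variant and the sample payloads are assumptions made for illustration; content matching is case-sensitive unless the nocase modifier follows it.

```python
import re

# The rule from the text above, with conventional spacing.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
        '(msg:"FTP Root Login"; content:"USER root"; sid:1000001; rev:1;)')
HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
# One option is key[:value]; a ';' inside a quoted value does not end the option.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def parse_rule(rule):
    """Return (header dict, ordered list of (key, value) options)."""
    header_text, _, rest = rule.partition("(")
    fields = header_text.split()
    if len(fields) != len(HEADER_FIELDS) or not rest.rstrip().endswith(")"):
        raise ValueError("malformed rule")
    options = []
    for m in OPTION_RE.finditer(rest.rstrip()[:-1]):
        value = m.group(2)
        options.append((m.group(1), None if value is None else value.strip().strip('"')))
    return dict(zip(HEADER_FIELDS, fields)), options

def matches(rule, dst_port, payload):
    """Simplified check: exact or 'any' destination port, plus content options.
    Hex content (|0d 0a|), port lists and other modifiers are not modelled."""
    header, options = parse_rule(rule)
    if header["dst_port"] not in ("any", str(dst_port)):
        return False
    for i, (key, value) in enumerate(options):
        if key != "content":
            continue
        # content is case-sensitive unless the next option is the nocase modifier
        nocase = i + 1 < len(options) and options[i + 1][0] == "nocase"
        needle, hay = value.encode(), payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

# Constructed variant of the rule: same signature with nocase added.
RULE_NOCASE = RULE.replace('content:"USER root";', 'content:"USER root"; nocase;')

if __name__ == "__main__":
    header, options = parse_rule(RULE)
    print(header)
    print(options)
    for payload in (b"USER root\r\n", b"user root\r\n"):  # constructed FTP lines
        print(payload, matches(RULE, 21, payload), matches(RULE_NOCASE, 21, payload))
```

FTP servers accept commands in any letter case, so of the two rules only the nocase variant covers both constructed lines.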