Signature Detection and Alerting an Admin Lab

Overview
As stated in the IDS and Syslog lab, “Traffic flow fingerprints can be defined using layer-specific header field values and/or content derived from data. These fingerprints are known as signatures and can be defined through SNORT rules and stored in files called rulesets.” In this lab, we will write SNORT rules that detect specific traffic flows. Because SNORT is deployed here as an IDS rather than an inline IPS, it does not block the attack; it only raises an alert when traffic matches a signature, so traffic that matches no rule produces no alert at all. We will also demonstrate how an IDS can alert a sysadmin via email when a significant threat is detected. SNORT itself does not send mail: it writes alerts to its configured output (for example the fast alert log), and a separate process that watches that output is what decides which alerts are significant and emails the admin.
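The following is an added example, not part of the lab's own material. It shows the two halves the overview describes: two constructed SNORT rules (a header-based ICMP signature and a content-based HTTP signature, both with local sids) and a small Python watcher that parses SNORT's fast alert output, keeps only alerts at or above a chosen priority, aggregates repeats from the same source so a scan does not produce one email per packet, and builds the admin notification. The alert lines, rules, hostnames and addresses are all constructed for the example; SMTP sending is included but only run when explicitly requested, so the script works offline.

```python
"""Watch a SNORT fast-alert log and email an admin about significant alerts.

Constructed example: the rules, sample alert lines, and addresses below are
made up for illustration and are not from the lab's ruleset or network.
"""
import re
import smtplib
from email.message import EmailMessage

# Two example SNORT rules (constructed). Local rules should use sid >= 1000000.
# The first matches on a header field (ICMP type 8 = echo request); the second
# matches on payload content. Priority 1 is the most severe in SNORT.
EXAMPLE_RULES = r"""
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request to host"; itype:8; sid:1000001; rev:1; classtype:misc-activity; priority:3;)
alert tcp any any -> $HOME_NET 80 (msg:"Directory traversal attempt"; flow:to_server,established; content:"../"; sid:1000002; rev:1; classtype:web-application-attack; priority:1;)
"""

# Constructed lines in SNORT's "alert_fast" output format (one alert per line).
SAMPLE_ALERTS = """\
01/15-14:23:45.123456  [**] [1:1000001:1] ICMP echo request to host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/15-14:23:47.654321  [**] [1:1000002:1] Directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.1:80
01/15-14:23:48.000001  [**] [1:1000002:1] Directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51235 -> 10.0.0.1:80
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP endpoints carry no port. IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_alert(line):
    """Return a dict for one fast-alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
        "proto": m["proto"], "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_alert_log(text):
    """Parse every alert line in the log text, silently skipping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def select_significant(alerts, max_priority=2):
    """Keep alerts whose SNORT priority is at or above the threshold (1 is highest)."""
    return [a for a in alerts if a["priority"] <= max_priority]


def summarize(alerts):
    """Group alerts by (sid, msg, src_ip, dst_ip) so repeats become one line with a count."""
    summary = {}
    for a in alerts:
        key = (a["sid"], a["msg"], a["src_ip"], a["dst_ip"])
        entry = summary.setdefault(key, {"count": 0, "priority": a["priority"], "first_seen": a["ts"]})
        entry["count"] += 1
    return summary


def build_email(summary, sender, recipient):
    """Build the admin notification; returns an EmailMessage (nothing is sent here)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[Snort] {len(summary)} significant alert group(s)"
    lines = [
        f"{e['count']}x sid {sid} '{text}' {src} -> {dst} (priority {e['priority']}, first seen {e['first_seen']})"
        for (sid, text, src, dst), e in sorted(summary.items(), key=lambda kv: kv[1]["priority"])
    ]
    msg.set_content("\n".join(lines) or "no significant alerts")
    return msg


def send_email(msg, host="localhost", port=25):
    """Deliver via a local MTA; only call this when one is actually listening."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Dry run on the constructed sample: print the email instead of sending it.
    significant = select_significant(parse_alert_log(SAMPLE_ALERTS), max_priority=2)
    print(build_email(summarize(significant), "snort@lab.local", "admin@lab.local"))
```

In the lab the watcher would read SNORT's real alert file (for example by tailing it) instead of `SAMPLE_ALERTS`, and `send_email` would be pointed at the lab's mail relay; the priority threshold is what keeps low-severity noise such as the ICMP rule out of the admin's inbox.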

