Write a rule that sends an alert when source and destination

Write a rule that sends an alert when source and destination address are same. [1]

Write a rule that detects an SMTP connection in a machine. [2]

Write a rule that generates an alert when somebody is using Facebook. [2]

Suppose a rule:

alert tcp any any -> 192.168.1.0/24 23 (msg :”______”)

What would be an appropriate message for this rule? [2]

Solution

alert tcp any any -> 192.168.1.0/24 23 (msg :”______”)

Ans:
  
alert tcp any any -> 192.168.1.0/24 23 (content:\"|00 01 86 a5|\"; msg: \"mountd access\";)

-->The text up to the first parenthesis is the rule header and the section enclosed in parenthesis is the rule options.
-->The words before the colons in the rule options section are called option keywords.
-->Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on .
-->All of the elements in that make up a rule must be true for the indicated rule action to be taken.
-->When taken together, the elements can be considered to form a logical AND statement. At the same time, the various rules in a Snort rules library file can be considered to
form a large logical OR statement.

Write a rule that detects an SMTP connection in a machine.

Ans:The maximum number of simultaneous SMTP connections to the server. If this value is set to zero, an unlimited number of simultaneous connections will be allowed. By default,
the value is set to zero.