Snort Rule and Configuration Interview Q&A

Posted on 1:33 PM by Bharathvn

How Well Do You Know Snort Rules?
This question will determine whether you can identify an outside request for a Web page update. This is a common method for Web page defacement and it uses the HTTP PUT command.

alert tcp $EXTERNAL_NET any -> $MY_NET $HTTP_PORTS (msg:”LOCAL Put attempt”;
flow:to_server,established; tag:session,50,packets; pcre:”/^PUT /A”; sid:3000001;
rev:1;)

How Well Do You Know Snort Configurations?
This question establishes how well you know the SnortSam firewall agent. This rule sends a command to the firewall to block the source IP address for two minutes after the detection of an nmap xmas scan.

$MY_NET any (msg:”SCAN nmap XMAS”; flow:stateless; flags:FPU,12;
reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; fwsam: src, 2
minutes;)