The logto Keyword Rule Options

    alert udp $EXTERNAL_NET any -> $HOME_NET 1900 \
        (msg:"MISC UPNP malformed advertisement"; \
        content:"NOTIFY"; nocase; classtype:misc-attack; \
        reference:cve,CAN-2001-0876; \
        reference:cve,CAN-2001-0877; sid:1384; rev:2;)

This rule generates the following entry in the /var/log/snort/alert file:

    [**] [1:1384:2] MISC UPNP malformed advertisement [**]
    [Classification: Misc Attack] [Priority: 2]
    12/01-15:25:21.792758 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:9 IpLen:20 DgmLen:341
    Len: 321
    [Xref => cve CAN-2001-0877][Xref => cve CAN-2001-0876]

The last line of this alert shows the references where more information about this alert can be found. The reference.config file plays an important role because it contains the actual URL prefix for each reference system. For example, the following line in the reference.config file maps the cve reference system to its URL:

    config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=

When you append CAN-2001-0876 to the end of this URL, you reach the web page containing information about this alert. So the actual URL for information about this alert is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876. Multiple references can be placed in a rule. References are also used by tools like ACID (3) to provide additional information about a particular vulnerability. The same log message, when displayed in an ACID window, looks like Figure 3-4. In this figure, the URL is already inserted under the "Triggered Signature" heading. You can click on it to go to the CVE web site for more information.
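The mapping described above (a reference system name in the rule or alert, plus the URL prefix from reference.config, yields the full URL) is easy to automate. The following Python script is an added example and not code from the book or from Snort; it parses a constructed reference.config sample (the cve line is the one shown above, the bugtraq and url lines are assumed for illustration), extracts the reference options from the rule and the Xref entries from the alert's last line, and resolves each to its URL, refusing to resolve a reference whose system has no config line.

```python
import re

# Constructed sample of reference.config. The cve line is the one shown in the
# text; the bugtraq and url lines are assumed here for illustration only.
REFERENCE_CONFIG = """\
# reference.config (constructed sample)
config reference: cve     http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: url     http://
"""

# The rule discussed in the text, with its two reference options.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1900 '
        '(msg:"MISC UPNP malformed advertisement"; content:"NOTIFY"; nocase; '
        'classtype:misc-attack; reference:cve,CAN-2001-0876; '
        'reference:cve,CAN-2001-0877; sid:1384; rev:2;)')

# The last line of the alert entry shown in the text.
XREF_LINE = "[Xref => cve CAN-2001-0877][Xref => cve CAN-2001-0876]"


def parse_reference_config(text):
    """Return {system: url_prefix} from the 'config reference:' lines."""
    prefixes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+reference:\s*(\S+)\s+(\S+)", line)
        if m:
            prefixes[m.group(1).lower()] = m.group(2)
    return prefixes


def references_from_rule(rule):
    """Return (system, id) pairs for every reference: option in a rule."""
    pairs = re.findall(r"reference:\s*(\w+)\s*,\s*([^;]+);", rule)
    return [(system.lower(), ident.strip()) for system, ident in pairs]


def references_from_xref(line):
    """Return (system, id) pairs from the [Xref => system id] alert entries."""
    pairs = re.findall(r"\[Xref => ([^\s\]]+) ([^\s\]]+)\]", line)
    return [(system.lower(), ident) for system, ident in pairs]


def resolve(refs, prefixes):
    """Concatenate each reference id onto its system's URL prefix."""
    urls = []
    for system, ident in refs:
        prefix = prefixes.get(system)
        if prefix is None:
            # A typo in the rule (or a missing config line) would otherwise
            # produce a dangling link in a console like ACID; fail loudly.
            raise KeyError(f"no 'config reference:' line for system {system!r}")
        urls.append(prefix + ident)
    return urls


if __name__ == "__main__":
    prefixes = parse_reference_config(REFERENCE_CONFIG)
    for url in resolve(references_from_rule(RULE), prefixes):
        print("rule  ->", url)
    for url in resolve(references_from_xref(XREF_LINE), prefixes):
        print("alert ->", url)
```

Note that the `url` system's prefix is just `http://`, so a rule option such as `reference:url,www.example.com/advisory` (a constructed value) resolves by plain concatenation as well; the same code path covers every system listed in reference.config.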

3.6.23 The resp Keyword

The resp keyword is a very important keyword. It can be used to knock down hacker activity by sending response packets to the host that originates a packet matching the rule. The keyword is also known as Flexible Response or simply FlexResp and is based on the FlexResp plug-in. The plug-in should be compiled into Snort, as explained in Chapter 2, using the command line option --with-flexresp in the

3. ACID is discussed in Chapter 6.

Figure 3-4 Use of reference keyword in ACID window.