Explain this Snort rule

Please explain the following Snort rule. Describe the meanings of all the options and modifiers used in the rule.

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"Attack Detected"; flow:to_server,established; content:"|02|"; depth:1; content:"sa"; depth:2; offset:39; nocase; detection_filter:track by_src, count 5, seconds 2;)

Detect repeating bits with Snort

I am new to Snort and I am trying to make a rule that will detect repeating bits in a packet. I set the offset to the 100th bit and the depth to 105 bits. The problem I am having is I can't figure out how to make it detect a random pattern of bits that repeat, for example FF FF FF FF FF or 21 21 21 21. Is Snort actually capable of doing this, and if so, how? Any information would be much appreciated.

Can Snort inline/blocking mode block traffic from one host to another on internal LAN?

I'm putting Snort on a wifi router. My understanding is that when in inline/blocking mode, I have to bridge a LAN interface to the WAN interface for packet inspection. If this is the case, it does not seem possible to detect/block an attack from one host to another host on the same LAN, because the traffic will not go out the WAN interface.

Is this correct? If so, is there a configuration that would support detecting / blocking an attack from host to host on the same LAN?

Stateful detection in Snort

From whatever I have read of Snort, it can analyse a single packet at a time and raise an alert based on its rules.

What if I wish to have a rule based on multiple packets, such as analysis of a protocol situation that can maintain its state, e.g. TCP or TLS?

Ubuntu 18.04 Snort protection

Recently I installed Snort on my Ubuntu 18.04 server and also wrote some rules in local.rules. It detects my rules perfectly, like ping, simple DoS attacks, etc.

I have 4 questions:

  1. How can I block a specific IP address in Snort detection rules? (for example, in DoS detection rules)

  2. Does Snort store any data about detections, like IPs, contents, etc., in some database? With apt-get install snort, MySQL was installed too.

  3. Is it possible to run a script on alert?

  4. When I used the reject action and started Snort in console mode, I got a "connection refused" error on SSH, and can't log in to SSH anymore until I restart the server. The rule is:

reject tcp any any -> $HOME_NET any (msg:"simple dos attack"; threshold:type both, count 50, seconds 5, track by_dst; sid:1000001;)