Study the Snort rule given below and interpret it:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
The rule header means: alert on TCP traffic from any source IP and any source port, going to any host in the 192.168.1.0/24 subnet on destination port 111.
The content option "|00 01 86 a5|" is a hex byte pattern; it identifies a mountd access signature in the packet payload.
Port 111 is used by SunRPC (commonly associated with mountd in UNIX environments).
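To make the interpretation concrete, the added Python example below (not part of the original question or courseware) parses this rule's header and content option and evaluates it against constructed packet dictionaries, one for each traffic pattern described in the answer options; only the pattern from option D fires. The packet dictionaries and the short payload bytes are constructed for illustration, and the parser handles only the subset of Snort syntax this rule uses (single ports or lo:hi ranges, CIDR or "any" addresses, the "->" operator).

```python
import ipaddress
import re
# The rule from the question, written with Snort's "->" direction operator.
RULE = ('alert tcp any any -> 192.168.1.0/24 111 '
        '(content:"|00 01 86 a5|"; msg:"mountd access";)')

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)$')
def parse_rule(text):
    """Split a one-line Snort rule into header fields plus its content/msg options."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError('unrecognised rule header')
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    content = opts.get('content', '')
    hexed = content.startswith('|') and content.endswith('|')  # |..| is Snort hex notation
    # 00 01 86 a5 is RPC program number 100005, i.e. mountd
    content = bytes.fromhex(content.strip('|')) if hexed else content.encode()
    return {'action': action, 'proto': proto.lower(), 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'content': content, 'msg': opts.get('msg', '')}
def _ip_ok(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def _port_ok(spec, port):
    if spec == 'any':
        return True
    lo, sep, hi = spec.partition(':')  # a single port or a lo:hi range
    return port == int(lo) if not sep else int(lo or 0) <= port <= int(hi or 65535)
def matches(rule, pkt):
    """True when the packet dict satisfies every header field and the content option."""
    header_ok = (pkt['proto'] == rule['proto']
                 and _ip_ok(rule['src'], pkt['src']) and _port_ok(rule['sport'], pkt['sport'])
                 and _ip_ok(rule['dst'], pkt['dst']) and _port_ok(rule['dport'], pkt['dport']))
    return header_ok and rule['content'] in pkt['payload']

def check_samples():
    """Constructed packets, one per traffic pattern in the answer options; only D fires."""
    rule = parse_rule(RULE)
    rpc = b'\x00\x00\x00\x02\x00\x01\x86\xa5'  # constructed: RPC version 2, program 100005
    d = dict(proto='tcp', src='10.0.0.5', sport=40000, dst='192.168.1.20', dport=111, payload=rpc)
    return {
        'D': matches(rule, d),
        'C': matches(rule, {**d, 'src': '192.168.1.20', 'sport': 111, 'dst': '10.0.0.5', 'dport': 40000}),
        'B': matches(rule, {**d, 'proto': 'udp'}),
        'A': matches(rule, {**d, 'src': '192.168.1.20', 'dst': '10.0.0.5'}),
        'header only': matches(rule, {**d, 'payload': b'GET / HTTP/1.0\r\n'}),
    }
```

The last sample shows that a correct header alone is not enough: the packet must also carry the content bytes before the alert fires.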
From CEH v13 Courseware:
Module 13: IDS, Firewalls and Honeypots → Understanding Snort Rules
Reference: Snort User Manual – Rule Syntax and Interpretation