Filtering access to the Taobao website with custom Snort rules on the IPS.
1. Define the Snort rules file
Create a new file "taobao.rules" on the PC and add the following four rules to it. The finished file is provided as an attachment.
The four Snort rules detect DNS, HTTP and HTTPS requests respectively:
(1)alert udp any any -> any 53 (msg:"DNS Query for *.***.***"; flow:established,to_server; content:"|06|taobao|03|com"; fast_pattern:only; nocase; classtype:not-suspicious; sid:2016001; rev:1;)
Checks whether the query name field of a DNS request carried over UDP contains |06|taobao|03|com (the |06| and |03| are the DNS wire-format label-length bytes that precede "taobao" and "com").
(2)alert tcp any any -> any 53 (msg:"DNS Query for a *.***.***"; flow:established,to_server; content:"|06|taobao|03|com"; fast_pattern:only; nocase; classtype:not-suspicious; sid:2016002; rev:1;)
Checks whether the query name field of a DNS request carried over TCP contains |06|taobao|03|com.
(3)alert tcp any any -> any 80 (msg:"HTTP Request for *.***.***"; flow:established,to_server; content:".***.***"; fast_pattern:only; nocase; http_header; pcre:"/Host\x3A\x20[^\n]{0,16}\x2Etaobao\x2Ecom/Hi"; classtype:not-suspicious; sid:2016003; rev:1;)
Checks whether the Host field of an HTTP request contains .***.***
(4)alert tcp any 443 -> any any (msg:"HTTPS Request for *.***.***"; flow:established,to_client; content:"|24|Alibaba (China) Technology Co., Ltd"; fast_pattern:only; nocase; classtype:not-suspicious; sid:2016004; rev:1;)
Checks whether the HTTPS server certificate contains $Alibaba (China) Technology Co., Ltd (|24| is the byte 0x24, i.e. "$", which is the DER length octet preceding the organization name string in the certificate subject).
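To make concrete what the four content matches above look for on the wire, the following Python example is added here; it is not part of the original case and does not come from the H3C device. It encodes a DNS query name in wire format, applies the rules' content/nocase and pcre logic as plain Python, and feeds in a constructed DER fragment for the certificate case; all sample inputs, and the assumption that the organization name string is 36 bytes long (as the rule's 0x24 length octet implies), are constructed for illustration.

```python
import re
import struct

# Content matches from the rules, written as the bytes Snort's |..| notation denotes.
DNS_CONTENT = b"\x06taobao\x03com"                        # |06|taobao|03|com
TLS_CONTENT = b"\x24Alibaba (China) Technology Co., Ltd"  # |24|Alibaba ... (0x24 = DER length 36)
# The pcre from rule (3): "Host: ", at most 16 bytes of subdomain, then ".taobao.com", nocase.
HOST_RE = re.compile(rb"Host\x3A\x20[^\n]{0,16}\x2Etaobao\x2Ecom", re.I)


def dns_qname(name: str) -> bytes:
    """Encode a domain name in DNS wire format: each label prefixed by its length, 0-terminated."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def dns_query(name: str) -> bytes:
    """Constructed minimal DNS query (header + one A question), as carried in a UDP/TCP payload."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qdcount=1
    return header + dns_qname(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def content_match(payload: bytes, content: bytes) -> bool:
    """Snort 'content' with 'nocase': case-insensitive substring search over the payload."""
    return content.lower() in payload.lower()


def matches_dns_rule(payload: bytes) -> bool:   # rules (1) and (2)
    return content_match(payload, DNS_CONTENT)


def matches_http_rule(headers: bytes) -> bool:  # rule (3), request headers
    return HOST_RE.search(headers) is not None


def matches_tls_rule(payload: bytes) -> bool:   # rule (4), server-to-client certificate bytes
    return content_match(payload, TLS_CONTENT)


# Constructed DER fragment of an X.509 subject RDN:
# SET { SEQUENCE { OID 2.5.4.10 (organizationName), PrintableString } }.
# Assumes a 36-byte organization string so that the 0x24 length octet in the rule is consistent.
ORG = b"Alibaba (China) Technology Co., Ltd."
TLS_SAMPLE = b"\x31\x2d\x30\x2b\x06\x03\x55\x04\x0a\x13" + bytes([len(ORG)]) + ORG
```

Note that the DNS content has no trailing terminator, so a name such as taobao.com.cn also matches, while the length byte keeps nottaobao.com from matching; the HTTP pcre requires a subdomain of at most 16 bytes before .taobao.com, so a bare Host: taobao.com is not caught by rule (3).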
2. Import the Snort file onto the device
[H3C]ips signature import snort tftp://10.88.8.196/taobao.rules (alternatively, upload the file to the device first via TFTP or FTP)
3. Enable the rules in the user-defined IPS policy
<H3C>dis ips signature user-defined
User-defined signatures total:4 failed:0
Flag:
Pre: predefined User: user-defined
Type  Sig-ID     Direction  Severity  Fidelity  Category  Protocol
User  538886913  To-server  Low       Low                 UDP
User  538886914  To-server  Low       Low                 TCP
User  538886915  To-server  Low       Low                 TCP
User  538886916  To-client  Low       Low                 TCP
[H3C]ips policy test
[H3C-ips-policy-test]signature override user-defined 538886913 enable reset logging
[H3C-ips-policy-test]signature override user-defined 538886914 enable reset logging
[H3C-ips-policy-test]signature override user-defined 538886915 enable reset logging
[H3C-ips-policy-test]signature override user-defined 538886916 enable reset logging
4. Reference the IPS policy in the inter-zone security policy
5. Activate the policy
[H3C]inspect activate
Rule's activity begin:100%