# Snort (continued)

This final exercise will guide you in implementing one (simplified) Snort rule from the **ruleset community**.

> ```alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; http_uri; content:"password=g00dPa$$w0rD", fast_pattern, nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:2; )```

As this a realistic rule, it also a more complex. Most of the *static* conditions we will ignore and we will focus on the regular expression. The rule will be simplified to: 

> all **TCP** traffic (irrespective of addresses and/or ports) that have in their TCP payload: **password=g00dPa$$w0rD** will be alerted to the security engineer.

Try to go over the dataset again and count the number alerts that should be raised. Don't forget to run the code block below first.

In [2]:
from lib.dataset import NIDSDataset

data_file = 'data/dataset_packets_v2.npy'
labels_file = 'data/dataset_labels_v1.npy'

dataset = NIDSDataset(data_file, labels_file)

As you might know, there are standardised encodings to transfer characters to numbers and back. Searching for a string "password=g00dPa$$w0rD" can only be achieved if the correct coding is applied. To make your life a bit easier, this cumbersome task is done for you. 

<center>
<img src="images/12_utf8_encoding.png"/>
</center>

It is pointed out that for every character the corresponding 'inverted case' is also given. Also note that there is no difference between an upper-case and lower-case \<space\>.

Although the Snort rule above dictates that this should be searched for, irrespective of the case (```nocase```), you can start with ignoring this: just search literally for the string. If you have additional time to spend, try make your parsing case-insensitive.

In [3]:
framecounter = 0
number_of_alerts = 0
pattern = "password=g00dPa$$w0rD"

# loop over all datasets
for d in dataset:

    wordcounter = 0

    # loop over all words
    for word in d:
        
        wordcounter += 1
    
    # end of iteration over words
    framecounter += 1
# end of iteration over datasets

# print summary
print("\nWe've received %d frames" % framecounter)
print("\t%d alerts are given" % number_of_alerts)



We've received 1314 frames
	0 alerts are given


<center><div style="background-color: #10FF107f;">The code above should report that there are 130 frames in the dataset. All of which are IPv4 and TCP.</div></center>

<hr/>
<center>
Continue with the <a href="20_counting.ipynb">next notebook</a> in a new browser tab.<br/><br/>
<img src="images/footer.png"/>
</center>