Snort rules 2006.10.11 黃暉清
Tools • Snort • MySQL • Analysis Console for Intrusion Databases (ACID) • Web-based front end written in PHP for browsing Snort alerts and managing the alert database. • ADODB: the database abstraction layer that lets ACID talk to MySQL. • PHPlot, JpGraph: charting libraries that let ACID draw statistics graphs.
Snort Rules • Rule file path (set in snort.conf): • var RULE_PATH ./rule • Download rules: • http://www.snort.org/pub-bin/downloads.cgi • Subscription release • Registered user release • Unregistered user release • Community rules • Custom rules: • include $RULE_PATH/myrules.rules
Snort rule format • A rule has two parts: the rule header (action, protocol, source address and port, direction, destination address and port) and the rule options in parentheses. • alert tcp !$HOME_NET any -> $HOME_NET 445 (msg:"External NetBIOS Access";) • alert tcp any any -> any any (msg:"TCP Traffic";) (matches every TCP packet; only useful for testing) • Example: • alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
Snort rules (cont.) • msg: the text of the alert. • flow:to_server,established: • to_server: the packet travels from the client to the server; established: only inside a TCP connection that has completed its handshake. • content: • searches the TCP payload for a byte string. • Hex bytes (wrapped in | |) and ASCII may be mixed freely within one content string. • Position and length modifiers: offset/depth (absolute), distance/within (relative to the end of the previous match).
Snort rules (cont.) • Example (against the SMB payload on the next slide): • content:"|00|"; depth:1; (NetBIOS session message: the first payload byte must be 0x00) • content:"|FF|SMB"; depth:4; offset:4; (SMB signature in bytes 4 to 7; the cursor now sits at byte 8) • content:"I|00|P|00|C|00 24 00 00|"; distance:33; nocase; (UCS-2 "IPC$"; the search starts 33 bytes after the previous match, at byte 41) • (Figure: offset and depth are absolute, counted from the start of the payload after the IP and TCP headers; distance and within are relative, counted from the end of the previous content match.)
Snort rules (cont.) • Sample payload for the examples above: an SMB Tree Connect AndX request (command 0x75) for \\WINSNORT\IPC$, shown as a hex dump of the TCP payload starting with the 4-byte NetBIOS session header:
000 : 00 00 00 52 FF 53 4D 42 75 00 00 00 00 18 07 C8
010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
020 : 00 58 C0 00 04 FF 00 52 00 08 00 01 00 27 00 00
030 : 5C 00 5C 00 57 00 49 00 4E 00 53 00 4E 00 4F 00
040 : 52 00 54 00 5C 00 49 00 50 00 43 00 24 00 00 00
050 : 3F 3F 3F 3F 3F 00
Snort rules (cont.) • byte_test:<bytes>,<operator>,<value>,<offset>[,relative][,little|big]: read the given number of bytes at the offset and compare them with the value; a conditional test that does not move the cursor. • byte_test:1,>,127,7,relative; (with the cursor just after |FF|SMB this is byte 15 of the dump, 0xC8 = 200 > 127) • byte_test:2,>,7,33,little,relative; • little: the two bytes 08 00 at byte 41 are read little-endian as 0x0008 • classtype:protocol-command-decode; • alert classification; the classes and their priorities are defined in /usr/local/etc/snort/classification.config • sid:1294: rule ID. • < 100: reserved • 100 to 999,999: rules shipped with Snort • 1,000,000 and above: local (user-written) rules
Snort rules (cont.) • rev:4: revision number of the rule; bump it whenever the rule changes. • uricontent: Snort searches the normalized HTTP URI (rather than the raw payload) for the keyword. • Example: cmd.exe, etc/passwd … • Example: "../..", "..%255c.." • reference: pointer to external information about the attack (bugtraq, cve, nessus, url, …). • byte_jump:2,7,little,relative • reads a 2-byte little-endian length X at cursor + 7 and moves the cursor past the X bytes that length describes, so they are not scanned: cursor = cursor + 7 + 2 + X
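The following Python program is an added example (mine, not code from the slides or from Snort) that re-implements the cursor semantics described on the last few slides: content with offset/depth (absolute) and distance/within (relative), byte_test with relative and negative offsets and little-endian values, and byte_jump. It then runs the slide's option chain against the SMB payload from the hex dump above. The payload bytes are copied from that dump; the function names, the option dictionaries and the TREE_CONNECT_IPC_OPTIONS chain are my own. The same byte_test also covers the negative relative offset used by the MsBlast rule further down (byte_test:4,>,256,-8,little,relative).

```python
"""Mini Snort 2 rule-option engine: the cursor semantics of content, byte_test and byte_jump.
Added example, not Snort's own code; function names and the option dicts are invented here."""
import operator

# Constructed sample: the SMB Tree Connect AndX request (\\WINSNORT\IPC$) from the hex dump above.
SMB_PAYLOAD = bytes.fromhex(
    "00000052ff534d4275000000001807c8"  # NetBIOS len 0x52, |FF|SMB, cmd 0x75, status, flags 18, flags2 07 c8
    "0000000000000000000000000000fffe"  # PIDHigh, signature, reserved, TID, PID
    "0058c00004ff00520008000100270000"  # UID, MID, WordCount 4, AndX, Flags 08 00, PwLen 1, ByteCount 27 00, Pw
    "5c005c00570049004e0053004e004f00"  # UCS-2 "\\WINSNO"
    "520054005c0049005000430024000000"  # UCS-2 "RT\IPC$" plus terminator
    "3f3f3f3f3f00"                      # service "?????"
)

class Cursor:
    """Snort's detection cursor (doe_ptr): the byte just past the previous match."""
    def __init__(self, pos=0):
        self.pos = pos

def match_content(payload, cur, pattern, offset=None, depth=None,
                  distance=None, within=None, nocase=False):
    """content: offset/depth = absolute window from the payload start; distance/within =
    window relative to the cursor. A hit moves the cursor to the end of the match."""
    if distance is not None or within is not None:
        start = cur.pos + (distance or 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset or 0
        end = start + depth if depth is not None else len(payload)
    if not 0 <= start < len(payload):
        return False
    hay, pat = payload[start:end], pattern
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    idx = hay.find(pat)
    if idx < 0:
        return False
    cur.pos = start + idx + len(pattern)
    return True

_OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, "&": lambda v, m: (v & m) != 0}

def _read_int(payload, pos, size, endian):
    """Unsigned integer from `size` bytes at pos, or None when out of bounds."""
    if pos < 0 or pos + size > len(payload):
        return None
    return int.from_bytes(payload[pos:pos + size], endian)

def byte_test(payload, cur, size, op, value, offset, relative=False, endian="big"):
    """byte_test:<size>,<op>,<value>,<offset>[,relative][,little]: compare the integer at the
    offset (from the cursor if relative; may be negative). Never moves the cursor; '!' negates."""
    v = _read_int(payload, (cur.pos if relative else 0) + offset, size, endian)
    if v is None:
        return False
    return _OPS[op.lstrip("!")](v, value) != op.startswith("!")

def byte_jump(payload, cur, size, offset, relative=False, endian="big", from_beginning=False):
    """byte_jump:<size>,<offset>[,relative][,little][,from_beginning]: read a length field and
    move the cursor past the data it covers. Refuses to jump outside the payload."""
    field = (cur.pos if relative else 0) + offset
    v = _read_int(payload, field, size, endian)
    if v is None:
        return False
    target = v if from_beginning else field + size + v  # past the field and the bytes it counts
    if target > len(payload):
        return False
    cur.pos = target
    return True

def run_options(payload, options):
    """Evaluate options left to right with one shared cursor, as Snort does.
    Returns (matched, cursor position after the last option evaluated)."""
    handlers = {"content": match_content, "byte_test": byte_test, "byte_jump": byte_jump}
    cur = Cursor()
    for name, kwargs in options:
        if not handlers[name](payload, cur, **kwargs):
            return False, cur.pos
    return True, cur.pos

# The slide's option chain. After |FF|SMB (bytes 4..7) the cursor is 8: relative offset 7 is
# byte 15 (flags2 high byte 0xC8 = 200 > 127, the SMB Unicode flag), relative offset 33 is
# byte 41 (Tree Connect flags 08 00 = 0x0008 little-endian), and distance:33 starts at 41 too.
TREE_CONNECT_IPC_OPTIONS = [
    ("content", dict(pattern=b"\x00", depth=1)),
    ("content", dict(pattern=b"\xffSMB", offset=4, depth=4)),
    ("byte_test", dict(size=1, op=">", value=127, offset=7, relative=True)),
    ("byte_test", dict(size=2, op=">", value=7, offset=33, relative=True, endian="little")),
    ("content", dict(pattern=b"I\x00P\x00C\x00$\x00\x00", distance=33, nocase=True)),
]

def skip_smb_data(payload):
    """byte_jump:2,37,little,relative after |FF|SMB: ByteCount (27 00 = 39) is at byte 45, so
    the cursor lands at 45 + 2 + 39 = 86, exactly the end of this message."""
    cur = Cursor()
    if not match_content(payload, cur, b"\xffSMB", offset=4, depth=4):
        return False, cur.pos
    return byte_jump(payload, cur, 2, 37, relative=True, endian="little"), cur.pos
```

run_options(SMB_PAYLOAD, TREE_CONNECT_IPC_OPTIONS) returns (True, 79): every option matches and the cursor ends just past the UCS-2 "IPC$". skip_smb_data(SMB_PAYLOAD) returns (True, 86). Reading flags2 as if it were a length (byte_jump:2,7,little,relative from the same cursor) yields 0x00C8 = 200 and a target of 217, beyond an 86-byte payload, so byte_jump fails instead of silently continuing; that bounds check is why a byte_jump offset has to point at a genuine length field.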
Snort rules (cont.) • pcre adds Perl-compatible regular-expression matching to a rule: • Example: • alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";) • The content keyword gives the fast-pattern matcher a literal to look for; the pcre runs only on packets that pass it, so keep the two consistent. Here content:"root" is case-sensitive while the pcre is case-insensitive (/i), so "USER ROOT" is discarded before the pcre ever runs; add nocase to the content. A complete rule also needs msg and sid.
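To see why the content half and the pcre half of such a rule must agree, here is an added Python sketch (mine, not from the slides or from Snort; the fast-pattern prefilter is approximated by a plain byte search and the FTP command lines are constructed) that evaluates the slide's rule as written next to a corrected variant with nocase and an anchored regex.

```python
"""Added example (not from the slides or from Snort): why a rule's content prefilter and
its pcre must agree. The fast-pattern matcher is approximated by a plain byte search."""
import re


def ftp_rule_as_written(payload):
    """content:"root"; pcre:"/user\\s+root/i" exactly as on the slide: the content check
    is case-sensitive (no nocase) while the regex is case-insensitive and unanchored."""
    if b"root" not in payload:  # content must hit before the pcre is even tried
        return False
    return re.search(rb"user\s+root", payload, re.I) is not None


def ftp_rule_fixed(payload):
    """content:"root"; nocase; pcre:"/^USER\\s+root\\r?$/mi": nocase makes the prefilter as
    permissive as the regex, and anchoring to one command line stops 'USER rootbeer'."""
    if b"root" not in payload.lower():
        return False
    return re.search(rb"^USER\s+root\r?$", payload, re.I | re.M) is not None


# Constructed FTP client commands -> expected (as written, fixed).
SAMPLES = {
    b"USER root\r\n": (True, True),
    b"USER ROOT\r\n": (False, True),      # as written, never reaches the pcre
    b"USER rootbeer\r\n": (True, False),  # unanchored regex fires on any root* account
    b"user   Root\r\n": (False, True),
    b"PASS root\r\n": (False, False),
}


def evaluate(samples=SAMPLES):
    """Run both rule variants over the samples; returns {line: (as_written, fixed)}."""
    return {line: (ftp_rule_as_written(line), ftp_rule_fixed(line)) for line in samples}
```

evaluate() reproduces the expected column of SAMPLES: the rule as written misses "USER ROOT" entirely and fires on "USER rootbeer", while the nocase plus anchored-regex variant catches exactly the root login attempts.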
Example rule - MsBlast • alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:11;)
Example rule - Sasser • alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:9;)