Writing Snort Rules A quick guide Brian Caswell
Writing Snort Rules
• Figure out what is "bad"
• Capture traffic that includes the "bad stuff"
• Learn the protocol
• Figure out why the "bad stuff" is bad
• Write a rule
• Test the rule

More process
• Rewrite the rule
• Test the rule
• Rewrite the rule
• Test the rule
• Rewrite the rule
• Test the rule
• Rewrite the rule
• Test the rule

Even more process
• Rewrite the rule
• Test the rule
• Rewrite the rule
• Test the rule
• Rewrite the rule
• Test the rule
• Rewrite the rule
• Test the rule
Rule Format - basic rule
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

Rule Format – Action
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Tells snort what the rule does (the first word of the header)
• In our product: alert, pass
• In snort: alert, log, pass, activate, dynamic
• In snort-inline: alert, log, pass, activate, dynamic, drop, sdrop

Rule Format – Custom Actions
• not supported in product
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
suspicious tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

Rule Format – Protocol
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Tells snort to look for a specific protocol
• Acceptable protocols: tcp, udp, icmp, ip
Rule Format - IP Address
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Examples
  10.1.1.1
  • a single host
  10.1.1.0/24
  • 10.1.1.0 through 10.1.1.255
  !10.1.1.0/24
  • anything but 10.1.1.0 through 10.1.1.255
  [10.1.0.0/24,10.2.0.0/24]
  • 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255
  ![10.1.0.0/24,10.2.0.0/24]
  • anything but 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255 (the negation applies to the whole list)

Rule Format - Port
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• Examples:
  any
  80
  1:1023
  • 1 through 1023 (inclusive)
  :1023
  • less than or equal to 1023
  10:
  • greater than or equal to 10
  !53
  • not 53
  !53:100
  • not 53 through 100 (inclusive)
NOTE: NO PORT LISTS. 80,8080 IS NOT VALID!!!!

Rule Format - Direction
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
->
• From the first IP/Port to the second IP/Port
<>
• Either direction: from the first IP/Port to the second, OR from the second IP/Port to the first (there is no <- operator)

Rule Format - ... Oh yeah, variables
var EXTERNAL_NET any
var HTTP_PORTS 80
var SMTP_SERVERS 10.1.1.1
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS
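As an added example (not from the deck, not Snort's own code), a small Python model of how the rule header selects packets. It implements the IP forms (single host, CIDR, negation, bracketed list), the port forms (single, ranges open on either end, negation), both direction operators and $variable expansion exactly as the slides describe them, and rejects a port list as the slides warn. The variable table and the sample packets are constructed for the demo; the option body and the real detection engine are out of scope.

```python
# Added example: a Python model of Snort 2.x rule-header matching
# (action proto src sport direction dst dport). Not Snort's own code.
import ipaddress
import re

# Constructed variable table; in snort.conf these come from 'var NAME value'.
VARS = {"EXTERNAL_NET": "any", "HTTP_PORTS": "80", "SMTP_SERVERS": "10.1.1.1"}


def _expand(tok):
    """Replace $NAME with its value from the variable table."""
    return VARS[tok[1:]] if tok.startswith("$") else tok


def parse_ip(spec):
    """Return (negated, [networks]) for: any, 10.1.1.1, 10.1.1.0/24,
    !10.1.1.0/24, [a,b] and ![a,b]. A '!' in front of a list negates the whole list."""
    spec = _expand(spec)
    neg = spec.startswith("!")
    if neg:
        spec = spec[1:]
    if spec == "any":
        return neg, [ipaddress.ip_network("0.0.0.0/0")]
    parts = spec[1:-1].split(",") if spec.startswith("[") and spec.endswith("]") else [spec]
    return neg, [ipaddress.ip_network(p.strip(), strict=False) for p in parts]


def ip_matches(spec, addr):
    neg, nets = parse_ip(spec)
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != neg


def parse_port(spec):
    """Return (negated, lo, hi) for: any, 80, 1:1023, :1023, 10:, !53, !53:100.
    Port lists (80,8080) are not valid in this syntax and are rejected."""
    spec = _expand(spec)
    if "," in spec:
        raise ValueError("port lists are not valid: " + spec)
    neg = spec.startswith("!")
    if neg:
        spec = spec[1:]
    if spec == "any":
        return neg, 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return neg, (int(lo) if lo else 0), (int(hi) if hi else 65535)
    return neg, int(spec), int(spec)


def port_matches(spec, port):
    neg, lo, hi = parse_port(spec)
    return (lo <= port <= hi) != neg


_HEADER = re.compile(r"^(\w+)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")


def parse_header(text):
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("bad rule header: " + text)
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    return dict(zip(keys, m.groups()))


def header_matches(text, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport.
    '->' tests src/sport -> dst/dport only; '<>' also accepts the reverse."""
    h = parse_header(text)
    if h["proto"] != "ip" and h["proto"] != pkt["proto"]:
        return False

    def one_way(a, ap, b, bp):
        return (ip_matches(h["src"], a) and port_matches(h["sport"], ap)
                and ip_matches(h["dst"], b) and port_matches(h["dport"], bp))

    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if h["direction"] == "->":
        return fwd
    return fwd or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


if __name__ == "__main__":
    rule = "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS"
    pkt = dict(proto="tcp", src="192.0.2.10", sport=40000, dst="10.1.1.1", dport=80)
    print(header_matches(rule, pkt))
```

The `<>` case is worth checking both ways when you test a rule: a bidirectional header doubles the traffic the option body is evaluated against, which is usually not what a "to_server" rule wants.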
Rule Format – Body
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
• meat of the detection capabilities
• key value pairs (key:value;)
• types of keywords
  • meta-data
  • payload
  • non-payload
  • post-detection

Meta-Data keywords
• msg
  • msg:"my evil attack";
• reference
  • reference:url,www.snort.org;
• sid
  • sid:100000;
  • (sids of 1,000,000 and above are reserved for local rules; lower numbers belong to the distributed rule set)
• rev
  • rev:100000;
• classtype (see classification.config)
  • classtype:attempted-recon;
• priority
  • priority:3;

Payload
• content
  • content:"foo";
• nocase
  • content:"foo"; nocase;
• rawbytes
  • content:"foo"; rawbytes;
• depth
  • content:"foo"; depth:10;
• offset
  • content:"foo"; offset:10;
• uricontent
  • uricontent:"foo";

Complicated Payload Options
• distance
• within
• isdataat
• byte_test
• byte_jump
• pcre

Broken Payload Keywords
• regex
• content-list
• rpc
Non-Payload options:
• ack (TCP Acknowledge Number)
  • ack:0;
• dsize (Packet Size)
  • dsize:>10;
• id (IP ID)
  • id:10;
• fragoffset (fragment offset)
  • fragoffset:0;
• fragbits (IP fragment bits)
  • fragbits:MD;

More non-payload options
• ttl (IP Time To Live)
  • ttl:1;
• tos (IP TOS)
  • tos:30;
• ipopts (IP option)
  • ipopts:lsrr;
• flags (TCP flags)
  • flags:SF;
• flow (TCP State)
  • flow:to_server,established;

Even more non-payload options:
• seq (TCP Sequence Number)
  • seq:0;
• window (TCP Window Size)
  • window:55808;
• itype (ICMP Type)
  • itype:8;
• icode (ICMP Code)
  • icode:0;

Even more non-payload options (again)
• icmp_id (ICMP ID)
  • icmp_id:0;
• icmp_seq (ICMP Sequence Number)
  • icmp_seq:0;
• ip_proto (IP Protocol)
  • ip_proto:6;
• sameip (Are the IPs the same)
  • sameip;
• stateless (Not part of a flow)
  • stateless;
The complicated options
• distance
• within
• isdataat
• byte_test
• byte_jump
• pcre

Distance
content:"SITE"; content:"EXEC"; distance:0;

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76   SITE     EXEC ev
69 6C 66 6F 6F 0A                                 ilfoo.

• distance:N makes the second content relative: the search starts N bytes after the end of the previous match instead of at the start of the payload. distance:0 means "EXEC" must come somewhere after "SITE", not merely somewhere in the packet.
Within
content:"SITE"; content:!"|0a|"; within:50;

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76   SITE     EXEC ev
69 6C 66 6F 6F 0A                                 ilfoo.

• within:N requires the content to be found entirely inside the N bytes after the end of the previous match. With the ! (negated) content the rule matches only when the pattern is NOT found there. Here the newline (0a) falls within 50 bytes of "SITE", so the negated content fails and the rule does not match: this line is short and properly terminated.
Isdataat
content:"SITE"; content:!"|0a|"; within:50;

53 49 54 45 20   SITE

• The same rule matches this 5-byte payload. There is no 0a in the 50 bytes after "SITE" only because the packet ends after one byte, so the negated content succeeds: a false positive on a payload that is nowhere near long enough to be an overflow.
Isdataat
content:"SITE"; isdataat:50,relative; content:!"|0a|"; within:50;

53 49 54 45 20   SITE

• isdataat:50,relative requires that the payload still has data 50 bytes past the end of the "SITE" match before the negated content is tested. The short payload now fails on isdataat; a long unterminated line still matches. Put the isdataat before the negated content whenever the within window could run off the end of the packet.
Byte Test
content:" LSUB |22|"; content:"|22| {"; distance:0; byte_test:5,>,256,0,string,dec,relative;

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D   1 LSUB "" {1064}

• the two contents (the second relative to the first) put the cursor just after the "{" that opens the IMAP literal
• byte_test:5,>,256,0,string,dec,relative reads up to 5 bytes at the cursor (offset 0 from the end of the previous match), converts them as a decimal string ("1064}" converts to 1064) and succeeds when the value is greater than 256
• byte_test only compares; it does not move the cursor
Byte Jump
content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative;

  0  00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02   ....6Q.+........
 16  00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01   ................
 32  00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61   ... 7^.j....loca
 48  6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00   lhost...........
 64  00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF   ................
 80  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
 96  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
112  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
128  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
144  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA

• offset 8, depth 4: the RPC message type is 0 (CALL); offset 16, depth 4: the program number 00 01 86 F3. The cursor is now at 20.
• distance:4 skips the 4-byte version field and within:4 pins the procedure number (7) to the next 4 bytes; the cursor is now at 28.
• first byte_jump:4,4,relative,align: read 4 bytes starting 4 past the cursor (the credentials length at 32, 0x20 = 32), skip that many bytes from the end of the bytes read, rounding the length up to a 4-byte boundary. This steps over the variable-length credentials to the verifier at 68.
• second byte_jump: the same for the verifier (length 0 at 72), landing on the first argument at 76.
• byte_test:4,>,128,0,relative: the 4-byte string length at the cursor (0F FF = 4095) is greater than 128, so the rule fires. Without the two jumps the rule would have to guess where the argument starts, and a different hostname length in the credentials would break it.
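As an added example (not from the deck, not Snort's own code), a small Python model of how these modifiers move a cursor through a payload. It replays the distance, within, isdataat, byte_test and byte_jump rules above against the packet bytes shown on the slides, and adds one constructed payload (a long "SITE" line with no newline) so the isdataat fix can be seen to keep the true positive while dropping the false one. The semantics are a simplification of the Snort 2.x engine (first match only, no fast-pattern stage); option names and argument order follow the Snort 2.x manual.

```python
# Added example: a Python model of Snort 2.x content-modifier cursor movement.
# Not Snort's own code; semantics simplified (first match only).
from functools import partial


def _search(buf, pat, start, end):
    """Find pat entirely inside buf[start:end]; return the index just past it, or -1."""
    i = buf.find(pat, max(start, 0), min(end, len(buf)))
    return -1 if i < 0 else i + len(pat)


def content(buf, doe, pat, *, offset=0, depth=None, distance=None, within=None,
            negate=False, nocase=False):
    """content with offset/depth (absolute) or distance/within (relative to doe,
    the end of the previous match). Returns the new cursor, or None on failure.
    A negated content succeeds when pat is absent and leaves the cursor alone."""
    hay, needle = (buf.lower(), pat.lower()) if nocase else (buf, pat)
    if distance is not None or within is not None:          # relative search
        start = doe + (distance or 0)
        end = start + within if within is not None else len(buf)
    else:                                                    # absolute search
        start, end = offset, (offset + depth if depth is not None else len(buf))
    m = _search(hay, needle, start, end)
    if negate:
        return doe if m < 0 else None
    return m if m >= 0 else None


def isdataat(buf, doe, n, relative=True):
    """isdataat:n[,relative]: a byte must exist n past the cursor (or the start)."""
    return doe if (doe if relative else 0) + n < len(buf) else None


def _as_int(chunk, string, base):
    """Big-endian binary, or a strtoul-style digit prefix when string=True."""
    if not string:
        return int.from_bytes(chunk, "big")
    digits, text = "0123456789abcdef"[:base], ""
    for ch in chunk.decode("ascii", "replace").lower():
        if ch not in digits:
            break
        text += ch
    return int(text, base) if text else 0


_OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def byte_test(buf, doe, nbytes, op, value, offset=0, *, relative=False, string=False, base=10):
    """byte_test:bytes,op,value,offset[,relative][,string,dec]; never moves the cursor."""
    start = (doe if relative else 0) + offset
    chunk = buf[start:start + nbytes]
    if len(chunk) < nbytes:
        return None
    return doe if _OPS[op](_as_int(chunk, string, base), value) else None


def byte_jump(buf, doe, nbytes, offset, *, relative=False, align=False, string=False, base=10):
    """byte_jump:bytes,offset[,relative][,align]: read a length, then skip that many
    bytes counted from the end of the bytes read (align rounds the length up to 4)."""
    start = (doe if relative else 0) + offset
    chunk = buf[start:start + nbytes]
    if len(chunk) < nbytes:
        return None
    jump = _as_int(chunk, string, base)
    if align:
        jump = (jump + 3) & ~3
    new = start + nbytes + jump
    return new if new <= len(buf) else None


def evaluate(buf, steps):
    """Run the option chain in order; return (matched, cursor after each step)."""
    doe, trace = 0, []
    for step in steps:
        doe = step(buf, doe)
        if doe is None:
            return False, trace
        trace.append(doe)
    return True, trace


# Payloads from the slides; SITE_LONG is constructed (a long line with no newline).
SITE_EXEC = bytes.fromhex("53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76 69 6C 66 6F 6F 0A")
SITE_SHORT = bytes.fromhex("53 49 54 45 20")
SITE_LONG = b"SITE " + b"A" * 60
LSUB = bytes.fromhex("31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D")
RPC_CALL = bytes.fromhex(
    "00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 "
    "00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 "
    "00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 "
    "6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF ") + b"A" * 80

DISTANCE = [partial(content, pat=b"SITE"), partial(content, pat=b"EXEC", distance=0)]
WITHIN = [partial(content, pat=b"SITE"), partial(content, pat=b"\n", within=50, negate=True)]
WITHIN_ISDATAAT = [partial(content, pat=b"SITE"), partial(isdataat, n=50),
                   partial(content, pat=b"\n", within=50, negate=True)]
BYTE_TEST = [partial(content, pat=b' LSUB "'), partial(content, pat=b'" {', distance=0),
             partial(byte_test, nbytes=5, op=">", value=256, relative=True, string=True)]
BYTE_JUMP = [partial(content, pat=b"\x00\x00\x00\x00", offset=8, depth=4),     # CALL
             partial(content, pat=b"\x00\x01\x86\xF3", offset=16, depth=4),    # program
             partial(content, pat=b"\x00\x00\x00\x07", distance=4, within=4),  # procedure 7
             partial(byte_jump, nbytes=4, offset=4, relative=True, align=True),  # skip cred
             partial(byte_jump, nbytes=4, offset=4, relative=True, align=True),  # skip verf
             partial(byte_test, nbytes=4, op=">", value=128, relative=True)]     # arg length

if __name__ == "__main__":
    for name, buf, steps in [("distance", SITE_EXEC, DISTANCE), ("within", SITE_EXEC, WITHIN),
                             ("within/short", SITE_SHORT, WITHIN),
                             ("isdataat/short", SITE_SHORT, WITHIN_ISDATAAT),
                             ("byte_test", LSUB, BYTE_TEST), ("byte_jump", RPC_CALL, BYTE_JUMP)]:
        print(name, evaluate(buf, steps))
```

The trace returned by `evaluate` is the thing to look at when a relative rule misbehaves: it shows where each option left the cursor, which is exactly what you need to see that a byte_jump landed on the verifier rather than the argument, or that a negated within "matched" only because the packet ran out.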
PCRE
• Perl Compatible Regular Expressions
• a few snort specific options
• when using, ALWAYS include a regular content
• NOT PART OF FAST PATTERN MATCHER! A rule with only a pcre is evaluated against every packet its header selects; the content gives the fast pattern matcher something to pre-filter on, so the regex only runs on packets that already contain it
• Read Mastering Regular Expressions