
Snort Rules (How to keep your insanity?)

samara

Presentation Transcript


  1. Snort Rules (How to keep your insanity?)

  2. Anatomy of a Rule
  • Composed of two parts:
  • Header
  • Rule Options
  • This is what we will be using to dissect:
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
  May I go home now? Do you think it is easy to type this?

  3. Header
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

  4. Dissect Header
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
  • Actions: the first element is the action; in our example the action is "alert"
  • There are 8 possible actions
  • The most common actions are alert, pass, drop, reject and sdrop

  5. Dissect Header
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
  • Protocols: a single word describing the protocol
  • TCP, UDP, ICMP, or IP (or GRE, ESP, AH)
  • Next we have basic IP and port matching; we can use an individual IP or a range of IPs, but a range may be written only in CIDR notation
  • In other words, you cannot specify a range as 10.1-3.0.0 or 192.168.*.3
  • Snort will exit on load
  • This is the first place where we can use a variable

  6. Dissect Header
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
  • var <variable name> <value>
  • Separated by spaces
  • The most useful instances are to specify your local network IP range, or the ports on which you allow HTTP traffic when your proxy listens on ports other than 80
  • var HOME_NET 192.168.1.0/24
  • These variables allow you to customize every rule

  7. Dissect Header
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
  • Ports: next we specify the port
  • You can match on both source and destination ports
  • You can define a single port or a range of ports
  • No broken ranges or lists of ports
  • Example: to define any port from 20 through 53 inclusive, write 20:53
  • If you want to match on any port except 443, you would specify !443
  • alert tcp $HOME_NET any -> $EXTERNAL_NET 80

  8. Options Part
  (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
  • Anything inside the parentheses is the options part

  9. Rule Title
  (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
  • First option; in our example it is msg, the message
  • All rules have a unique Security Identifier (SID) or rule ID
  • No duplicate message rules
  • Snort does not complain, but order is good for accuracy
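As an added example (not from the slides and not Snort's own code), the following Python dissects a rule the way slides 2 through 9 do: it splits the header from the options, enforces the header rules stated above (one of the eight actions, CIDR-only addresses, a single port or one low:high range, no lists) and refuses a rule that carries no sid. The rule string is the CodeRed rule from the slides; the option regex and the helper names are this example's own construction.

```python
import ipaddress
import re

# Constructed sample: the CodeRed v2 rule (sid 1256) dissected in the slides.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; '
        'uricontent:"/root.exe"; nocase; '
        'reference:url,www.cert.org/advisories/CA-2001-19.html; '
        'classtype:web-application-attack; sid:1256; rev:8;)')

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

def check_addr(spec):
    """'any', a $VAR, or a CIDR block, optionally negated with '!'."""
    s = spec.lstrip("!")
    if s == "any" or s.startswith("$"):
        return True
    try:
        ipaddress.ip_network(s, strict=False)   # 10.1-3.0.0 and 192.168.*.3 fail here
        return True
    except ValueError:
        return False

def check_port(spec):
    """'any', a $VAR, a single port, or one inclusive low:high range (no lists)."""
    s = spec.lstrip("!")
    return s == "any" or s.startswith("$") or re.fullmatch(r"\d+|\d*:\d+|\d+:\d*", s) is not None

def parse_rule(text):
    """Split a rule into header fields and an ordered list of (option, value) pairs."""
    head, _, body = text.partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>") or not body.endswith(")"):
        raise ValueError("expected: action proto src sport dir dst dport (options)")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol: {action} {proto}")
    if not (check_addr(src) and check_addr(dst)):
        raise ValueError("addresses must be any, $VAR or CIDR (no 10.1-3.0.0 or 192.168.*.3)")
    if not (check_port(sport) and check_port(dport)):
        raise ValueError("ports must be any, $VAR, a single port or low:high")
    # Options are ';'-terminated; a quoted value may itself contain ';'.
    opts = [(k, v.strip('"')) for k, v in
            re.findall(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;', body[:-1])]
    if "sid" not in dict(opts):
        raise ValueError("every rule needs a unique sid")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": opts}
```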

  10. Flow
  (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
  • Flow has several options
  • to_server, from_server, to_client, from_client, established, stateless
  • established tells the detection engine to look only in streams that started with a full three-way TCP handshake and have data flowing
  • stateless says this packet could be out there all alone, out of normal order, so do not use the reassembled output from the stream preprocessor
  • Not applicable to UDP (stateless)

  11. (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
  • Content: content and uricontent are similar
  • content is a simple match
  • uricontent looks in the normalized output of the HTTP preprocessor
  • uricontent:"/root.exe" means match if there is a URL out of the HTTP preprocessor that contains the string /root.exe. This is the telltale request made by a Code Red-infected host as it tries to spread its badness

  12. Modifiers of Content
  • depth: says we care only whether you see this content in the first X bytes of the packet
  content:"GET"; depth:10;
  • offset: does the opposite and says to ignore the first X bytes of the packet and look from there to the end of the packet
  content:"attack code"; offset:50;
  Look for the content match, but skip the first 50 bytes of the payload

  13. Modifiers of Content
  • within: if we have two content matches but want to make sure they are a certain distance from each other, we use the within modifier
  • Works like depth, but it works from the end of the previous match
  content:"George"; content:"is a Ruck"; within:20;
  This tells Snort: if you find the string George, and then is a Ruck starts within 20 bytes of the end of George, report a match. Even if the distance is one byte, the match will be good.

  14. Modifiers of Content
  • distance: if we wanted to make sure the second match was at least 20 bytes from the first, we would use distance
  • This tells Snort to ignore the next X bytes after the previous match and then start looking
  • George is a Ruck
  • George Bumbler is a Ruck
  • George in White House is a Ruck
  • George never seems ok and he is a real Ruck
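Added example, not from the slides and not Snort's code: a small Python model of how depth, offset, distance and within narrow the search window, run over the slides' "George ... is a Ruck" strings (the extra payloads are constructed here). It assumes Snort's documented semantics: offset and depth count from the start of the payload, distance and within from the end of the previous match, and the whole pattern must lie inside the window for a hit.

```python
def find_content(payload, pattern, prev_end=None, offset=0, depth=None,
                 distance=None, within=None, nocase=False):
    """Search `pattern` in `payload` under Snort-style content modifiers.

    offset/depth are measured from the start of the payload; distance/within
    from the end of the previous match (prev_end). Returns the absolute end
    index of the match, or None when the pattern is not wholly in the window.
    """
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    if prev_end is not None and (distance is not None or within is not None):
        start = prev_end + (distance or 0)     # skip `distance` bytes after the last match
        end = start + within if within is not None else len(payload)
    else:
        start = offset                          # ignore the first `offset` bytes
        end = start + depth if depth is not None else len(payload)
    pos = payload.find(pattern, start, end)     # whole pattern must fit in [start, end)
    return None if pos < 0 else pos + len(pattern)

def match_contents(payload, contents):
    """Apply a rule's content matches in order; relative modifiers refer to the previous hit."""
    prev_end = None
    for spec in contents:
        spec = dict(spec)
        pattern = spec.pop("content")
        prev_end = find_content(payload, pattern, prev_end, **spec)
        if prev_end is None:
            return False
    return True

# content:"George"; content:"is a Ruck"; within:20;   (slide 13)
WITHIN_RULE = [{"content": b"George"}, {"content": b"is a Ruck", "within": 20}]
# content:"George"; content:"is a Ruck"; distance:20;  (slide 14)
DISTANCE_RULE = [{"content": b"George"}, {"content": b"is a Ruck", "distance": 20}]
# content:"GET"; depth:10;                             (slide 12)
DEPTH_RULE = [{"content": b"GET", "depth": 10}]

if __name__ == "__main__":
    for text in (b"George is a Ruck", b"George Bumbler is a Ruck",
                 b"George in White House is a Ruck"):
        print(text, "within:20 ->", match_contents(text, WITHIN_RULE),
              "distance:20 ->", match_contents(text, DISTANCE_RULE))
```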

  15. Modifiers of Content
  • rawbytes: rarely used
  • For example, the Telnet decoder takes all the little packets with single characters and reassembles them. Without the preprocessor, you would have to match on six different packets to catch the string "George"
  • If you are trying to detect a Telnet exploit that relied on inserting special characters in between those characters, the preprocessor would strip them out (and the HTTP preprocessor would normalize them into ASCII); rawbytes lets you get at that string before it is normalized

  16. Metadata
  • The remainder of our example rule: reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
  • These play no part in detecting data or packets
  • They help to identify the rule
  • They are usually at the end

  17. Metadata
  • reference: it is good to include references to remember why you wrote this rule and what its purpose is
  • Always add references to your rules; you will be glad you did in the months and years to come
  • classtype: is a classification tool, event manager oriented
  • It allows you to prioritize events based on their type after they have been generated

  18. classtype:web-application-attack; sid:1256; rev:8;)
  • Example: rules that catch users in chat rooms are less important in a real-time sense than port scanning and exploits against Web servers that allow root access
  config classification: web-application-attack,Web Application Attack,1
  config classification: misc-activity,Misc Activity,3

  19. sid:1256; rev:8;)
  • sid: is a very important option
  • Snort will run without it
  • If you are using database output plug-ins, they will then have events without a sid
  • sid is a unique identifier that all rules must have
  • sids range from 100-1,000,000
  • sids from 1,000,001-1,999,999 are reserved for local use, not for the public repository
  • sids 2,000,000-2,999,999 are used by the Bleeding Edge Threats repository

  20. sid:1256; rev:8;)
  • The rev option refers to the revision number
  • It is good for the history of the rules

  21. Conclusion
  • There is much to learn about Snort rules
  • Don't be discouraged; think about how much you have learned so far
  • If Internet and network security is going to be your field, then it is best to learn this tool to protect your systems from outside and inside intruders
  FIN
