1 Writing Snort Rules: a quick guide. Brian Caswell

2 The life of a packet through Snort's detection engine

3 Writing Snort Rules
Figure out what is "bad"
Capture traffic that includes the "bad stuff"
Learn the protocol
Figure out why the "bad stuff" is bad
Write a rule
Test the rule

4 More process
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule

5 Even more process
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule

6 Rule Format - basic rule
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

7 Rule Format – Action
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
Tells snort what the rule does
– In our product: alert, pass
– In snort: alert, log, pass, activate, dynamic
– In snort-inline: alert, log, pass, activate, dynamic, drop, sdrop

8 Rule Format – Custom Actions
Not supported in product.
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
suspicious tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)

9 Rule Format – Protocol
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
Tells snort to look for a specific protocol
Acceptable protocols:
– TCP
– UDP
– ICMP
– IP

10 Rule Format - IP Address
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
Examples
– 10.1.1.1                    duh
– 10.1.1.0/24                 10.1.1.0 through 10.1.1.255
– !10.1.1.0/24                anything but 10.1.1.0 through 10.1.1.255
– [10.1.0.0/24,10.2.0.0/24]   10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255
– ![10.1.0.0/24,10.2.0.0/24]  anything but 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255

11 Rule Format - Port
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
Examples:
– any
– 80
– 1:1023   1 through 1023 (inclusive)
– :1023    less than or equal to 1023
– 10:      greater than or equal to 10
– !53      not 53
– !53:100  not 53 through 100 (inclusive)
NOTE: NO PORT LISTS. 80,8080 IS NOT VALID!!!!

12 Rule Format - Direction
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
– ->  from the first IP/port to the second IP/port
– <>  from the first IP/port to the second IP/port OR from the second IP/port to the first IP/port

13 Rule Format - ... Oh yeah, variables
var EXTERNAL_NET any
var HTTP_PORTS 80
var SMTP_SERVERS 10.1.1.1
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS
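An added example, not code from the slides: a small Python matcher for the rule header syntax covered on slides 9 through 13 (protocol, IP specs with CIDR, negation and bracketed lists, port specs including the "no port lists" restriction, the -> and <> directions, and $VAR substitution). The function names and the packet tuples are chosen here; the keyword semantics follow the slides' description of Snort 2.

```python
import ipaddress
import re

def parse_vars(lines):
    """Collect 'var NAME value' lines (slide 13) into a dict."""
    vars_ = {}
    for line in lines:
        m = re.match(r"^\s*var\s+(\w+)\s+(\S+)\s*$", line)
        if m:
            vars_[m.group(1)] = m.group(2)
    return vars_

def substitute(token, vars_):
    """Expand $NAME from the var table; other tokens pass through."""
    return vars_[token[1:]] if token.startswith("$") else token

def ip_matches(spec, ip):
    """Match an address against any, 10.1.1.1, 10.1.1.0/24,
    !10.1.1.0/24, [a/24,b/24] or ![a/24,b/24] (slide 10)."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        hit = True
    else:
        nets = spec[1:-1].split(",") if spec.startswith("[") else [spec]
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate

def port_matches(spec, port):
    """Match a port against any, 80, 1:1023, :1023, 10:, !53, !53:100
    (slide 11). Comma lists are rejected, as the slide says."""
    if "," in spec:
        raise ValueError("port lists are not valid: %s" % spec)
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def header_matches(rule, pkt, vars_=None):
    """pkt is a constructed (proto, src_ip, src_port, dst_ip, dst_port)."""
    vars_ = vars_ or {}
    fields = rule.split("(", 1)[0].split()   # header only, body ignored
    if len(fields) != 7:
        raise ValueError("bad rule header: %s" % rule)
    action, proto, sip, sport, direction, dip, dport = fields
    sip, sport, dip, dport = (substitute(t, vars_) for t in (sip, sport, dip, dport))
    proto_pkt, ps, pps, pd, ppd = pkt
    if proto != proto_pkt:
        return False
    forward = (ip_matches(sip, ps) and port_matches(sport, pps)
               and ip_matches(dip, pd) and port_matches(dport, ppd))
    if direction == "->":
        return forward
    if direction == "<>":   # either side may be the source (slide 12)
        reverse = (ip_matches(sip, pd) and port_matches(sport, ppd)
                   and ip_matches(dip, ps) and port_matches(dport, pps))
        return forward or reverse
    raise ValueError("bad direction: %s" % direction)
```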

14 Rule Format – Body
alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; content:"bar";)
The meat of the detection capabilities
Key/value pairs (key:value;)
Types of keywords:
– meta-data
– payload
– non-payload
– post-detection

15 Meta-Data keywords
Msg
– msg:"my evil attack";
Reference
– reference:url,www.snort.org;
Sid
– sid:100000;
Rev
– rev:100000;
Classtype (see classification.config)
– classtype:attempted-recon;
Priority
– priority:3;

16 Payload
Content
– content:"foo";
Nocase
– content:"foo"; nocase;
Rawbytes
– content:"foo"; rawbytes;
Depth
– content:"foo"; depth:10;
Offset
– content:"foo"; offset:10;
Uricontent
– uricontent:"foo";

17 Complicated Payload Options
distance
within
isdataat
byte_test
byte_jump
pcre

18 Broken Payload Keywords
regex
content-list
rpc

19 Non-Payload options:
ack (TCP Acknowledge Number)
– ack:0;
dsize (Packet Size)
– dsize:>10;
id (IP ID)
– id:10;
fragoffset (fragment offset)
– fragoffset:0;
fragbits (IP fragment bits)
– fragbits:MD;

20 More non-payload options
ttl (IP Time To Live)
– ttl:1;
tos (IP TOS)
– tos:30;
ipopts (IP option)
– ipopts:lsrr;
flags (TCP flags)
– flags:SF;
flow (TCP State)
– flow:to_server,established;

21 Even more non-payload options:
seq (TCP Sequence Number)
– seq:0;
ttl (IP Time To Live)
– ttl:10;
window (TCP Window Size)
– window:55808;
itype (ICMP Type)
– itype:8;
icode (ICMP Code)
– icode:0;

22 Even more non-payload options (again)
icmp_id (ICMP ID)
– icmp_id:0;
icmp_seq (ICMP Sequence Number)
– icmp_seq:0;
ip_proto (IP Protocol)
– ip_proto:6;
sameip (Are the IPs the same)
– sameip;
stateless (Not part of a flow)
– stateless;

23 The complicated options
distance
within
isdataat
byte_test
byte_jump
pcre

24 Distance
content:"SITE"; content:"EXEC"; distance:0;
53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76  SITE     EXEC ev
69 6C 66 6F 6F 0A                                ilfoo.


28 Within
content:"SITE"; content:!"|0a|"; within:50;
53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76  SITE     EXEC ev
69 6C 66 6F 6F 0A                                ilfoo.


32 Isdataat
53 49 54 45 20  SITE 
content:"SITE"; content:!"|0a|"; within:50;
With only "SITE " in the payload the negated content still matches: no |0a| is found in the 50 bytes after "SITE" because there are no 50 bytes to look at, so the rule fires on a harmless five-byte packet.

35 Isdataat
content:"SITE"; isdataat:50,relative; content:!"|0a|"; within:50;

36 Byte Test
31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D  1 LSUB "" {1064}
content:" LSUB |22|"; content:"|22| {"; distance:0; byte_test:5,>,256,0,string,dec,relative;


42 Byte Jump
00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02  ....6Q.+........
00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01  ................
00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61  ... 7^.j....loca
6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00  lhost...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF  ................
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
content:"|00 00 00 00|"; offset:8; depth:4;
content:"|00 01 86 F3|"; offset:16; depth:4;
content:"|00 00 00 07|"; distance:4; within:4;
byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align;
byte_test:4,>,128,0,relative;
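An added example, not the slides' own code: a toy Python evaluator for the relative payload options walked through on slides 24 to 49 (content with offset/depth/distance/within and negation, isdataat, byte_test, byte_jump), run over the payloads transcribed from the hex dumps. It keeps one cursor at the end of the previous match the way Snort's detection pointer does; the keyword semantics are a simplified assumption of Snort 2 behaviour, and the function names, option tuples and payload constants are chosen here.

```python
C, BT, BJ = "content", "byte_test", "byte_jump"

def read_num(chunk, as_string):
    """Big-endian integer, or (string,dec) a decimal string read like strtoul."""
    if not as_string:
        return int.from_bytes(chunk, "big")
    digits = ""
    for ch in chunk.decode("latin-1"):
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else 0

def run(opts, data):
    """Evaluate payload options in order; True means the rule would fire.
    Simplified, assumed semantics of the Snort 2 keywords on the slides."""
    cur = 0  # end of the previous match, where relative options start
    for opt in opts:
        kind = opt[0]
        if kind == C:  # (C, pattern, negated, modifiers)
            _, pat, neg, mods = opt
            if "distance" in mods or "within" in mods:  # relative search
                start = cur + mods.get("distance", 0)
            else:                                       # absolute search
                start = mods.get("offset", 0)
            span = mods.get("within", mods.get("depth"))
            end = len(data) if span is None else start + span
            pos = data.find(pat, start, end)
            if (pos != -1) == neg:  # found but negated, or required but missing
                return False
            if pos != -1:
                cur = pos + len(pat)
        elif kind == "isdataat":  # ("isdataat", n, relative)
            _, n, rel = opt
            if len(data) - (cur if rel else 0) <= n:
                return False
        elif kind == BT:  # (BT, n, op, value, offset, relative, string)
            _, n, op, value, off, rel, as_string = opt
            chunk = data[(cur if rel else 0) + off:][:n]
            if len(chunk) < n:
                return False
            num = read_num(chunk, as_string)
            if not {">": num > value, "<": num < value, "=": num == value}[op]:
                return False
        elif kind == BJ:  # (BJ, n, offset, relative, align)
            _, n, off, rel, align = opt
            start = (cur if rel else 0) + off
            chunk = data[start:start + n]
            if len(chunk) < n:
                return False
            cur = start + n + int.from_bytes(chunk, "big")  # jump past the field
            if align:
                cur = (cur + 3) & ~3
            if cur > len(data):
                return False
    return True

# Constructed payloads transcribed from the hex dumps on the slides.
SITE_LINE = b"SITE     EXEC evilfoo\n"  # slides 24-31
SITE_SHORT = b"SITE "                   # slides 32-35
LSUB = b'1 LSUB "" {1064}'              # slides 36-41
RPC = bytes.fromhex(                    # slides 42-49 (ONC RPC call)
    "00000f9c 3651d52b 00000000 00000002 000186f3 00000001 00000007 00000001"
    "00000020 375ed16a 00000009 6c6f6361 6c686f73 74000000 00000000 00000000"
    "00000000 00000000 00000000 00000fff" + "41" * 16)

RULES = {  # each list is one slide's options, in rule order
    "distance": [(C, b"SITE", False, {}), (C, b"EXEC", False, {"distance": 0})],
    "within": [(C, b"SITE", False, {}), (C, b"\n", True, {"within": 50})],
    "isdataat": [(C, b"SITE", False, {}), ("isdataat", 50, True),
                 (C, b"\n", True, {"within": 50})],
    "byte_test": [(C, b' LSUB "', False, {}), (C, b'" {', False, {"distance": 0}),
                  (BT, 5, ">", 256, 0, True, True)],
    "byte_jump": [(C, b"\0\0\0\0", False, {"offset": 8, "depth": 4}),
                  (C, b"\0\x01\x86\xf3", False, {"offset": 16, "depth": 4}),
                  (C, b"\0\0\0\x07", False, {"distance": 4, "within": 4}),
                  (BJ, 4, 4, True, True), (BJ, 4, 4, True, True),
                  (BT, 4, ">", 128, 0, True, False)],
}
```

The byte_jump rule lands on the length field at offset 76 (0x0FFF = 4095) only because each jump skips the 4-byte flavor word and then the credential or verifier body it announces; changing that length to a small value makes the final byte_test fail.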


50 PCRE
Perl Compatible Regular Expressions
A few snort specific options
When using, ALWAYS include a regular content
NOT PART OF FAST PATTERN MATCHER!
Read Mastering Regular Expressions

51 PCRE Format
pcre:[!]"(/ /|m )[ismxAEGRUB]";
Examples
– pcre:"/blah.*blah/";
– pcre:"m?blah/.*blah?";
– pcre:"/blah.*blah/i";
– pcre:!"/blah/i";
– content:"foo"; pcre:!"/blah/R";

52 PCRE basic options
pcre:"/blah.*blah/OPTIONS_GO_HERE";
i – case insensitive
s – include newlines in the dot metacharacter
m – match on all line breaks
x – ignore whitespace in rules

53 PCRE options: PCRE specific
pcre:"/blah.*blah/OPTIONS_GO_HERE";
A – the pattern must match only at the start of the buffer (same as ^)
E – $ only matches end of string
G – invert greediness (match as little as possible)

54 PCRE options: Snort specific
pcre:"/blah.*blah/OPTIONS_GO_HERE";
R – relative match (same as distance:0;)
U – URI match (same as uricontent)
B – do not use the decoded buffers (same as rawbytes)

55 PCRE Regex metacharacters
\  – Quote the next metacharacter
^  – Match the beginning of the line
.  – Match any character (except newline)
$  – Match the end of the line (or before newline at the end)
|  – Alternation
() – Grouping
[] – Character class
pcre:"/^(foo|bar)$/";

56 PCRE patterns
\t   – tab
\n   – newline (LF)
\r   – return (CR)
\033 – octal char (think of a PDP-11)
\x0a – hex char

57 More PCRE patterns
\x{263a} – wide hex char (Unicode SMILEY)
\l – lowercase next char (think vi)
\u – uppercase next char (think vi)
\L – lowercase till \E (think vi)
\U – uppercase till \E (think vi)
\Q – quote (disable) pattern metacharacters till \E
\E – end case modification (think vi)

58 Even more PCRE patterns
\w – Match a "word" character (alphanumeric plus "_")
\W – Match a non-"word" character
\s – Match a whitespace character
\S – Match a non-whitespace character
\d – Match a digit character
\D – Match a non-digit character
Example
– "/\w\s\w/"
– Matches: "FOO BAR"
– Doesn't match: "FOO "

59 PCRE Quantifiers
*     – Match 0 or more times
+     – Match 1 or more times
?     – Match 1 or 0 times
{n}   – Match exactly n times
{n,}  – Match at least n times
{n,m} – Match at least n but not more than m times
Example
pcre:"/\w{3,5}/";

60 PCRE Example
CVE: CVE-1999-0095
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE Example
/rcpt to: | /bin/id/ OR /rcpt to: ; /bin/id/
/rcpt to: [;|] /bin/id/
/rcpt to:\s*[;|]/
/^rcpt to\x3a\s*[\x3b|]/
/^rcpt to\x3a\s*[\x3b|]/i
/^rcpt to\x3a\s*[\x3b|]/mi

61 PCRE Example (regex)
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE
/rcpt to: | \/bin\/id/ OR /rcpt to: ; \/bin\/id/

62 PCRE Example (character classes)
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE
/rcpt to: [;|] \/bin\/id/

63 PCRE Example (remove command)
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE
/rcpt to: [;|]/

64 PCRE Example (remove : and ;)
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE
/rcpt to\x3a [\x3b|]/

65 PCRE Example (remove evasion)
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE
/rcpt to\x3a\s*[\x3b|]/i

66 PCRE Example (remove false positives)
Attack
rcpt to: | /bin/id
OR
rcpt to: ; /bin/id
PCRE
/^rcpt to\x3a\s*[\x3b|]/mi

67 PCRE completed example
alert tcp any any -> any 25 (flow:to_server,established; content:"rcpt to\:"; nocase; pcre:"/^rcpt\s+to\x3a\s*[|\x3b]/mi";)
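An added example, not from the slides: the regex refinements from slides 60 to 67 run with Python's re module, which handles these particular patterns (hex escapes, \s, character classes, the i and m modifiers) the same way PCRE does. The sample SMTP lines beyond the two attack strings on the slides are constructed here to probe each refinement; STEPS, SAMPLES, coverage and final_rule_hits are names chosen for this example.

```python
import re

# Each refinement step from the slides, as (label, pattern, re flags).
# Snort's /i and /m modifiers map to re.I and re.M.
STEPS = [
    ("literal",        r"rcpt to: [;|] \/bin\/id", 0),
    ("no command",     r"rcpt to: [;|]", 0),
    ("hex escapes",    r"rcpt to\x3a [\x3b|]", 0),
    ("evasion",        r"rcpt to\x3a\s*[\x3b|]", re.I),
    ("false positive", r"^rcpt to\x3a\s*[\x3b|]", re.I | re.M),
    ("final rule",     r"^rcpt\s+to\x3a\s*[|\x3b]", re.I | re.M),
]

# Constructed SMTP lines: the first two are the slides' attack strings,
# the rest show what each later step gains or loses.
SAMPLES = {
    "attack pipe":      "rcpt to: | /bin/id\r\n",
    "attack semicolon": "rcpt to: ; /bin/id\r\n",
    "other command":    "rcpt to: | /bin/date\r\n",     # not /bin/id
    "upper case":       "RCPT TO:|/bin/id\r\n",         # case, no spaces
    "extra spaces":     "rcpt  to:|/bin/id\r\n",        # two spaces
    "mid-line":         "Subject: rcpt to: | is not a command\r\n",
    "benign":           "rcpt to: <user@example.test>\r\n",
}

def matches(pattern, flags, text):
    return re.search(pattern, text, flags) is not None

def coverage(label):
    """Names of the samples that one step's pattern matches."""
    pattern, flags = next((p, f) for l, p, f in STEPS if l == label)
    return {name for name, text in SAMPLES.items() if matches(pattern, flags, text)}

# A constructed multi-command session: with /m the ^ anchors at every line
# start; without it the rcpt line in the middle of the stream is missed.
SESSION = ("EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n"
           "rcpt to: | /bin/id\r\n")

def final_rule_hits(text, multiline=True):
    """The completed rule's pcre from slide 67, with or without /m."""
    flags = re.I | (re.M if multiline else 0)
    return matches(STEPS[-1][1], flags, text)
```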

68 The required bits
Rule header: action, ip, port, direction, ip, port
Msg
Content (if you can)
Classtype
Sid
Rev
flow/stateless (for TCP rules)

69 A few notes
When multiple rules match at a time, the longest content "wins"
Long contents are good
Multiple contents are OK; split up instead of being evaded
pcre without content is bad
Include many references
Test test test test test
Use variables, they are there for a reason

