Snort mailing list archives
Re: Creating Your Own Snort Rule?
From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 12 Mar 2013 17:26:33 +0000
Our EXE rule is CRAZY big.. because EXE gets used by CGI scripts and other web tools, in addition to downloading patches and the like.. so we have a lot of !Host:<domain> fields to make the alerts from that not as numerous.. We also made a few pass rules..

    pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:1000158; gid:1; flow:established,to_server; content:"GET"; nocase; http_method; pcre:"//cgi-bin/\S+\.exe/iU"; msg:"PASS - DOWNLOAD - .EXE via PCRE - cgi-bin"; classtype:suspicious-filename-detect; rev:4; )

This helped reduce the false positive hits..

On Tue, Mar 12, 2013 at 5:14 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 3/12/2013 11:28, Jeremy Golden wrote:
>> Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, yet effective. For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to understand. Any examples would be great.
>
> i just posted some extremely simple ones that catch everything... however, they make a decent starting point, too... for example:
>
>     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
>
> we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...
>
>     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic inbound"; content:".exe"; sid:x; rev:1;)
>     alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic outbound"; content:".exe"; sid:x; rev:1;)
>
> there are two... one for inbound and one for outbound...
>
> 1. we changed the protocol from "icmp" to "tcp".
> 2. we adjusted the msg text that is used.
> 3. we added a content field to look for.
> 4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.
> 5. you have to set the SID number to a unique number for your rule sets... the revision should be incremented each time you make a (major?) change in the rule.
>
> now, the above does not look for an actual executable file... it only looks for the four characters .exe all together... looking for actual binaries is a little bit tougher to do but the concept is still the same... you look for content... there are various buffers you can look in... you can go case insensitive... you can refine for specific examples via pcre...
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space.
> For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
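The refinements waldo kitty lists at the end of the quoted message (case-insensitive matching, specific buffers, looking at the actual binary) and the !Host exclusion Jeremy Hoel describes, worked out as an added example that is not from the thread. Snort 2.9 syntax with http_inspect enabled is assumed; the SIDs, updates.example.com and the 203.0.113.10 address are placeholders.

```snort
# Added example, not from the thread. Assumes Snort 2.9.x with http_inspect enabled.
# SIDs 1000001-1000002, the host name and the IP address are placeholders.

# Step 1: refine the ".exe mentioned" rule from the quoted message.
#  - http_uri limits the match to the normalized request URI, so ".exe" inside a
#    web page body no longer fires.
#  - nocase handles ".EXE", ".Exe" and friends (point 4 above).
#  - the negated content on the Host header excludes the known patch server,
#    the "!Host:<domain>" technique from the reply, without a pass rule that
#    would also hide every other .exe fetched through the same path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL .exe requested in HTTP URI"; \
    flow:established,to_server; \
    content:".exe"; nocase; http_uri; \
    pcre:"/\.exe(\?|$)/Ui"; \
    content:!"Host|3a| updates.example.com"; nocase; http_header; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Step 2: look at the file itself rather than its name. A Windows PE image begins
# with the two bytes "MZ", so check offset 0 of the HTTP response body via
# file_data; a download named "update.dat" that is really an executable still matches.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL PE executable in HTTP response body"; \
    flow:established,to_client; \
    file_data; content:"MZ"; depth:2; \
    classtype:policy-violation; sid:1000002; rev:1; )

# Step 3: a known-good source that keeps hitting rule 1000002 is better handled
# with a suppression (threshold.conf) than with a pass rule: only that one
# source is silenced, and the rule keeps alerting for everything else.
suppress gen_id 1, sig_id 1000002, track by_src, ip 203.0.113.10
```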
Current thread:
- Creating Your Own Snort Rule? Jeremy Golden (Mar 12)
- Re: Creating Your Own Snort Rule? waldo kitty (Mar 12)
- Re: Creating Your Own Snort Rule? Jeremy Hoel (Mar 12)
- Message not available
- Re: Creating Your Own Snort Rule? waldo kitty (Mar 12)
- Re: Creating Your Own Snort Rule? waldo kitty (Mar 12)