Re: Creating Your Own Snort Rule?

[Jeremy Hoel <jthoel () gmail com>]

Our EXE rules is CRAZY big.. because EVE gets used by CGI scripts and
other web tools, in addition to downloading patches and the like.. so
we have a lot of !Host:<domain> fields to make the alerts from that
not as numerous..

We also made a few pass rules..

pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:1000158;
gid:1; flow:established,to_server; content:"GET"; nocase; http_method;
pcre:"//cgi-bin/\S+.exe/iU"; msg:"PASS - DOWNLOAD - .EXE via PCRE -
cgi-bin"; classtype:suspicious-filename-detect; rev:4; )

This helped reduce the false positive hits..




On Tue, Mar 12, 2013 at 5:14 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 3/12/2013 11:28, Jeremy Golden wrote:
> > Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, 
> > yet effective.
> >
> > For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to 
> > understand.
> >
> > Any examples would be great.
>
> i just posted some extremely simple ones that catch everything... however, they
> make a decent starting point, too...
>
> for example:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound";
> sid:1; rev:1;)
>
>
> we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic
> inbound"; content;".exe"; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic
> outbound"; content;".exe"; sid:x; rev:1;)
>
>
> there's two... one for inbound and one for outbound...
>
> 1. we changed the protocol from "icmp" to "tcp".
>
> 2. we adjusted the msg text that is used.
>
> 3. we added a content field to look for.
>
> 4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.
>
> 5. you have to set the SID number to a unique number for your rules sets... the
> revision should be incremented each time you make a (major?) change in the rule.
>
>
> now, the above does not look for an actual executable file... it only looks for
> the four characters .exe all together... looking for actual binaries is a little
> bit tougher to do but the concept is still the same... you look for content...
> there are various buffers you can look in... you can go case insensitive... you
> can refine for specific examples via pcre...
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!