Snort mailing list archives
Re: Rule assist
From: Nathan Benson <nathan () sourcefire com>
Date: Tue, 12 Mar 2013 15:40:27 -0500
Hi James, Just eyeballing this quickly, your last content match is the 02, so your cursor would be directly *after* the 02 not before it. So the next byte would be 0x32, not 0x02: =================-v Using /R would put you here: 01 00 00 00 00 00 00 02 32 ==============--^ But not here. Also, is there a reason you didn't append the |02| in the content match to the end of your first content match (|01 00 00 01 00 00 00 00 00 00|)? If you were looking to include 02 in your pcre, remove the content match for 02 altogether, then your pcre as it stands should fire if you added the /R. I took your payload above and cooked up a quick pcap and put together a few examples of different ways to write what I think you are trying to do. If you are looking to examine a DNS request/response there are flags/bits you can test for using byte_test to ensure it's the type of request you want. I didn't do that in the examples below, and I removed your negative content match and added flow. Play around with these and see what kind of detection or performance you get. You may be surprised. There are folded versions of the rules at the bottom. alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \ msg:"EXPLOIT-KIT Possible BEK host lookup"; \ flow:to_server; \ content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; \ content:"|02|"; within:1; \ pcre:"/\x02[0-9]{2}/m"; \ reference:url,urlquery.net/report.php?id=1313067; \ classtype:bad-unknown; \ sid:20000044; rev:1; \ ) # Your rule without the |02| content match alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \ msg:"EXPLOIT-KIT Possible BEK host lookup"; \ flow:to_server; \ content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; \ pcre:"/^\x02[0-9]{2}/R"; \ reference:url,urlquery.net/report.php?id=1313067; \ classtype:bad-unknown; \ sid:20000045; rev:1; \ ) # Your rule with the |02| added to the first content match alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \ msg:"EXPLOIT-KIT Possible BEK host lookup"; \ flow:to_server; \ content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \ pcre:"/^[0-9]{2}/R"; \ reference:url,urlquery.net/report.php?id=1313067; \ classtype:bad-unknown; \ sid:20000046; rev:1; \ ) # Include your 02 as part of the first content match, and then anchor at the beginning. # ^.{2} == offset:2; alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \ msg:"EXPLOIT-KIT Possible BEK host lookup"; \ flow:to_server; \ content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \ pcre:"/^.{2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02[0-9]{2}/"; \ reference:url,urlquery.net/report.php?id=1313067; \ classtype:bad-unknown; \ sid:20000047; rev:1; \ ) # Same thing, just no pcre. The byte_tests are reading the hex value of the two bytes # and evaluating them. Note the different ways you can do this. alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \ msg:"EXPLOIT-KIT Possible BEK host lookup"; \ flow:to_server; \ content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \ # # ASCII/decimal representation of [0-9]{2} (0x30-0x39) #byte_test:1,>=,0,0,relative,string; \ #byte_test:1,<=,9,0,relative,string; \ #byte_test:1,>=,0,1,relative,string; \ #byte_test:1,<=,9,1,relative,string; \ # # Hex representation of the ASCII [0-9]{2} byte_test:1,>=,0x30,0,relative; \ byte_test:1,<=,0x39,0,relative; \ byte_test:1,>=,0x30,1,relative; \ byte_test:1,<=,0x39,1,relative; \ reference:url,urlquery.net/report.php?id=1313067; \ classtype:bad-unknown; \ sid:20000048; rev:1; \ ) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m"; reference:url,urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000044; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; pcre:"/^\x02[0-9]{2}/R"; reference:url, urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000045; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; pcre:"/^[0-9]{2}/R"; reference:url, urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000046; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; pcre:"/^.{2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02[0-9]{2}/"; reference:url,urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000047; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; byte_test:1,>=,0x30,1,relative; byte_test:1,<=,0x39,1,relative; reference:url, urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000048; rev:1;) nb On Tue, Mar 12, 2013 at 11:01 AM, James Lay <jlay () slave-tothe-box net>wrote:
Hey all, Been trying to get this rule: alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m"; reference:url,https://urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:10000044; rev:1;) To match and it's working, but I would like to tighten it up. Payload: 00000000 fd 64 01 00 00 01 00 00 00 00 00 00 02 32 30 10 .d...... .....20. 00000010 70 68 63 63 6f 66 63 61 6c 69 66 6f 72 6e 69 61 phccofca lifornia 00000020 03 63 6f 6d 00 00 01 00 01 .com.... . It always amazes me when I work with the pcre: function how little I understand it ;) I always want to treat it like a content: and start applying things like depth: and offset:. That being said, if I add a R to my pcre, it doesn't fire, which I don't understand. I understand R as a pcre: modifier to match the relative end of the last pattern match, which in my case would be matching the |02| yes? What am I missing in my logic? Thanks all. James ------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rule assist James Lay (Mar 12)
- Re: Rule assist rmkml (Mar 12)
- Re: Rule assist rmkml (Mar 12)
- Re: Rule assist Nathan Benson (Mar 12)
- Re: Rule assist James Lay (Mar 12)
- Re: Rule assist Joel Esler (Mar 12)
- Re: Rule assist rmkml (Mar 12)