Snort mailing list archives
Re: Creating Your Own Snort Rule?
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 12 Mar 2013 17:16:36 -0500
i have got to get my sig mess figured out... i don't provide private support... IM(H)O everything should go thru the list unless the data is too private to be dispersed... reply-to set to snort-users... see inline for the rest of my reply... On 3/12/2013 12:58, Jeremy Golden wrote:
Awesome. So I got the outbound one alerting when I download a .exe file from the Internet, but how would I go about getting the inbound to alert? I thought maybe carrying a .exe file from a USB would trigger it but it didn't. Maybe Im not understanding 'inbound'.
actually, outbound is outward from your network to the rest of the world... inbound from the rest of the world into your network... the simple content of ".exe" won't catch binary exe files... it might but it will also alert on irc or email or web pages with .exe in them... binaries are a lot more involved and TBH are pretty much already handled in the existing rules sets available... files carried on a USB stick won't set off snort because it doesn't scan USB sticks like an anti-virus might... the data has to actually travel over the network wire being monitored...
Thanks On Mar 12, 2013, at 1:14 PM, waldo kitty<wkitty42 () windstream net> wrote:On 3/12/2013 11:28, Jeremy Golden wrote:Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, yet effective. For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to understand. Any examples would be great.i just posted some extremely simple ones that catch everything... however, they make a decent starting point, too... for example: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;) we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic... alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic inbound"; content;".exe"; sid:x; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic outbound"; content;".exe"; sid:x; rev:1;) there's two... one for inbound and one for outbound... 1. we changed the protocol from "icmp" to "tcp". 2. we adjusted the msg text that is used. 3. we added a content field to look for. 4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger. 5. you have to set the SID number to a unique number for your rules sets... the revision should be incremented each time you make a (major?) change in the rule. now, the above does not look for an actual executable file... it only looks for the four characters .exe all together... looking for actual binaries is a little bit tougher to do but the concept is still the same... you look for content... there are various buffers you can look in... you can go case insensitive... you can refine for specific examples via pcre...
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Creating Your Own Snort Rule? Jeremy Golden (Mar 12)
- Re: Creating Your Own Snort Rule? waldo kitty (Mar 12)
- Re: Creating Your Own Snort Rule? Jeremy Hoel (Mar 12)
- Message not available
- Re: Creating Your Own Snort Rule? waldo kitty (Mar 12)
- Re: Creating Your Own Snort Rule? waldo kitty (Mar 12)