Snort mailing list archives

Re: Creating Your Own Snort Rule?


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 12 Mar 2013 17:16:36 -0500


i have got to get my sig mess figured out... i don't provide private support... 
IM(H)O everything should go thru the list unless the data is too private to be 
dispersed... reply-to set to snort-users...

see inline for the rest of my reply...

On 3/12/2013 12:58, Jeremy Golden wrote:
Awesome. So I got the outbound one alerting when I download a .exe file from the Internet, but how would I go about 
getting the inbound to alert? I thought maybe carrying a .exe file from a USB would trigger it but it didn't. Maybe 
I'm not understanding 'inbound'.

actually, outbound is outward from your network to the rest of the world... 
inbound from the rest of the world into your network...

the simple content of ".exe" won't catch binary exe files... it might but it 
will also alert on irc or email or web pages with .exe in them... binaries are a 
lot more involved and TBH are pretty much already handled in the existing rule 
sets available...

files carried on a USB stick won't set off snort because it doesn't scan USB 
sticks like an anti-virus might... the data has to actually travel over the 
network wire being monitored...

Thanks

On Mar 12, 2013, at 1:14 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 3/12/2013 11:28, Jeremy Golden wrote:
Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, 
yet effective.

For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to 
understand.

Any examples would be great.

i just posted some extremely simple ones that catch everything... however, they
make a decent starting point, too...

for example:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound";
sid:1; rev:1;)


we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic
inbound"; content:".exe"; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic
outbound"; content:".exe"; sid:x; rev:1;)


there's two... one for inbound and one for outbound...

1. we changed the protocol from "icmp" to "tcp".

2. we adjusted the msg text that is used.

3. we added a content field to look for.

4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.

5. you have to set the SID number to a unique number for your rule sets... the
revision should be incremented each time you make a (major?) change in the rule.


now, the above does not look for an actual executable file... it only looks for
the four characters .exe all together... looking for actual binaries is a little
bit tougher to do but the concept is still the same... you look for content...
there are various buffers you can look in... you can go case insensitive... you
can refine for specific examples via pcre...
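As an added example that is not part of the original post (and not a rule from the Snort project's own rule sets), here is how the two ".exe" rules above could be tightened along the lines the reply sketches: case-insensitive matching with nocase, restricting the match to one buffer (the normalized HTTP URI, the HTTP headers, or the decoded response body via file_data), a pcre refinement, and a check for the PE "MZ" magic bytes instead of the literal file name. The sid values, the "LOCAL" msg prefix and the classtype are assumed placeholders; $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the default variables from snort.conf. The syntax is Snort 2.9.x, which is what the thread is using.

```snort
# Added example rules (not from the original post or the Snort rule sets).
# SIDs 1000001-1000003 are placeholders in the local-rule range; use unused ones.

# 1. Outbound: a client in $HOME_NET requests a URI containing ".exe".
#    nocase makes the content match case-insensitive, http_uri limits it to the
#    normalized URI buffer (so ".exe" in mail bodies or IRC chatter is ignored),
#    and the pcre requires ".exe" to end the path or be followed by a query string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL .exe requested in HTTP URI"; flow:to_server,established; content:".exe"; http_uri; nocase; pcre:"/\.exe(\?|$)/Ui"; classtype:policy-violation; sid:1000001; rev:1;)

# 2. Inbound: the response body starts with the DOS/PE "MZ" magic, so this fires on
#    an actual Windows executable whatever the URI was called. file_data selects
#    the decoded HTTP response body; depth:2 pins the match to its first two bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE executable in HTTP response body"; flow:to_client,established; file_data; content:"MZ"; depth:2; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Inbound: a download offered as an .exe via Content-Disposition, matched
#    case-insensitively in the HTTP header buffer only. distance:0 makes the second
#    content relative to the first, so ".exe" must follow the header name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL .exe attachment in HTTP Content-Disposition"; flow:to_client,established; content:"Content-Disposition|3A|"; http_header; nocase; content:".exe"; http_header; nocase; distance:0; classtype:policy-violation; sid:1000003; rev:1;)
```

Rule 2 is a visibility rule rather than a malware indicator: it alerts on every PE download, legitimate software updates included, so expect to tune it or tie it to a watch list. After adding the rules to a local.rules file that snort.conf includes, run snort with -T against that config to have it parse the rules before putting them into service, and bump rev each time a rule is changed.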


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net