Re: Create a rule that takes its content from a file.

[arneu sneu <arneu99 () hotmail com>]

Thank you Tony for your answer.
I checked the sensitive data preprocessor, it can be interesting if I manage to describe the patterns I am looking for 
with the limited regular expression syntax available there.
I also check the reputation preprocessor, it's very similar to what I wanted to achieve but it's only for IP addresses.
I guess you're right, some rules already exist written in a way different than the one I was thinking of.


Date: Tue, 14 May 2013 20:38:08 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com
To: arneu99 () hotmail com; snort-sigs () lists sourceforge net; jesler () sourcefire com

(CC'ing the mailing list; I got this direct response)


In regards to blacklisted strings and terms, that almost sounds 
like DLP or DLP-like function you're looking for to detect if sensitive 
files or information leaves the network. You may want to have a look at 
the sensitive data preprocessor, in that case.


In regards to the other stuff you want done, There are rules and rule categories that can do what it is you want snort 
to do:

file-identify for file extensions you don't want to see flying over the network

indicator-shellcode for shellcode over the network
malware-[backdor|cnc|other] for CNC/malware, blacklist.rules for blacklisted user-agents and/or domains...
and indicator-compromise.rules for suspicious activity.


At this point it's less "how do I write a rule to do this" and more "What rules exist that will do what I want?"


On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote:




Hi,

Thank you for your reply. It is however not exactly what I was looking for. Maybe I have been unclear in my question.
I am trying to find a way to create a rule that matches a list of strings. These strings can be located in a file, as 
it was the case for the content-list keyword. Please look at its definition here 
http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list.

The thing with the extension was just an example, but the principle I am trying understand can be anything else, like 
list of blacklisted shell commands or a list of blacklisted domain names, etc...
Many thanks,


Arneu


Date: Tue, 14 May 2013 10:29:10 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com

To: arneu99 () hotmail com

Hm...

You may want to look at the file-identify.rules category. This seems to be right up your alley.


http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html



On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote:




Hi,

I just installed Snort a few days ago and started to play with it by writing my own rules.
I would like my rule to take its content from a file, but I haven't find any information on this topic, neither in the 
manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it has apparently been 
removed about 6 years ago. Too bad, because it was exactly what I was looking for.


Would anybody have an idea on how to do such a thing with current snort features? I could write a rule for each of the 
lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a 
rule taking its content from a file. If not, what is the correct approach to do this?



As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email 
attachment having an extension that is not in the list is seen in the network traffic.

Many thanks for your help.



Cheers

Arneu

                                          

------------------------------------------------------------------------------

AlienVault Unified Security Management (USM) platform delivers complete

security visibility with the essential security capabilities. Easily and

efficiently configure, manage, and operate all of your security controls

from a single console and one unified framework. Download a free trial.

http://p.sf.net/sfu/alienvault_d2d
_______________________________________________

Snort-sigs mailing list

Snort-sigs () lists sourceforge net

https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org





Please visit http://blog.snort.org for the latest news about Snort!


-- 
when does reality end? when does fantasy begin?
                                          


-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!