Snort mailing list archives
Re: Snort-sigs Digest, Vol 84, Issue 16
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 15 May 2013 20:59:01 -0400
As a matter of etiquette, please trim digest emails to be relevant to just your response. On May 15, 2013, at 8:08 AM, John Cal <cal220101 () gmail com> wrote:
If you use compression and encryption, doesn't that usually bypass DLP? Simply raring a few files and sending back to the C2. I mean, even if you have a sig to hit on .rar leaving outbound, your sensitive data is already gone. On May 15, 2013 3:06 AM, <snort-sigs-request () lists sourceforge net> wrote: Send Snort-sigs mailing list submissions to snort-sigs () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists sourceforge net You can reach the person managing the list at snort-sigs-owner () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..." Today's Topics: 1. Re: Create a rule that takes its content from a file. (Tony Robinson) 2. Re: Create a rule that takes its content from a file. (arneu sneu) ---------------------------------------------------------------------- Message: 1 Date: Tue, 14 May 2013 20:38:08 -0400 From: Tony Robinson <deusexmachina667 () gmail com> Subject: Re: [Snort-sigs] Create a rule that takes its content from a file. To: arneu sneu <arneu99 () hotmail com>, "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>, Joel Esler <jesler () sourcefire com> Message-ID: <CAOGUb=hvtHMhuwvxtMZdiNWtUnDsOhO7dW7umgPSaJTFvgyBdQ () mail gmail com> Content-Type: text/plain; charset="iso-8859-1" (CC'ing the mailing list; I got this direct response) In regards to blacklisted strings and terms, that almost sounds like DLP or DLP-like function you're looking for to detect if sensitive files or information leaves the network. You may want to have a look at the sensitive data preprocessor, in that case. In regards to the other stuff you want done, There are rules and rule categories that can do what it is you want snort to do: file-identify for file extensions you don't want to see flying over the network indicator-shellcode for shellcode over the network malware-[backdor|cnc|other] for CNC/malware, blacklist.rules for blacklisted user-agents and/or domains... and indicator-compromise.rules for suspicious activity. At this point it's less "how do I write a rule to do this" and more "What rules exist that will do what I want?" On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote:Hi, Thank you for your reply. It is however not exactly what I was looking for. Maybe I have been unclear in my question. I am trying to find a way to create a rule that matches a list of strings. These strings can be located in a file, as it was the case for the content-list keyword. Please look at its definition here http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list. The thing with the extension was just an example, but the principle I am trying understand can be anything else, like list of blacklisted shell commands or a list of blacklisted domain names, etc... Many thanks, Arneu ------------------------------ Date: Tue, 14 May 2013 10:29:10 -0400 Subject: Re: [Snort-sigs] Create a rule that takes its content from a file. From: deusexmachina667 () gmail com To: arneu99 () hotmail com Hm... You may want to look at the file-identify.rules category. This seems to be right up your alley. http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote: Hi, I just installed Snort a few days ago and started to play with it by writing my own rules. I would like my rule to take its content from a file, but I haven't find any information on this topic, neither in the manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it has apparently been removed about 6 years ago. Too bad, because it was exactly what I was looking for. Would anybody have an idea on how to do such a thing with current snort features? I could write a rule for each of the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a rule taking its content from a file. If not, what is the correct approach to do this? As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email attachment having an extension that is not in the list is seen in the network traffic. Many thanks for your help. Cheers Arneu ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! -- when does reality end? when does fantasy begin?-- when does reality end? when does fantasy begin? -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 2 Date: Wed, 15 May 2013 08:01:36 +0000 From: arneu sneu <arneu99 () hotmail com> Subject: Re: [Snort-sigs] Create a rule that takes its content from a file. To: Tony Robinson <deusexmachina667 () gmail com>, "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>, Joel Esler <jesler () sourcefire com> Message-ID: <DUB116-W125CABDFCC9053ED3E3EAF3A2A20 () phx gbl> Content-Type: text/plain; charset="iso-8859-1" Thank you Tony for your answer. I checked the sensitive data preprocessor, it can be interesting if I manage to describe the patterns I am looking for with the limited regular expression syntax available there. I also check the reputation preprocessor, it's very similar to what I wanted to achieve but it's only for IP addresses. I guess you're right, some rules already exist written in a way different than the one I was thinking of. Date: Tue, 14 May 2013 20:38:08 -0400 Subject: Re: [Snort-sigs] Create a rule that takes its content from a file. From: deusexmachina667 () gmail com To: arneu99 () hotmail com; snort-sigs () lists sourceforge net; jesler () sourcefire com (CC'ing the mailing list; I got this direct response) In regards to blacklisted strings and terms, that almost sounds like DLP or DLP-like function you're looking for to detect if sensitive files or information leaves the network. You may want to have a look at the sensitive data preprocessor, in that case. In regards to the other stuff you want done, There are rules and rule categories that can do what it is you want snort to do: file-identify for file extensions you don't want to see flying over the network indicator-shellcode for shellcode over the network malware-[backdor|cnc|other] for CNC/malware, blacklist.rules for blacklisted user-agents and/or domains... and indicator-compromise.rules for suspicious activity. At this point it's less "how do I write a rule to do this" and more "What rules exist that will do what I want?" On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote: Hi, Thank you for your reply. It is however not exactly what I was looking for. Maybe I have been unclear in my question. I am trying to find a way to create a rule that matches a list of strings. These strings can be located in a file, as it was the case for the content-list keyword. Please look at its definition here http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list. The thing with the extension was just an example, but the principle I am trying understand can be anything else, like list of blacklisted shell commands or a list of blacklisted domain names, etc... Many thanks, Arneu Date: Tue, 14 May 2013 10:29:10 -0400 Subject: Re: [Snort-sigs] Create a rule that takes its content from a file. From: deusexmachina667 () gmail com To: arneu99 () hotmail com Hm... You may want to look at the file-identify.rules category. This seems to be right up your alley. http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote: Hi, I just installed Snort a few days ago and started to play with it by writing my own rules. I would like my rule to take its content from a file, but I haven't find any information on this topic, neither in the manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it has apparently been removed about 6 years ago. Too bad, because it was exactly what I was looking for. Would anybody have an idea on how to do such a thing with current snort features? I could write a rule for each of the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a rule taking its content from a file. If not, what is the correct approach to do this? As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email attachment having an extension that is not in the list is seen in the network traffic. Many thanks for your help. Cheers Arneu ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! -- when does reality end? when does fantasy begin? -- when does reality end? when does fantasy begin? -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d ------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! End of Snort-sigs Digest, Vol 84, Issue 16 ****************************************** ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Snort-sigs Digest, Vol 84, Issue 16 John Cal (May 15)
- Re: Snort-sigs Digest, Vol 84, Issue 16 Tony Robinson (May 15)
- Re: Snort-sigs Digest, Vol 84, Issue 16 Joel Esler (May 15)