[Snort-sigs] Rule assist

Nathan Benson nathan at ...435...
Tue Mar 12 16:40:27 EDT 2013


Hi James,

Just eyeballing this quickly, your last content match is the 02, so your
cursor would be directly *after* the 02 not before it.  So the next byte
would be 0x32, not 0x02:

=================-v  Using /R would put you here:
01 00 00 00 00 00 00 02 32
==============--^   But not here.

Also, is there a reason you didn't append the |02| in the content match to
the end of your first content match (|01 00 00 01 00 00 00 00 00 00|)?  If
you were looking to include 02 in your pcre, remove the content match for
02 altogether, then your pcre as it stands should fire if you added the /R.

I took your payload above and cooked up a quick pcap and put together a few
examples of different ways to write what I think you are trying to do.  If
you are looking to examine a DNS request/response there are flags/bits you
can test for using byte_test to ensure it's the type of request you want.
 I didn't do that in the examples below, and I removed your negative
content match and added flow.

Play around with these and see what kind of detection or performance you
get.  You may be surprised.  There are folded versions of the rules at the
bottom.

alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; \
   content:"|02|"; within:1; \
   pcre:"/\x02[0-9]{2}/m"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000044; rev:1; \
)
# Your rule without the |02| content match
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; \
   pcre:"/^\x02[0-9]{2}/R"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000045; rev:1; \
)
# Your rule with the |02| added to the first content match
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \
   pcre:"/^[0-9]{2}/R"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000046; rev:1; \
)
# Include your 02 as part of the first content match, and then anchor at
the beginning.
# ^.{2} == offset:2;
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \
   pcre:"/^.{2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02[0-9]{2}/"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000047; rev:1; \
)
# Same thing, just no pcre. The byte_tests are reading the hex value of the
two bytes
# and evaluating them.  Note the different ways you can do this.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \
   #
   # ASCII/decimal representation of [0-9]{2} (0x30-0x39)
   #byte_test:1,>=,0,0,relative,string; \
   #byte_test:1,<=,9,0,relative,string; \
   #byte_test:1,>=,0,1,relative,string; \
   #byte_test:1,<=,9,1,relative,string; \
   #
   # Hex representation of the ASCII [0-9]{2}
   byte_test:1,>=,0x30,0,relative; \
   byte_test:1,<=,0x39,0,relative; \
   byte_test:1,>=,0x30,1,relative; \
   byte_test:1,<=,0x39,1,relative; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000048; rev:1; \
)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|";
depth:10; offset:2; content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
reference:url,urlquery.net/report.php?id=1313067; classtype:bad-unknown;
sid:20000044; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|";
offset:2; depth:10; pcre:"/^\x02[0-9]{2}/R"; reference:url,
urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000045;
rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|";
offset:2; depth:11; pcre:"/^[0-9]{2}/R"; reference:url,
urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000046;
rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|";
offset:2; depth:11;
pcre:"/^.{2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02[0-9]{2}/";
reference:url,urlquery.net/report.php?id=1313067; classtype:bad-unknown;
sid:20000047; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|";
offset:2; depth:11; byte_test:1,>=,0x30,0,relative;
byte_test:1,<=,0x39,0,relative; byte_test:1,>=,0x30,1,relative;
byte_test:1,<=,0x39,1,relative; reference:url,
urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000048;
rev:1;)


nb

On Tue, Mar 12, 2013 at 11:01 AM, James Lay <jlay at ...3266...>wrote:

> Hey all,
>
> Been trying to get this rule:
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible
> BEK host lookup"; content:!"in-addr"; content:"|01 00 00 01 00 00 00 00
> 00 00|"; depth:10; offset:2; content:"|02|"; within:1;
> pcre:"/\x02[0-9]{2}/m";
> reference:url,https://urlquery.net/report.php?id=1313067;
> classtype:bad-unknown; sid:10000044; rev:1;)
>
> To match and it's working, but I would like to tighten it up.  Payload:
>
> 00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10 .d......
> .....20.
> 00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61 phccofca
> lifornia
> 00000020  03 63 6f 6d 00 00 01 00  01                      .com.... .
>
> It always amazes me when I work with the pcre: function how little I
> understand it ;)  I always want to treat it like a content: and start
> applying things like depth: and offset:.  That being said, if I add a R
> to my pcre, it doesn't fire, which I don't understand.  I understand R
> as a pcre: modifier to match the relative end of the last pattern match,
> which in my case would be matching the |02| yes?  What am I missing in
> my logic?  Thanks all.
>
> James
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130312/ba155073/attachment.html>


More information about the Snort-sigs mailing list