[Snort-sigs] Create a rule that takes its content from a file.

Tony Robinson deusexmachina667 at ...2420...
Tue May 14 20:38:08 EDT 2013


(CC'ing the mailing list; I got this direct response)


In regards to blacklisted strings and terms, that almost sounds like DLP or
DLP-like function you're looking for to detect if sensitive files or
information leaves the network. You may want to have a look at the
sensitive data preprocessor, in that case.


In regards to the other stuff you want done, there are rules and rule
categories that can do what it is you want snort to do:

file-identify for file extensions you don't want to see flying over the
network
indicator-shellcode for shellcode over the network
malware-[backdoor|cnc|other] for CNC/malware
blacklist.rules for blacklisted user-agents and/or domains...
and indicator-compromise.rules for suspicious activity.

At this point it's less "how do I write a rule to do this" and more "What
rules exist that will do what I want?"


On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 at ...12...> wrote:

> Hi,
>
> Thank you for your reply. It is however not exactly what I was looking
> for. Maybe I have been unclear in my question.
> I am trying to find a way to create a rule that matches a list of strings.
> These strings can be located in a file, as it was the case for the
> content-list keyword. Please look at its definition here
> http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list.
> The thing with the extension was just an example, but the principle I am
> trying to understand can be anything else, like a list of blacklisted shell
> commands or a list of blacklisted domain names, etc...
> Many thanks,
>
> Arneu
>
>
> ------------------------------
> Date: Tue, 14 May 2013 10:29:10 -0400
> Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
> From: deusexmachina667 at ...2420...
> To: arneu99 at ...12...
>
>
> Hm...
>
> You may want to look at the file-identify.rules category. This seems to be
> right up your alley.
>
> http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
>
>
> On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 at ...12...> wrote:
>
> Hi,
>
> I just installed Snort a few days ago and started to play with it by
> writing my own rules.
> I would like my rule to take its content from a file, but I haven't found
> any information on this topic, neither in the manual, nor on the Internet.
> I found that the content-list keyword once existed in Snort, but it has
> apparently been removed about 6 years ago. Too bad, because it was exactly
> what I was looking for.
> Would anybody have an idea on how to do such a thing with current snort
> features? I could write a rule for each of the lines of my file or use pcre
> with the list of possible values, but I was wondering if there was a way to
> do it with a rule taking its content from a file. If not, what is the
> correct approach to do this?
>
> As an example, if I have a file containing a whitelist of file extensions,
> I would like to raise an alert when an email attachment having an extension
> that is not in the list is seen in the network traffic.
>
> Many thanks for your help.
>
> Cheers
>
> Arneu
>
>
>
> --
> when does reality end? when does fantasy begin?
>



-- 
when does reality end? when does fantasy begin?
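The original poster names the two workable approaches with current Snort: generate one rule per line of the list file, or fold the whole list into a single pcre alternation. The script below, added here as an illustration and not code from the thread or from the Snort project, does both for a Snort 2 style rule. The blacklist text is a constructed sample standing in for the poster's file, and the sid values (1000001 upward, the conventional local-rule range) and the $HOME_NET/$EXTERNAL_NET variables are assumptions. It escapes the characters that would otherwise break a content:"..." or pcre:"..." option, which is the part that is easy to get wrong when a list is turned into rules by hand.

```python
import re

# Constructed sample blacklist (stands in for the file the poster describes;
# in practice: terms = load_terms(open("blacklist.txt").read())).
BLACKLIST_TEXT = """\
# one string per line; blank lines and '#' comments are ignored
cmd.exe /c
/bin/sh -i
evil-domain.example
"""

# Characters that must be backslash-escaped inside a Snort 2 content:"..." string.
CONTENT_ESCAPES = {";": "\\;", "\\": "\\\\", '"': '\\"', "|": "\\|"}
# Inside msg:"..." only these three matter.
MSG_ESCAPES = {";": "\\;", "\\": "\\\\", '"': '\\"'}


def escape_content(term):
    """Escape a literal so it is safe inside content:"..."."""
    return "".join(CONTENT_ESCAPES.get(c, c) for c in term)


def escape_msg(text):
    """Escape a literal so it is safe inside msg:"..."."""
    return "".join(MSG_ESCAPES.get(c, c) for c in text)


def load_terms(text):
    """Parse the list file: one term per line, skipping blanks and comments."""
    terms = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            terms.append(line)
    return terms


def rule_per_term(terms, base_sid, proto="tcp", src="$HOME_NET", dst="$EXTERNAL_NET"):
    """One content rule per term; the sid increments from base_sid (assumed range)."""
    rules = []
    for offset, term in enumerate(terms):
        rules.append(
            f'alert {proto} {src} any -> {dst} any '
            f'(msg:"BLACKLIST term {escape_msg(term)}"; '
            f'content:"{escape_content(term)}"; nocase; '
            f'classtype:policy-violation; sid:{base_sid + offset}; rev:1;)'
        )
    return rules


def pcre_alternation(terms):
    """Build the body of one pcre:"/.../i" alternation covering every term.

    re.escape handles regex metacharacters; '/' is the pcre delimiter in
    Snort, and ';' or '"' would end the option, so those are hex-encoded.
    """
    parts = []
    for term in terms:
        p = re.escape(term).replace("/", r"\/").replace(";", r"\x3B").replace('"', r"\x22")
        parts.append(p)
    return "(?:" + "|".join(parts) + ")"


def single_pcre_rule(terms, sid, proto="tcp", src="$HOME_NET", dst="$EXTERNAL_NET"):
    """The whole list as one rule; slower than content rules but only one sid."""
    return (
        f'alert {proto} {src} any -> {dst} any '
        f'(msg:"BLACKLIST term (any of {len(terms)})"; '
        f'pcre:"/{pcre_alternation(terms)}/i"; '
        f'classtype:policy-violation; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    terms = load_terms(BLACKLIST_TEXT)
    for r in rule_per_term(terms, 1000001):   # 1000000+ is the local sid range
        print(r)
    print(single_pcre_rule(terms, 1000100))
```

The per-term form is what the fast pattern matcher handles best, since every rule has a literal content; the single-pcre form has no content to anchor on and is evaluated against every packet the header matches, so it is only worth it for short lists. Either output is appended to local.rules and the list regenerated whenever the file changes.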