[Snort-sigs] Snort-sigs Digest, Vol 84, Issue 16

John Cal cal220101 at ...2420...
Wed May 15 08:08:42 EDT 2013


If you use compression and encryption, doesn't that usually bypass DLP?
Simply raring a few files and sending back to the C2. I mean, even if you
have a sig to hit on .rar leaving outbound, your sensitive data is already
gone.
On May 15, 2013 3:06 AM, <snort-sigs-request at lists.sourceforge.net> wrote:

> Today's Topics:
>
>    1. Re: Create a rule that takes its content from a file.
>       (Tony Robinson)
>    2. Re: Create a rule that takes its content from a file. (arneu sneu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 14 May 2013 20:38:08 -0400
> From: Tony Robinson <deusexmachina667 at ...2420...>
> Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>         file.
> To: arneu sneu <arneu99 at ...12...>,
>         "snort-sigs at lists.sourceforge.net" <
> snort-sigs at lists.sourceforge.net>,
>         Joel Esler <jesler at ...435...>
> Message-ID: <CAOGUb=hvtHMhuwvxtMZdiNWtUnDsOhO7dW7umgPSaJTFvgyBdQ at ...2421...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> (CC'ing the mailing list; I got this direct response)
>
>
> In regards to blacklisted strings and terms, that almost sounds like DLP or
> DLP-like function you're looking for to detect if sensitive files or
> information leaves the network. You may want to have a look at the
> sensitive data preprocessor, in that case.
>
>
> In regards to the other stuff you want done, there are rules and rule
> categories that can do what it is you want snort to do:
>
> file-identify for file extensions you don't want to see flying over the
> network
> indicator-shellcode for shellcode over the network
> malware-[backdoor|cnc|other] for CNC/malware, blacklist.rules for
> blacklisted user-agents and/or domains...
> and indicator-compromise.rules for suspicious activity.
>
> At this point it's less "how do I write a rule to do this" and more "What
> rules exist that will do what I want?"
>
>
> On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 at ...12...> wrote:
>
> > Hi,
> >
> > Thank you for your reply. It is however not exactly what I was looking
> > for. Maybe I have been unclear in my question.
> > I am trying to find a way to create a rule that matches a list of
> > strings. These strings can be located in a file, as it was the case for
> > the content-list keyword. Please look at its definition here:
> > http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list
> > The thing with the extension was just an example, but the principle I am
> > trying to understand can be anything else, like a list of blacklisted
> > shell commands or a list of blacklisted domain names, etc...
> > Many thanks,
> >
> > Arneu
> >
> >
> > ------------------------------
> > Date: Tue, 14 May 2013 10:29:10 -0400
> > Subject: Re: [Snort-sigs] Create a rule that takes its content from a
> file.
> > From: deusexmachina667 at ...2420...
> > To: arneu99 at ...12...
> >
> >
> > Hm...
> >
> > You may want to look at the file-identify.rules category. This seems to
> > be right up your alley.
> >
> > http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
> >
> >
> > On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 at ...12...>
> wrote:
> >
> > Hi,
> >
> > I just installed Snort a few days ago and started to play with it by
> > writing my own rules.
> > I would like my rule to take its content from a file, but I haven't found
> > any information on this topic, neither in the manual, nor on the
> > Internet.
> > I found that the content-list keyword once existed in Snort, but it has
> > apparently been removed about 6 years ago. Too bad, because it was
> > exactly what I was looking for.
> > Would anybody have an idea on how to do such a thing with current snort
> > features? I could write a rule for each of the lines of my file or use
> > pcre with the list of possible values, but I was wondering if there was
> > a way to do it with a rule taking its content from a file. If not, what
> > is the correct approach to do this?
> >
> > As an example, if I have a file containing a whitelist of file
> > extensions, I would like to raise an alert when an email attachment
> > having an extension that is not in the list is seen in the network
> > traffic.
> >
> > Many thanks for your help.
> >
> > Cheers
> >
> > Arneu
> >
> >
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > --
> > when does reality end? when does fantasy begin?
> >
>
>
>
> --
> when does reality end? when does fantasy begin?
>
> ------------------------------
>
> Message: 2
> Date: Wed, 15 May 2013 08:01:36 +0000
> From: arneu sneu <arneu99 at ...12...>
> Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>         file.
> To: Tony Robinson <deusexmachina667 at ...2420...>,
>         "snort-sigs at lists.sourceforge.net" <
> snort-sigs at lists.sourceforge.net>,
>         Joel Esler <jesler at ...435...>
> Message-ID: <DUB116-W125CABDFCC9053ED3E3EAF3A2A20 at ...2915...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you Tony for your answer.
> I checked the sensitive data preprocessor; it can be interesting if I
> manage to describe the patterns I am looking for with the limited regular
> expression syntax available there.
> I also checked the reputation preprocessor; it's very similar to what I
> wanted to achieve, but it's only for IP addresses.
> I guess you're right, some rules already exist written in a way different
> than the one I was thinking of.
>
> ------------------------------
>
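The two workarounds Arneu mentions in the quoted thread (one rule per line of the list file, or a single pcre with the list of values) and his whitelist-of-extensions case, written out as an added example; this is not code from the thread or from the Snort project. The rule header, sids, msg texts and the MIME `filename=` form are assumptions, and the two list files are constructed samples.

```python
import re

# Constructed sample list files (one entry per line, '#' comments allowed).
BLACKLIST = "# shell commands we never expect outbound\nnc -e\nwget http\na|b\n"
WHITELIST_EXT = "pdf\ndocx\n"
HEADER = 'alert tcp $HOME_NET any -> $EXTERNAL_NET any '  # assumed rule header

def load_terms(text):
    """Parse the list file: strip whitespace, drop blank and comment lines."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith('#')]

def content_escape(term):
    """Escape the characters Snort's content: parser treats specially."""
    for c in ('\\', '"', ';', '|'):
        term = term.replace(c, '\\' + c)
    return term

def pcre_escape(term):
    """re.escape plus the '/' delimiter Snort puts around the pattern."""
    return re.sub(r'(?<!\\)/', lambda m: '\\/', re.escape(term))

def rules_per_term(terms, base_sid=1000001):
    """Option 1 from the thread: one literal content: rule per list entry."""
    return [HEADER + '(msg:"LOCAL blacklisted term %d"; flow:to_server,established; '
            'content:"%s"; nocase; sid:%d; rev:1;)' % (i, content_escape(t), base_sid + i)
            for i, t in enumerate(terms)]

def rule_pcre_alternation(terms, sid=1000100):
    """Option 2: one rule whose pcre: alternation covers the whole list."""
    alt = '|'.join(pcre_escape(t) for t in terms)
    return HEADER + ('(msg:"LOCAL blacklisted term"; flow:to_server,established; '
                     'pcre:"/(?:%s)/i"; sid:%d; rev:1;)' % (alt, sid))

def whitelist_ext_pattern(exts):
    """Whitelist case: MIME filename= whose extension is NOT in the list.
    The terminator group stops 'a.b.pdf' from alerting on the inner '.b'."""
    end = r'(?:\x22|;|\r|\n)'
    allowed = '|'.join(pcre_escape(e) for e in exts)
    return r'filename=\x22?[^\x22;\r\n]+\.(?!(?:%s)%s)[A-Za-z0-9]+%s' % (allowed, end, end)

def rule_whitelist_ext(exts, sid=1000200):
    return HEADER + ('(msg:"LOCAL attachment extension not whitelisted"; '
                     'flow:to_server,established; content:"filename="; nocase; '
                     'pcre:"/%s/i"; sid:%d; rev:1;)' % (whitelist_ext_pattern(exts), sid))

def pattern_alerts(exts, header_line):
    """Self-check: Python's re engine agrees with PCRE on this lookahead syntax."""
    return re.search(whitelist_ext_pattern(exts), header_line, re.I) is not None
```

The per-term form keeps each entry as a fast-pattern-capable literal with its own sid; the single pcre form is one sid and one slower regex, which is the trade-off the thread hints at.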
