[Snort-sigs] Snort-sigs Digest, Vol 84, Issue 16

Tony Robinson deusexmachina667 at ...2420...
Wed May 15 10:00:46 EDT 2013


Not entirely sure on that, actually.

If I'm not mistaken, the HTTP preprocessor can be configured to decompress
regular zipped data, but for .rar and/or .7z files, etc., I don't think there's
much Snort would be able to do there, especially if the archives were
password protected. And if the attacker is using a non-HTTP port, well... I
think you may be right on the mark.

In that case, you'd probably want a rule to detect .zip, .rar and/or .7z
files traveling outbound from your target network.


On Wed, May 15, 2013 at 8:08 AM, John Cal <cal220101 at ...2420...> wrote:

> If you use compression and encryption, doesn't that usually bypass DLP?
> Simply raring a few files and sending back to the C2. I mean, even if you
> have a sig to hit on .rar leaving outbound, your sensitive data is already
> gone.
> On May 15, 2013 3:06 AM, <snort-sigs-request at lists.sourceforge.net> wrote:
>
>>
>> Today's Topics:
>>
>>    1. Re: Create a rule that takes its content from a file.
>>       (Tony Robinson)
>>    2. Re: Create a rule that takes its content from a file. (arneu sneu)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 14 May 2013 20:38:08 -0400
>> From: Tony Robinson <deusexmachina667 at ...2420...>
>> Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>>         file.
>> To: arneu sneu <arneu99 at ...12...>,
>>         "snort-sigs at lists.sourceforge.net" <
>> snort-sigs at lists.sourceforge.net>,
>>         Joel Esler <jesler at ...435...>
>> Message-ID:
>>         <CAOGUb=
>> hvtHMhuwvxtMZdiNWtUnDsOhO7dW7umgPSaJTFvgyBdQ at ...2421...>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> (CC'ing the mailing list; I got this direct response)
>>
>>
>> In regards to blacklisted strings and terms, that almost sounds like DLP
>> or
>> DLP-like function you're looking for to detect if sensitive files or
>> information leaves the network. You may want to have a look at the
>> sensitive data preprocessor, in that case.
>>
>>
>> In regards to the other stuff you want done, There are rules and rule
>> categories that can do what it is you want snort to do:
>>
>> file-identify for file extensions you don't want to see flying over the
>> network
>> indicator-shellcode for shellcode over the network
>> malware-[backdoor|cnc|other] for CNC/malware, blacklist.rules for
>> blacklisted user-agents and/or domains...
>> and indicator-compromise.rules for suspicious activity.
>>
>> At this point it's less "how do I write a rule to do this" and more "What
>> rules exist that will do what I want?"
>>
>>
>> On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 at ...12...> wrote:
>>
>> > Hi,
>> >
>> > Thank you for your reply. It is however not exactly what I was looking
>> > for. Maybe I have been unclear in my question.
>> > I am trying to find a way to create a rule that matches a list of
>> strings.
>> > These strings can be located in a file, as it was the case for the
>> > content-list keyword. Please look at its definition here
>> >
>> http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list
>> .
>> > The thing with the extension was just an example, but the principle I am
>> > trying to understand can be anything else, like a list of blacklisted shell
>> > commands or a list of blacklisted domain names, etc...
>> > Many thanks,
>> >
>> > Arneu
>> >
>> >
>> > ------------------------------
>> > Date: Tue, 14 May 2013 10:29:10 -0400
>> > Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>> file.
>> > From: deusexmachina667 at ...2420...
>> > To: arneu99 at ...12...
>> >
>> >
>> > Hm...
>> >
>> > You may want to look at the file-identify.rules category. This seems to
>> be
>> > right up your alley.
>> >
>> >
>> http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
>> >
>> >
>> > On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 at ...12...>
>> wrote:
>> >
>> > Hi,
>> >
>> > I just installed Snort a few days ago and started to play with it by
>> > writing my own rules.
>> > I would like my rule to take its content from a file, but I haven't found
>> > any information on this topic, neither in the manual, nor on the
>> Internet.
>> > I found that the content-list keyword once existed in Snort, but it has
>> > apparently been removed about 6 years ago. Too bad, because it was
>> exactly
>> > what I was looking for.
>> > Would anybody have an idea on how to do such a thing with current snort
>> > features? I could write a rule for each of the lines of my file or use
>> pcre
>> > with the list of possible values, but I was wondering if there was a
>> way to
>> > do it with a rule taking its content from a file. If not, what is the
>> > correct approach to do this?
>> >
>> > As an example, if I have a file containing a whitelist of file
>> extensions,
>> > I would like to raise an alert when an email attachment having an
>> extension
>> > that is not in the list is seen in the network traffic.
>> >
>> > Many thanks for your help.
>> >
>> > Cheers
>> >
>> > Arneu
>> >
>> >
>> >
>> >
>> ------------------------------------------------------------------------------
>> > AlienVault Unified Security Management (USM) platform delivers complete
>> > security visibility with the essential security capabilities. Easily and
>> > efficiently configure, manage, and operate all of your security controls
>> > from a single console and one unified framework. Download a free trial.
>> > http://p.sf.net/sfu/alienvault_d2d
>> > _______________________________________________
>> > Snort-sigs mailing list
>> > Snort-sigs at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> > http://www.snort.org
>> >
>> >
>> > Please visit http://blog.snort.org for the latest news about Snort!
>> >
>> >
>> >
>> >
>> > --
>> > when does reality end? when does fantasy begin?
>> >
>>
>>
>>
>> --
>> when does reality end? when does fantasy begin?
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 15 May 2013 08:01:36 +0000
>> From: arneu sneu <arneu99 at ...12...>
>> Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>>         file.
>> To: Tony Robinson <deusexmachina667 at ...2420...>,
>>         "snort-sigs at lists.sourceforge.net" <
>> snort-sigs at lists.sourceforge.net>,
>>         Joel    Esler <jesler at ...435...>
>> Message-ID: <DUB116-W125CABDFCC9053ED3E3EAF3A2A20 at ...2915...>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Thank you Tony for your answer.
>> I checked the sensitive data preprocessor, it can be interesting if I
>> manage to describe the patterns I am looking for with the limited regular
>> expression syntax available there.
>> I also checked the reputation preprocessor; it's very similar to what I
>> wanted to achieve, but it's only for IP addresses.
>> I guess you're right, some rules already exist written in a way different
>> than the one I was thinking of.
>>
>>
>>
>> ------------------------------
>>
>> End of Snort-sigs Digest, Vol 84, Issue 16
>> ******************************************
>>
>
>
>



-- 
when does reality end? when does fantasy begin?