[Snort-sigs] Snort-sigs Digest, Vol 84, Issue 16

Joel Esler jesler at ...435...
Wed May 15 20:59:01 EDT 2013


As a matter of etiquette, please trim digest emails to be relevant to just your response.


On May 15, 2013, at 8:08 AM, John Cal <cal220101 at ...2420...> wrote:

> If you use compression and encryption, doesn't that usually bypass DLP? Simply raring a few files and sending back to the C2. I mean, even if you have a sig to hit on .rar leaving outbound, your sensitive data is already gone.
> 
> On May 15, 2013 3:06 AM, <snort-sigs-request at lists.sourceforge.net> wrote:
> 
> Today's Topics:
> 
>    1. Re: Create a rule that takes its content from a file.
>       (Tony Robinson)
>    2. Re: Create a rule that takes its content from a file. (arneu sneu)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 14 May 2013 20:38:08 -0400
> From: Tony Robinson <deusexmachina667 at ...2420...>
> Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>         file.
> To: arneu sneu <arneu99 at ...12...>,
>         "snort-sigs at lists.sourceforge.net" <snort-sigs at ...1744...net>,
>         Joel Esler <jesler at ...435...>
> Message-ID:
>         <CAOGUb=hvtHMhuwvxtMZdiNWtUnDsOhO7dW7umgPSaJTFvgyBdQ at ...2421...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> (CC'ing the mailing list; I got this direct response)
> 
> 
> In regards to blacklisted strings and terms, that almost sounds like DLP or
> DLP-like function you're looking for to detect if sensitive files or
> information leaves the network. You may want to have a look at the
> sensitive data preprocessor, in that case.
> 
> 
> In regards to the other stuff you want done, there are rules and rule
> categories that can do what it is you want snort to do:
> 
> file-identify for file extensions you don't want to see flying over the
> network
> indicator-shellcode for shellcode over the network
> malware-[backdoor|cnc|other] for CNC/malware, blacklist.rules for
> blacklisted user-agents and/or domains...
> and indicator-compromise.rules for suspicious activity.
> 
> At this point it's less "how do I write a rule to do this" and more "What
> rules exist that will do what I want?"
> 
> 
> On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 at ...12...> wrote:
> 
> > Hi,
> >
> > Thank you for your reply. It is however not exactly what I was looking
> > for. Maybe I have been unclear in my question.
> > I am trying to find a way to create a rule that matches a list of strings.
> > These strings can be located in a file, as it was the case for the
> > content-list keyword. Please look at its definition here
> > http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list.
> > The thing with the extension was just an example, but the principle I am
> > trying to understand can be anything else, like a list of blacklisted shell
> > commands or a list of blacklisted domain names, etc...
> > Many thanks,
> >
> > Arneu
> >
> >
> > ------------------------------
> > Date: Tue, 14 May 2013 10:29:10 -0400
> > Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
> > From: deusexmachina667 at ...2420...
> > To: arneu99 at ...12...
> >
> >
> > Hm...
> >
> > You may want to look at the file-identify.rules category. This seems to be
> > right up your alley.
> >
> > http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
> >
> >
> > On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 at ...12...> wrote:
> >
> > Hi,
> >
> > I just installed Snort a few days ago and started to play with it by
> > writing my own rules.
> > I would like my rule to take its content from a file, but I haven't found
> > any information on this topic, neither in the manual, nor on the Internet.
> > I found that the content-list keyword once existed in Snort, but it has
> > apparently been removed about 6 years ago. Too bad, because it was exactly
> > what I was looking for.
> > Would anybody have an idea on how to do such a thing with current snort
> > features? I could write a rule for each of the lines of my file or use pcre
> > with the list of possible values, but I was wondering if there was a way to
> > do it with a rule taking its content from a file. If not, what is the
> > correct approach to do this?
> >
> > As an example, if I have a file containing a whitelist of file extensions,
> > I would like to raise an alert when an email attachment having an extension
> > that is not in the list is seen in the network traffic.
> >
> > Many thanks for your help.
> >
> > Cheers
> >
> > Arneu
> >
> >
> >
> > --
> > when does reality end? when does fantasy begin?
> >
> 
> 
> 
> --
> when does reality end? when does fantasy begin?
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 15 May 2013 08:01:36 +0000
> From: arneu sneu <arneu99 at ...12...>
> Subject: Re: [Snort-sigs] Create a rule that takes its content from a
>         file.
> To: Tony Robinson <deusexmachina667 at ...2420...>,
>         "snort-sigs at lists.sourceforge.net" <snort-sigs at ...1744...net>,
>         Joel    Esler <jesler at ...435...>
> Message-ID: <DUB116-W125CABDFCC9053ED3E3EAF3A2A20 at ...2915...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Thank you Tony for your answer.
> I checked the sensitive data preprocessor; it can be interesting if I manage to describe the patterns I am looking for with the limited regular expression syntax available there.
> I also checked the reputation preprocessor; it's very similar to what I wanted to achieve, but it's only for IP addresses.
> I guess you're right, some rules already exist, written in a way different than the one I was thinking of.
> 
> ------------------------------
> End of Snort-sigs Digest, Vol 84, Issue 16
> ******************************************
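The two approaches the original poster mentions (one rule per line of the list, or a single pcre built from the list of values) and the attachment-extension whitelist example, as an added illustration that is not part of the thread or of Snort itself: a Python generator that turns a list into Snort 2 rules with the content escaping and local SID range a practitioner would need. The sample domain and extension lists, the rule headers, the msg texts and the SID numbers are all constructed assumptions.

```python
import re

# Constructed sample lists (not from the thread): a blacklist of domains and a
# whitelist of attachment extensions, as in the original poster's example.
BLACKLISTED_DOMAINS = ["evil-example.test", "c2.example.invalid"]
WHITELISTED_EXTENSIONS = ["pdf", "docx", "txt"]


def snort_content(value):
    """Escape a literal for a Snort 2 content: modifier (; \\ " | are special)."""
    return "".join("\\" + c if c in ';\\"|' else c for c in value)


def rules_from_blacklist(domains, base_sid):
    """'One rule per line' approach: each domain becomes its own HTTP Host header rule."""
    rules = []
    for i, d in enumerate(domains):
        rules.append(
            'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            f'(msg:"BLACKLIST HTTP request to {d}"; flow:to_server,established; '
            f'content:"Host|3A| {snort_content(d)}"; http_header; nocase; '
            f'classtype:policy-violation; sid:{base_sid + i}; rev:1;)')
    return rules


def whitelist_rule(extensions, sid):
    """'pcre with the list of values' approach, inverted with a negative lookahead:
    alert when a MIME attachment filename ends in an extension that is NOT whitelisted."""
    alts = "|".join(re.escape(e) for e in extensions)
    # \x22 and \x3b stand for " and ; so the Snort rule parser never sees them unescaped
    pcre = (r'/filename=\x22?[^\x22\x3b\r\n]*\.'
            f'(?!(?:{alts})(?:\\x22|\\x3b|\\r|\\n))[A-Za-z0-9]+/i')
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET 25 '
            '(msg:"POLICY mail attachment extension not in whitelist"; '
            f'flow:to_server,established; content:"filename="; nocase; pcre:"{pcre}"; '
            f'classtype:policy-violation; sid:{sid}; rev:1;)')


def pcre_search(rule, data):
    """Pull the /.../flags pattern back out of a generated rule and try it with Python's re,
    so the regex can be checked against sample header lines before loading it into Snort."""
    m = re.search(r'pcre:"/(.*)/([a-z]*)"', rule)
    flags = re.IGNORECASE if "i" in m.group(2) else 0
    return re.search(m.group(1), data, flags) is not None


if __name__ == "__main__":
    for r in rules_from_blacklist(BLACKLISTED_DOMAINS, 1000001):
        print(r)
    print(whitelist_rule(WHITELISTED_EXTENSIONS, 1000100))
```

A filename with no extension at all never matches the whitelist rule, so that case needs its own rule if it matters; the double-extension form (report.pdf.exe) is caught because the lookahead insists the whitelisted extension is the last one.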
