[Snort-sigs] Sig writing help

Al Lewis (allewi) allewi at ...3865...
Thu Nov 17 10:52:54 EST 2016


Sorry.. forgot to include the files…


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...3865...

From: allewi <allewi at ...3865...>
Date: Thursday, November 17, 2016 at 10:23 AM
To: Alex Cermak <alex.cermak at ...4198...>
Cc: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Sig writing help

Hello Alex,

Not sure if this was answered already but I get an alert… see below…

Is there any reason you are using 2.9.7 still?

[root at ...42... snort-2.9.8.3]# ./bin/snort -c etc/cermak.conf -r etc/cermak.pcap -Acmg -k none -q

11/17-09:57:56.118000  [**] [1:10000:1] PoC C&C [**] [Priority: 0] {TCP} 192.168.58.5:39598 -> 192.168.58.4:23
11/17-09:57:56.118000 08:00:27:CB:B6:C0 -> 08:00:27:21:AF:47 type:0x800 len:0x46
192.168.58.5:39598 -> 192.168.58.4:23 TCP TTL:64 TOS:0x0 ID:43413 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x470C2095  Ack: 0x47993993  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 231687 232203
00 00 00 01                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


[root at ...42... snort-2.9.8.3]# cat etc/cermak.conf

dynamicengine lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory lib/snort_dynamicpreprocessor


preprocessor stream5_global: \
    max_tcp 8192, \
    track_tcp yes, \
    track_udp no

preprocessor stream5_tcp: \
    policy windows, \
    detect_anomalies, \
    require_3whs 180, \
    use_static_footprint_sizes, \
    ports server 80 2251, \
    ports both 80 2251

alert tcp any any -> any any (msg:"PoC C&C"; content:"|00 00 00 01|"; sid:10000; rev:1; )



[root at ...42... snort-2.9.8.3]# ./bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7



Hope this helps...

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...3865...

From: Alex Cermak <alex.cermak at ...4198...>
Reply-To: Alex Cermak <alex.cermak at ...4198...>
Date: Tuesday, November 15, 2016 at 8:57 PM
To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] Sig writing help

Hi,

I'm rather stuck writing a rule which will match the last 4 bytes of the given packet, does anyone know why the rule below would not match the packet below?

I realise this rule is far from accurate at this stage, I'm just attempting to get it to fire.

Rule:
alert tcp any any -> any any (msg:"PoC C&C"; content:"|00 00 00 01|"; sid:10000; rev:1; )

Packet:
11/10-11:36:18.510776 192.168.58.5:39598 -> 192.168.58.4:23
TCP TTL:64 TOS:0x0 ID:43413 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x470C2095  Ack: 0x47993993  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 231687 232203
0x0000: 08 00 27 21 AF 47 08 00 27 CB B6 C0 08 00 45 00  ..'!.G..'.....E.
0x0010: 00 38 A9 95 40 00 40 06 9B D0 C0 A8 3A 05 C0 A8  .8.. at ...180...@.....:...
0x0020: 3A 04 9A AE 00 17 47 0C 20 95 47 99 39 93 80 18  :.....G. .G.9...
0x0030: 00 E5 F5 84 00 00 01 01 08 0A 00 03 89 07 00 03  ................
0x0040: 8B 0B 00 00 00 01                                ......


$ snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

Thanks,

Alex
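As an added illustration (not part of the thread, and not Snort code), the script below parses the hex dump from Alex's message, walks the Ethernet, IPv4 and TCP headers using the lengths the dump itself reports (IpLen:20, TcpLen:32), and shows that the only bytes Snort's `content:"|00 00 00 01|"` is matched against are the 4-byte TCP payload. The `rule_content_matches` helper is an assumed approximation of a plain content match, with an `at_end` flag standing in for the usual `isdataat:!1,relative` idiom that pins a match to the end of the payload.

```python
"""Parse the thread's hex dump and extract the TCP payload a Snort content
match sees.  The helper names and the match emulation are assumptions."""
import struct

# Hex dump as posted in the thread, ASCII column removed (constructed input).
HEXDUMP = """
0x0000: 08 00 27 21 AF 47 08 00 27 CB B6 C0 08 00 45 00
0x0010: 00 38 A9 95 40 00 40 06 9B D0 C0 A8 3A 05 C0 A8
0x0020: 3A 04 9A AE 00 17 47 0C 20 95 47 99 39 93 80 18
0x0030: 00 E5 F5 84 00 00 01 01 08 0A 00 03 89 07 00 03
0x0040: 8B 0B 00 00 00 01
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset: xx xx ...' lines into the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Walk Ethernet -> IPv4 -> TCP and return only the TCP payload."""
    if frame[12:14] != b"\x08\x00":          # EtherType 0x0800 = IPv4
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IpLen:20 in the dump
    total_len = struct.unpack("!H", ip[2:4])[0]   # DgmLen:56 in the dump
    if ip[9] != 6:                           # protocol 6 = TCP
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4            # TcpLen:32 (20 + NOP NOP TS)
    return tcp[data_off:]


def rule_content_matches(payload: bytes, content: bytes,
                         at_end: bool = False) -> bool:
    """Emulate a plain content match; at_end additionally requires that no
    payload byte follows the match (what isdataat:!1,relative checks)."""
    idx = payload.find(content)
    if idx < 0:
        return False
    return idx + len(content) == len(payload) if at_end else True


if __name__ == "__main__":
    data = tcp_payload(parse_hexdump(HEXDUMP))
    print("payload:", data.hex(" "))
    print("rule would fire:", rule_content_matches(data, b"\x00\x00\x00\x01"))
```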
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cermak.conf
Type: application/octet-stream
Size: 480 bytes
Desc: cermak.conf
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161117/0054ef3c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cermak.pcap
Type: application/octet-stream
Size: 110 bytes
Desc: cermak.pcap
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161117/0054ef3c/attachment-0001.obj>