[Snort-users] help writing snort rule

Joel Esler joel.esler at ...1935...
Fri Jan 26 10:45:29 EST 2007


Bill,

Thanks for writing!

It looks like you have a couple of issues.
#1 -- You need to have your rule all on one line, or you need to use the "\" character at the end of your line in order to continue to the next line.  Like:

    alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004 )

You also don't have a ";" at the end of your sid.

    alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

You need to also consider making your "ip" rule a tcp, or udp rule.  If you are interested in both pieces of traffic, then it would be faster and more efficient to write two rules, one for tcp and one for udp.

    alert tcp any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

    alert udp any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000005; )

In your TCP rule, it would be faster to add a flow statement.

    alert tcp any any -> $EXTERNAL_NET any \
    (flow:established,from_client; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

That rule will look for SSNs from a client (you INITIATING the conversation) in an established TCP session.

It's also not good to have a pure pcre rule.  Rules are 100x more efficient with a preceding content statement.  Now, I don't know what kind of content statement you could expect to be in your traffic.  Maybe the abbreviation "SSN"?

    alert tcp any any -> $EXTERNAL_NET any \
    (msg:"SSN Detected in Clear Text"; flow:established,from_client; content:"SSN"; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/";  \
    sid: 1000004; )

You could even get fancier and use a backreference in your pcre to tell the second delimiter to be what the first delimiter was.  But I'll leave that for you to do :) 
You may also want to get rid of your "any any" statement.  

Does this help any?

Joel


On Thu, Jan 25, 2007 at 10:56:24PM -0800, it looks like Bill Lopez sent me:
> 
>    Trying to write a simple rule to parse for SSN in plain text - what am
>    I doing wrong??
> 
>    alert ip any any -> $EXTERNAL_NET any
>    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
>    Text"; sid: 1000004 )
> 
>    rule returns this error
> 
>    ERROR: Unterminated rule in file /etc/snort/rules/TEST.rules, line 5
>       (Snort rules must be contained on a single line or
>        on multiple lines with a '\' continuation character
>        at the end of the line,  make sure there are no
>        carriage returns before the end of this line)
>    Fatal Error, Quitting..
> 
>    Have tried multiple versions of pcre string but always return the same
>    error..
> 
>    Bill Lopez
>    Operating Engineers Trust Funds
>    (626) 356-3524
>    (626) 255-1066





+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
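As an added example (not code from this thread, from Joel, or from the Snort project), the script below applies the checks raised in the reply to constructed rule texts: a rule split over lines without a trailing backslash, a sid with no terminating semicolon, an "ip" rule that should be tcp/udp, a tcp rule with no flow option, a pcre with no preceding content match, and a misspelled flow keyword. It also runs the posted pcre body and the backreference variant the reply hints at over constructed payloads. It assumes Python's re engine treats these constructs the same way Snort's PCRE library does; the HEADER pattern, the FLOW_KEYWORDS set, the constructed rule strings and every function name are this example's own.

```python
import re

# Rule header shape: action proto src sport dir dst dport (options)
HEADER = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)"
                    r"\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
FLOW_KEYWORDS = {"to_client", "to_server", "from_client", "from_server", "established",
                 "not_established", "stateless", "no_stream", "only_stream"}

# pcre body as posted, and the backreference variant hinted at in the reply:
# \1 forces the second delimiter to be whatever the first one was.
SSN_PCRE = r"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}"
SSN_PCRE_BACKREF = r"\d{3}([\s-]?)\d{2}\1\d{4}"

# Constructed rule texts (raw strings keep the pcre backslashes and the
# trailing '\' continuation characters intact).
AS_POSTED = r"""alert ip any any -> $EXTERNAL_NET any
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
Text"; sid: 1000004 )"""
CONTINUED = r"""alert ip any any -> $EXTERNAL_NET any \
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
Text"; sid: 1000004 )"""
FLOW_TYPO = r"""alert tcp any any -> $EXTERNAL_NET any \
(msg:"SSN Detected in Clear Text"; flow:establised, from_client; content:"SSN"; \
pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; sid:1000004;)"""
FINAL = r"""alert tcp any any -> $EXTERNAL_NET any \
(msg:"SSN Detected in Clear Text"; flow:established,from_client; content:"SSN"; \
pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; sid:1000004;)"""


def join_continuations(text):
    """Join physical lines ending in '\\' into logical rule lines, as Snort does."""
    rules, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        if buf + line:
            rules.append(buf + line)
        buf = ""
    if buf:
        rules.append(buf)
    return rules


def split_options(body):
    """Split the option block on ';' outside double quotes (a quoted pcre may
    itself contain ';'). Returns (options, unterminated tail)."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = ch == "\\" and not escaped
        cur += ch
    return opts, cur.strip()


def lint_rule(rule):
    """Findings for one logical rule line, mirroring the points made in the reply."""
    m = HEADER.match(rule)
    if not m:
        return ["unterminated rule: header and (options) must be on one logical line"]
    proto, body = m.group(2), m.group(8)
    opts, tail = split_options(body)
    findings = []
    if tail:  # last option lacks its ';' (the 'sid: 1000004 )' case)
        findings.append(f"option '{tail.partition(':')[0].strip()}' is not terminated with ';'")
        opts.append(tail)
    names = {}
    for opt in opts:
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if value.startswith('"') and not value.endswith('"'):
            findings.append(f"option '{name}' has text after its closing quote (':' typed for ';'?)")
        names[name] = value
    findings += [f"missing required option '{r}'" for r in ("msg", "sid") if r not in names]
    if proto == "ip":
        findings.append("protocol 'ip': write separate tcp and udp rules instead")
    if proto == "tcp" and "flow" not in names:
        findings.append("tcp rule without flow:established,... inspects every packet")
    for kw in names.get("flow", "").split(","):
        if kw.strip() and kw.strip() not in FLOW_KEYWORDS:
            findings.append(f"flow keyword '{kw.strip()}' is not a known flow option")
    if "pcre" in names and "content" not in names:
        findings.append("pcre with no preceding content match is slow")
    return findings


def lint_text(text):
    """Lint every logical rule in a rules-file fragment: [(rule, findings), ...]."""
    return [(rule, lint_rule(rule)) for rule in join_continuations(text)]


def find_ssns(payload, backref=False):
    """Run the pcre body over a payload; returns the matched substrings."""
    pattern = SSN_PCRE_BACKREF if backref else SSN_PCRE
    return [m.group(0) for m in re.finditer(pattern, payload)]
```

Running `lint_text` over AS_POSTED yields three fragments, each flagged as unterminated, which is the same complaint Snort printed; CONTINUED joins into one rule and collects the sid, protocol and content findings; FINAL comes back clean. On the constructed payloads, the backreference variant still matches "123-45-6789" but no longer matches "123-45 6789". Note that both patterns also match any run of nine bare digits, so without a content anchor the rule will fire on order numbers and similar.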



