[Snort-users] Creating Your Own Snort Rule?

waldo kitty wkitty42 at ...14940...
Tue Mar 12 13:14:28 EDT 2013

On 3/12/2013 11:28, Jeremy Golden wrote:
> Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, yet effective.
> For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to understand.
> Any examples would be great.

i just posted some extremely simple ones that catch everything... however, they 
make a decent starting point, too...

for example:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; 
sid:1; rev:1;)

we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic 
inbound"; content;".exe"; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic 
outbound"; content;".exe"; sid:x; rev:1;)

there's two... one for inbound and one for outbound...

1. we changed the protocol from "icmp" to "tcp".

2. we adjusted the msg text that is used.

3. we added a content field to look for.

4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.

5. you have to set the SID number to a unique number for your rules sets... the 
revision should be incremented each time you make a (major?) change in the rule.

now, the above does not look for an actual executable file... it only looks for 
the four characters .exe all together... looking for actual binaries is a little 
bit tougher to do but the concept is still the same... you look for content... 
there are various buffers you can look in... you can go case insensitive... you 
can refine for specific examples via pcre...

More information about the Snort-users mailing list