[Snort-users] Creating Your Own Snort Rule?

Jeremy Hoel jthoel at ...11827...
Tue Mar 12 13:26:33 EDT 2013


Our EXE rules are CRAZY big.. because EXE gets used by CGI scripts and
other web tools, in addition to downloading patches and the like.. so
we have a lot of !Host:<domain> fields to make the alerts from that
not as numerous..

We also made a few pass rules..

pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:1000158;
gid:1; flow:established,to_server; content:"GET"; nocase; http_method;
pcre:"//cgi-bin/\S+.exe/iU"; msg:"PASS - DOWNLOAD - .EXE via PCRE -
cgi-bin"; classtype:suspicious-filename-detect; rev:4; )

This helped reduce the false positive hits..




On Tue, Mar 12, 2013 at 5:14 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 3/12/2013 11:28, Jeremy Golden wrote:
>> Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, yet effective.
>>
>> For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to understand.
>>
>> Any examples would be great.
>
> i just posted some extremely simple ones that catch everything... however, they
> make a decent starting point, too...
>
> for example:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound";
> sid:1; rev:1;)
>
>
> we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic
> inbound"; content:".exe"; sid:x; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic
> outbound"; content:".exe"; sid:x; rev:1;)
>
>
> there's two... one for inbound and one for outbound...
>
> 1. we changed the protocol from "icmp" to "tcp".
>
> 2. we adjusted the msg text that is used.
>
> 3. we added a content field to look for.
>
> 4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.
>
> 5. you have to set the SID number to a unique number for your rules sets... the
> revision should be incremented each time you make a (major?) change in the rule.
>
>
> now, the above does not look for an actual executable file... it only looks for
> the four characters .exe all together... looking for actual binaries is a little
> bit tougher to do but the concept is still the same... you look for content...
> there are various buffers you can look in... you can go case insensitive... you
> can refine for specific examples via pcre...
>
>
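The points raised in this thread (a unique sid for home-grown rules, content matches being case-sensitive without nocase, pass rules to cut false positives) are easy to check mechanically. Below is an added example, not code from the thread or from the Snort project: a small Python linter for the Snort 2 rule syntax used above, run over a constructed ruleset made from the thread's rules with the "content;" typo corrected and placeholder sids filled in. The 1000000+ range for local sids is the usual convention for user-written rules.

```python
from collections import Counter
# Constructed sample ruleset: the icmp rule, the two ".exe" rules (sids both set to
# 1000001 on purpose, to exercise the duplicate check) and the cgi-bin pass rule.
SAMPLE_RULES = r"""
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic inbound"; content:".exe"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic outbound"; content:".exe"; sid:1000001; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:1000158; gid:1; flow:established,to_server; content:"GET"; nocase; http_method; pcre:"//cgi-bin/\S+.exe/iU"; msg:"PASS - DOWNLOAD - .EXE via PCRE - cgi-bin"; classtype:suspicious-filename-detect; rev:4; )
"""

def split_options(body):
    # Split on ';' separators that are not inside double quotes (msg/pcre may contain ';')
    opts, cur, in_quote = [], "", False
    for ch in body:
        in_quote ^= ch == '"'
        if ch == ";" and not in_quote:
            opts.append(cur.strip()); cur = ""
        else:
            cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])

def parse_rule(line):
    # Header is "action proto src sport direction dst dport"; options sit in parentheses
    head, _, body = line.strip().partition("(")
    rule = dict(zip(("action", "proto", "src", "sport", "direction", "dst", "dport"), head.split()))
    rule["options"] = [(n.strip(), v.strip().strip('"')) for n, _, v in
                       (opt.partition(":") for opt in split_options(body.rsplit(")", 1)[0]))]
    return rule

def case_sensitive_contents(options):
    # Content matches with no nocase modifier before the next content (point 4 in the thread)
    names = [n for n, _ in options]
    idx = [i for i, n in enumerate(names) if n == "content"]
    return [options[i][1] for i, j in zip(idx, idx[1:] + [len(names)]) if "nocase" not in names[i:j]]

def lint_rules(text):
    # One string per finding, covering the points the thread raises about home-grown rules
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]
    sid_count = Counter(dict(r["options"]).get("sid") for r in rules)
    findings = []
    for r in rules:
        names, sid = [n for n, _ in r["options"]], dict(r["options"]).get("sid", "?")
        if not sid.isdigit() or int(sid) < 1000000:  # 1-999999 are reserved for official rules
            findings.append(f"sid {sid}: local rules need a numeric sid of 1000000 or above")
        elif sid_count[sid] > 1:
            findings.append(f"sid {sid}: not unique in this ruleset")
        for c in case_sensitive_contents(r["options"]):
            findings.append(f'sid {sid}: content "{c}" is case-sensitive (no nocase)')
        if r["action"] == "pass" and not any(n in ("content", "pcre") for n in names):
            findings.append(f"sid {sid}: pass rule without a payload match silences all matching traffic")
    return findings
```

Running lint_rules(SAMPLE_RULES) flags the sid 1 rule, the duplicate and case-sensitive ".exe" rules, and nothing on the pass rule, whose content is followed by nocase.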