
Snort Rules (How to keep your insanity?)

Description: Snort Rules (How to keep your insanity?), a PowerPoint presentation on the anatomy of a rule, its two parts (header and rule options), and the example rule used to dissect them.


Page 1: Snort Rules (How to keep your insanity?)

Snort Rules (How to keep your insanity?)

Page 2: Snort Rules (How to keep your insanity?)

Anatomy of a Rule

• Composed of two parts:
• Header
• Rule Options
• This is what we will be using to dissect:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

May I go home now? Do you think it is easy to type this?

Page 3: Snort Rules (How to keep your insanity?)

Header

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

Page 4: Snort Rules (How to keep your insanity?)

Dissect Header

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

• Actions: the first element is the action; our example shows that our action is "alert" (written in lower case, as Snort expects its keywords)
• There are 8 possible actions
• The most common actions are alert, pass, drop, reject and sdrop

Page 5: Snort Rules (How to keep your insanity?)

Dissect Header

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

• Protocols: a single word describing the protocol
• TCP, UDP, ICMP or IP, or GRE, ESP, AH
• Next we have basic IP and port matching; we can use an individual IP or a range of IPs, but a range can only be written in CIDR notation, in other words
• You cannot specify a range as 10.1-3.0.0 or 192.168.*.3
• Snort will exit on load
• This is the first place that we can use a variable

Page 6: Snort Rules (How to keep your insanity?)

Dissect Header

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

• var <variable name> <value>
• Separated by spaces
• The most useful instances are to specify your local network IP range, or the ports on which you allow HTTP traffic when your proxy listens on ports other than 8080
• var HOME_NET 192.168.1.0/24
• These variables allow you to customize every rule

Page 7: Snort Rules (How to keep your insanity?)

Dissect Header

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

• Ports: next we specify the port
• You can match on both source and destination ports
• You can define a single port or a range of ports
• No broken ranges or lists of ports
• Example: to define any port from 20 through 53 inclusive, write 20:53
• If you want to match on any port except 443, you would specify !443
• alert tcp $HOME_NET any -> $EXTERNAL_NET 80
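The header rules from the last few slides (case-sensitive action, protocol, CIDR-only addresses, single port or unbroken range, "!" negation, "$VAR" substitution) can be turned into a small loader that fails the way Snort fails on load. The following is an added example, not code from the presentation or from Snort; the var table, the rejected rules and the "eight actions" list (alert, log, pass, activate, dynamic, drop, reject, sdrop, as in Snort 2) are my own, and address lists in square brackets are deliberately not handled.

```python
import ipaddress
import re

# The eight Snort 2 rule actions; the slides name the five most common ones.
# Actions are case-sensitive keywords, so "Alert" is a load error, not an alias.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Constructed 'var' definitions of the kind that precede the rules in snort.conf.
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!192.168.1.0/24",
    "HTTP_SERVERS": "192.168.1.0/24",
    "HTTP_PORTS": "80",
}

PORT_RE = re.compile(r"^(\d+)?(:)?(\d+)?$")


def expand_var(token, variables):
    """Substitute $NAME (optionally negated as !$NAME) from the var table."""
    negate = ""
    if token.startswith("!"):
        negate, token = "!", token[1:]
    if token.startswith("$"):
        name = token[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        token = variables[name]
    return negate + token


def parse_address(spec):
    """Return (negated, network). Only 'any', one IP or a CIDR block is accepted;
    10.1-3.0.0 or 192.168.*.3 raise, which is where Snort itself exits on load."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return negated, ipaddress.ip_network("0.0.0.0/0")
    try:
        return negated, ipaddress.ip_network(body, strict=False)
    except ValueError as exc:
        raise ValueError(f"bad address {spec!r}: use one IP or a CIDR block") from exc


def parse_port(spec):
    """Return (negated, low, high) for 'any', N, A:B (inclusive), :B, A: or !N.
    Port lists such as 80,8080 are rejected: no broken ranges or lists."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return negated, 0, 65535
    m = PORT_RE.fullmatch(body)
    if not m or (m.group(1) is None and m.group(3) is None):
        raise ValueError(f"bad port spec {spec!r}: use N, A:B, :B or A:")
    low = int(m.group(1)) if m.group(1) else 0
    high = int(m.group(3)) if m.group(3) else 65535
    if m.group(2) is None:          # no colon: a single port
        high = low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return negated, low, high


def parse_header(rule, variables=VARS):
    """Split the text before '(' into the seven header fields and validate each."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} (actions are lower case)")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction {direction!r}")
    return {
        "action": action,
        "proto": proto,
        "src": parse_address(expand_var(src, variables)),
        "sport": parse_port(expand_var(sport, variables)),
        "direction": direction,
        "dst": parse_address(expand_var(dst, variables)),
        "dport": parse_port(expand_var(dport, variables)),
    }


def header_error(rule, variables=VARS):
    """None when the header would load, otherwise the reason Snort would exit."""
    try:
        parse_header(rule, variables)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_header("alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (sid:1256;)"))
    for bad in ("Alert tcp any any -> any 80", "alert tcp 10.1-3.0.0 any -> any 80"):
        print(bad, "=>", header_error(bad))
```

Running it shows the slide's own rule loading once the action is lower-cased, and the two forbidden range notations and a port list being rejected at load time rather than silently matching nothing.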

Page 8: Snort Rules (How to keep your insanity?)

Options Part

(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

• Anything inside the parentheses is the options part

Page 9: Snort Rules (How to keep your insanity?)

Rule Title

(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

• First option; in our example it is msg, the message
• All rules have a unique Security Identifier (SID) or rule ID
• No duplicate message rules
• Snort does not complain, but the order is good for accuracy

Page 10: Snort Rules (How to keep your insanity?)

Flow

(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

• Flow has several options
• to_server, from_server, to_client, from_client, established, stateless
• established tells the detection engine to look only in streams that started with a full three-way TCP handshake and have data flowing
• stateless says this packet could be out there all alone, out of normal order, so do not use the reassembled output from the stream preprocessor
• Not applicable to UDP (stateless)

Page 11: Snort Rules (How to keep your insanity?)

(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

• Content: content and uricontent are similar
• content is a simple match
• uricontent looks in the normalized output of the HTTP preprocessor
• uricontent:"/root.exe" means to match if there is a URL out of the HTTP preprocessor that contains the string /root.exe, the telltale request made by a Code Red-infected host as it tries to spread its badness

Page 12: Snort Rules (How to keep your insanity?)

Modifiers of Content

• Depth: says we care only whether you see this content in the first X bytes of the packet
content:"GET"; depth:10;
• Offset: does the opposite and says to ignore the first X bytes of the packet and look until the end of the packet
• content:"attack code"; offset:50; look for the content match, but skip the first 50 bytes of the payload

Page 13: Snort Rules (How to keep your insanity?)

Modifiers of Content

• Within: if we have two content matches but we want to make sure they are a certain distance from each other, we use the within modifier
• Works like depth, but it works from the end of the previous match
• content:"George"; content:"is a Ruck"; within:20; This tells Snort: if you find the string George, then report a match if "is a Ruck" starts within 20 bytes of the end of George. Even if the distance is one byte, the match will be good.

Page 14: Snort Rules (How to keep your insanity?)

Modifiers of Content

• Distance: if we wanted to make sure the second match was at least 20 bytes from the first, we would use distance
• This tells Snort to ignore the next X bytes after the previous match and then start looking
• George is a Ruck
• George Bumbler is a Ruck
• George in White House is a Ruck
• George never seems ok and he is a real Ruck
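To see what depth, offset, distance and within actually select, the four "George" lines from the slide and a constructed HTTP request are run through a small model of Snort's content chain. This is an added example, not code from the presentation or from Snort. It follows the slides' description (offset/depth count from the start of the payload, distance/within from the end of the previous match) and assumes, as Snort does for depth, that the pattern must fit entirely inside its window; so with within:20 the third line does not match, because "is a Ruck" ends 25 bytes after "George". The distance:8 case is my addition to show a positive distance match, since none of the four lines satisfies distance:20.

```python
def match_contents(payload, contents):
    """Walk a chain of content checks over a payload the way Snort does.

    Each item in `contents` is a dict with a bytes "pattern" and optional
    modifiers: offset/depth count from the start of the payload and apply to
    the first check; distance/within count from the end of the previous match.
    The pattern has to fit entirely inside its window (as with depth).
    Returns the (start, end) span of every match, or None as soon as one fails.
    """
    doe = None          # "detect offset end": where the previous match ended
    spans = []
    for check in contents:
        pattern = check["pattern"]
        if doe is None:
            start = check.get("offset", 0)
            depth = check.get("depth")
        else:
            start = doe + check.get("distance", 0)
            depth = check.get("within")
        stop = len(payload) if depth is None else start + depth
        window = payload[start:stop]
        if check.get("nocase"):
            idx = window.lower().find(pattern.lower())
        else:
            idx = window.find(pattern)
        if idx < 0:
            return None
        doe = start + idx + len(pattern)
        spans.append((start + idx, doe))
    return spans


# Constructed payloads: the four "George" lines from the slides and one HTTP request.
GEORGE_LINES = [
    b"George is a Ruck",
    b"George Bumbler is a Ruck",
    b"George in White House is a Ruck",
    b"George never seems ok and he is a real Ruck",
]
HTTP_REQUEST = b"GET /ROOT.EXE HTTP/1.0\r\nHost: example.test\r\n\r\n"


def george_results(second):
    """content:"George"; content:"is a Ruck"; plus the modifiers in `second`
    (e.g. {"within": 20}), evaluated against every George line."""
    chain = [{"pattern": b"George"}, {"pattern": b"is a Ruck", **second}]
    return [match_contents(line, chain) for line in GEORGE_LINES]


if __name__ == "__main__":
    print("within:20   ", george_results({"within": 20}))
    print("distance:20 ", george_results({"distance": 20}))
    print("distance:8  ", george_results({"distance": 8}))
    print("GET depth:10", match_contents(HTTP_REQUEST, [{"pattern": b"GET", "depth": 10}]))
    print("nocase      ", match_contents(HTTP_REQUEST, [{"pattern": b"/root.exe", "nocase": True}]))
    print("offset:50   ", match_contents(HTTP_REQUEST, [{"pattern": b"GET", "offset": 50}]))
```

The nocase check is what makes the slide's uricontent:"/root.exe" still catch a request for /ROOT.EXE, and the offset:50 case shows that a window that starts past the end of the payload simply never matches.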

Page 15: Snort Rules (How to keep your insanity?)

Modifiers of Content

• Rawbytes: rarely used
• For example, the Telnet decoder gathers up all the little packets carrying single characters. Without the preprocessor, you would have to match on six different packets to catch the string "George". If you are trying to detect a Telnet exploit that relied on inserting special characters in between those characters, the preprocessor would strip them out, and the HTTP preprocessor would normalize that into ASCII; rawbytes lets you get to that string before it is normalized.

Page 16: Snort Rules (How to keep your insanity?)

Metadata

• The remainder of our example rule:
reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
• These have no business detecting data or packets
• They help to identify the rule
• They are usually at the end

Page 17: Snort Rules (How to keep your insanity?)

Metadata

• Reference: it is good to include references to remember why you wrote this rule and what its purpose is
• Always add references to your rule; you will be glad you did in the months and years to come
• Classtype: is a classification tool, event-manager oriented
• Allows you to prioritize events based on their type after they have been generated

Page 18: Snort Rules (How to keep your insanity?)

classtype:web-application-attack; sid:1256; rev:8;)

• Example: rules that catch users in chat rooms are less important in a real-time sense than port scanning and exploits against web servers that allow root access
• config classification: web-application-attack,Web Application Attack,1
• config classification: misc-activity,Misc Activity,3

Page 19: Snort Rules (How to keep your insanity?)

sid:1256; rev:8;)

• Sid: is a very important option
• Snort will run without it
• If you are using database output plug-ins, then they will have events without a sid
• Sid is a unique identifier that all rules must have
• Sids range from 100-1,000,000
• Sids from 1,000,001-1,999,999 are reserved for local use, not for the public repository
• Sids 2,000,000-2,999,999 are used by the Bleeding Edge Threats repository

Page 20: Snort Rules (How to keep your insanity?)

sid:1256; rev:8;)

• Rev option refers to the revision number
• It is good for the history of the rules
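The metadata advice spread over the last six slides (unique msg, a sid in the right range, a rev, a reference, a classtype that a config classification line defines and that gives the event its priority) is the kind of thing worth checking mechanically before a rules file is loaded. The following is an added example, not code from the presentation or from Snort: the option splitter, the SID ranges (taken from the slides as stated there), the two classification lines and the three rules in RULES are constructed for this illustration, and the two "LOCAL" rules deliberately share a msg and a sid.

```python
# Classification lines as they appear in classification.config (constructed subset).
CLASSIFICATION_CONFIG = """
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc Activity,3
"""

# Constructed rules: the slides' CodeRed rule plus two local rules with problems.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; '
    'uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; '
    'classtype:web-application-attack; sid:1256; rev:8;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL chat room login"; '
    'content:"JOIN #"; classtype:chat-login; sid:1000001;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL chat room login"; '
    'content:"JOIN #"; reference:url,intranet.example/wiki/irc; '
    'classtype:misc-activity; sid:1000001; rev:1;)',
]


def load_classifications(text):
    """Map classtype name -> (description, priority) from config classification lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue
        name, description, priority = (p.strip() for p in line.split(":", 1)[1].split(","))
        table[name] = (description, int(priority))
    return table


def parse_options(rule):
    """Split the text inside the parentheses into (keyword, value) pairs.
    A ';' inside double quotes belongs to the value and does not end the option."""
    inner = rule[rule.index("(") + 1:rule.rindex(")")]
    items, buf, quoted = [], "", False
    for ch in inner:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        items.append(buf.strip())
    pairs = []
    for item in items:
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def sid_owner(sid):
    """Name the range a SID falls in, using the ranges given on the slides."""
    if 100 <= sid <= 1_000_000:
        return "public ruleset"
    if 1_000_001 <= sid <= 1_999_999:
        return "local use"
    if 2_000_000 <= sid <= 2_999_999:
        return "Bleeding Edge Threats"
    return "outside the documented ranges"


def lint_metadata(rule, classifications, seen_msgs, seen_sids):
    """Return the metadata problems of one rule; the seen_* sets track duplicates across a file."""
    opts = parse_options(rule)
    keys = [k for k, _ in opts]
    values = dict(opts)
    problems = []
    if "msg" not in keys:
        problems.append("no msg")
    elif values["msg"] in seen_msgs:
        problems.append(f"duplicate msg {values['msg']!r}")
    else:
        seen_msgs.add(values["msg"])
    if "sid" not in keys:
        problems.append("no sid: database output plug-ins would log events without a rule id")
    else:
        sid = int(values["sid"])
        if sid in seen_sids:
            problems.append(f"duplicate sid {sid}")
        seen_sids.add(sid)
        if sid_owner(sid) == "outside the documented ranges":
            problems.append(f"sid {sid} outside the documented ranges")
    if "rev" not in keys:
        problems.append("no rev: revision history will be lost")
    if "reference" not in keys:
        problems.append("no reference: you will not remember why this rule exists")
    classtype = values.get("classtype")
    if classtype is None:
        problems.append("no classtype")
    elif classtype not in classifications:
        problems.append(f"classtype {classtype!r} has no config classification line")
    return problems


def lint_file(rules, classifications):
    """Lint every rule in order; returns one problem list per rule."""
    seen_msgs, seen_sids = set(), set()
    return [lint_metadata(r, classifications, seen_msgs, seen_sids) for r in rules]


def priority_of(rule, classifications):
    """Priority the event manager will assign from the rule's classtype."""
    classtype = dict(parse_options(rule)).get("classtype")
    return classifications[classtype][1]


if __name__ == "__main__":
    classes = load_classifications(CLASSIFICATION_CONFIG)
    for rule, problems in zip(RULES, lint_file(RULES, classes)):
        print(dict(parse_options(rule)).get("sid"), problems)
```

The CodeRed rule comes through clean with priority 1; the first local rule is flagged for its missing rev and reference and for a classtype no configuration line defines, and the second is flagged as a duplicate of the first by both msg and sid, which is exactly the situation the slides warn Snort will not complain about on its own.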

Page 21: Snort Rules (How to keep your insanity?)

Conclusion

• There is much to learn about Snort rules
• Don’t be discouraged; think about how much you learned so far
• If Internet and network security is going to be your field, then it is best to learn this tool to protect your systems from outside and inside intruders

FIN