Snort Rules

Snort Rules (from Snort Manual)

Headers

alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg:"mountd access";)

Everything up to the opening parenthesis is the rule header; the options inside the parentheses are what the rule checks in the packet. The trailing backslash only continues the rule onto a second line.

Rule Actions

The header defines the who, where, and what of a packet, as well as what to do when a packet with all the attributes listed in the rule shows up. The rule action tells Snort what to do when it finds a packet that matches the rule criteria.

Actions

1. alert - generate an alert using the selected alert method, and then log the packet

2. log - log the packet

3. pass - ignore the packet

If you are running Snort in inline mode, you have three additional actions: drop, reject, and sdrop.

4. drop - block and log the packet

5. reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP

6. sdrop - block the packet but do not log it

Protocols

There are four protocols that Snort currently analyzes for suspicious behavior: TCP, UDP, ICMP, and IP. A rule whose protocol is ip applies to every IP packet regardless of the transport protocol.

IP Addresses

Addresses are written as a plain numeric IP address or as an address/CIDR block. 192.168.1.0/24 signifies the 256 addresses 192.168.1.0 through 192.168.1.255; a bare host address is treated as a /32.

The negation operator ! tells Snort to match any IP address except the one indicated: !192.168.1.0/24 matches anything outside that block.

Address lists are enclosed in square brackets and separated by commas with no spaces, e.g. [192.168.1.0/24,10.1.1.0/24]. A list can be negated as a whole: ![192.168.1.0/24,10.1.1.0/24].

any = any IP

$HOME_NET = defaults to any; set it to the networks you are protecting, for example in snort.conf:

ipvar HOME_NET [10.10.10.20,192.168.1.23,172.16.30.25]

$EXTERNAL_NET = defaults to any; should be set to !$HOME_NET so that rules written as $EXTERNAL_NET -> $HOME_NET fire only on traffic that originates outside the protected networks

Port Numbers

Port numbers may be specified as any, a static port (22), a range using the : operator (1:1000), a list ([80,443,8000:8080]), or by negation (!80).

: is the range operator: 1:1000 means ports 1 through 1000 inclusive, :1024 means any port less than or equal to 1024, and 1024: means port 1024 and above.

Direction or Flow operator

-> = source to destination: the address and port on the left of the arrow are the packet's source, those on the right its destination

<> = bidirectional operator: the rule matches with either side as the source. There is no <- operator.
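The address, port and direction rules above, as an added example that is not from the Snort manual or the Snort code base: a small Python matcher that resolves $HOME_NET-style variables, CIDR lists, the ! negation and the : range operator, then checks a packet 5-tuple against a rule header. The VARS table and the packets are constructed for illustration, and the model only covers header semantics (no stream reassembly or rule options).

```python
import ipaddress

# Constructed stand-in for the ipvar/portvar lines of snort.conf
# (assumption: illustrative values, not a real deployment).
VARS = {
    "$HOME_NET": "[10.10.10.20,192.168.1.23,172.16.30.25]",
    "$EXTERNAL_NET": "!$HOME_NET",
    "$HTTP_PORTS": "[80,8080,8000:8010]",
}


def _split_top(text):
    """Split a comma list at bracket depth 0 so nested lists survive."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def parse_addr(spec):
    """Turn a Snort address spec into a predicate over an IP address string."""
    spec = spec.strip()
    if spec.startswith("!"):                            # negation: !x
        inner = parse_addr(spec[1:])
        return lambda ip: not inner(ip)
    if spec.startswith("$"):                            # variable reference
        return parse_addr(VARS[spec])
    if spec == "any":
        return lambda ip: True
    if spec.startswith("[") and spec.endswith("]"):     # list: [a,b,c]
        members = [parse_addr(p) for p in _split_top(spec[1:-1])]
        return lambda ip: any(m(ip) for m in members)
    net = ipaddress.ip_network(spec, strict=False)      # host (/32) or CIDR block
    return lambda ip: ipaddress.ip_address(ip) in net


def parse_port(spec):
    """Turn a port spec (any, 22, 1:1000, :1024, 1024:, !80, [..]) into a predicate."""
    spec = spec.strip()
    if spec.startswith("!"):
        inner = parse_port(spec[1:])
        return lambda p: not inner(p)
    if spec.startswith("$"):
        return parse_port(VARS[spec])
    if spec == "any":
        return lambda p: True
    if spec.startswith("[") and spec.endswith("]"):
        members = [parse_port(p) for p in _split_top(spec[1:-1])]
        return lambda p: any(m(p) for m in members)
    if ":" in spec:                                     # range operator, ends optional
        lo, hi = spec.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
        return lambda p: lo <= p <= hi
    port = int(spec)
    return lambda p: p == port


def parse_header(header):
    """Parse 'action proto src sport dir dst dport' into a matcher dict."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError("direction must be -> or <> (there is no <-)")
    return {
        "action": action,
        "proto": proto.lower(),
        "a": (parse_addr(src), parse_port(sport)),
        "b": (parse_addr(dst), parse_port(dport)),
        "bidir": direction == "<>",
    }


def header_matches(rule, proto, src, sport, dst, dport):
    """Return True when a packet's 5-tuple satisfies the rule header."""
    if rule["proto"] != "ip" and rule["proto"] != proto.lower():
        return False
    (a_ip, a_port), (b_ip, b_port) = rule["a"], rule["b"]
    forward = a_ip(src) and a_port(sport) and b_ip(dst) and b_port(dport)
    if forward or not rule["bidir"]:
        return forward
    # <> also accepts the packet with the two endpoints swapped
    return a_ip(dst) and a_port(dport) and b_ip(src) and b_port(sport)
```

Because $EXTERNAL_NET resolves to !$HOME_NET, a packet from one protected host to another is rejected by the same header that accepts the same packet from an outside address; without that negation, $EXTERNAL_NET is any and lateral movement inside the home network never trips the rule.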

Rule Options

GENERAL RULE OPTIONS

Message A meaningful message typically states what the rule is detecting.

msg:"<message text>";

Flow Specifies which direction the traffic must be going, and whether the session must be established, for the rule to fire. The flow keyword works in conjunction with TCP stream reassembly and lets a rule apply only to one direction of a session, e.g. to client requests but not to server replies.

flow:to_server,established;

Reference The reference keyword allows rules to include links to external sources of information.

reference:<id system>, <id>; [reference:<id system>, <id>;]

example reference:bugtraq,1387;

Classtype The classtype keyword categorizes a rule by what a successful attack would achieve; each class type carries a default priority.

classtype:attempted-recon; See the table of class types below.

gid: The gid keyword (generator id) identifies which part of Snort generates the event when a rule fires. gid:1 is the rules subsystem and is the default; rules normally omit it.

sid/rev: sid uniquely identifies a Snort rule and should always be paired with rev (revision number) so that output plugins can tell which rule, and which version of it, fired. sid values below 1,000,000 are reserved (<100 for future use, 100-999,999 for the rules shipped with Snort); local rules use sid values of 1,000,000 and above.

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

Binary content is written between pipe characters as hex bytes, for example |14 B3 4D|.

priority: The priority keyword assigns a severity level to a rule, overriding the default priority of its classtype. priority:10;

metadata: The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format. metadata:key1 value1, key2 value2;


DETECTION OPTIONS

Content This important feature lets a rule search the packet payload for specific data and trigger a response when it is found. The option data can contain mixed text and binary data.

Binary data is enclosed between pipe (|) characters and written as bytecode: hex values, optionally separated by spaces. Text outside the pipes is matched literally.

Characters that must be escaped with a backslash inside a content string: ; \ "

Content matches are case-sensitive unless the nocase modifier is added, and a ! before the string negates the match, so the option succeeds only if the data is absent from the payload.

Examples

alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)

This mixes text and bytecode to match the UTF-16LE string \PIPE\ in traffic to port 139.

alert tcp any any -> any 80 (content:!"GET";)

This fires on packets to port 80 whose payload does not contain GET.

offset/depth These modifiers bound an absolute search from the start of the payload: offset says how many bytes in to start looking, and depth how many bytes from that point to search. content:"GET"; depth:3; therefore matches only when GET is the first three bytes of the payload.

distance/within These modifiers make the search relative to the end of the previous content match: distance says how many bytes to skip after that match before searching, and within how many bytes after that point the pattern must be found in its entirety. content:"/admin"; distance:1; within:6; requires /admin to appear inside the six bytes that begin one byte after the previous match.

PCRE The pcre keyword allows rules to be written using Perl-compatible regular expressions, which allow more complex matches than a simple content match. The format is pcre:"/<regex>/<flags>"; for example pcre:"/^GET\s+\/admin/i"; Pair it with a content match where possible so the faster content matcher filters packets before the regular expression runs.


Byte test The byte_test option reads a number of bytes from the payload, converts them to a number, and tests that number against a value. The format is byte_test:<bytes to convert>,<operator>,<value>,<offset>[,relative][,big|little][,string,<dec|hex|oct>]; Operators are <, >, =, !, &, ^ (and <=, >=); a leading ! negates the test, relative makes the offset count from the end of the previous content match, and string converts ASCII digits instead of raw bytes. Example: byte_test:4,>,1000,20,relative;
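A model of byte_test, added as an example that is not from the Snort manual or the Snort code base: it reads the requested bytes at an absolute or relative offset, converts them as a big- or little-endian integer or as ASCII digits, and applies the operator, with the same negation rule as the real option. The payloads in the usage below are constructed; last_end stands for the end of a previous content match that a real rule would have supplied.

```python
import operator

# Comparison operators accepted by byte_test; & and ^ are bitwise tests.
_OPS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq,
    "<=": operator.le, ">=": operator.ge,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}


def byte_test(payload, nbytes, op, value, offset, *, relative=False,
              endian="big", string=None, last_end=0):
    """Model byte_test:<bytes>,<op>,<value>,<offset>[,relative][,endian][,string,<type>].

    Reads nbytes from payload at offset (added to the end of the previous
    content match when relative is set), converts them to an integer as a
    big- or little-endian number or, with string="dec"/"hex"/"oct", as ASCII
    text, and compares the result against value. A leading ! negates the
    operator; a bare ! means "not equal".
    """
    negate = op.startswith("!")
    if negate:
        op = op[1:] or "="
    start = offset + (last_end if relative else 0)
    chunk = payload[start:start + nbytes]
    if len(chunk) != nbytes:                # field runs off the end: no match
        return False
    if string:
        num = int(chunk.decode("ascii"), {"dec": 10, "hex": 16, "oct": 8}[string])
    else:
        num = int.from_bytes(chunk, "little" if endian == "little" else "big")
    result = _OPS[op](num, value)
    return (not result) if negate else result


# Constructed sample: a 3-byte tag, a zero byte, a 16-bit field (e8 03) and a flag byte.
SAMPLE = b"RPC\x00\xe8\x03\x05"

if __name__ == "__main__":
    # byte_test:2,>,1000,4;          16-bit field read big-endian (0xe803)
    print(byte_test(SAMPLE, 2, ">", 1000, 4))
    # byte_test:2,>,1000,4,little;   same bytes read little-endian (0x03e8 = 1000)
    print(byte_test(SAMPLE, 2, ">", 1000, 4, endian="little"))
    # byte_test:1,=,0,0,relative;    the byte right after a content:"RPC" match
    print(byte_test(SAMPLE, 1, "=", 0, 0, relative=True, last_end=3))
```

The endianness pair is the check worth keeping in mind: the same two bytes are 59395 big-endian and 1000 little-endian, so a rule that omits the endian modifier on a little-endian protocol field compares against the wrong number and silently never fires.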