Snort mailing list archives
Re: help writing snort rule
From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 26 Jan 2007 10:45:29 -0500
Bill,

Thanks for writing! It looks like you have a couple of issues.

#1 -- You need to have your rule all on one line, or you need to use the "\" character at the end of your line in order to continue to the next line. Like:

alert ip any any -> $EXTERNAL_NET any \
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004 )

You also don't have a ";" at the end of your sid.

alert ip any any -> $EXTERNAL_NET any \
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004; )

You need to also consider making your "ip" rule a tcp or udp rule. If you are interested in both pieces of traffic, then it would be faster and more efficient to write two rules, one for tcp and one for udp.

alert tcp any any -> $EXTERNAL_NET any \
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004; )

alert udp any any -> $EXTERNAL_NET any \
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000005; )

In your TCP rule, it would be faster to add a flow statement.

alert tcp any any -> $EXTERNAL_NET any \
(flow:established,from_client; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004; )

That rule will look for SSNs from a client (you INITIATING the conversation) in an established TCP session.

It's also not good to have a pure pcre rule. Rules are 100x more efficient with a preceding content statement. Now, I don't know what kind of content statement you could expect to be in your traffic. Maybe the abbreviation "SSN"?

alert tcp any any -> $EXTERNAL_NET any \
(msg:"SSN Detected in Clear Text"; flow:established,from_client; content:"SSN"; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; \
sid: 1000004; )

You could even get fancier and use a backreference in your pcre to tell the second delimiter to be what the first delimiter was. But I'll leave that for you to do :)

You may also want to get rid of your "any any" statement.
Does this help any?

Joel

On Thu, Jan 25, 2007 at 10:56:24PM -0800, it looks like Bill Lopez sent me:
Trying to write a simple rule to parse for SSN in plain text - what am I doing wrong??

alert ip any any -> $EXTERNAL_NET any (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004 )

rule returns this error

ERROR: Unterminated rule in file /etc/snort/rules/TEST.rules, line 5 (Snort rules must be contained on a single line or on multiple lines with a '\' continuation character at the end of the line, make sure there are no carriage returns before the end of this line)
Fatal Error, Quitting..

Have tried multiple versions of pcre string but always return the same error..

Bill Lopez
Operating Engineers Trust Funds
(626) 356-3524
(626) 255-1066

shell-init: could not get current directory: getcwd: cannot access parent directories: No such file or directory
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
+---------------------------------------------------------------------+
joel esler
senior security consultant
1-706-627-2101
gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
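An added example, not from Joel's or Bill's mail, that reproduces in Python's re module the two points made above: the cheap content match gating the expensive pcre, and the backreference version of the SSN pattern that forces both delimiters to be the same. The rule_fires and check_samples functions and the sample payloads are constructed for illustration and are not Snort code.

```python
import re

# Snort runs the cheap content match first and only evaluates the pcre
# on packets that pass it; the same ordering is reproduced here.
CONTENT = b"SSN"

# The pattern from the thread: both delimiters are independent, so
# "123-45 6789" matches, and so does any run of 9+ digits.
PCRE_ORIGINAL = re.compile(rb"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}")

# Backreference version: the second delimiter must equal the first.
# An unset group makes \1 fail in PCRE, so the no-delimiter case is a
# separate alternative. (?<!\d)/(?!\d) stop matches inside longer
# digit runs (a 10-digit number is not an SSN).
PCRE_BACKREF = re.compile(
    rb"(?<!\d)\d{3}(?:([\s-])\d{2}\1|\d{2})\d{4}(?!\d)")


def rule_fires(payload: bytes, pcre: re.Pattern = PCRE_BACKREF) -> bool:
    """Emulate content:"SSN"; pcre:"..."; -- string gate, then regex."""
    if CONTENT not in payload:   # fast prefilter; pcre is never run
        return False
    return pcre.search(payload) is not None


# Constructed sample payloads with the verdict a defender would want.
SAMPLES = [
    (b"SSN: 123-45-6789", True),
    (b"SSN 123 45 6789", True),
    (b"SSN=123456789", True),
    (b"SSN: 123-45 6789", False),       # mixed delimiters: backref rejects
    (b"acct 123-45-6789", False),       # no "SSN" content, pcre not run
    (b"SSN order 9876543210", False),   # 10-digit run, not an SSN
]


def check_samples(pcre: re.Pattern = PCRE_BACKREF) -> list:
    """Return the payloads whose verdict differs from the expected one."""
    return [p for p, expected in SAMPLES if rule_fires(p, pcre) != expected]


if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(payload, rule_fires(payload), "expected", expected)
    print("mismatches, backref pattern:", check_samples())
    print("mismatches, original pattern:", check_samples(PCRE_ORIGINAL))
```

Running it shows the original pattern also firing on the mixed-delimiter and ten-digit payloads, which is the false-positive class the backreference and digit boundaries remove.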
Current thread:
- help writing snort rule Bill Lopez (Jan 25)
- Re: help writing snort rule Nerijus Krukauskas (Jan 25)
- Re: help writing snort rule Matt Jonkman (Jan 26)
- Re: help writing snort rule Joel Esler (Jan 26)
- <Possible follow-ups>
- Re: help writing snort rule Bill Lopez (Jan 26)
- Re: help writing snort rule Joel Esler (Jan 26)
- Re: help writing snort rule Blake Hartstein (Jan 26)
- Re: help writing snort rule Bill Lopez (Jan 26)