Snort mailing list archives

Re: help writing snort rule


From: "Bill Lopez" <Bill () oefi org>
Date: Fri, 26 Jan 2007 15:39:14 -0800

/etc/snort/snort.conf
#--------------------------------------------------
#   http://www.snort.org     Snort 2.6.1.2 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id$
#
###################################################
# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

#10.0.0.33 is the local machine
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 10.0.0.33 }

preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

include classification.config
include reference.config
include $RULE_PATH/BILL.rules

_______________________________________________________________
Snort command line to start 

/usr/sbin/snort -A console -l /var/log/snort/ -h 10.0.0.0/24 \
    -c /etc/snort/snort.conf

_______________________________________________________________
/etc/snort/rules/BILL.rules

alert tcp $HOME_NET any -> any any (pcre:"/ \d{3}(|-)\d{2}(|-)\d{4} /"; msg:"SSN Detected in Clear Text-Bill's Rule"; sid:1000004;)

alert udp $HOME_NET any -> any any (pcre:"/ \d{3}(|-)\d{2}(|-)\d{4} /"; msg:"SSN Detected in Clear Text-Bill's Rule"; sid:1000005;)

alert tcp $HOME_NET any -> any any (pcre:"/ \d\d\d-\d\d-\d\d\d\d /"; msg:"SSN Detected in Clear Text-Lou's Rule"; sid:1000007;)

alert udp $HOME_NET any -> any any (pcre:"/ \d\d\d-\d\d-\d\d\d\d /"; msg:"SSN Detected in Clear Text-Lou's Rule"; sid:1000008;)

-----------------------------------------------------------------

Still no alert with an e-mail containing 555-55-5555 in the body or
subject??






Bill Lopez

Operating Engineers Trust Funds

(626) 356-3524

(626) 255-1066

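The following is an added example, not code from Bill's or Blake's messages. It takes the two PCRE patterns exactly as posted in BILL.rules and runs them against a few constructed SMTP DATA fragments, so the effect of the literal leading and trailing spaces in those patterns can be seen without a running sensor: an SSN that ends a line (followed by CRLF) or sits at the end of a Subject header has no trailing space to match. The third, word-boundary-anchored pattern is my own assumption of a looser alternative and is not from the thread; it is broader and will also fire on other nine-digit runs, so it trades false negatives for false positives. Python's re module is used here on the assumption that these simple patterns behave the same under Snort's PCRE engine; it says nothing about whether the packet reached the rule engine at all (HOME_NET direction, stream reassembly, flow_depth), which is a separate check.

```python
"""Offline check of the SSN PCRE patterns posted in BILL.rules (added example)."""
import re

# The patterns from the posted rule pairs (sids 1000004/1000005 and 1000007/1000008),
# copied verbatim; note the literal space at each end.
PATTERNS = {
    "bill": re.compile(r" \d{3}(|-)\d{2}(|-)\d{4} "),
    "lou":  re.compile(r" \d\d\d-\d\d-\d\d\d\d "),
    # Assumed alternative (not from the thread): word boundaries instead of
    # literal spaces, with an optional dash or space between groups. Broader,
    # so it will also match unrelated nine-digit numbers.
    "boundary": re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b"),
}

# Constructed SMTP DATA fragments; these are not real captures.
SAMPLES = {
    "mid_line":     "Subject: test\r\n\r\nmy number is 555-55-5555 ok\r\n.\r\n",
    "end_of_line":  "Subject: test\r\n\r\nmy number is 555-55-5555\r\n.\r\n",
    "subject_line": "Subject: 555-55-5555\r\n\r\nhello\r\n.\r\n",
    "space_sep":    "Subject: test\r\n\r\nmy number is 555 55 5555 ok\r\n.\r\n",
    "no_ssn":       "Subject: test\r\n\r\nnothing to see\r\n.\r\n",
}


def matches(pattern_name: str, payload: str) -> bool:
    """True if the named pattern would fire somewhere in this payload."""
    return PATTERNS[pattern_name].search(payload) is not None


def evaluate_all() -> dict:
    """Map each sample name to {pattern name: matched?}."""
    return {
        sample: {name: matches(name, payload) for name in PATTERNS}
        for sample, payload in SAMPLES.items()
    }


if __name__ == "__main__":
    # Print a hit/miss matrix: only "mid_line" is caught by the posted patterns,
    # because it is the only sample with a space on both sides of the SSN.
    for sample, results in evaluate_all().items():
        flags = ", ".join(f"{n}={'hit' if v else 'miss'}" for n, v in results.items())
        print(f"{sample:12s} {flags}")
```

Run it as a script to see the matrix. The "space_sep" sample (the "xxx xx xxxx" variant Bill mentions) misses both posted patterns because `(|-)` only allows an empty string or a dash between groups, never a space.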

-----Original Message-----
From: Blake Hartstein [mailto:bhartstein () demarc com] 
Sent: Friday, January 26, 2007 11:48 AM
To: Bill Lopez
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help writing snort rule

Bill Lopez wrote:

which doesn't produce an alert either - eventually I want to apply 
this filter to just traffic from/to mail , telnet, ftp (etc) servers -

I can send any variance of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an
e-mail, text file attachment or file upload and still never see an 
alert to the console. I have a simple rule to check for content using 
a keyword and get alerted when sending that keyword with e-mail, 
attachment and file upload (this was my test to see if snort was 
actually alerting correctly) I am only running my test rules with an 
out of the box snort.conf file.

Why wouldn't either of the above rules alert with (for example) an 
e-mail sent with 555-55-5555 in the body?

Bill,
Can you please paste how you are running snort on the command line, and 
if you changed anything in your snort.conf please post that information
too.

This type of traffic should be seen by snort and the rules you created 
should alert.

Perhaps snort isn't seeing the traffic you are expecting.

Try running
# snort -vde -i eth0

to see what snort sees.

Or, if you are running from a pcap, you might need to use
config checksum_mode: none
if you captured the file from the localhost.

Also, which port is this traffic intended for?
You might need to configure your flow_depth on http_inspect if you are 
seeing this deep within the packet, rather than just in the headers.

-Blake

