Snort mailing list archives
Guidance on Creating Sequential SNORT Rules for Replay Attack Detection
From: Geriot Polenz via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 20 Sep 2023 15:27:19 +0200
Dear SNORT Community,

I'm currently working on enhancing our SNORT rules to better detect replay attacks and man-in-the-middle attacks. To achieve this, I'm interested in creating SNORT rules that can be triggered sequentially, where the second rule is only activated after a certain first rule has been triggered. Additionally, I'd like the second rule to sniff for content that is either completely or partially equal to the content of the first triggered rule but sent now from a different host.

Here's a conceptual example of the goal I have in mind:

# First Rule to Trigger
trigger udp $EXTERNAL_NET any -> $HOME_NET 1234 (Activate rule 2 Trigger; byte_extract into var; sid:1; rev:1)

# Second Rule to Detect Replay Attack
alert udp $!IP_FROM_FIRST_RULE any -> $HOME_NET 1234 (byte_extract and compare to $var from FIRST RULE -> Throw alert when equal; sid:2; rev:1)

I've already explored the use of "flowbits", but unfortunately, I couldn't find a way to pass the source IP address or other extracted information from the first rule to the second rule.

Currently, my workaround idea would involve writing two dynamic rules (SO rules) that translate source IP addresses and other extracted bytes into binary and store them in flowbits (36 for IP). These flowbits are then compared for identity, and if they match, the flowbits are reset; otherwise, an alert is generated.

"flowbits" have the requirement of using the "Session" preprocessor. What exactly is understood as a session when using "flowbits" in the udp context? As I understand, flowbits are unique ("private") variables for every session, but an explanation of a session in the udp context is missing in the SNORT manual. In my understanding, a session is always mapped to the combinations of source and destination IPs.

Assume 2 rules with activated Session preprocessor for udp:

1. alert udp any any -> any any (...; flowbits: toggle, var1; flowbits: noalert; ... sid: 1)
2. alert udp 1.1.1.1 any -> any any (...; flowbits: isset, var1; ... sid: 2)

With the following packets, will rule 2 be triggered?

1. 2.2.2.2 -> 3.3.3.3
2. 4.4.4.4 -> 3.3.3.3
3. 1.1.1.1 -> 3.3.3.3

Again, in my understanding all 3 packets are from different sessions and the 3rd packet should not trigger the alert, even when the 2nd packet is not sent (assuming var1 starts with 0). This would mean that my goal of detecting a replay attack is not possible with "flowbits", as it is not possible to transfer information between different source/destination IP combinations. I hope I have understood this wrongly, and someone can explain how to use the "flowbits" + "session" functionality to make information transfer between rules possible (tracking sessions to destination IP, for example).

My questions summarized:

- In a rule with more than 1 IP address as source or destination, is it possible to extract the current IP addresses of the host which triggered the rule? I tried to access it via "content:"|11|", offset -20, depth 1;" on a udp rule, but was not able to match any IP address bytes.
- Are there alternative approaches within SNORT to effectively detect replay attacks or transfer extracted information (byte_extract) from one rule to another rule (stateful inspection)?
- How can I use the "flowbits", and what is meant by sessions in the required preprocessor? (How) can the preprocessor and flowbits help with stateful inspection?

I'm very open to any suggestions, insights, or alternative approaches that the SNORT community might have to offer. Your expertise and guidance would be greatly appreciated.

Thank you in advance for your time and assistance.

Best regards,
Geriot
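The cross-host state the post asks for (remember who first sent a payload to a destination, alert when the same payload later arrives from a different source) is per-destination rather than per-session, which is why per-flow flowbits cannot carry it. The following is an added example, not from the post or from Snort, of that stateful check written as a standalone Python detector over constructed UDP packet tuples that mirror the post's 1.1.1.1/2.2.2.2/4.4.4.4 -> 3.3.3.3 scenario; the `Packet` shape, the time window and the partial-match `prefix_len` option are assumptions for the example.

```python
import hashlib
from collections import defaultdict, namedtuple

# ts in seconds; payload is the UDP datagram body (constructed, not captured)
Packet = namedtuple("Packet", "ts src dst dport payload")

class ReplayDetector:
    """Remembers which host first sent a payload to a destination socket and
    flags the same payload arriving from a different host within the window,
    i.e. the cross-session state that per-session flowbits cannot carry."""

    def __init__(self, window=30.0, prefix_len=None):
        self.window = window          # seconds a fingerprint stays valid
        self.prefix_len = prefix_len  # None = whole payload, int = partial match
        self._seen = defaultdict(dict)  # (dst, dport) -> fp -> (first_src, last_ts)

    def _fingerprint(self, payload):
        data = payload if self.prefix_len is None else payload[: self.prefix_len]
        return hashlib.sha256(data).hexdigest()

    def observe(self, pkt):
        """Return an alert dict for a cross-host replay, otherwise None."""
        table = self._seen[(pkt.dst, pkt.dport)]
        for fp in [f for f, (_, t) in table.items() if pkt.ts - t > self.window]:
            del table[fp]                    # expire stale fingerprints
        fp = self._fingerprint(pkt.payload)
        if fp not in table:
            table[fp] = (pkt.src, pkt.ts)    # "rule 1" role: record the origin
            return None
        first_src, _ = table[fp]
        table[fp] = (first_src, pkt.ts)      # refresh timer, keep original sender
        if first_src == pkt.src:
            return None                      # retransmit by the same host
        return {"sid": 2, "original_src": first_src, "replay_src": pkt.src,
                "dst": f"{pkt.dst}:{pkt.dport}", "fingerprint": fp[:16]}

def run(packets, **kw):
    """Feed packets in order and return the list of alerts raised."""
    det = ReplayDetector(**kw)
    return [a for a in (det.observe(p) for p in packets) if a]

# constructed sample traffic mirroring the post's scenario on UDP/1234
SAMPLE = [
    Packet(0.0, "2.2.2.2", "3.3.3.3", 1234, b"AUTH token=abc123"),
    Packet(1.0, "4.4.4.4", "3.3.3.3", 1234, b"AUTH token=zzz999"),
    Packet(2.0, "2.2.2.2", "3.3.3.3", 1234, b"AUTH token=abc123"),  # retransmit
    Packet(3.0, "1.1.1.1", "3.3.3.3", 1234, b"AUTH token=abc123"),  # replay
    Packet(60.0, "5.5.5.5", "3.3.3.3", 1234, b"AUTH token=zzz999"),  # expired
]
```

Running `run(SAMPLE)` yields one alert (the 1.1.1.1 copy of the 2.2.2.2 payload); `run(SAMPLE, prefix_len=5)` also flags the 4.4.4.4 packet because only the `AUTH ` prefix is compared, which is the partial-match case the post mentions.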