Snort mailing list archives

Re: help writing snort rule


From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 26 Jan 2007 10:45:29 -0500

Bill,

Thanks for writing!

It looks like you have a couple of issues.
#1 -- You need to have your rule all on one line, or you need to use the "\" character at the end of your line in order
to continue to the next line.  Like:

    alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004 )

You also don't have a ";" at the end of your sid.

    alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

You also need to consider making your "ip" rule a tcp or udp rule.  If you are interested in both pieces of traffic,
then it would be faster and more efficient to write two rules, one for tcp and one for udp.

    alert tcp any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

    alert udp any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000005; )

In your TCP rule, it would be faster to add a flow statement.

    alert tcp any any -> $EXTERNAL_NET any \
    (flow:established,from_client; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

That rule will look for SSNs from a client (you INITIATING the conversation) in an established TCP session.

It's also not good to have a pure pcre rule.  Rules are 100x more efficient with a preceding content statement.
Now, I don't know what kind of content statement you could expect to be in your traffic.  Maybe the abbreviation "SSN"?

    alert tcp any any -> $EXTERNAL_NET any \
    (msg:"SSN Detected in Clear Text"; flow:established,from_client; content:"SSN"; \
    pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; \
    sid: 1000004; )

You could even get fancier and use a backreference in your pcre to tell the second delimiter to be what the first
delimiter was.  But I'll leave that for you to do :)
You may also want to get rid of your "any any" statement.

Does this help any?

Joel


On Thu, Jan 25, 2007 at 10:56:24PM -0800, it looks like Bill Lopez sent me:

   Trying to write a simple rule to parse for SSN in plain text - what am
   I doing wrong??

   alert ip any any -> $EXTERNAL_NET any
   (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
   Text"; sid: 1000004 )

   rule returns this error

   ERROR: Unterminated rule in file /etc/snort/rules/TEST.rules, line 5
      (Snort rules must be contained on a single line or
       on multiple lines with a '\' continuation character
       at the end of the line,  make sure there are no
       carriage returns before the end of this line)
   Fatal Error, Quitting..

   Have tried multiple versions of pcre string but always return the same
   error..

   Bill Lopez
   Operating Engineers Trust Funds
   (626) 356-3524
   (626) 255-1066

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
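A worked illustration of two points in the reply above (the content-before-pcre evaluation order, and the backreference variant of the pattern that makes both delimiters agree). This is an added example in Python, not code from the thread or from Snort; the sample payloads are constructed, and the "SSN" content prefilter is the guess made in the reply, not a fact about the traffic.

```python
import re

# The pattern as posted in the thread: each delimiter is optional and chosen
# independently, so "123 45-6789" (mixed) and "123456789" (none) both match.
SSN_LOOSE = re.compile(r"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}")

# The backreference variant the reply hints at: \1 forces the second delimiter
# to equal the first (an empty first delimiter forces an empty second one), so
# a mixed "123 45-6789" no longer matches.
SSN_STRICT = re.compile(r"\d{3}([\s-]?)\d{2}\1\d{4}")

# The cheap content anchor. Assumption carried over from the reply: the traffic
# labels the number with "SSN". Snort's content match is case-sensitive unless
# the rule adds "nocase", so this check is case-sensitive too.
CONTENT = b"SSN"


def find_ssns(payload: bytes, strict: bool = False, prefilter: bool = True) -> list:
    """Mimic the evaluation order the reply recommends.

    The fixed-string content check runs first; the pcre runs only on payloads
    that pass it.  Returns the matched substrings in payload order.
    """
    if prefilter and CONTENT not in payload:
        return []
    pattern = SSN_STRICT if strict else SSN_LOOSE
    # Snort applies the pcre to raw payload bytes; latin-1 maps every byte to
    # exactly one code point, so nothing is lost or altered in the decode.
    return [m.group(0) for m in pattern.finditer(payload.decode("latin-1"))]


# Constructed sample payloads, standing in for reassembled client-to-server data.
SAMPLES = [
    b"SSN: 123-45-6789",            # well-formed, "SSN" present
    b"SSN 123 45-6789",             # mixed delimiters, "SSN" present
    b"Order id 123456789 shipped",  # nine bare digits, no "SSN" label
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload,
              "loose:", find_ssns(payload),
              "strict:", find_ssns(payload, strict=True),
              "no prefilter:", find_ssns(payload, prefilter=False))
```

Running it shows the trade-off the reply describes: with the prefilter on, the nine bare digits in the order line never reach the regex at all, which is exactly the saving a leading content statement buys in Snort, and it is also the false negative you accept if the real traffic does not carry the "SSN" label. The strict pattern drops the mixed-delimiter hit while still accepting the undelimited nine-digit form, so it narrows the match without closing that case.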


