Snort mailing list archives



From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 14 Oct 2010 22:08:10 -0500

A stupid script I cooked up today while optimizing some ET rules. This
script will parse a user provided file containing snort output and
compare it to a file containing patterns you never want to have end up
in fast_pattern as the final match. It then prints the relative block
of fast_pattern debug and optionally the rule if the user provides a
rule glob.  You can also do case insensitive matches via -i.  Maybe I
can add some sort of regex matching in the black list matching if
anybody cares, but for my needs, it works ok for now ;-).

Regards,

Will

python script:
http://rules.emergingthreats.net/projects/blackpattern/blackpattern.py

sample pattern blacklist:
http://rules.emergingthreats.net/projects/blackpattern/fpblacklist.txt

./blackpattern.py
    1. Enable fast pattern debug in your snort.conf on the config
detection line "config detection: search-method ac-split
search-optimize max-pattern-len 20 debug-print-fast-pattern"
    2. Run snort redirecting output to a file: snort -c snort-vrt.conf
-l ./ -r empty.pcap >output.txt 2>&1
    3. Run the script
 usage: %prog -s <snort output file> -b <file containing blacklist
patterns one per line> -r <optional rules glob> -i <optional case
insensitive blacklist matches>

Sample Output:
fpblacklist.txt contains a couple of variations of User-Agent matches.

 snort -c snort-vrt.conf -l ./ -r empty.pcap >output.txt 2>&1
./blackpattern.py -s output.txt -b fpblacklist.txt -i -r a-couple-of-old.rules

Match of case insensitive Blacklist Entry:USER-AGENT:
1:2003347
  Fast pattern matcher: Normal Content
  Fast pattern set: no
  Fast pattern only: no
  Negated: no
  Pattern offset,length: none
  Pattern truncated: no
  Original pattern
    "USER-AGENT:"
  Final pattern
    "USER-AGENT:"

rules matching sid 2003347

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
USER_AGENTS Gamehouse.com User Agent (GAMEHOUSE.NET.URL)";
flow:to_server,established; content:"User-Agent|3a|"; nocase;
content:"GAMEHOUSE"; within:150;
pcre:"/User-Agent\:[^\n]+GAMEHOUSE/i"; classtype:trojan-activity;
reference:url,doc.emergingthreats.net/2003347;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Gamehouse;
sid:2003347; rev:7;)

Match of case insensitive Blacklist Entry:|0D 0A|USER-AGENT:
1:2010089
  Fast pattern matcher: Normal Content
  Fast pattern set: no
  Fast pattern only: no
  Negated: no
  Pattern offset,length: none
  Pattern truncated: no
  Original pattern
    "|0D 0A|User-Agent:"
  Final pattern
    "|0D 0A|User-Agent:"

rules matching sid 2010089

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
Suspicious User-Agent Containing Security Scan/ner, Likely Scan";
flow:established,to_server; content:"|0d 0a|User|2D|Agent|3A|";
content:"security"; nocase; within:200; content:"scan"; nocase;
distance:0; pcre:"/User-Agent\x3A[^\n]+security[^\n]+scan/i";
classtype:attempted-recon;
reference:url,doc.emergingthreats.net/2010089;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UA;
sid:2010089; rev:2;)
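The matching described above (split the debug-print-fast-pattern output into per-sid blocks, compare each block's final pattern against the blacklist, optionally case-insensitively, then look the sid up in a rules file) as an added, stand-alone example; this is not blackpattern.py itself, and the debug output, blacklist and rules below are constructed samples, with sid 9000001 a placeholder. It treats a blacklist entry as a hit only when it equals the whole final pattern, which is an assumption about how the script compares.

```python
import re

# Constructed, abbreviated snort "debug-print-fast-pattern" output (not a real capture)
SNORT_DEBUG = """\
1:2003347
  Fast pattern matcher: Normal Content
  Original pattern
    "USER-AGENT:"
  Final pattern
    "USER-AGENT:"

1:2010089
  Fast pattern matcher: Normal Content
  Final pattern
    "|0D 0A|User-Agent:"

1:9000001
  Fast pattern matcher: Normal Content
  Final pattern
    "GAMEHOUSE"
"""
# Constructed blacklist, one entry per line as in fpblacklist.txt
BLACKLIST = ["USER-AGENT:", "|0D 0A|USER-AGENT:"]
# Constructed one-rule-per-line rules file (trimmed versions of the two rules in the mail)
RULES = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gamehouse"; '
    'content:"User-Agent|3a|"; nocase; content:"GAMEHOUSE"; within:150; sid:2003347; rev:7;)\n'
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious UA"; '
    'content:"|0d 0a|User|2D|Agent|3A|"; content:"scan"; nocase; sid:2010089; rev:2;)\n'
)
BLOCK_HEADER = re.compile(r"^(\d+):(\d+)\s*$")  # the gid:sid line that opens each block

def parse_fast_pattern_blocks(text):
    """Return (sid, final_pattern, block_text) for every debug block in the output."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = BLOCK_HEADER.match(line)
        if m:
            cur = {"sid": int(m.group(2)), "final": None, "lines": [line]}
            blocks.append(cur)
        elif cur is not None:
            cur["lines"].append(line)
            if cur["lines"][-2].strip() == "Final pattern":  # value follows the label line
                cur["final"] = line.strip().strip('"')
    return [(b["sid"], b["final"], "\n".join(b["lines"]).rstrip()) for b in blocks]

def blacklisted_blocks(debug_text, blacklist, ignore_case=False):
    """Return (sid, blacklist_entry, block_text) for blocks whose final pattern is blacklisted."""
    norm = (lambda s: s.upper()) if ignore_case else (lambda s: s)  # -i behaviour
    wanted = {norm(e.strip()): e.strip() for e in blacklist if e.strip()}
    return [(sid, wanted[norm(fin)], blk) for sid, fin, blk in parse_fast_pattern_blocks(debug_text)
            if fin is not None and norm(fin) in wanted]

def rules_for_sid(rules_text, sid):
    """Return the rule lines carrying the given sid, so the rule can be printed beside the block."""
    pat = re.compile(r"\bsid\s*:\s*%d\s*;" % sid)
    return [ln for ln in rules_text.splitlines() if pat.search(ln)]
```

With a real snort output file and rules glob, read the files into `SNORT_DEBUG`, `BLACKLIST` and `RULES` and print each returned block followed by `rules_for_sid(...)`.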

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
