Snort mailing list archives
One of the 2483 unnamed Interocitor parts...
From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 14 Oct 2010 22:08:10 -0500
A stupid script I cooked up today while optimizing some ET rules. This script will parse a user-provided file containing snort output and compare it to a file containing patterns you never want to have end up in fast_pattern as the final match. It then prints the relative block of fast_pattern debug and optionally the rule if the user provides a rule glob. You can also do case-insensitive matches via -i. Maybe I can add some sort of regex matching in the blacklist matching if anybody cares, but for my needs, it works ok for now ;-).

Regards,

Will

python script: http://rules.emergingthreats.net/projects/blackpattern/blackpattern.py
sample pattern blacklist: http://rules.emergingthreats.net/projects/blackpattern/fpblacklist.txt

./blackpattern.py

1. Enable fast pattern debug in your snort.conf on the config detection line:
   "config detection: search-method ac-split search-optimize max-pattern-len 20 debug-print-fast-pattern"

2. Run snort, redirecting output to a file:
   snort -c snort-vrt.conf -l ./ -r empty.pcap >output.txt 2>&1

3. Run the script:
   usage: %prog -s <snort output file> -b <file containing blacklist patterns one per line> -r <optional rules glob> -i <optional case insensitive blacklist matches>

Sample Output: fpblacklist.txt contains a couple of variations of User-Agent matches..
snort -c snort-vrt.conf -l ./ -r empty.pcap >output.txt 2>&1
./blackpattern.py -s output.txt -b fpblacklist.txt -i -r a-couple-of-old.rules

Match of case insensitive Blacklist Entry:USER-AGENT:
1:2003347
Fast pattern matcher: Normal Content
Fast pattern set: no
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"USER-AGENT:"
Final pattern
"USER-AGENT:"
rules matching sid 2003347
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gamehouse.com User Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"GAMEHOUSE"; within:150; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Gamehouse; sid:2003347; rev:7;)

Match of case insensitive Blacklist Entry:|0D 0A|USER-AGENT:
1:2010089
Fast pattern matcher: Normal Content
Fast pattern set: no
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"|0D 0A|User-Agent:"
Final pattern
"|0D 0A|User-Agent:"
rules matching sid 2010089
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing Security Scan/ner, Likely Scan"; flow:established,to_server; content:"|0d 0a|User|2D|Agent|3A|"; content:"security"; nocase; within:200; content:"scan"; nocase; distance:0; pcre:"/User-Agent\x3A[^\n]+security[^\n]+scan/i"; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2010089; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_UA; sid:2010089; rev:2;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
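As an added example (not the author's blackpattern.py and not Emerging Threats code), here is the core of what such a script has to do, in Python: split Snort's debug-print-fast-pattern output into per-sid blocks, pull out the final pattern, compare it against a blacklist (case-insensitively when asked, like -i), and print the block plus the rule with that sid from a rules file. The sample Snort output, blacklist and rule text are constructed inline from the two sids shown in the post above; the exact line layout of Snort's debug blocks is an assumption, so the parser accepts the quoted pattern either on the "Final pattern" header line or on the line after it. It goes one step beyond the post in one respect: |hex| escapes are normalised to upper case even without -i, since |0d 0a| and |0D 0A| denote the same bytes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of debug-print-fast-pattern output for the two sids on this
# page. Assumed layout: one field per line, quoted pattern on the line after the
# "Original pattern"/"Final pattern" header (the parser also accepts it inline).
SAMPLE_SNORT_OUTPUT = """\
1:2003347
Fast pattern matcher: Normal Content
Fast pattern set: no
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"USER-AGENT:"
Final pattern
"USER-AGENT:"
1:2010089
Fast pattern matcher: Normal Content
Fast pattern set: no
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"|0D 0A|User-Agent:"
Final pattern
"|0D 0A|User-Agent:"
"""
# Constructed blacklist: one pattern per line, '#' lines are comments.
SAMPLE_BLACKLIST = """\
# fast patterns that hit nearly every HTTP request
User-Agent:
|0d 0a|User-Agent:
"""
# The sid 2003347 rule from the page, reference options dropped for brevity.
SAMPLE_RULES = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gamehouse.com User Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"GAMEHOUSE"; within:150; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/i"; classtype:trojan-activity; sid:2003347; rev:7;)
"""

BLOCK_START = re.compile(r"^(\d+):(\d+)$")  # "gid:sid" opens a block
QUOTED = re.compile(r'"(.*)"\s*$')           # the pattern text itself
HEX_RUN = re.compile(r"\|[0-9A-Fa-f ]+\|")   # |0d 0a| byte escapes

@dataclass
class FastPatternBlock:
    gid: int
    sid: int
    lines: List[str]  # raw block text, reprinted on a hit

    def pattern(self, header: str) -> Optional[str]:
        """Quoted pattern after `header`, on that line or the one below it."""
        for i, line in enumerate(self.lines):
            if line.startswith(header):
                for cand in self.lines[i:i + 2]:
                    m = QUOTED.search(cand)
                    if m:
                        return m.group(1)
        return None

def parse_blocks(text: str) -> List[FastPatternBlock]:
    # Anything before the first gid:sid line is Snort start-up chatter; drop it.
    blocks: List[FastPatternBlock] = []
    for line in text.splitlines():
        m = BLOCK_START.match(line.strip())
        if m:
            blocks.append(FastPatternBlock(int(m.group(1)), int(m.group(2)), [line]))
        elif blocks:
            blocks[-1].lines.append(line)
    return blocks

def normalize(pattern: str, ignore_case: bool) -> str:
    """|0d 0a| and |0D 0A| are the same bytes: hex is always upper-cased, text only with -i."""
    norm = HEX_RUN.sub(lambda m: m.group(0).upper(), pattern)
    return norm.upper() if ignore_case else norm

def load_blacklist(text: str) -> List[str]:
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def find_matches(blocks, blacklist, ignore_case=False):
    """(entry, block) pairs whose *final* fast pattern equals a blacklist entry."""
    keyed = {normalize(p, ignore_case): p for p in blacklist}
    hits = []
    for blk in blocks:
        fp = blk.pattern("Final pattern")
        if fp is not None and normalize(fp, ignore_case) in keyed:
            hits.append((keyed[normalize(fp, ignore_case)], blk))
    return hits

def rules_for_sid(rules_text: str, sid: int) -> List[str]:
    """Rule lines carrying 'sid:<sid>;' (what the -r glob is searched for)."""
    return [r for r in rules_text.splitlines() if re.search(r"\bsid\s*:\s*%d\s*;" % sid, r)]

def report(hits, rules_text=None, ignore_case=False) -> str:
    label = "case insensitive " if ignore_case else ""
    out = []
    for entry, blk in hits:
        out += [f"Match of {label}Blacklist Entry:{entry}", *blk.lines]
        if rules_text is not None:
            out += [f"rules matching sid {blk.sid}", *rules_for_sid(rules_text, blk.sid)]
    return "\n".join(out)
```

To run it against real files, pass the contents of output.txt, fpblacklist.txt and the concatenated files from the -r glob to parse_blocks, load_blacklist and report in place of the constructed samples. Why a hit matters: the fast pattern is the pre-filter that decides whether a rule's remaining options are evaluated at all, and Snort picks the longest content by default, so in sid 2003347 the 11-byte "User-Agent|3a|" wins over the 9-byte "GAMEHOUSE" and nearly every HTTP request is pushed through the full rule. Putting fast_pattern; on the content:"GAMEHOUSE" match fixes that. (The upper-cased "USER-AGENT:" in the debug block is how Snort stores a nocase content; sid 2010089's content has no nocase, so its pattern keeps its case.)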