Snort mailing list archives

Re: Rule assist


From: Nathan Benson <nathan () sourcefire com>
Date: Tue, 12 Mar 2013 15:40:27 -0500

Hi James,

Just eyeballing this quickly, your last content match is the 02, so your
cursor would be directly *after* the 02, not before it.  So the next byte
would be 0x32, not 0x02:

=================-v  Using /R would put you here:
01 00 00 00 00 00 00 02 32
==============--^   But not here.

Also, is there a reason you didn't append the |02| in the content match to
the end of your first content match (|01 00 00 01 00 00 00 00 00 00|)?  If
you were looking to include 02 in your pcre, remove the content match for
02 altogether, then your pcre as it stands should fire if you added the /R.

I took your payload above and cooked up a quick pcap and put together a few
examples of different ways to write what I think you are trying to do.  If
you are looking to examine a DNS request/response there are flags/bits you
can test for using byte_test to ensure it's the type of request you want.
I didn't do that in the examples below, and I removed your negative
content match and added flow.

Play around with these and see what kind of detection or performance you
get.  You may be surprised.  There are folded versions of the rules at the
bottom.

alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; \
   content:"|02|"; within:1; \
   pcre:"/\x02[0-9]{2}/m"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000044; rev:1; \
)
# Your rule without the |02| content match
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; \
   pcre:"/^\x02[0-9]{2}/R"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000045; rev:1; \
)
# Your rule with the |02| added to the first content match
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \
   pcre:"/^[0-9]{2}/R"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000046; rev:1; \
)
# Include your 02 as part of the first content match, and then anchor at
# the beginning.
# ^.{2} == offset:2;
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \
   pcre:"/^.{2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02[0-9]{2}/"; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000047; rev:1; \
)
# Same thing, just no pcre. The byte_tests are reading the hex value of the
# two bytes and evaluating them.  Note the different ways you can do this.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
   msg:"EXPLOIT-KIT Possible BEK host lookup"; \
   flow:to_server; \
   content:"|01 00 00 01 00 00 00 00 00 00 02|"; offset:2; depth:11; \
   #
   # ASCII/decimal representation of [0-9]{2} (0x30-0x39)
   #byte_test:1,>=,0,0,relative,string; \
   #byte_test:1,<=,9,0,relative,string; \
   #byte_test:1,>=,0,1,relative,string; \
   #byte_test:1,<=,9,1,relative,string; \
   #
   # Hex representation of the ASCII [0-9]{2}
   byte_test:1,>=,0x30,0,relative; \
   byte_test:1,<=,0x39,0,relative; \
   byte_test:1,>=,0x30,1,relative; \
   byte_test:1,<=,0x39,1,relative; \
   reference:url,urlquery.net/report.php?id=1313067; \
   classtype:bad-unknown; \
   sid:20000048; rev:1; \
)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|";
depth:10; offset:2; content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
reference:url,urlquery.net/report.php?id=1313067; classtype:bad-unknown;
sid:20000044; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|";
offset:2; depth:10; pcre:"/^\x02[0-9]{2}/R"; reference:url,
urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000045;
rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|";
offset:2; depth:11; pcre:"/^[0-9]{2}/R"; reference:url,
urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000046;
rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|";
offset:2; depth:11;
pcre:"/^.{2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02[0-9]{2}/";
reference:url,urlquery.net/report.php?id=1313067; classtype:bad-unknown;
sid:20000047; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK
host lookup"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 02|";
offset:2; depth:11; byte_test:1,>=,0x30,0,relative;
byte_test:1,<=,0x39,0,relative; byte_test:1,>=,0x30,1,relative;
byte_test:1,<=,0x39,1,relative; reference:url,
urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:20000048;
rev:1;)


nb
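An added illustration, not code from the thread or from Snort: a small Python model of the content/pcre/byte_test cursor semantics discussed above, run over James's payload. It shows why the posted rule fires without /R but not with it (the |02| content match has already moved the cursor past the 02), and that sids 20000045 and 20000048 fire on the same packet. The function names are constructed for this example; the window rules follow Snort's documented offset/depth/within and relative behaviour.

```python
import re

# DNS query payload, constructed from the hexdump in James's post.
PAYLOAD = bytes.fromhex(
    "fd64010000010000000000000232301070686363"
    "6f6663616c69666f726e696103636f6d0000010001")
HDR = bytes.fromhex("01000001000000000000")  # |01 00 00 01 00 00 00 00 00 00|


def content(buf, pat, cursor, offset=0, depth=None, within=None):
    """Snort content: return the cursor (index just past the match) or None.
    within=N searches the N bytes after the current cursor; otherwise
    offset/depth bound the search from the start of the payload."""
    if within is not None:
        lo, hi = cursor, cursor + within
    else:
        lo, hi = offset, len(buf) if depth is None else offset + depth
    i = buf.find(pat, lo, hi)
    return None if i < 0 else i + len(pat)


def pcre(buf, regex, cursor, relative=False):
    """Snort pcre: with /R the search starts at the cursor, so ^ anchors there.
    The buffer is sliced rather than searched with pos so ^ binds to the cursor."""
    start = cursor if relative else 0
    m = re.search(regex, buf[start:])
    return None if m is None else start + m.end()


def byte_test(buf, nbytes, op, value, off, cursor):
    """Snort byte_test with relative: compare the big-endian int at cursor+off."""
    v = int.from_bytes(buf[cursor + off:cursor + off + nbytes], "big")
    return {">": v > value, "<": v < value, "=": v == value,
            ">=": v >= value, "<=": v <= value}[op]


def james_rule(buf, add_r=False):
    """sid 20000044: header, then |02| within:1, then the pcre. add_r=True is
    the /R variant that did not fire: the cursor is already past the 02."""
    c = content(buf, HDR, 0, offset=2, depth=10)
    c = None if c is None else content(buf, b"\x02", c, within=1)
    return c is not None and pcre(buf, rb"\x02[0-9]{2}", c, add_r) is not None


def rule_20000045(buf):
    """Drop the |02| content match and let the /R pcre consume it."""
    c = content(buf, HDR, 0, offset=2, depth=10)
    return c is not None and pcre(buf, rb"^\x02[0-9]{2}", c, True) is not None


def rule_20000048(buf):
    """Fold 02 into the content match, then byte_test the two label bytes."""
    c = content(buf, HDR + b"\x02", 0, offset=2, depth=11)
    return c is not None and all(
        byte_test(buf, 1, ">=", 0x30, i, c) and byte_test(buf, 1, "<=", 0x39, i, c)
        for i in (0, 1))
```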

On Tue, Mar 12, 2013 at 11:01 AM, James Lay <jlay () slave-tothe-box net> wrote:

Hey all,

Been trying to get this rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup";
content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
reference:url,https://urlquery.net/report.php?id=1313067;
classtype:bad-unknown; sid:10000044; rev:1;)

To match and it's working, but I would like to tighten it up.  Payload:

00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10 .d...... .....20.
00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61 phccofca lifornia
00000020  03 63 6f 6d 00 00 01 00  01                      .com.... .

It always amazes me when I work with the pcre: function how little I
understand it ;)  I always want to treat it like a content: and start
applying things like depth: and offset:.  That being said, if I add a R
to my pcre, it doesn't fire, which I don't understand.  I understand R
as a pcre: modifier to match the relative end of the last pattern match,
which in my case would be matching the |02| yes?  What am I missing in
my logic?  Thanks all.

James


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
