Re: Assistance w rule that detects traffic to *IP only* URL

["Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>]

Dave,

I think what you're trying to do is something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL detection of dotted quad IPv4 address in Host field of 
http_header"; flow:to_server,established; content:"|0d 0a|Host:"; nocase; http_header; content:"|0d 0a|"; within:25; 
http_header; 
pcre:"/Host\x3a\x20+(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x0d\x0a/H";
 metadata:service http; classtype:misc-activity; sid:1;)

I don't know if that will actually work btw...





> On Jun 5, 2019, at 7:27 AM, Joel Esler (jesler) via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Also, your rule won’t work.  But I need to get to a real keyboard.  
>
> Sent from my  iPhone
>
> On Jun 5, 2019, at 00:27, Dave Killion via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () lists 
> snort org>> wrote:
>
> > Now, the shortcomings of my signature:
> > No IPv6 support
> > No Port Number support
> > Really quick-and-dirty IP detection - could be much better, at a cost of increased performance impact
> > Probably other issues I can't think of at the moment
> > it's not perfect, but it gets the job done, mostly, and it should be a suitable starting point to tweak from should 
> > these features/scenarios be needed.
> >
> > -Dave
> >
> > On Tue, Jun 4, 2019 at 9:18 PM Dave Killion <dave.killion () gmail com <mailto:dave.killion () gmail com>> wrote:
> > Al,
> >
> > He's not trying to match based upon the source/destination IP address, he's wanting to know when an HTTP request 
> > contains ANY IP address in the URL itself.
> >
> > e.g. a user/process accesses http://1.2.3.4/foo/bar/index.html vs http://www.somewebsite.com 
> > <http://www.somewebsite.com/>/foo/bar/index.html
> >
> > The HOST portion of those URL's get broken out into an HTTP Header (called "Host:") as part of the request.  That is:
> >
> > GET /foo/bar/index.html HTTP/1.1
> > Host: 1.2.3.4
> >
> > vs
> >
> > GET /foo/bar/index.html HTTP/1.1
> > Host: www.somewebsite.com <http://www.somewebsite.com/>
> >
> > My signature suggestion attempts to target the Host: HTTP header and write a pattern that detects when it's all 
> > numbers (an IP address) vs. a fully-qualified domain name.
> >
> > It's pretty much the only way to do it.
> >
> > -Dave
> >
> >
> > On Tue, Jun 4, 2019 at 6:39 PM Al Lewis (allewi) <allewi () cisco com <mailto:allewi () cisco com>> wrote:
> > If you are looking for the ip address in the payload then you can use the content keyword (which I don’t think you 
> > are trying to do).
> >
> >  
> >
> > You will need to match using the rule header. The content keyword wont work on the rule header fields.
> >
> >  
> >
> > http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html 
> > <http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html>
> >  
> >
> >  
> >
> > Albert Lewis
> >
> > ENGINEER.SOFTWARE ENGINEERING
> >
> > Cisco Systems Inc.
> >
> > Email: allewi () cisco com <mailto:allewi () cisco com>
> >  
> >
> >  
> >
> >  
> >
> > From: Snort-sigs <snort-sigs-bounces () lists snort org <mailto:snort-sigs-bounces () lists snort org>> on behalf of 
> > Dave Killion via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () lists snort org>>
> > Reply-To: Dave Killion <dave.killion () gmail com <mailto:dave.killion () gmail com>>
> > Date: Tuesday, June 4, 2019 at 9:35 PM
> > To: John Davis <sleepy.eyed.profit () gmail com <mailto:sleepy.eyed.profit () gmail com>>
> > Cc: "snort-sigs () lists snort org <mailto:snort-sigs () lists snort org>" <snort-sigs () lists snort org 
> > <mailto:snort-sigs () lists snort org>>
> > Subject: Re: [Snort-sigs] Assistance w rule that detects traffic to *IP only* URL
> >
> >  
> >
> > A minor adjustment:
> >
> >  
> >
> > alert tcp any any -> any 80 (content:"| 0d 0a|Host:"; nocase; pcre:"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}| 
> > 0d 0a|"; within:20; http_header;)  
> >
> >  
> >
> > The signature as-written could FP on "1.2.3.4.com <http://1.2.3.4.com/>" or whatever.  I added looking for the 
> > header line ending \r\n.  
> >
> >  
> >
> > I also added the http_header option which I believe should further limit the inspection depth to just the header.
> >
> >  
> >
> > Play around with that to see if it still works.  
> >
> >  
> >
> > -Dave
> >
> >  
> >
> > On Tue, Jun 4, 2019 at 6:26 PM Dave Killion <dave.killion () gmail com <mailto:dave.killion () gmail com>> wrote:
> >
> > Hey John,
> >
> >  
> >
> > So when the HTTP request is actually made by the browser, the "host" portion of the URL is broken out and put in a 
> > separate header from the rest of the URL in the packet - aptly, the "Host: " header.
> >
> >  
> >
> > To write a signature that looks for IP's and not FQDN's when a there's an IP-based URL, you'll need to look for 
> > numbers and periods only after this header.
> >
> >  
> >
> > Something like this:
> >
> >  
> >
> > alert tcp any any -> any 80 (content:"| 0d 0a|Host:"; nocase; pcre:"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"; 
> > within:20;)
> >
> >  
> >
> > This is just off the top of my head - I've not tested this - I may have some errors in syntax there.  
> >
> >  
> >
> > It uses a content match to lock on to the Host header, nocase just to make sure there's no tomfoolery with the 
> > header characters, a regex for the IP address-style host value (a bit of brute-force, an IP starting with zero is 
> > wrong, but... whatever), and then limits the depth of the pcre check for performance.  I swagged the within 20 - it 
> > could probably be as short as 15.
> >
> >  
> >
> > Hope this helps,
> >
> >  
> >
> > Dave
> >
> >  
> >
> > On Tue, Jun 4, 2019 at 5:24 PM John Davis via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () lists 
> > snort org>> wrote:
> >
> > Ive had some exposure to creating snort rules from a previous course. Im a bit of a novice, so apologies ahead of 
> > time for any mistakes or errors in assumption. Im interested in a snort rule that can provide an alert when it 
> > detects any outbound traffic to an external URL that is referenced by IP address only. 
> > Example:
> > Internal host x browsing to http://www.cnn.com <http://www.cnn.com/> - no match to rule,  no alert 
> > Internal host x browsing to http://71.29.x.x <http://71.29.x.x/>.  matches rule, alert generated
> >
> > That example is probably most common, http traffic over port 80. However, my assumption is, any internal source that 
> > generates unencrypted requests to reach an external site URL, should most likely require a DNS query and figured 
> > that’s where the rule should perform it’s detection. Ive been searching to see if this type of rule already exists 
> > and so far, haven’t had any luck. Im also not quite sure if this is achievable or the best approach for detection, 
> > but it would appear the rule needs to be capable of making the distinction between an alphanumeric URL w a DNS 
> > record vs a URL that is identified by IP address only. Anyone that may be able to provide some perspective on this 
> > creation or point me in the right direction would be appreciated. Thanks!
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> > https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> >
> > Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> >
> > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> > <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> >
> > Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> > catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> > <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
> >
> >
> >
> >  
> >
> > --
> >
> > Dave Killion
> >
> >
> >
> >  
> >
> > --
> >
> > Dave Killion
> >
> >
> >
> > -- 
> > Dave Killion
> >
> >
> > -- 
> > Dave Killion
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> > https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> >
> > Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> >
> > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> > <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> >
> > Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> > catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> > <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
> href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Attachment: smime.p7s
Description:

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!