topic Re: Snort Signature Help Required. in Network Security

Snort Signature Help Required.

Ankush Kumar — Fri, 21 Feb 2020 15:11:31 GMT

Hi Guys,

I need one help where there as per requirement we made a custom signature on snort inbuilt in Firepower series. But the issue is its not triggering anything.

I am copying the signature which is made and its based on content. The requirement is to look into the content and in case if its matching then it should trigger an event.

alert tcp any any -> 10.X.X.X/24 any (content: "GET";content-list:"cmd"|"target"|"CONNECT";msg: "Malicious code detection";)

Regards,

Ankush Kumar

Re: Snort Signature Help Required.

Joel Esler — Tue, 23 Jan 2018 23:39:42 GMT

You need to write three different rules to do what you are trying to do here. One for each command.

Re: Snort Signature Help Required.

Ankush Kumar — Wed, 24 Jan 2018 01:17:22 GMT

Hi Joel,

Thanks for your reply.

Actually the requirement is to trigger an event whenever its matching either cmd, connect or target keywords in any content of URI.

Do you want me to write this rule in 3 times after containing different content keywords or the below one is sufficient.

alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection";flow:to_server,established;content:"cmd"; nocase; http_uri; content:"connect";nocase; http_uri; content:"target"; nocase; http_uri;)

Regards,
Ankush Kumar

Re: Snort Signature Help Required.

Joel Esler — Wed, 24 Jan 2018 02:50:59 GMT

This rule, as written will require that all three need to be in the same uri, in any order.

Re: Snort Signature Help Required.

Ankush Kumar — Wed, 24 Jan 2018 02:53:47 GMT

Hi Joel,

Thanks again for your quick response.

What in case I want either of condition then, can it be accomplished without writing three different rules mentioning different keywords or withing single rule we can accomplish?

Regards,
Ankush Kumar

Re: Snort Signature Help Required.

Joel Esler — Wed, 24 Jan 2018 13:50:41 GMT

You'd have to have a common triggering condition for all three commands.. For instance:

alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection";flow:to_server,established; content:"GET /"; depth:5; content:"GET"; http_method; content:"/"; http_uri; depth:1; pcre:"/(cmd|connect|target)/Ui; metadata:service http;)

But I would never run this rule in a production environment, because of false positives, and the fact that this rule will "enter" (or be evaluated) on literally every GET packet on the network.