Find snort 3 equivalent rule to ET

Wonxie
Level 1

Hi,

I have deployed Security Onion using the Snort 2 engine. I am getting alerts for some ET rules; how do I find the equivalent rule to block it on FMC/FTD?

Suppose I have the rule below. How do I find the Snort 3 equivalent and block it, as it is passed by FMC/FTD and our IDS is detecting it?

ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (frightysever .org) - 2048997

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (frightysever .org)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|frightysever|03|org|00|"; fast_pattern; nocase; distance:1; within:18; classtype:trojan-activity; sid:2048997; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2023_10_30, deployment Perimeter, performance_impact Low, confidence High, signature_severity Minor, tag Exploit_Kit, tag ta569, tag TDS, updated_at 2023_10_30, reviewed_at 2023_10_30;)
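As an added illustration (not code from the thread, from Cisco, or from Emerging Threats), the Python below rewrites the Snort 2 rule quoted above into Snort 3 syntax by folding each content's trailing modifiers (offset, depth, distance, within, nocase, fast_pattern) into the content option itself, which is the same rewrite that snort2lua, the converter shipped with Snort 3, performs on rule files. It then applies the converted rule's content logic to constructed DNS query payloads to show what the rule does and does not match. The rule's metadata options are omitted for brevity, the DNS queries are built inline, and the mini-matcher is a simplified model of Snort's offset/depth/distance/within semantics, not Snort's code. ET rules are a separate rule set from the Talos rules shipped with FMC, so in practice the converted rule is imported as a custom (local) rule rather than found among the existing ones.

```python
"""Added example: Snort 2 -> Snort 3 content-modifier rewrite, checked against
constructed DNS queries. Not code from the forum thread or any vendor."""
import re
import struct

# The ET rule from the question, metadata options omitted for brevity.
SNORT2_RULE = (
    'alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS TA569 Keitaro TDS '
    'Domain in DNS Lookup (frightysever .org)"; content:"|01|"; offset:2; depth:1; '
    'content:"|00 01 00 00 00 00 00|"; distance:1; within:7; '
    'content:"|0c|frightysever|03|org|00|"; fast_pattern; nocase; distance:1; '
    'within:18; classtype:trojan-activity; sid:2048997; rev:1;)'
)

# Snort 2 options that Snort 3 expects as comma-separated modifiers inside content.
CONTENT_MODIFIERS = {"offset", "depth", "distance", "within", "nocase", "fast_pattern"}


def split_options(body):
    """Split a rule option body on ';' that sit outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def snort2_to_snort3(rule):
    """Rewrite 'content:"x"; offset:2; depth:1;' as 'content:"x",offset 2,depth 1;'."""
    header, body = rule.split("(", 1)          # header has no parentheses
    body = body.rsplit(")", 1)[0]              # drop the closing paren of the rule
    out = []
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        name = name.strip()
        if name in CONTENT_MODIFIERS and out and out[-1].startswith("content:"):
            out[-1] += "," + (f"{name} {value.strip()}" if value else name)
        else:
            out.append(opt)
    return f"{header}({'; '.join(out)};)"


def decode_content(text):
    """Turn a Snort content literal with |hex| sections into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode("latin-1")
    return bytes(out)


def parse_contents(snort3_rule):
    """Extract (pattern bytes, modifier dict) pairs from a Snort 3 style rule."""
    body = snort3_rule.split("(", 1)[1].rsplit(")", 1)[0]
    contents = []
    for opt in split_options(body):
        m = re.match(r'content:"([^"]*)"(.*)', opt)
        if not m:
            continue
        mods = {}
        for mod in filter(None, (s.strip() for s in m.group(2).split(","))):
            key, _, val = mod.partition(" ")
            mods[key] = int(val) if val else True
        contents.append((decode_content(m.group(1)), mods))
    return contents


def rule_matches(contents, payload):
    """Simplified model of Snort content matching, applied in rule order."""
    cursor = 0  # end of the previous match; distance/within are relative to it
    for pattern, mods in contents:
        hay = payload
        if mods.get("nocase"):
            hay, pattern = payload.lower(), pattern.lower()
        if "distance" in mods or "within" in mods:      # relative search window
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(hay)
        else:                                             # absolute search window
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(hay)
        idx = hay.find(pattern, start, end)  # whole pattern must fit inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def build_dns_query(qname, txid=0x1234):
    """Constructed sample payload: a standard recursive A query to port 53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


SNORT3_RULE = snort2_to_snort3(SNORT2_RULE)
CONTENTS = parse_contents(SNORT3_RULE)


def detects(qname):
    """Would the converted rule fire on a query for this name?"""
    return rule_matches(CONTENTS, build_dns_query(qname))


if __name__ == "__main__":
    print(SNORT3_RULE)
    for name in ("frightysever.org", "FRIGHTYSEVER.ORG", "www.frightysever.org", "example.com"):
        print(f"{name:25s} -> {detects(name)}")
```

The matcher also makes a caveat of the original rule visible: because the last content is 18 bytes long and is constrained by within:18 right after the 12-byte header, only a query for the bare apex name matches; a query for a subdomain such as www.frightysever.org does not fire this rule.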


2 Replies

Can you elaborate more?

MHM 

Hi MHM,

I have Cisco FMC/FTD with Snort 3. In parallel to it we also have Security Onion 16 installed, and sometimes I see alerts on Security Onion which are not present on the FMC. So if I see them to be of concern, I go and block them in our FMC Snort 3 rules. For that I need to find the Snort 3 equivalent of the alerts being generated by Snort 2 on Security Onion.
