01-22-2018 08:43 PM - edited 02-21-2020 07:11 AM
Hi Guys,
I need some help. As per a requirement, we made a custom signature on the Snort built into the Firepower series, but the issue is that it is not triggering anything.
I am copying the signature that was made; it is based on content. The requirement is to look into the content and, if it matches, trigger an event.
alert tcp any any -> 10.X.X.X/24 any (content: "GET";content-list:"cmd"|"target"|"CONNECT";msg: "Malicious code detection";)
Regards,
Ankush Kumar
01-24-2018 05:50 AM
You'd have to have a common triggering condition for all three commands. For instance:
alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection"; flow:to_server,established; content:"GET /"; depth:5; content:"GET"; http_method; content:"/"; http_uri; depth:1; pcre:"/(cmd|connect|target)/Ui"; metadata:service http;)
But I would never run this rule in a production environment, because of false positives, and the fact that this rule will "enter" (or be evaluated) on literally every GET packet on the network.
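As an added illustration that is not code from the thread, the following Python models the matching logic of the rule above (the "GET /" depth check, the http_method check, and the case-insensitive pcre over the URI) and runs it over constructed request lines. It shows the intended hit next to the kind of benign URI that makes the rule noisy, and that a CONNECT request never reaches the pcre at all because the rule requires GET.

```python
import re

# Constructed sample HTTP request lines (not taken from the thread).
SAMPLE_REQUESTS = [
    "GET /cmd.exe?/c+dir HTTP/1.1",             # the kind of request the poster wants flagged
    "GET /index.html HTTP/1.1",                 # ordinary page, should not fire
    "GET /images/target_logo.png HTTP/1.1",     # benign URI that still contains "target"
    "POST /cmd HTTP/1.1",                       # wrong method, rule never evaluates the URI
    "CONNECT proxy.example.test:443 HTTP/1.1",  # CONNECT method is not covered by a GET rule
]

# pcre:"/(cmd|connect|target)/Ui" -> U selects the URI buffer, i is case-insensitive
URI_PATTERN = re.compile(r"(cmd|connect|target)", re.IGNORECASE)


def rule_matches(request_line: str) -> bool:
    """Approximate the rule's content/pcre checks against one request line."""
    # content:"GET /"; depth:5;  -> the first five bytes must be exactly "GET /"
    if request_line[:5] != "GET /":
        return False
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    # content:"GET"; http_method;
    if method != "GET":
        return False
    # content:"/"; http_uri; depth:1;  -> URI must begin with "/"
    if not uri.startswith("/"):
        return False
    # pcre over the URI buffer: any of the three words anywhere in the URI fires
    return URI_PATTERN.search(uri) is not None


def evaluate(requests):
    """Return the request lines the rule would alert on, in input order."""
    return [r for r in requests if rule_matches(r)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_REQUESTS):
        print("ALERT:", hit)
```

The second hit is the false-positive case the answer warns about: substring matching on "target" fires on an image path, and narrowing it would need something more specific than the bare alternation.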
01-23-2018 03:39 PM
You need to write three different rules to do what you are trying to do here. One for each command.