Snort Signature Help Required.

Ankush Kumar
Level 1

Hi Guys,

I need some help. As per a requirement, we made a custom signature on the Snort built into the Firepower series, but the issue is that it is not triggering anything.

I am copying the signature that was made; it is based on content. The requirement is to look into the content and, in case it matches, trigger an event.

alert tcp any any -> 10.X.X.X/24 any (content: "GET";content-list:"cmd"|"target"|"CONNECT";msg: "Malicious code detection";)

Regards,

Ankush Kumar


5 Replies

Joel Esler
Cisco Employee

You need to write three different rules to do what you are trying to do here. One for each command.

Hi Joel,

Thanks for your reply.

Actually, the requirement is to trigger an event whenever it matches either the cmd, connect or target keyword anywhere in the content of the URI.

Do you want me to write this rule three times, each containing a different content keyword, or is the one below sufficient?

alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection";flow:to_server,established;content:"cmd"; nocase; http_uri; content:"connect";nocase; http_uri; content:"target"; nocase; http_uri;)

Regards,
Ankush Kumar

This rule, as written, will require that all three be in the same URI, in any order.

Hi Joel,

Thanks again for your quick response.

What if I want either condition? Can it be accomplished without writing three different rules with different keywords, or can we accomplish it within a single rule?

Regards,
Ankush Kumar

You'd have to have a common triggering condition for all three commands. For instance:


alert tcp any any -> 10.X.X.X/24 any (msg:"Malicious code detection";flow:to_server,established; content:"GET /"; depth:5; content:"GET"; http_method; content:"/"; http_uri; depth:1; pcre:"/(cmd|connect|target)/Ui"; metadata:service http;)

But I would never run this rule in a production environment, because of false positives, and the fact that this rule will "enter" (or be evaluated) on literally every GET packet on the network.
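
To make the AND-versus-OR difference between the two rules concrete, here is an added Python model of their match semantics (example code, not from this thread and not Snort's own logic): the three stacked content/nocase/http_uri matches are ANDed, while the pcre alternation behind a common GET trigger is an OR. The request lines are constructed samples; the model only covers the URI keyword logic, not Snort's full HTTP normalization, and the last sample shows the kind of false positive the reply warns about.

```python
import re

# Constructed sample requests (not from the thread), as (method, uri)
# the way Snort's HTTP inspector would expose them to the rule engine.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/cmd.exe?/c+dir"),                 # only "cmd"
    ("GET", "/admin?action=connect&target=db&cmd=ls"),  # all three keywords
    ("GET", "/index.html"),                             # no keyword
    ("POST", "/upload?target=1"),                       # keyword, but not a GET
    ("GET", "/games/connect-four.html"),                # benign, still hits OR rule
]

def rule_all_keywords(method, uri, keywords=("cmd", "connect", "target")):
    """Model of the three content:...; nocase; http_uri; rule.
    Snort ANDs stacked content matches, so every keyword must appear
    somewhere in the same URI (order does not matter)."""
    u = uri.lower()
    return all(k in u for k in keywords)

KEYWORD_RE = re.compile(r"(cmd|connect|target)", re.IGNORECASE)

def rule_any_keyword(method, uri):
    """Model of the accepted answer: a common trigger (GET request whose
    URI starts with "/") followed by a case-insensitive pcre alternation,
    which gives OR semantics across the three keywords."""
    if method != "GET" or not uri.startswith("/"):
        return False
    return KEYWORD_RE.search(uri) is not None

def evaluate(requests=SAMPLE_REQUESTS):
    """Return (uri, all_three_hit, any_one_hit) for each request."""
    return [
        (uri, rule_all_keywords(m, uri), rule_any_keyword(m, uri))
        for m, uri in requests
    ]

if __name__ == "__main__":
    for uri, all_hit, any_hit in evaluate():
        print(f"{uri:45s} all-three={all_hit!s:5s} any-one={any_hit}")
```

Only the second sample alerts under the AND model, whereas the OR model also alerts on the harmless connect-four page, which is the false-positive cost of the broad pcre approach.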

 
