This is a discussion on Re: [Snort-users] help writing snort rule within the Snort forums, part of the System Security and Security Related category.
Bill,

This is exactly the correct place to ask Snort Rules questions.

I suggest you eliminate the "ip" in the rule. Try replacing it with TCP or even using the tcp rule that I jotted down.

Grabbing it out of an email should be easy; however, an attachment is not so easy depending upon the type of attachment. For example, if it's a plaintext document or something, yes, it might grab it, but if it's written in Word, or maybe a pdf, since those are formatted differently, it's a bit harder.

So, step one, let's move from ip to tcp, and see how that works. Also, try and eliminate your any any, perhaps change it to any any to HOME_NET any.

J

On Jan 26, 2007, at 1:58 PM, Bill Lopez wrote:

> Thank you for the quick response to my question.
>
> I don't want to keep asking elementary questions in this forum if it's not appropriate; please let me know if this isn't the proper place and direct me to where I can ask basic questions.
>
> I wasn't able to get an alert on the bleeding rule
>
> alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype: policy-violation; sid: 2001328; rev:8; )
>
> thus the reason for trying to write my own with a small variance in the character string –
>
> alert ip any any -> $EXTERNAL_NET any (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear Text"; sid: 1000004;)
>
> which doesn't produce an alert either – eventually I want to apply this filter to just traffic from/to mail, telnet, ftp (etc) servers – I can send any variance of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an e-mail, text file attachment or file upload and still never see an alert to the console. I have a simple rule to check for content using a keyword and get alerted when sending that keyword with e-mail, attachment and file upload (this was my test to see if snort was actually alerting correctly). I am only running my test rules with an out of the box snort.conf file.
>
> Why wouldn't either of the above rules alert with (for example) an e-mail sent with 555-55-5555 in the body?
>
> Bill Lopez
> Operating Engineers Trust Funds
> (626) 356-3524
> (626) 255-1066
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net

--Joel
joel.esler@sourcefire.com
http://demo.sourcefire.com/jesler.pgp.key
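The thread turns on why the two posted rules do or do not fire, and the rule header (ip versus tcp, flow, HOME_NET) that Joel's reply addresses is only half of that: Snort evaluates the header first and only then runs the pcre option over the payload. The harness below is an added example, not code from the thread, from Bleeding Edge or from Snort. It runs the two PCRE bodies exactly as Bill posted them, plus a tighter pattern of my own that goes beyond the thread, over constructed sample payloads (the sample strings and the `STRICTER_SSN` pattern are my assumptions). It shows three things a rule writer would want to know: the Bleeding Edge pattern carries a literal leading and trailing space, so 555-55-5555 only matches when it is surrounded by spaces and not when it ends a line; Bill's looser pattern also fires on any nine-digit run, such as a phone number; and neither pattern sees anything once the body is base64-encoded, which is how MIME normally carries Word and PDF attachments.

```python
import base64
import re

# The two PCRE bodies exactly as posted in the thread, with Snort's pcre:"/.../"
# delimiters stripped. Note the literal leading and trailing space in the
# Bleeding Edge pattern: the SSN only matches when surrounded by spaces.
BLEEDING_EDGE_SSN = re.compile(rb" ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} ")
LOOSE_SSN = re.compile(rb"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}")

# My own tighter pattern (an assumption, not from the thread): no digit on either
# side, the same separator (space, dash or none) in both positions, and the
# area/group/serial values the SSA never issues (000, 666, 9xx; 00; 0000) excluded.
STRICTER_SSN = re.compile(
    rb"(?<!\d)(?!000|666|9\d\d)\d{3}([ -]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)"
)

# Constructed sample payloads (not captured traffic): roughly what a mail body
# or an attachment part looks like on the wire.
CLEAR_BODY = b"My SSN is 555-55-5555 please keep it safe"
SAMPLES = {
    "ssn_spaced":      CLEAR_BODY,
    "ssn_end_of_line": b"My SSN is 555-55-5555\r\n",
    "ssn_no_dashes":   b"555555555",
    "ssn_space_sep":   b"call me about 555 55 5555 today",
    "phone_number":    b"Office: 6263563524 x12",     # ten-digit run, not an SSN
    "base64_body":     base64.b64encode(CLEAR_BODY),  # as a MIME attachment part
}


def matches(pattern, payload):
    """True if the pattern matches anywhere in the payload, the way Snort's
    pcre option searches the packet (or reassembled stream) payload."""
    return pattern.search(payload) is not None


def evaluate(samples=SAMPLES):
    """Run every sample through all three patterns.
    Returns {name: (bleeding_edge, loose, stricter)}."""
    return {
        name: (matches(BLEEDING_EDGE_SSN, p),
               matches(LOOSE_SSN, p),
               matches(STRICTER_SSN, p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':16} {'bleeding':9} {'loose':6} stricter")
    for name, (b, l, s) in evaluate().items():
        print(f"{name:16} {str(b):9} {str(l):6} {s}")
```

Running it prints one row per sample; the `phone_number` row is the one to look at before loosening a pattern the way Bill's rule does, and the `base64_body` row is why a regex on the wire cannot be expected to catch the attachment cases Joel mentions. The harness only exercises the regex; a rule that is never reached because its header does not match the traffic (the ip/tcp and any/any points in the reply) will not alert no matter how good the pattern is.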