Home page logo
/

snort logo Snort mailing list archives

Re: Create a rule that takes its content from a file.
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Tue, 14 May 2013 20:38:08 -0400

(CC'ing the mailing list; I got this direct response)


In regards to blacklisted strings and terms, that almost sounds like DLP or
DLP-like function you're looking for to detect if sensitive files or
information leaves the network. You may want to have a look at the
sensitive data preprocessor, in that case.


In regards to the other stuff you want done, There are rules and rule
categories that can do what it is you want snort to do:

file-identify for file extensions you don't want to see flying over the
network
indicator-shellcode for shellcode over the network
malware-[backdor|cnc|other] for CNC/malware, blacklist.rules for
blacklisted user-agents and/or domains...
and indicator-compromise.rules for suspicious activity.

At this point it's less "how do I write a rule to do this" and more "What
rules exist that will do what I want?"


On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote:

Hi,

Thank you for your reply. It is however not exactly what I was looking
for. Maybe I have been unclear in my question.
I am trying to find a way to create a rule that matches a list of strings.
These strings can be located in a file, as it was the case for the
content-list keyword. Please look at its definition here
http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list.
The thing with the extension was just an example, but the principle I am
trying understand can be anything else, like list of blacklisted shell
commands or a list of blacklisted domain names, etc...
Many thanks,

Arneu


------------------------------
Date: Tue, 14 May 2013 10:29:10 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com
To: arneu99 () hotmail com


Hm...

You may want to look at the file-identify.rules category. This seems to be
right up your alley.

http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html


On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote:

Hi,

I just installed Snort a few days ago and started to play with it by
writing my own rules.
I would like my rule to take its content from a file, but I haven't find
any information on this topic, neither in the manual, nor on the Internet.
I found that the content-list keyword once existed in Snort, but it has
apparently been removed about 6 years ago. Too bad, because it was exactly
what I was looking for.
Would anybody have an idea on how to do such a thing with current snort
features? I could write a rule for each of the lines of my file or use pcre
with the list of possible values, but I was wondering if there was a way to
do it with a rule taking its content from a file. If not, what is the
correct approach to do this?

As an example, if I have a file containing a whitelist of file extensions,
I would like to raise an alert when an email attachment having an extension
that is not in the list is seen in the network traffic.

Many thanks for your help.

Cheers

Arneu



------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




--
when does reality end? when does fantasy begin?




-- 
when does reality end? when does fantasy begin?
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault