Snort mailing list archives

Re: Snort-sigs Digest, Vol 84, Issue 16
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Wed, 15 May 2013 10:00:46 -0400

Not entirely sure on that, actually.

If I'm not mistaken, the HTTP preprocessor can be configured to decompress
regular zipped data, but .rar files and/or .7z, etc.: I don't think there's
much Snort would be able to do there, especially if the archives were
password protected. And if the attacker is using a non-HTTP port, well... I
think you may be right on the mark.

In that case, you'd probably want a rule to detect .zip, .rar and/or .7z
files traveling outbound from your target network.


On Wed, May 15, 2013 at 8:08 AM, John Cal <cal220101 () gmail com> wrote:

If you use compression and encryption, doesn't that usually bypass DLP?
Simply raring a few files and sending them back to the C2. I mean, even if you
have a sig to hit on .rar leaving outbound, your sensitive data is already
gone.
On May 15, 2013 3:06 AM, <snort-sigs-request () lists sourceforge net> wrote:

Send Snort-sigs mailing list submissions to
        snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request () lists sourceforge net

You can reach the person managing the list at
        snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Re: Create a rule that takes its content from a file.
      (Tony Robinson)
   2. Re: Create a rule that takes its content from a file. (arneu sneu)


----------------------------------------------------------------------

Message: 1
Date: Tue, 14 May 2013 20:38:08 -0400
From: Tony Robinson <deusexmachina667 () gmail com>
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
To: arneu sneu <arneu99 () hotmail com>,
        "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>,
        Joel Esler <jesler () sourcefire com>
Message-ID: <CAOGUb=hvtHMhuwvxtMZdiNWtUnDsOhO7dW7umgPSaJTFvgyBdQ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

(CC'ing the mailing list; I got this direct response)


In regards to blacklisted strings and terms, that almost sounds like DLP or
a DLP-like function you're looking for, to detect if sensitive files or
information leave the network. You may want to have a look at the
sensitive data preprocessor, in that case.


In regards to the other stuff you want done, there are rules and rule
categories that can do what it is you want Snort to do:

file-identify for file extensions you don't want to see flying over the
network,
indicator-shellcode for shellcode over the network,
malware-[backdoor|cnc|other] for CNC/malware, blacklist.rules for
blacklisted user-agents and/or domains...
and indicator-compromise.rules for suspicious activity.

At this point it's less "how do I write a rule to do this" and more "What
rules exist that will do what I want?"


On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote:

Hi,

Thank you for your reply. It is however not exactly what I was looking
for. Maybe I have been unclear in my question.
I am trying to find a way to create a rule that matches a list of
strings. These strings can be located in a file, as was the case for the
content-list keyword. Please look at its definition here:
http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list
The thing with the extension was just an example, but the principle I am
trying to understand can be anything else, like a list of blacklisted shell
commands or a list of blacklisted domain names, etc...
Many thanks,

Arneu


------------------------------
Date: Tue, 14 May 2013 10:29:10 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com
To: arneu99 () hotmail com


Hm...

You may want to look at the file-identify.rules category. This seems to
be right up your alley.


http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html


On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote:

Hi,

I just installed Snort a few days ago and started to play with it by
writing my own rules.
I would like my rule to take its content from a file, but I haven't found
any information on this topic, neither in the manual, nor on the Internet.
I found that the content-list keyword once existed in Snort, but it has
apparently been removed about 6 years ago. Too bad, because it was exactly
what I was looking for.
Would anybody have an idea on how to do such a thing with current Snort
features? I could write a rule for each of the lines of my file or use pcre
with the list of possible values, but I was wondering if there was a way to
do it with a rule taking its content from a file. If not, what is the
correct approach to do this?

As an example, if I have a file containing a whitelist of file extensions,
I would like to raise an alert when an email attachment having an extension
that is not in the list is seen in the network traffic.

Many thanks for your help.

Cheers

Arneu




------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




--
when does reality end? when does fantasy begin?

------------------------------

Message: 2
Date: Wed, 15 May 2013 08:01:36 +0000
From: arneu sneu <arneu99 () hotmail com>
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
To: Tony Robinson <deusexmachina667 () gmail com>,
        "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>,
        Joel Esler <jesler () sourcefire com>
Message-ID: <DUB116-W125CABDFCC9053ED3E3EAF3A2A20 () phx gbl>
Content-Type: text/plain; charset="iso-8859-1"

Thank you, Tony, for your answer.
I checked the sensitive data preprocessor; it can be interesting if I
manage to describe the patterns I am looking for with the limited regular
expression syntax available there.
I also checked the reputation preprocessor; it's very similar to what I
wanted to achieve, but it's only for IP addresses.
I guess you're right, some rules already exist, written in a way different
from the one I was thinking of.

------------------------------

End of Snort-sigs Digest, Vol 84, Issue 16
******************************************

-- 
when does reality end? when does fantasy begin?
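Both the question that starts this thread (a rule that takes its content from a file, whether a blacklist of strings or a whitelist of attachment extensions) and Tony's suggestion of a rule for archive files leaving the network come down to the same job now that content-list is gone: turning a list file into rule text. The script below is an added example for this archive page, not code posted by anyone in the thread or from the Snort project. It assumes a plain one-term-per-line list file, Snort 2.x rule syntax, the usual $HOME_NET/$EXTERNAL_NET variables, and constructed SIDs in the 1000000 range; the sample list contents and MIME header lines are constructed too. A blacklist becomes one content: rule per line, and an extension whitelist becomes a single pcre: rule with a negative lookahead, which is what lets one rule say "extension not in this list". The same pattern string is also run through Python's re module on the sample headers so the match logic can be checked before the rule ever reaches a sensor.

```python
"""Generate Snort rules from a list of strings kept in a file.

Added example for this thread; not code from the thread's participants or
from the Snort project. List contents, SIDs and message text are constructed.
"""
import re

# Bytes Snort treats specially inside content:"..." are emitted as |hex|
# so a term such as  cmd.exe;  or a stray quote cannot break the rule.
_CONTENT_SPECIAL = {ord(";"), ord('"'), ord("\\"), ord("|")}


def load_terms(text):
    """Parse a list file: one term per line; blank lines and # comments are skipped."""
    terms = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            terms.append(line)
    return terms


def load_terms_from_file(path):
    """Same as load_terms, reading the list from a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return load_terms(fh.read())


def snort_content_escape(term):
    """Return a content: match string; special and non-printable bytes become |hex|."""
    out = []
    for b in term.encode("utf-8"):
        if b < 0x20 or b > 0x7E or b in _CONTENT_SPECIAL:
            out.append("|%02x|" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def blacklist_rules(terms, sid_base, msg_prefix="BLACKLIST term seen",
                    proto="tcp", src="$HOME_NET", dst="$EXTERNAL_NET"):
    """One alert rule per term: the direct replacement for content-list.
    sid_base is a constructed value; use your own local SID range."""
    rules = []
    for offset, term in enumerate(terms):
        label = re.sub(r'[;"\\|]', "_", term)   # keep msg: free of rule delimiters
        rules.append(
            f"alert {proto} {src} any -> {dst} any "
            f'(msg:"{msg_prefix} {label}"; flow:established,to_server; '
            f'content:"{snort_content_escape(term)}"; nocase; '
            f"classtype:policy-violation; sid:{sid_base + offset}; rev:1;)"
        )
    return rules


def whitelist_pattern(exts):
    """Regex matching filename="name.ext" where ext is NOT in the whitelist.
    The same string works for Python's re and for Snort's pcre: option; \\x22
    stands for the double quote so the rule needs no extra escaping."""
    allowed = "|".join(re.escape(e.strip().lstrip(".").lower()) for e in exts)
    return (r"filename=\x22[^\x22]*\."         # up to the last dot in the quoted name
            rf"(?!(?:{allowed})\x22)"           # extension + closing quote not whitelisted
            r"[^\x22.]+\x22")                   # consume the extension up to the quote


def extension_whitelist_rule(exts, sid):
    """Single rule alerting on an attachment whose extension is not whitelisted."""
    return ("alert tcp $HOME_NET any -> $EXTERNAL_NET any "
            '(msg:"ATTACHMENT extension not in whitelist"; flow:established,to_server; '
            'content:"filename=|22|"; nocase; '    # cheap literal match before the pcre
            f'pcre:"/{whitelist_pattern(exts)}/i"; '
            f"classtype:policy-violation; sid:{sid}; rev:1;)")


def attachment_alerts(exts, header_lines):
    """Exercise the whitelist pattern over header lines; return those that would alert."""
    rx = re.compile(whitelist_pattern(exts), re.IGNORECASE)
    return [line for line in header_lines if rx.search(line)]


# Constructed sample inputs standing in for the list files and captured traffic.
SAMPLE_WHITELIST = "# constructed whitelist of attachment extensions\ntxt\npdf\n.docx\n"
SAMPLE_BLACKLIST = "# constructed blacklist of domain names\nbad.example.net\nevil.example.org\n"
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="report.pdf"',
    'Content-Disposition: attachment; filename="notes.TXT"',
    'Content-Disposition: attachment; filename="invoice.exe"',
    'Content-Disposition: attachment; filename="backup.7z"',
    'Content-Disposition: attachment; filename="photo.jpg.zip"',
]

if __name__ == "__main__":
    for rule in blacklist_rules(load_terms(SAMPLE_BLACKLIST), 1000000):
        print(rule)
    print(extension_whitelist_rule(load_terms(SAMPLE_WHITELIST), 1000100))
    for hit in attachment_alerts(load_terms(SAMPLE_WHITELIST), SAMPLE_HEADERS):
        print("would alert:", hit)
```

Run as-is it prints two blacklist rules, the whitelist rule, and the three sample headers (invoice.exe, backup.7z, photo.jpg.zip) that the whitelist rule would fire on; report.pdf and notes.TXT pass because the /i modifier makes the lookahead case-insensitive as well. Two limitations worth knowing before deploying anything like this: the pattern only recognises the quoted filename="..." form of the header, not the RFC 2231 filename*= encoding or an unquoted name, and, as the thread already notes, matching on a name is not the same as inspecting the file, so it complements rather than replaces the file-identify rules Tony points to.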