Home page logo
/

snort logo Snort mailing list archives

Re: Snort-sigs Digest, Vol 84, Issue 16
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 15 May 2013 20:59:01 -0400

As a matter of etiquette, please trim digest emails to be relevant to just your response.


On May 15, 2013, at 8:08 AM, John Cal <cal220101 () gmail com> wrote:

If you use compression and encryption, doesn't that usually bypass DLP? Simply raring a few files and sending back to 
the C2. I mean, even if you have a sig to hit on .rar leaving outbound, your sensitive data is already gone.

On May 15, 2013 3:06 AM, <snort-sigs-request () lists sourceforge net> wrote:
Send Snort-sigs mailing list submissions to
        snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request () lists sourceforge net

You can reach the person managing the list at
        snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Re: Create a rule that takes its content from a file.
      (Tony Robinson)
   2. Re: Create a rule that takes its content from a file. (arneu sneu)


----------------------------------------------------------------------

Message: 1
Date: Tue, 14 May 2013 20:38:08 -0400
From: Tony Robinson <deusexmachina667 () gmail com>
Subject: Re: [Snort-sigs] Create a rule that takes its content from a
        file.
To: arneu sneu <arneu99 () hotmail com>,
        "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>,
        Joel Esler <jesler () sourcefire com>
Message-ID:
        <CAOGUb=hvtHMhuwvxtMZdiNWtUnDsOhO7dW7umgPSaJTFvgyBdQ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

(CC'ing the mailing list; I got this direct response)


In regards to blacklisted strings and terms, that almost sounds like DLP or
DLP-like function you're looking for to detect if sensitive files or
information leaves the network. You may want to have a look at the
sensitive data preprocessor, in that case.


In regards to the other stuff you want done, There are rules and rule
categories that can do what it is you want snort to do:

file-identify for file extensions you don't want to see flying over the
network
indicator-shellcode for shellcode over the network
malware-[backdor|cnc|other] for CNC/malware, blacklist.rules for
blacklisted user-agents and/or domains...
and indicator-compromise.rules for suspicious activity.

At this point it's less "how do I write a rule to do this" and more "What
rules exist that will do what I want?"


On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote:

Hi,

Thank you for your reply. It is however not exactly what I was looking
for. Maybe I have been unclear in my question.
I am trying to find a way to create a rule that matches a list of strings.
These strings can be located in a file, as it was the case for the
content-list keyword. Please look at its definition here
http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list.
The thing with the extension was just an example, but the principle I am
trying understand can be anything else, like list of blacklisted shell
commands or a list of blacklisted domain names, etc...
Many thanks,

Arneu


------------------------------
Date: Tue, 14 May 2013 10:29:10 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com
To: arneu99 () hotmail com


Hm...

You may want to look at the file-identify.rules category. This seems to be
right up your alley.

http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html


On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote:

Hi,

I just installed Snort a few days ago and started to play with it by
writing my own rules.
I would like my rule to take its content from a file, but I haven't find
any information on this topic, neither in the manual, nor on the Internet.
I found that the content-list keyword once existed in Snort, but it has
apparently been removed about 6 years ago. Too bad, because it was exactly
what I was looking for.
Would anybody have an idea on how to do such a thing with current snort
features? I could write a rule for each of the lines of my file or use pcre
with the list of possible values, but I was wondering if there was a way to
do it with a rule taking its content from a file. If not, what is the
correct approach to do this?

As an example, if I have a file containing a whitelist of file extensions,
I would like to raise an alert when an email attachment having an extension
that is not in the list is seen in the network traffic.

Many thanks for your help.

Cheers

Arneu



------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




--
when does reality end? when does fantasy begin?




--
when does reality end? when does fantasy begin?
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Wed, 15 May 2013 08:01:36 +0000
From: arneu sneu <arneu99 () hotmail com>
Subject: Re: [Snort-sigs] Create a rule that takes its content from a
        file.
To: Tony Robinson <deusexmachina667 () gmail com>,
        "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>,
        Joel    Esler <jesler () sourcefire com>
Message-ID: <DUB116-W125CABDFCC9053ED3E3EAF3A2A20 () phx gbl>
Content-Type: text/plain; charset="iso-8859-1"

Thank you Tony for your answer.
I checked the sensitive data preprocessor, it can be interesting if I manage to describe the patterns I am looking 
for with the limited regular expression syntax available there.
I also check the reputation preprocessor, it's very similar to what I wanted to achieve but it's only for IP 
addresses.
I guess you're right, some rules already exist written in a way different than the one I was thinking of.


Date: Tue, 14 May 2013 20:38:08 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com
To: arneu99 () hotmail com; snort-sigs () lists sourceforge net; jesler () sourcefire com

(CC'ing the mailing list; I got this direct response)


In regards to blacklisted strings and terms, that almost sounds
like DLP or DLP-like function you're looking for to detect if sensitive
files or information leaves the network. You may want to have a look at
the sensitive data preprocessor, in that case.


In regards to the other stuff you want done, There are rules and rule categories that can do what it is you want 
snort to do:

file-identify for file extensions you don't want to see flying over the network

indicator-shellcode for shellcode over the network
malware-[backdor|cnc|other] for CNC/malware, blacklist.rules for blacklisted user-agents and/or domains...
and indicator-compromise.rules for suspicious activity.


At this point it's less "how do I write a rule to do this" and more "What rules exist that will do what I want?"


On Tue, May 14, 2013 at 11:20 AM, arneu sneu <arneu99 () hotmail com> wrote:




Hi,

Thank you for your reply. It is however not exactly what I was looking for. Maybe I have been unclear in my question.
I am trying to find a way to create a rule that matches a list of strings. These strings can be located in a file, as 
it was the case for the content-list keyword. Please look at its definition here 
http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#content-list.

The thing with the extension was just an example, but the principle I am trying understand can be anything else, like 
list of blacklisted shell commands or a list of blacklisted domain names, etc...
Many thanks,


Arneu


Date: Tue, 14 May 2013 10:29:10 -0400
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
From: deusexmachina667 () gmail com

To: arneu99 () hotmail com

Hm...

You may want to look at the file-identify.rules category. This seems to be right up your alley.


http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html



On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote:




Hi,

I just installed Snort a few days ago and started to play with it by writing my own rules.
I would like my rule to take its content from a file, but I haven't find any information on this topic, neither in 
the manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it has apparently 
been removed about 6 years ago. Too bad, because it was exactly what I was looking for.


Would anybody have an idea on how to do such a thing with current snort features? I could write a rule for each of 
the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it 
with a rule taking its content from a file. If not, what is the correct approach to do this?



As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an 
email attachment having an extension that is not in the list is seen in the network traffic.

Many thanks for your help.



Cheers

Arneu



------------------------------------------------------------------------------

AlienVault Unified Security Management (USM) platform delivers complete

security visibility with the essential security capabilities. Easily and

efficiently configure, manage, and operate all of your security controls

from a single console and one unified framework. Download a free trial.

http://p.sf.net/sfu/alienvault_d2d
_______________________________________________

Snort-sigs mailing list

Snort-sigs () lists sourceforge net

https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org





Please visit http://blog.snort.org for the latest news about Snort!


--
when does reality end? when does fantasy begin?



--
when does reality end? when does fantasy begin?

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

End of Snort-sigs Digest, Vol 84, Issue 16
******************************************
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault