Re: Hi all! (and a snort sig question)

[Snort User via Snort-sigs <snort-sigs () lists snort org>]

Hi Rob

At this point of inspection, the payload is handled by the SSL inspector,
and not by the HTTP inspector. So, we cannot use the HTTP buffers.
So, is it possible for you to match on the relevant bytes using content
matches without using buffers?

This is my understanding. I could be wrong :/

regards




On Wed, Oct 9, 2024 at 12:01 PM Rob Vandenbrink <rob () coherentsecurity com>
wrote:

> Cool, will do
>
>
>
> If I browse to an IP address, there is never an SNI (since there’s no
> “server name” to put there).  Confirmed this with a PCAP.
>
> So my thought was to write a sig that looks for an null SNI value, my
> current best gues would be this one, which should look for an FQDN in the
> SNI field, and if there’s no dot (which there should be) then trigger the
> alert.
>
>
>
> https_raw_url.host:!”.”
>
>     content:!"."; \
>
>     http_raw_uri:host; \
>
>     ssl_state:client_hello; \
>
>
>
> ==============
>
> Rob VandenBrink
>
> 519-589-1881
>
>
>
> *From:* Snort User <snort.user () gmail com>
> *Sent:* Wednesday, October 9, 2024 11:26 AM
> *To:* Rob Vandenbrink <rob () coherentsecurity com>
> *Cc:* snort-sigs () lists snort org
> *Subject:* Re: [Snort-sigs] Hi all! (and a snort sig question)
>
>
>
> I don't think so. I would definitely use *ssl_state:client_hello; *and
> then look to match the SNI portion of the SSL client hello packet and then
> try matching the dotted quad pattern.
>
> But as you are doing, the best way is to try out your sig against a pcap
>
>
>
>
>
>
>
> On Wed, Oct 9, 2024 at 11:09 AM Rob Vandenbrink <rob () coherentsecurity com>
> wrote:
>
> Ah, I thought that since the Hello packets are unencrypted that snort
> would still inspect at least those
>
>
>
> I do not have decrypt turned on (given historic Cisco Firepower+Snort
> issues), but I think I can convince one of my clients to give it a try now
> that they have new hardware and new code.
>
>
>
> Do either of those two latest signatures that I’m trying look OK though?
>
>
>
> ==============
>
> Rob VandenBrink
>
> 519-589-1881
>
>
>
> *From:* Snort User <snort.user () gmail com>
> *Sent:* Wednesday, October 9, 2024 10:16 AM
> *To:* Rob Vandenbrink <rob () coherentsecurity com>
> *Cc:* snort-sigs () lists snort org
> *Subject:* Re: [Snort-sigs] Hi all! (and a snort sig question)
>
>
>
> Hi Rob,
>
>
>
> For your signature to detect any HTTP artifact, snort would have to
> inspect SSL decrypted payload. In your case, I believe you have snort
> inspecting HTTPS, right?
>
>
>
> If you have some sort of set up where the HTTPS traffic is intercepted and
> then snort gets to inspect it, then the case is different.
>
>
>
> Thanks
>
>
>
> On Tue, Oct 8, 2024 at 3:31 PM Rob Vandenbrink via Snort-sigs <
> snort-sigs () lists snort org> wrote:
>
> Got it narrowed down now to:
>
> “look for a dot in the sni field, and fire if it’s not there”
>
>     content:!"."; \
>
>     http_raw_uri:host; \
>
>     ssl_state:client_hello; \
>
>
>
> or, look for the string “SNI” in the client hello (I realize that this
> likely isn’t there, I’ll need to dig for bitmaps for this I think)
>
>     content:!"SNI"; \
>
>     http_raw_uri; \
>
>     ssl_state:client_hello; \
>
>
>
> Anyway, neither fires – I’d figure that the first approach should work?
>
>
>
> ==============
>
> Rob VandenBrink
>
> 519-589-1881
>
>
>
> *From:* Rob Vandenbrink <rob () coherentsecurity com>
> *Sent:* Sunday, October 6, 2024 6:58 PM
> *To:* Rob Vandenbrink <rob () coherentsecurity com>;
> snort-sigs () lists snort org
> *Subject:* RE: Hi all! (and a snort sig question)
>
>
>
> Looking closer at the packets, there’s (of course) no SNI field when
> browsing by IP
>
> Trying a different approach now
>
>
>
>
>
> *From:* Snort-sigs <snort-sigs-bounces () lists snort org> *On Behalf Of *Rob
> Vandenbrink via Snort-sigs
> *Sent:* Thursday, October 3, 2024 5:45 PM
> *To:* snort-sigs () lists snort org
> *Subject:* [Snort-sigs] Hi all! (and a snort sig question)
>
>
>
> Hi everyone – long time snort user / new to this list though
>
>
>
> I’m trying to build a signature that triggers on a user browsing by IP
> address (instead of by fqdn or cn).
>
> So it would be fine with “https://www.cisco.com” but trigger on “
> https://23.56.210.155”  (or whatever cisco resolves to that day)
>
>
>
> So far I have this:
>
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
>
>     msg:"BROWSER OTHER alert on direct ip browsing"; \
>
> *    content:"."; \*
>
> *    http_raw_uri:host; \*
>
> *    pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; \*
>
> *    ssl_state:client_hello; \*
>
>     sid:1000010; \
>
>     rev:33; \
>
>     gid:1; \
>
>     priority:4; \
>
>     classtype:unknown;  \
>
> )
>
>
>
> No joy on this at all – it reads fine into the config, but never fires.
>
>
>
> I think this is a basic misunderstanding on how to chain the field, the
> content and the pcre statement together.  They only parse if they’re in
> this order, but I have no clue how to get one line to relate to the next
> (the content line seems extraneous to me)
>
> If there was a decent reference website I’d go there, but most either
> document everything discretely (rather than in combination), or have really
> basic examples …
>
>
>
> If anyone has good thoughts on this, beverages are on me if you are ever
> at a SANSFIRE or SECTOR conference (or are in Ontario Canada near me).
>
>
>
> (and yes, when all is done I can play with http_uri and raw_uri to see
> which works best for evasive encoding)
>
> ==============
>
> Rob VandenBrink
>
> 519-589-1881
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!