Snort mailing list archives

Re: Hi all! (and a snort sig question)


From: Snort User via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 9 Oct 2024 10:15:41 -0400

Hi Rob,

For your signature to detect any HTTP artifact, Snort would have to inspect
the SSL-decrypted payload. In your case, I believe you have Snort inspecting
HTTPS, right?

If you have some sort of setup where the HTTPS traffic is intercepted and
then Snort gets to inspect it, then the case is different.

Thanks

On Tue, Oct 8, 2024 at 3:31 PM Rob Vandenbrink via Snort-sigs <
snort-sigs () lists snort org> wrote:

Got it narrowed down now to:

“look for a dot in the sni field, and fire if it’s not there”

    content:!"."; \
    http_raw_uri:host; \
    ssl_state:client_hello; \



or, look for the string “SNI” in the client hello (I realize that this
likely isn’t there, I’ll need to dig for bitmaps for this I think)

    content:!"SNI"; \
    http_raw_uri; \
    ssl_state:client_hello; \



Anyway, neither fires – I’d figure that the first approach should work?



==============

Rob VandenBrink

519-589-1881



*From:* Rob Vandenbrink <rob () coherentsecurity com>
*Sent:* Sunday, October 6, 2024 6:58 PM
*To:* Rob Vandenbrink <rob () coherentsecurity com>;
snort-sigs () lists snort org
*Subject:* RE: Hi all! (and a snort sig question)



Looking closer at the packets, there’s (of course) no SNI field when
browsing by IP

Trying a different approach now





*From:* Snort-sigs <snort-sigs-bounces () lists snort org> *On Behalf Of *Rob
Vandenbrink via Snort-sigs
*Sent:* Thursday, October 3, 2024 5:45 PM
*To:* snort-sigs () lists snort org
*Subject:* [Snort-sigs] Hi all! (and a snort sig question)



Hi everyone – long time snort user / new to this list though



I’m trying to build a signature that triggers on a user browsing by IP
address (instead of by fqdn or cn).

So it would be fine with “https://www.cisco.com” but trigger on “
https://23.56.210.155”  (or whatever cisco resolves to that day)



So far I have this:



alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"BROWSER OTHER alert on direct ip browsing"; \
    content:"."; \
    http_raw_uri:host; \
    pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; \
    ssl_state:client_hello; \
    sid:1000010; \
    rev:33; \
    gid:1; \
    priority:4; \
    classtype:unknown; \
)



No joy on this at all – it reads fine into the config, but never fires.



I think this is a basic misunderstanding on how to chain the field, the
content and the pcre statement together.  They only parse if they’re in
this order, but I have no clue how to get one line to relate to the next
(the content line seems extraneous to me)

If there was a decent reference website I’d go there, but most either
document everything discretely (rather than in combination), or have really
basic examples …



If anyone has good thoughts on this, beverages are on me if you are ever
at a SANSFIRE or SECTOR conference (or are in Ontario Canada near me).



(and yes, when all is done I can play with http_uri and raw_uri to see
which works best for evasive encoding)

==============

Rob VandenBrink

519-589-1881


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
