Snort mailing list archives
Re: Hi all! (and a snort sig question)
From: Rob Vandenbrink via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 9 Oct 2024 15:09:10 +0000
Ah, I thought that since the Hello packets are unencrypted that snort would still inspect at least those I do not have decrypt turned on (given historic Cisco Firepower+Snort issues), but I think I can convince one of my clients to give it a try now that they have new hardware and new code. Do either of those two latest signatures that I’m trying look OK though? ============== Rob VandenBrink 519-589-1881 From: Snort User <snort.user () gmail com> Sent: Wednesday, October 9, 2024 10:16 AM To: Rob Vandenbrink <rob () coherentsecurity com> Cc: snort-sigs () lists snort org Subject: Re: [Snort-sigs] Hi all! (and a snort sig question) Hi Rob, For your signature to detect any HTTP artifact, snort would have to inspect SSL decrypted payload. In your case, I believe you have snort inspecting HTTPS, right? If you have some sort of set up where the HTTPS traffic is intercepted and then snort gets to inspect it, then the case is different. Thanks On Tue, Oct 8, 2024 at 3:31 PM Rob Vandenbrink via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>> wrote: Got it narrowed down now to: “look for a dot in the sni field, and fire if it’s not there” content:!"."; \ http_raw_uri:host; \ ssl_state:client_hello; \ or, look for the string “SNI” in the client hello (I realize that this likely isn’t there, I’ll need to dig for bitmaps for this I think) content:!"SNI"; \ http_raw_uri; \ ssl_state:client_hello; \ Anyway, neither fires – I’d figure that the first approach should work? ============== Rob VandenBrink 519-589-1881 From: Rob Vandenbrink <rob () coherentsecurity com<mailto:rob () coherentsecurity com>> Sent: Sunday, October 6, 2024 6:58 PM To: Rob Vandenbrink <rob () coherentsecurity com<mailto:rob () coherentsecurity com>>; snort-sigs () lists snort org<mailto:snort-sigs () lists snort org> Subject: RE: Hi all! (and a snort sig question) Looking closer at the packets, there’s (of course) no SNI field when browsing by IP Trying a different approach now From: Snort-sigs <snort-sigs-bounces () lists snort org<mailto:snort-sigs-bounces () lists snort org>> On Behalf Of Rob Vandenbrink via Snort-sigs Sent: Thursday, October 3, 2024 5:45 PM To: snort-sigs () lists snort org<mailto:snort-sigs () lists snort org> Subject: [Snort-sigs] Hi all! (and a snort sig question) Hi everyone – long time snort user / new to this list though I’m trying to build a signature that triggers on a user browsing by IP address (instead of by fqdn or cn). So it would be fine with “https://www.cisco.com” but trigger on “https://23.56.210.155” (or whatever cisco resolves to that day) So far I have this: alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \ msg:"BROWSER OTHER alert on direct ip browsing"; \ content:"."; \ http_raw_uri:host; \ pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; \ ssl_state:client_hello; \ sid:1000010; \ rev:33; \ gid:1; \ priority:4; \ classtype:unknown; \ ) No joy on this at all – it reads fine into the config, but never fires. I think this is a basic misunderstanding on how to chain the field, the content and the pcre statement together. They only parse if they’re in this order, but I have no clue how to get one line to relate to the next (the content line seems extraneous to me) If there was a decent reference website I’d go there, but most either document everything discretely (rather than in combination), or have really basic examples … If anyone has good thoughts on this, beverages are on me if you are ever at a SANSFIRE or SECTOR conference (or are in Ontario Canada near me). (and yes, when all is done I can play with http_uri and raw_uri to see which works best for evasive encoding) ============== Rob VandenBrink 519-589-1881 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org> https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 04)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 07)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 08)
- Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Al Lewis (allewi) via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 08)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 07)