Snort mailing list archives
Re: Hi all! (and a snort sig question)
From: Rob Vandenbrink via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 9 Oct 2024 16:01:31 +0000
Cool, will do
If I browse to an IP address, there is never an SNI (since there’s no “server name” to put there). Confirmed this with
a PCAP.
So my thought was to write a sig that looks for a null SNI value. My current best guess would be this one, which should look for an FQDN in the SNI field, and if there's no dot (which there should be) then trigger the alert.
https_raw_url.host:!"."
content:!"."; \
http_raw_uri:host; \
ssl_state:client_hello; \
==============
Rob VandenBrink
519-589-1881
From: Snort User <snort.user () gmail com>
Sent: Wednesday, October 9, 2024 11:26 AM
To: Rob Vandenbrink <rob () coherentsecurity com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Hi all! (and a snort sig question)
I don't think so. I would definitely use ssl_state:client_hello; and then look to match the SNI portion of the SSL
client hello packet and then try matching the dotted quad pattern.
But as you are doing, the best way is to try out your sig against a pcap
On Wed, Oct 9, 2024 at 11:09 AM Rob Vandenbrink <rob () coherentsecurity com> wrote:
Ah, I thought that since the Hello packets are unencrypted, snort would still inspect at least those.
I do not have decrypt turned on (given historic Cisco Firepower+Snort issues), but I think I can convince one of my
clients to give it a try now that they have new hardware and new code.
Do either of those two latest signatures that I’m trying look OK though?
==============
Rob VandenBrink
519-589-1881
From: Snort User <snort.user () gmail com>
Sent: Wednesday, October 9, 2024 10:16 AM
To: Rob Vandenbrink <rob () coherentsecurity com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Hi all! (and a snort sig question)
Hi Rob,
For your signature to detect any HTTP artifact, snort would have to inspect SSL decrypted payload. In your case, I
believe you have snort inspecting HTTPS, right?
If you have some sort of set up where the HTTPS traffic is intercepted and then snort gets to inspect it, then the case
is different.
Thanks
On Tue, Oct 8, 2024 at 3:31 PM Rob Vandenbrink via Snort-sigs <snort-sigs () lists snort org> wrote:
Got it narrowed down now to:
“look for a dot in the sni field, and fire if it’s not there”
content:!"."; \
http_raw_uri:host; \
ssl_state:client_hello; \
or, look for the string "SNI" in the client hello (I realize that this likely isn't there, I'll need to dig for bitmaps for this I think)
content:!"SNI"; \
http_raw_uri; \
ssl_state:client_hello; \
Anyway, neither fires – I’d figure that the first approach should work?
==============
Rob VandenBrink
519-589-1881
From: Rob Vandenbrink <rob () coherentsecurity com>
Sent: Sunday, October 6, 2024 6:58 PM
To: Rob Vandenbrink <rob () coherentsecurity com>; snort-sigs () lists snort org
Subject: RE: Hi all! (and a snort sig question)
Looking closer at the packets, there’s (of course) no SNI field when browsing by IP
Trying a different approach now
From: Snort-sigs <snort-sigs-bounces () lists snort org> On Behalf Of Rob Vandenbrink via Snort-sigs
Sent: Thursday, October 3, 2024 5:45 PM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] Hi all! (and a snort sig question)
Hi everyone – long time snort user / new to this list though
I’m trying to build a signature that triggers on a user browsing by IP address (instead of by fqdn or cn).
So it would be fine with "https://www.cisco.com" but trigger on "https://23.56.210.155" (or whatever cisco resolves to that day)
So far I have this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
msg:"BROWSER OTHER alert on direct ip browsing"; \
content:"."; \
http_raw_uri:host; \
pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; \
ssl_state:client_hello; \
sid:1000010; \
rev:33; \
gid:1; \
priority:4; \
classtype:unknown; \
)
No joy on this at all – it reads fine into the config, but never fires.
I think this is a basic misunderstanding on how to chain the field, the content and the pcre statement together. They only parse if they're in this order, but I have no clue how to get one line to relate to the next (the content line seems extraneous to me)
If there was a decent reference website I'd go there, but most either document everything discretely (rather than in combination), or have really basic examples ...
If anyone has good thoughts on this, beverages are on me if you are ever at a SANSFIRE or SECTOR conference (or are in Ontario Canada near me).
(and yes, when all is done I can play with http_uri and raw_uri to see which works best for evasive encoding)
==============
Rob VandenBrink
519-589-1881
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
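As an added example (not code from the thread or from the Snort project), here is the ClientHello check the rules above are trying to express, in Python: it builds constructed TLS ClientHello records with and without a server_name extension, extracts the SNI by walking the handshake structure, and flags the case the thread is after (no SNI at all), plus the dotted-quad pattern from the original pcre. The function names and sample records are my own.

```python
import re
import struct
from typing import Optional

DOTTED_QUAD = re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}")  # pcre from the original rule

def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, with or without an SNI extension."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts += struct.pack("!HH", 0x0017, 0)          # empty extended_master_secret as filler
    body = b"\x03\x03" + b"\x11" * 32              # client_version + 32-byte random
    body += b"\x00"                                # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # one compression method (null)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes) -> Optional[str]:
    """Return server_name from a ClientHello record, or None when the extension is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                          # headers, version, random
    pos += 1 + record[pos]                                    # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher suites
    pos += 1 + record[pos]                                    # compression methods
    if pos + 2 > len(record):
        return None                                           # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0x00:
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii")
        pos += 4 + elen
    return None

def looks_like_direct_ip_browsing(record: bytes) -> bool:
    """Flag a ClientHello with no SNI (browsing by IP), or an SNI that is itself a dotted quad."""
    sni = extract_sni(record)
    return sni is None or DOTTED_QUAD.fullmatch(sni) is not None
```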