What is a Snort Rule and How to Write One?
What is a Snort Rule?
Snort is a Network Intrusion Detection and Prevention System that is driven by rules.
It also performs real-time analysis of network traffic. It uses libpcap on Linux/Unix and WinPcap on Windows.
How to Write a Snort Rule?
A rule consists of a Rule Header and Rule Options.
Rule Header:
It identifies the action to take, such as alert, log or pass.
Rule Action: tells Snort what to do when the rule's conditions are met.
Pass: tells Snort to ignore the packet.
Log: logs the packet.
Alert: generates an alert message when the conditions match the traffic.
Activate: generates an alert and also activates another rule to check for further conditions.
Dynamic: these rules stay idle until they are triggered by an activate rule.
User Defined Action: lets us create our own rule action(s).
Rule Options:
They carry the rule's alert message and its other details.
Message: the text written to the log and alert when the rule fires.
Reference: a reference to an external attack identification system.
Generator ID: identifies which part of Snort fired when the event occurred.
Snort Rule ID: uniquely identifies the Snort rule.
Revision: identifies the revision of the Snort rule.
ClassType: categorizes the rule by the class of attack it detects.
Priority: assigns a severity level to the rule.
Metadata: attaches additional information to the rule.
Examples:
alert tcp any any -> any 80 (msg:"TCP Traffic alert"; content:"login"; flags:S; sid:100;)
alert udp any any -> any any (msg:"UDP Traffic alert"; content:"login"; sid:101;)
alert: the Rule Action. Snort generates an alert when the conditions are satisfied.
any: the source IP address. With "any", Snort matches every source IP.
any: the source port number. With "any", Snort matches every port.
->: the direction of flow, from source to destination.
any: the destination IP address. With "any", Snort matches every destination IP.
any: the destination port number. With "any", Snort matches every port.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1001; rev:1; classtype:icmp-event;)
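To make the header/option structure described above concrete, here is a small parser for the rule format, written for this post (it is not Snort's own code and not part of the original post). It assumes the layout the post describes: action, protocol, source IP, source port, direction, destination IP, destination port, then the options in parentheses as "key:value;" pairs, every one terminated by a semicolon. The function names (parse_rule, split_options, valid_port) are my own, and the error cases are the structural mistakes Snort itself refuses to load (unknown action, missing sid, an option without its closing semicolon, a non-numeric port).

```python
import re
from typing import Dict, List, Tuple

# Actions from the post (alert, log, pass, activate, dynamic) plus the inline-mode
# actions drop, reject and sdrop. User-defined actions (ruletype) are not modelled.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header = action proto src sport direction dst dport, followed by "(options)"
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)
# 'any', a $VARIABLE, a single port, or a low:high range, optionally negated with '!'
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+(:\d*)?|:\d+)$")


def valid_port(spec: str) -> bool:
    return PORT_RE.match(spec) is not None


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key:value;' on the ';' that sit outside double quotes.
    Every option must end with ';' (Snort rejects a missing one)."""
    items, buf, in_quote = [], [], False
    for i, ch in enumerate(body):
        escaped = i > 0 and body[i - 1] == "\\"
        if ch == '"' and not escaped:
            in_quote = not in_quote
        if ch == ";" and not in_quote and not escaped:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if in_quote:
        raise ValueError("unterminated double quote in rule options")
    if tail:
        raise ValueError(f"option not terminated with ';': {tail!r}")
    pairs = []
    for item in items:
        if not item:
            continue
        key, _, val = item.partition(":")
        key, val = key.strip(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # drop the quotes around msg/content text
        pairs.append((key, val))
    return pairs


def parse_rule(rule: str) -> Dict:
    """Parse one Snort rule into its header fields and option list."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("expected: action proto src sport -> dst dport (options)")
    h = m.groupdict()
    if h["action"] not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {h['action']!r}")
    if h["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {h['proto']!r}")
    for label in ("sport", "dport"):
        if not valid_port(h[label]):
            raise ValueError(f"bad {label} {h[label]!r}")
    options = split_options(h.pop("opts"))
    keys = dict(options)
    if "sid" not in keys:
        raise ValueError("every rule needs a sid")
    h["options"] = options
    h["sid"] = int(keys["sid"])
    h["rev"] = int(keys.get("rev", "0"))
    h["msg"] = keys.get("msg", "")
    return h


if __name__ == "__main__":
    # The post's example rules (straight quotes; flags:S is uppercase in Snort),
    # plus one with a typo in the action to show the error path.
    for r in [
        'alert tcp any any -> any 80 (msg:"TCP Traffic alert"; content:"login"; flags:S; sid:100;)',
        'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1001; rev:1; classtype:icmp-event;)',
        'alrt tcp any any -> any 80 (msg:"typo in action"; sid:1;)',
    ]:
        try:
            p = parse_rule(r)
            print(f"OK  sid={p['sid']} {p['action']} {p['proto']} {p['src']}:{p['sport']} "
                  f"{p['direction']} {p['dst']}:{p['dport']} msg={p['msg']!r}")
        except ValueError as e:
            print(f"ERR {e}: {r}")
```

Running it prints one OK line per well-formed rule and an ERR line for the misspelled action. Two things worth noticing: the rules in this post were pasted with curly quotes, which Snort does not accept, so straight quotes are used here; and flags are case-sensitive, so the SYN flag is written flags:S.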
Example 2)
Snort Rule for the EternalBlue Vulnerability:
Refer to the previous blog "EternalBlue vulnerability" for the exploit against SMB.
There we captured a pcap, and in it we can see a long run of 'A' characters.
We will use the hex value of 'A', which is 41, in our Snort rule, as it is more efficient than the ASCII value. There are 1449 'A' characters, so we put 1449 occurrences of 41 inside the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible buffer overflow attempt over port 445."; content:"|4141…14141|"; sid:10000006; rev:1;)
As you can see, in our Security Onion, Squert shows our rule firing:
Example 3)
Snort Rule for the Heartbleed Vulnerability:
Here in the pcap we can see the data flowing in plaintext. We will use that in our rule.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Plaintext HTTP headers User-Agent and Host detected over port 443 (response from server)."; flow:from_server,established; content:"User|2d|Agent"; content:"Host|3a|"; sid:10000008; rev:1;)
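Both the EternalBlue rule (a |41 41 ...| hex block) and the Heartbleed rule ("User|2d|Agent", "Host|3a|") rely on Snort's content syntax, where text between pipes is hex and everything else is literal. The following added example (my own code, not Snort's and not from the original post) decodes that syntax into the bytes Snort actually compares, builds the 1449-byte 'A' content the way the post describes, and checks constructed sample payloads against both rules' content options. The function names (decode_content, hex_content, matches_all) and all sample payloads are my own; the payloads are constructed here, not taken from the post's pcaps. One thing the decoder makes visible is that |41| and a literal A become the same byte, so the hex form mainly helps with bytes that are not printable.

```python
import re
from typing import List

HEX_BLOCK_RE = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def decode_content(content: str) -> bytes:
    """Turn a Snort content string into the bytes Snort compares against the
    payload: text between | | is hex (spaces allowed), the rest is literal."""
    out = bytearray()
    pos = 0
    for m in HEX_BLOCK_RE.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        digits = m.group(1).replace(" ", "")
        if len(digits) % 2:
            raise ValueError(f"odd number of hex digits in |{m.group(1)}|")
        out += bytes.fromhex(digits)
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def hex_content(data: bytes) -> str:
    """Render raw bytes as one |..| block, as the post does for the run of 'A'
    (0x41) bytes: hex_content(b"A" * 1449) gives the EternalBlue rule's content."""
    return "|" + data.hex().upper() + "|"


def matches_all(payload: bytes, contents: List[str]) -> bool:
    """True when every content pattern occurs somewhere in the payload. This is
    the behaviour of several plain content options without distance/within
    modifiers; Snort's pattern matcher is faster but gives the same answer."""
    return all(decode_content(c) in payload for c in contents)


# Content options taken from the two rules in the post.
HEARTBLEED_CONTENTS = ["User|2d|Agent", "Host|3a|"]
ETERNALBLUE_CONTENT = hex_content(b"A" * 1449)   # 1449 x "41"

# Constructed sample payloads (not from the post's pcaps).
PLAINTEXT_ON_443 = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(range(32))
SMB_WITH_PADDING = b"\x00\x00\x05\xb9\xffSMB" + b"A" * 1449 + b"\x00\x00"
SMB_SHORT_PADDING = b"\x00\x00\x04\x00\xffSMB" + b"A" * 1000 + b"\x00\x00"

if __name__ == "__main__":
    print("Heartbleed contents decode to:", [decode_content(c) for c in HEARTBLEED_CONTENTS])
    print("plaintext HTTP on 443 matches:", matches_all(PLAINTEXT_ON_443, HEARTBLEED_CONTENTS))
    print("TLS ClientHello matches:", matches_all(TLS_CLIENT_HELLO, HEARTBLEED_CONTENTS))
    print("EternalBlue content is", len(ETERNALBLUE_CONTENT), "characters long")
    print("1449 x 'A' matches:", matches_all(SMB_WITH_PADDING, [ETERNALBLUE_CONTENT]))
    print("1000 x 'A' matches:", matches_all(SMB_SHORT_PADDING, [ETERNALBLUE_CONTENT]))
```

The decoder does not handle the backslash escapes Snort requires for a literal quote, semicolon or backslash inside a content string; add that if you feed it rules from a production ruleset. The short-padding case shows why the post counts the 'A' bytes exactly: a plain content match of 1449 bytes is all-or-nothing, and a shorter run of the same character does not fire the rule.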