
Snort rules


Presentation Transcript


  1. Snort rules 2006.10.11 黃暉清

  2. Tools
  • Snort
  • MySQL
  • Analysis Console for Intrusion Database (ACID): a web-based front end written in PHP for viewing Snort alerts and managing the database.
  • ADODB: lets ACID access MySQL.
  • PHPlot, JPGraph: let ACID draw statistical charts.

  3. Snort Rules
  • Rule file path:
    var RULE_PATH ./rule
  • Download rules:
    http://www.snort.org/pub-bin/downloads.cgi
    • Subscription release
    • Registered user release
    • Unregistered user release
    • Community rules
  • Custom rules:
    include $RULE_PATH/myrules.rules

  4. Snort rule format
  • A rule is made up of a rule header followed by the rule options in parentheses:
    Rule header:  alert tcp !$HOME_NET any -> $HOME_NET 445
    Rule options: (msg:"External NetBIOS Access";)
  • Example:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
    alert tcp any any -> any any (msg:"TCP Traffic";)

  5. Snort rules (cont.)
  • msg: the alert name.
  • flow:to_server,established:
    • to_server: the request is sent from the client to the server; established: the connection has already been set up.
  • content:
    • The option that scans the contents of the TCP payload.
    • May contain hex (enclosed in | |) and ASCII.
    • The order of mixing hex and ASCII does not matter.
    • Has positioning and scan-length modifiers: offset/depth, distance/within.

  6. Snort rules (cont.)
  • Example:
    content:"|00|"; depth:1;
    content:"|FF|SMB"; depth:4; offset:4;
    content:"I|00|P|00|C|00 24 00 00|"; distance:33; nocase;
  [Diagram: IP header | TCP header | content1 | content2. Absolute position, measured from the start of the payload: offset, depth. Relative position, measured from the end of the previous match (content1 to content2): distance, within.]

  7. Snort rules (cont.)
  000 : 00 00 00 52 FF 53 4D 42 75 00 00 00 00 18 07 C8
  010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
  020 : 00 58 C0 00 04 FF 00 52 00 08 00 01 00 27 00 00
  030 : 5C 00 5C 00 57 00 49 00 4E 00 53 00 4E 00 4F 00
  040 : 52 00 54 00 5C 00 49 00 50 00 43 00 24 00 00 00
  050 : 3F 3F 3F 3F 3F 00

  8. Snort rules (cont.)
  • byte_test:1,>,127,7,relative;  (a comparison test on the bytes at the given position)
  • byte_test:2,>,7,33,little,relative;
    • 08 00 → 0008 (read as little-endian)
  • classtype:protocol-command-decode;
    • The alert classification; the classes and their priorities are defined in /usr/local/etc/snort/classification.config.
  • sid:1294: the rule ID.
    • < 100: reserved
    • 100 ~ 1,000,000: used by the official Snort rules.
    • > 1,000,000: for user-defined rules.
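The following Python model is added here and is not part of the slides: it walks the content chain from slide 6 and the two byte_test checks from slide 8 over the packet printed on slide 7, showing how offset/depth (absolute) and distance/within (relative to the previous match) select the search window, and why the byte_test values must be read little-endian. It assumes that both byte_tests are evaluated relative to the end of the |FF|SMB match, which is where their offsets 7 and 33 land on the 0xC8 flags byte and on the 08 00 word the slide mentions.

```python
PACKET = bytes.fromhex(                     # the 86-byte packet from slide 7
    "00 00 00 52 FF 53 4D 42 75 00 00 00 00 18 07 C8 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE "
    "00 58 C0 00 04 FF 00 52 00 08 00 01 00 27 00 00 "
    "5C 00 5C 00 57 00 49 00 4E 00 53 00 4E 00 4F 00 "
    "52 00 54 00 5C 00 49 00 50 00 43 00 24 00 00 00 "
    "3F 3F 3F 3F 3F 00"
)

def content(payload, pattern, cursor, offset=0, depth=None,
            distance=None, within=None, nocase=False):
    """Model of the content option: returns the position just after the match
    (the new cursor) or None. offset/depth are absolute; distance/within are
    relative to `cursor`, the end of the previous match."""
    if distance is None and within is None:
        start = offset
        stop = len(payload) if depth is None else offset + depth
    else:
        start = cursor + (distance or 0)
        stop = len(payload) if within is None else start + within
    window = payload[start:stop]          # the pattern must fit entirely inside
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    hit = window.find(pattern)
    return None if hit < 0 else start + hit + len(pattern)

def byte_test(payload, size, op, value, offset, cursor=0, little=False):
    """Model of byte_test:<size>,<op>,<value>,<offset>[,little][,relative]; no cursor move."""
    pos = cursor + offset
    chunk = payload[pos:pos + size]
    if len(chunk) < size:                 # reading past the end never matches
        return False
    n = int.from_bytes(chunk, "little" if little else "big")
    return {">": n > value, "<": n < value, "=": n == value, "&": (n & value) != 0}[op]

def smb_ipc_rule(payload):
    """Slide 6 content chain plus the slide 8 byte_tests, evaluated in order."""
    c1 = content(payload, b"\x00", 0, depth=1)                 # content:"|00|"; depth:1;
    if c1 is None:
        return False
    c2 = content(payload, b"\xffSMB", c1, offset=4, depth=4)   # content:"|FF|SMB"; depth:4; offset:4;
    if c2 is None:
        return False
    # byte_test:1,>,127,7,relative       -> byte 15 (0xC8): the SMB flags2 unicode bit is set
    # byte_test:2,>,7,33,little,relative -> bytes 41-42 "08 00" read little-endian as 0x0008
    if not (byte_test(payload, 1, ">", 127, 7, c2)
            and byte_test(payload, 2, ">", 7, 33, c2, little=True)):
        return False
    # content:"I|00|P|00|C|00 24 00 00|"; distance:33; nocase;  (UTF-16LE "IPC$")
    return content(payload, b"I\x00P\x00C\x00$\x00\x00", c2, distance=33, nocase=True) is not None
```

Clearing the 0x80 bit of byte 15 or truncating the packet before the IPC$ string makes the rule fail, which is the kind of check worth running when tuning offsets for a new rule.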

  9. Snort rules (cont.)
  • rev:4: the current revision of the rule.
  • uricontent: Snort scans the URI for the keyword defined here.
    • Example: cmd.exe, etc/password…
    • Example: "../..", "..%255c.."
  • reference: reference information.
  • byte_jump:2,7,little,relative
    • Skips X bytes without scanning them; offset = offset + 7 + 2 + (X+1)

  10. Snort rules (cont.)
  • Adding a pcre match:
    • Example:
      alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)

  11. Example rule - MsBlast • alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:11;)

  12. Example rule - Sasser • alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:9;)
