Snort .Rules

Thread: Snort .Rules

  1. #1
    Senior Member tampabay420
    Join Date
    Aug 2002
    Posts
    953

    Snort .Rules

    Hey guys/gals -> I'd like to start coding my own Snort .rules, although I seem to be having a bit of trouble understanding the syntax. If anyone who is familiar with the rule sets could possibly explain some of the details for us newbies...

    Thanks in advance, I'll post any info I find
    yeah, I'm gonna need that by friday...

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    304

    Snort

    Yeah, I don't really know much about the rules but thought I would post a snort.rules file just in case anyone wanted to check 'em out.

    This is n3t.net's snort.rules file. Maybe not what they are using now but this was in their download section.

    anyways its attached to save room in the forum
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Wow Tamps..... That's a pretty big question.......

    What specifically are you wanting to trap?

    I can explain a basic rule for you quite easily, for example:

    alert tcp $EXTERNAL_NET any -> 192.168.1.1 3389 (msg: "Terminal Services Inbound"; flags: S; classtype:misc-activity; )

    alert make an entry in the log

    tcp..... DUH!! Though choices are at least TCP, UDP and ICMP

    $EXTERNAL_NET the variable defined in your snort.conf file as those machines that are not owned by you

    any = any source port you could define a specific or a list

    -> indicates direction, (I don't think you can do a <- though)

    192.168.1.1 Destination Address you could place a variable such as $HOME_NET as defined in your snort.conf

    3389 Destination port: you could say "any" or you can set ranges

    msg: The message enclosed in quotes that you want entered in the alert log

    flags what flags must be set in the packet. Important: You gotta say something here if you are not defining any content otherwise it alerts on every packet and you get a ton of alerts..... trust me......

    classtype You must have a classtype and it must match one of the class-types defined in snort

    That's pretty much it

    Alert, Protocol, where from, what sport, -> Where to, what dports, (what to say; what flags; what class-type; )

    test them before you use them.....<s>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    flags what flags must be set in the packet. Important: You gotta say something here if you are not defining any content otherwise it alerts on every packet and you get a ton of alerts..... trust me......
    What about UDP and ICMP? They don't have any flags, IIRC.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  6. #6
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    This site may be helpful
    http://www.my-snort.org/
    SHARING KNOWLEDGE

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    MsM: You are dead right of course...... I was in a bit of a hurry and a complete primer in TCP/IP was not at the front of my mind....<s>

    With ICMP you need to define content or itype, (echo request etc.) and with UDP you need content since there is no UDP type.

    Defining content can be a pain. I tried it a couple of times but don't have time to play with it. Basically you need Ethereal/tcpdumps of the packets you want to alert on and determine, hopefully, unique content within the packet, (in an http packet you might pull on "default.ida" for example), then you take the hex of that phrase and set it as content.

    Now, if you leave the rule like that poor old snort is going to grind, so you want to define as many parameters to the rule as you can. (I'm making educated guesses here......). Setting the flags to Push Ack would probably be good in this case so the packet would not pass through the rules filter to check for content if it doesn't have those flags set. Also, (if the "Default.ida" is always in the same place in the packet), there is an offset you can designate. This speeds up the rules filter since snort will skip straight to the offset and check for the match, if it doesn't find it the search stops otherwise it will simply search for the content throughout the entire packet.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
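Added example, not code from the thread or from Snort: a small Python parser, linter and matcher that follows the rule anatomy laid out in post #3 (action, protocol, source/port, direction, destination/port, then the option block with msg, flags and classtype) and the advice in post #7 (itype for ICMP, content for UDP, flags:PA as a cheap prefilter, and content given as hex with offset/depth). The rules and packets are constructed for the example; the matching is a deliberate simplification of Snort's that is assumed here rather than taken from Snort's source: flags compare as an exact set (Snort's default without a + or * modifier), depth is counted from the offset, and $EXTERNAL_NET/$HOME_NET are not expanded. The header regex also accepts Snort's <> bidirectional operator.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed rules. The first is the rule quoted in post #3; the others follow
# post #7: itype for ICMP, content (here the hex of "default.ida") with offset
# and depth for TCP, and a UDP rule that lints badly because it has no content.
RULES = [
    'alert tcp $EXTERNAL_NET any -> 192.168.1.1 3389 (msg: "Terminal Services Inbound"; flags: S; classtype:misc-activity; )',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; classtype:misc-activity;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"default.ida request"; flags:PA; content:"|64 65 66 61 75 6c 74 2e 69 64 61|"; offset:5; depth:11; classtype:web-application-attack;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"noisy UDP rule"; classtype:misc-activity;)',
]

# action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
Rule = namedtuple("Rule", "action proto src sport direction dst dport opts")

def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and a dict of the (key:value; ...) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):          # simplification: no ';' inside content
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, opts)

def decode_content(s: str) -> bytes:
    """Snort content syntax: plain text with |hh hh| hex runs between pipes."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def lint(rule: Rule) -> list:
    """Warnings for the mistakes posts #3 and #7 warn about."""
    o = rule.opts
    w = []
    if "msg" not in o:
        w.append("missing msg")
    if "classtype" not in o:
        w.append("missing classtype")
    if rule.proto == "tcp" and not {"flags", "content"} & o.keys():
        w.append("tcp rule with no flags or content fires on every packet")
    if rule.proto == "icmp" and not {"itype", "content"} & o.keys():
        w.append("icmp rule needs itype or content")
    if rule.proto == "udp" and "content" not in o:
        w.append("udp has no flags or type: rule needs content")
    return w

@dataclass
class Packet:                    # constructed stand-in for a decoded packet
    proto: str
    dport: int
    flags: str = ""              # TCP flag letters, e.g. "S" or "PA"
    itype: Optional[int] = None  # ICMP type
    payload: bytes = b""

def matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header and flag checks first, payload search last (post #7's ordering)."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    o = rule.opts
    # flags:S means exactly SYN, flags:PA exactly PSH+ACK (no '+' or '*'
    # modifier); compared as sets so "AP" and "PA" are the same thing.
    if "flags" in o and set(o["flags"]) != set(pkt.flags):
        return False
    if "itype" in o and pkt.itype != int(o["itype"]):
        return False
    if "content" in o:
        start = int(o.get("offset", 0))
        # assumption: depth is counted from the offset, not from byte 0
        end = start + int(o["depth"]) if "depth" in o else len(pkt.payload)
        if decode_content(o["content"]) not in pkt.payload[start:end]:
            return False
    return True

if __name__ == "__main__":
    for r in RULES:
        print(parse_rule(r).opts["msg"], "->", lint(parse_rule(r)) or "ok")
    pkt = Packet("tcp", 80, flags="PA", payload=b"GET /default.ida?NNNN HTTP/1.0")
    print([parse_rule(r).opts["msg"] for r in RULES if matches(parse_rule(r), pkt)])
    pkt = Packet("tcp", 80, flags="PA", payload=b"GET /x/default.ida HTTP/1.0")
    print([parse_rule(r).opts["msg"] for r in RULES if matches(parse_rule(r), pkt)])
```

The second demo packet shows the cost of offset/depth: "default.ida" is present in the payload, but not within bytes 5..15, so the rule stays quiet. Widen the window (or drop depth) when the string is not always at the same place, and keep flags:PA in front of any content search so the payload is only scanned for segments that can actually carry data.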
