-
March 27th, 2003, 05:22 PM
#1
Snort .Rules
Hey guys/gals -> I'd like to start coding my own Snort .rules, although I seem to be having a bit of trouble understanding the syntax. If anyone who is familiar with the rule sets could possibly explain some of the details for us newbies...
Thanx in advance, I'll post any info I find...
yeah, I'm gonna need that by friday...

-
March 27th, 2003, 05:39 PM
#2
Snort
Yea, I don't really know much about the rules but thought I would post a snort.rules file just in case anyone wanted to check 'em out.
This is n3t.net's snort.rules file. Maybe not what they are using now, but this was in their download section.
Anyways, it's attached to save room in the forum.
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!
-
March 27th, 2003, 05:53 PM
#3
Wow Tamps..... That's a pretty big question.......
What specifically are you wanting to trap?
I can explain a basic rule for you quite easily, for example:
alert tcp $EXTERNAL_NET any -> 192.168.1.1 3389 (msg: "Terminal Services Inbound"; flags: S; classtype:misc-activity; )
alert: make an entry in the log
tcp: ..... DUH!! The choices are at least TCP, UDP and ICMP
$EXTERNAL_NET: the variable defined in your snort.conf file as those machines that are not owned by you
any: any source port; you could define a specific port or a list
->: indicates direction (I don't think you can do a <- though)
192.168.1.1: destination address; you could place a variable such as $HOME_NET as defined in your snort.conf
3389: destination port; you could say "any" or you can set ranges
msg: the message enclosed in quotes that you want entered in the alert log
flags: what flags must be set in the packet. Important: you gotta say something here if you are not defining any content, otherwise it alerts on every packet and you get a ton of alerts..... trust me......
classtype: you must have a classtype and it must match one of the class-types defined in snort
That's pretty much it:
Alert, Protocol, where from, what sport, -> Where to, what dports, (what to say; what flags; what class-type; )
Test them before you use them.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 27th, 2003, 05:58 PM
#4
flags what flags must be set in the packet. Important: You gotta say something here if you are not defining any content otherwise it alerts on every packet and you get a ton of alerts..... trust me......
What about UDP and ICMP? They don't have any flags, IIRC.
-
March 27th, 2003, 06:32 PM
#5
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharoes have the slaves demanding work
http://muaythaiscotland.com/
-
March 27th, 2003, 06:56 PM
#6
This site may be helpful
http://www.my-snort.org/
SHARING KNOWLEDGE
-
March 27th, 2003, 07:39 PM
#7
MsM: You are dead right of course...... I was in a bit of a hurry and a complete primer in TCP/IP was not at the front of my mind....
With ICMP you need to define content or itype (echo request etc.), and with UDP you need content since there is no UDP type.
Defining content can be a pain. I tried it a couple of times but don't have time to play with it. Basically you need Ethereal/tcpdump captures of the packets you want to alert on and determine, hopefully, unique content within the packet (in an http packet you might pull on "default.ida" for example), then you take the hex of that phrase and set it as content.
Now, if you leave the rule like that, poor old snort is going to grind, so you want to define as many parameters to the rule as you can. (I'm making educated guesses here......). Setting the flags to Push Ack would probably be good in this case so the packet would not pass through the rules filter to check for content if it doesn't have those flags set. Also (if the "default.ida" is always in the same place in the packet), there is an offset you can designate. This speeds up the rules filter since snort will skip straight to the offset and check for the match; if it doesn't find it the search stops, otherwise it will simply search for the content throughout the entire packet.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
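As an added, constructed example (not Snort's own code and not anything the posters above wrote), here is a small Python parser and matcher for the rule anatomy laid out in post #3 (action, protocol, source/port, direction, destination/port, options) and the flags/itype/content/offset points in post #7. It expands $HOME_NET and $EXTERNAL_NET from a constructed SNORT_VARS table, also accepts Snort's bidirectional <> operator, and reports the stage at which a packet was rejected, which makes visible how a flags or itype test in front of the content search keeps the payload from being scanned on every packet. The sample rules (other than the one from post #3), packets and variable values are all constructed for this example.

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort's code).
Checks run cheap-to-expensive as the thread describes: header, then flags/itype,
and only then the payload content (with Snort's offset/depth window)."""
import ipaddress
import re

# Values snort.conf would define; constructed for this example.
SNORT_VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Header fields plus an ordered list of (keyword, value) options.
    Options are split on ';', so a content string containing ';' is not handled."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = m.groupdict()
    rule["options"] = []
    for raw in rule.pop("opts").split(";"):
        if raw.strip():
            key, _, val = raw.partition(":")
            rule["options"].append((key.strip(), val.strip().strip('"')))
    return rule

def content_bytes(value):
    """Content string to bytes; text between '|' pairs is hex, e.g. '|64 65|fault.ida'."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(value.split("|")))

def ip_matches(spec, addr):
    if spec == "any":
        return True
    spec = SNORT_VARS.get(spec, spec)           # expand $HOME_NET-style variables
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                             # range: 1:1024, :1024 or 1024:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def flags_match(spec, pkt_flags):
    """Snort flags semantics: exact set by default; trailing '+' = these plus any
    others, '*' = any of these, '!' = none of these."""
    mod = spec[-1] if spec[-1] in "+*!" else ""
    want, have = set(spec.rstrip("+*!")), set(pkt_flags)
    return {"+": want <= have, "*": bool(want & have),
            "!": not (want & have)}.get(mod, want == have)

def header_matches(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":                     # bidirectional: try the reverse too
        return fwd or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd

def evaluate(rule, pkt):
    """Stage at which the packet was rejected ('header', 'flags', 'itype',
    'content') or 'match'."""
    if not header_matches(rule, pkt):
        return "header"
    opts = dict(rule["options"])
    if "flags" in opts and not flags_match(opts["flags"], pkt.get("flags", "")):
        return "flags"
    if "itype" in opts and pkt.get("itype") != int(opts["itype"]):
        return "itype"
    if "content" in opts:                       # only now is the payload touched
        start = int(opts.get("offset", 0))
        end = start + int(opts["depth"]) if "depth" in opts else None
        if pkt.get("payload", b"").find(content_bytes(opts["content"]), start, end) < 0:
            return "content"
    return "match"

RULES = [  # first rule is the one from post #3; the other two are constructed
    'alert tcp $EXTERNAL_NET any -> 192.168.1.1 3389 (msg: "Terminal Services Inbound"; flags: S; classtype:misc-activity; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDA request"; flags:PA; content:"default.ida"; offset:4; depth:40; classtype:web-application-attack;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo"; itype:8; classtype:misc-activity;)',
]
EXT, HOST = "10.0.0.5", "192.168.1.10"          # constructed addresses
PACKETS = {                                     # constructed packets; ports 0 where none exist
    "rdp_syn": dict(proto="tcp", src=EXT, sport=40000, dst="192.168.1.1", dport=3389, flags="S"),
    "ida_get": dict(proto="tcp", src=EXT, sport=40001, dst=HOST, dport=80, flags="PA",
                    payload=b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n"),
    "ida_syn": dict(proto="tcp", src=EXT, sport=40002, dst=HOST, dport=80, flags="S"),
    "ida_late": dict(proto="tcp", src=EXT, sport=40003, dst=HOST, dport=80, flags="PA",
                     payload=b"GET /" + b"a" * 60 + b"/default.ida HTTP/1.0\r\n"),
    "ping": dict(proto="icmp", src=EXT, sport=0, dst=HOST, dport=0, itype=8),
}

def scan(packets=PACKETS, rule_texts=RULES):
    """Every rule against every packet: {packet_name: {rule msg: stage}}."""
    rules = [parse_rule(r) for r in rule_texts]
    return {name: {dict(r["options"])["msg"]: evaluate(r, pkt) for r in rules}
            for name, pkt in packets.items()}
```

Running scan() shows the ordering at work: "ida_syn" is thrown out at the "flags" stage without its payload being looked at, and "ida_late" reaches the "content" stage but fails because "default.ida" sits outside the offset/depth window, which is what makes a tight offset cheap and a loose one expensive.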