How to write Snort detection rules
From: http://kunming.cyberpolice.cn/aqjs/200010.html
Abstract: Snort is a powerful, lightweight network intrusion detection system. It analyzes traffic in real time and logs IP packets, performs protocol analysis, and searches and matches packet content. It can detect many different attack methods and raise alerts on them in real time. In addition, Snort is easy to extend and port. This article explains how to develop Snort rules. (2002-07-09 13:13:25)

By: scholar Q

1. Basics

Snort uses a simple rule description language that is easy to extend and quite powerful. The most basic points are these.

Each Snort rule must be written on a single line; the rule parser cannot handle rules that span lines. Note: some of the examples in this article are wrapped onto two lines for presentation only.

Each Snort rule can be divided into two parts: the rule header and the rule options. The rule header contains the rule's action, the protocol, the source and destination IP addresses with their subnet masks, and the source and destination ports. The rule options contain the alert message and the information (signatures) that identify the packets of interest; Snort uses these signatures to decide whether to take the action the rule specifies. Here is an example:

    alert tcp any any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "mountd access";)

    Table 1. A simple Snort rule

Everything from the beginning of the rule up to the leftmost parenthesis is the rule header; the part inside the parentheses is the rule options.
The words in front of the colons in the rule options are called option keywords. Note that rule options are not required in every rule; they specify in more detail which packets should be logged or alerted on. Snort performs the rule's action only when all of its options match; when several options are combined they are in a logical AND relationship. Let us start with the rule header.

1.1 include

The include keyword lets the rule file named on the Snort command line pull in rules from other rule files, much like #include in C. Snort reads the content of the included file in place of the include keyword.

Format:

1.2 Variables

Variables can be defined in the Snort rule file.

Format: var

Example:

    var my_net [192.168.1.0/24,10.1.1.0/24]
    alert tcp any any -> $my_net any (flags: S; msg: "SYN packet";)

    Table 2. Variable definition and use in a rule

Variable names can be modified in several ways, and the operators below can be used to define meta-variables. The available modifiers are:
    $var: defines a meta-variable
    $(var): uses the contents of variable var as the variable name
    $(var:-default): uses the contents of var as the variable name, or default if var is not defined
    $(var:?message): uses the contents of var as the variable name; if var is not defined, prints the error message and exits

Example:

    var my_net $(my_net:-192.168.1.0/24)
    log tcp any any -> $(my_net:?my_net is undefined!) 23

    Table 3. Advanced use of variables

2. Rule headers

2.1 Rule action

The rule header contains the information that defines which packets are of interest: where a packet comes from, what kind of packet it is, and what to do with a packet that matches. The first item in every rule is the rule action, which tells Snort what to do when it finds a packet that matches the rule. Snort has five default actions: alert, log, pass, activate and dynamic.

    alert: generate an alert using the selected alert method, then log the packet
    log: log the packet
    pass: ignore the packet
    activate: alert, then turn on another dynamic rule
    dynamic: remain idle until activated by an activate rule, then act as a log rule

You can also define your own rule types and link them to one or more output plugins, and then use those types in Snort rules. Such a type could, for example, only write logs in tcpdump format. The type below sends its alerts to syslog and logs to a MySQL database:

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snort dbname=snort host=localhost
    }

2.2 Protocol

The second item of each rule is the protocol. Currently Snort can analyze three protocols: TCP, UDP and ICMP. Support for protocols such as ARP, IGRP, GRE, OSPF, RIP and IPX may be added in the future.

2.3 IP addresses

Next come the IP address and port information. The keyword any can be used to mean any IP address. Snort does not resolve hostnames, so addresses must be given in numeric address/CIDR form.
A /24 mask represents a class C network, /16 a class B network, and /32 a specific host address. For example, 192.168.1.0/24 represents the addresses from 192.168.1.1 to 192.168.1.255.

In rules, the negation operator can be applied to IP addresses; it tells Snort to match every IP address except the ones listed. The negation operator is !. For example, the rule from Table 1 can easily be rewritten with the negation operator so that it alerts on mountd access coming from outside the network:
    alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)

    Table 4. Using the negation operator on an IP address

The ! in this rule's source address means that the source IP may be any address except one on the internal network, while the destination must be an internal network address.

You can also define an IP address list. The format of an IP list is:

    [ip address 1/CIDR,ip address 2/CIDR,...]

Note that there are no spaces between the addresses. For example:

    alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.168.1.0/24,10.1.1.0/24] 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)

2.4 Port numbers

Port numbers can be specified in several ways in rules: any, a static port number, a port range, and negation. any means any legal port number; a static port number is a single port, for example 111 (portmapper), 23 (telnet) or 80 (http). A range operator specifies a range of ports, and it can be used in several ways for different purposes:

    log udp any any -> 192.168.1.0/24 1:1024
        logs UDP packets from any port whose destination port is between 1 and 1024

    log tcp any any -> 192.168.1.0/24 :6000
        logs TCP packets from any port whose destination port is less than or equal to 6000

    log tcp any :1024 -> 192.168.1.0/24 500:
        logs TCP packets whose source port is less than or equal to 1024 and whose destination port is greater than or equal to 500

    Table 5. Examples of port ranges

The logical negation operator ! can also be applied to ports (port negation). It may be combined with any of the other port forms (except any, which would then match nothing). For example, to log all traffic except that to the X Window System ports, use:

    log tcp any any -> 192.168.1.0/24 !6000:6010

    Table 6.
Port negation

2.5 Direction operator

The direction operator -> indicates the direction of the traffic the rule applies to: the address and port on its left are the packet's source, and those on its right are the destination. There is also a bidirectional operator <>, which makes Snort apply the rule to traffic flowing in both directions between the two address/port pairs; this is useful for Telnet or POP3 sessions. The following rule logs both directions of a Telnet session:

    log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

    Table 7. A Snort rule using the bidirectional operator

2.6 Activate/dynamic rules

Activate/dynamic rules extend Snort's capabilities: one rule can activate another. This is convenient when, once a particular rule fires, you want Snort to go on logging the packets that follow. Activate rules are just like alert rules except that they have one required option, activates.
Dynamic rules are just like log rules, but they require the option activated_by and a second option, count. When an activate rule fires, it turns on the dynamic rule whose number follows the activates/activated_by option, and that rule logs count packets. The following is an example of an activate/dynamic rule pair:

    activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content: "|E8C0FFFFFF|/bin"; activates: 1; msg: "IMAP buffer overflow!";)
    dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;)

    Table 8. An activate/dynamic rule pair

This pair makes Snort raise an alert when it detects the IMAP buffer overflow and then log the next 50 packets sent to port 143 of $HOME_NET. If the buffer overflow succeeds, the next 50 packets sent to the same service port on this network (port 143 in this example) are likely to contain important data that is useful for later analysis.

3. Rule options

The rule options form the core of Snort's intrusion detection engine; they are easy to use, powerful and easy to extend. In each Snort rule, options are separated from each other by semicolons, and an option keyword is separated from its arguments by a colon.
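The address, port and direction syntax of sections 2.3 to 2.5 can be checked with a small evaluator. The Python below is an added example written for this article; it is not part of Snort and not from the original text. It assumes variables such as $HOME_NET have already been substituted, handles IPv4 only, and the helper names parse_address_spec, parse_port_spec, parse_header and header_matches are its own.

```python
# Added example: evaluating the Snort 1.x rule-header syntax described in
# sections 2.3-2.5 (any, CIDR, [lists], "!" negation, port ranges, -> and <>).
# Not part of Snort or of the article; helper names are this example's own.
import ipaddress
import re


def parse_address_spec(spec):
    """Return (negated, networks); networks is None for 'any'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]                       # IP list: [a/24,b/24]
    nets = [ipaddress.ip_network(s, strict=False) for s in spec.split(",")]
    return negated, nets


def address_matches(spec, ip):
    negated, nets = parse_address_spec(spec)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return (not hit) if negated else hit        # "!any" therefore matches nothing


def parse_port_spec(spec):
    """Return (negated, (low, high)) for any, N, N:M, :M or N:."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return negated, (int(lo) if lo else 0, int(hi) if hi else 65535)
    return negated, (int(spec), int(spec))


def port_matches(spec, port):
    negated, (lo, hi) = parse_port_spec(spec)
    hit = lo <= port <= hi
    return (not hit) if negated else hit


# action proto src sport direction dst dport, optionally followed by (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(\(.*\))?$")


def parse_header(rule):
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("cannot parse rule header: " + rule)
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport", "options")
    return dict(zip(keys, m.groups()))


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the packet's protocol and 5-tuple satisfy the rule header."""
    h = parse_header(rule)
    if h["proto"].lower() != proto.lower():
        return False

    def one_way(a, ap, b, bp):
        return (address_matches(h["src"], a) and port_matches(h["sport"], ap)
                and address_matches(h["dst"], b) and port_matches(h["dport"], bp))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    # <> also accepts the packet with source and destination swapped
    return h["direction"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


if __name__ == "__main__":
    rule = ('alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.168.1.0/24,10.1.1.0/24] 111 '
            '(content: "|00 01 86 a5|"; msg: "external mountd access";)')
    print(header_matches(rule, "tcp", "172.16.0.5", 40000, "192.168.1.7", 111))  # True
    print(header_matches(rule, "tcp", "10.1.1.9", 40000, "192.168.1.7", 111))    # False
```

The bidirectional case is handled by simply trying the packet a second time with source and destination swapped, which is exactly what the article says <> means; note that a negated any returns False for every packet, the "matches nothing" case the port section mentions.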
As of this writing (Snort version 1.7), Snort has 23 rule options:

    msg: the message to print in alerts and packet logs
    logto: log the packet to a user-specified file instead of the standard output file
    ttl: test the value of the IP header's TTL field
    tos: test the value of the IP header's TOS field
    id: test whether the IP packet's fragment ID field has a specific value
    ipoption: look at the IP option fields
    fragbits: test the fragmentation bits of the IP header
    dsize: test the size of the packet's payload
    flags: test whether the TCP flags have a certain value
    seq: test whether the TCP sequence number has a certain value
    ack: test whether the TCP acknowledgement field has a certain value
    itype: test the ICMP type field
    icode: test the ICMP code field
    icmp_id: test whether the ICMP echo ID has a certain value
    content: search for a pattern in the packet payload
    content-list: search for a list of patterns in the packet payload
    offset: set the offset at which the content search starts
    depth: set the maximum search depth
    nocase: match the content string without regard to case
    session: dump the application-layer information of a session
    rpc: watch the RPC service calls of specific applications/procedures
    resp: active response (disconnect the connection, etc.)
    react: active reaction (block web sites)

3.1 msg

The msg option tells the logging engine the message to print along with the packet dump, and the alerting engine the message to include in the alert. It is simply a text string used as a description.

Format: msg: "";

3.2 logto

The logto option tells Snort to log all packets that trigger the rule to the specified file. This is convenient for collecting the data of nmap scans or HTTP CGI scans. Note: this option has no effect when binary logging mode is used.
Format: "
Note: the match is case sensitive. The data in the content option can mix text and binary data. Binary data is enclosed in pipe characters (|) and written as bytecode, that is, as hexadecimal numbers. Table 10 is a Snort rule that mixes text and binary data.

Format: content: "";

3.10 offset

The offset option is a modifier for the content option: it sets the position in the payload at which the content pattern match begins. This is useful in cases such as CGI scans, where the string being searched for never appears in the first 4 bytes of the packet. Note: set the offset value carefully, since a wrong offset can cause missed detections! This option can only be used together with the content option.

Format:

3.11 depth

The depth option sets the maximum search depth, so that Snort only searches the region of the payload where the signature can occur and does not waste time on needless searching. For example, when searching for "cgi-bin/phf" in a packet bound for a web server, there is no point in looking beyond the first 20 bytes of the packet payload. The rule in Table 11 combines content, offset and depth:

    alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF access";)

    Table 11. A rule containing the content, offset and depth options

Format: depth: ;

3.12 nocase

The nocase option makes the content pattern match case insensitive: Snort no longer distinguishes the case of ASCII characters in the pattern.

Format:

    Table 12. A rule using the nocase modifier

3.13 flags

This option tests the flags of the TCP header.
Snort recognizes eight flag values:

    F: FIN (the leftmost bit of the TCP flag byte)
    S: SYN
    R: RST
    P: PSH
    A: ACK
    U: URG
    2: reserved bit 2
    1: reserved bit 1 (the rightmost bit of the flag byte)

Logical operators can also be applied to the specified flags:

    +: ALL, match when the specified flags are set, whatever the other flags are
    *: ANY, match when any of the specified flags is set
    !: NOT, match when none of the specified flags is set

This option is used to detect anomalous behaviour, for example IP protocol stack fingerprinting or other suspicious activity. Table 13 is a rule that detects SYN-FIN scans.

3.14 seq

This option concerns the sequence number of the TCP packet.
Essentially it only checks whether the sequence number equals a static value, so this option is of little practical use; it is included for completeness.

Format: seq: ;

3.15 ack

This option concerns the acknowledgement field of the TCP header. So far it has only one practical use: detecting nmap TCP ping scans. When nmap performs a TCP ping scan, it sets the acknowledgement number (4 bytes) in the TCP header to 0 and sends a TCP ACK packet to the target host to determine whether the host is up. Table 14 is a rule that detects this probe.

Format: ack: ;

3.16 itype

The ICMP type values are as follows:

    0: echo reply
    3: destination unreachable
    4: source quench
    5: redirect (change route)
    8: echo request
    11: time exceeded for an IP packet
    12: IP packet parameter problem
    13: timestamp request
    14: timestamp reply
    15: information request
    16: information reply
    17: address mask request
    18: address mask reply

Note: denial of service and flood packets sometimes use invalid ICMP types. This option can be used to detect invalid ICMP types, that is, values not listed above.

Format: itype: ;

3.17 icode

Likewise, the ICMP code field can be tested for other values to detect suspicious packets.

Format: icode: ;

3.18 session

The session keyword, added in Snort 1.3.1.1, extracts the user data from TCP sessions. Use it when you want to see what users are doing in Telnet, rlogin, FTP or even web sessions. It takes one of two parameter keywords: printable and all. With printable, Snort outputs only printable data; with all, Snort outputs all data, showing non-printable data in hexadecimal. This feature slows Snort down considerably, so it is unsuitable for heavy loads, and it is best used with the binary log file format. Table 15 is a rule that records a Telnet session:

    log tcp any any <> 192.168.1.0/24 23 (session: printable;)

    Table 15.
Record printable Telnet session data

Format: session: [printable|all];

3.19 icmp_id

The icmp_id option tests whether the ICMP echo ID of an ICMP echo packet equals a specific value. This option exists because some covert channel programs use a static ICMP ID field when communicating. This particular plugin was developed to implement the Stacheldraht detection rules written by Max Vision (a well-known white-hat hacker; translator's note). It also helps detect other potential attacks.
Format: icmp_id: ;

3.20 icmp_seq

The icmp_seq option tests whether the ICMP sequence number of an ICMP echo packet equals a specific value. This option exists because some covert channel programs use a static ICMP sequence field when communicating. This particular plugin was developed to implement the Stacheldraht detection rules written by Max Vision. It also helps detect other potential attacks.

Format: icmp_seq: ;

3.21 rpc

The rule matches only when all three values match; the wildcard * can be used in place of the version and procedure numbers.

Format: rpc: ;

Examples:

    alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000,*,3; msg: "RPC getport (TCP)";)
    alert udp any any -> 192.168.1.0/24 111 (rpc: 100000,*,3; msg: "RPC getport (UDP)";)
    alert udp any any -> 192.168.1.0/24 111 (rpc: 100083,*,*; msg: "RPC ttdb";)

    Table 16. RPC alert rules

3.22 resp

For packets that match a rule, Snort's flexible response (FlexResp) mechanism can be invoked with the resp keyword. With the FlexResp plugin, Snort can actively tear down a malicious connection. The module's parameters are:

    rst_snd: send a TCP RST packet to the sending socket
    rst_rcv: send a TCP RST packet to the receiving socket
    rst_all: send TCP RST packets in both directions
    icmp_net: send an ICMP_NET_UNREACH packet to the sender
    icmp_host: send an ICMP_HOST_UNREACH packet to the sender
    icmp_port: send an ICMP_PORT_UNREACH packet to the sender
    icmp_all: send all of the above ICMP packets to the sender

Several parameters can be combined, separated by commas.

Format: resp: ;

Examples:

    alert tcp any any -> 192.168.1.0/24 1524 (flags: S; resp: rst_all; msg: "Root shell backdoor attempt";)
    alert udp any any -> 192.168.1.0/24 31 (resp: icmp_port,icmp_host; msg: "Hacker's Paradise access attempt";)

    Table 17.
FlexResp rules

3.23 content-list

The content-list keyword specifies multiple text strings to search for, overcoming the limitation of the content option, which takes only a single string. Table 18 is a content-list file: each string to search for is on its own line. This option is the basis of the react keyword.
    # adult sites

    Table 18. A content-list file

3.24 react

The basic reaction is to block access to a web site, for example a pornographic site. Snort's FlexResp plugin can actively close the malicious connection, and if the connection is to an HTTP or proxy server port, it also sends an HTML/JavaScript warning message to the browser. This option takes the following parameters:

    block: close the connection and send the notice
    warn: send a visible warning

These two are the basic parameters; they can be combined with the optional parameters:

    msg: include the rule's msg text in the warning message
    proxy: send the warning message through the given proxy server port

Optional parameters are separated by commas, and the react keyword should be the last option in the rule. For example:

    alert tcp any any <> 192.168.1.0/24 80 (content-list: "adults"; msg: "Not for children!"; react: block,msg;)
    alert tcp any any <> 192.168.1.0/24 any (content-list: "adults"; msg: "Adults list access attempt"; react: block;)

4. Preprocessors

4.1 Preprocessor overview

Preprocessors have been supported since Snort 1.5. With this support, users and programmers can easily write modular plugins that extend Snort's functionality. A preprocessor runs after the packet has been decoded and before the detection engine is called, so Snort can modify or analyze packets in an out-of-band manner. Preprocessors are loaded and configured with the preprocessor keyword, whose format is:

4.2.1 minfrag

This preprocessor checks whether the size of a fragmented packet is below a specific value. Fragmentation is normally performed by the routers between the source and destination. In general, commercial network equipment does not produce fragments smaller than 512 bytes. On this basis, very small fragments can be monitored: small fragments are generally generated deliberately, mainly to hide data.

Format: minfrag:
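Returning to the options of section 3: the way content with its offset, depth and nocase modifiers (3.9 to 3.12) and flags with its +, * and ! modifiers (3.13) are evaluated against a packet can be shown in code. The Python below is an added example written for this article; it is not Snort's own matching code and not from the original text. It assumes that offset, depth and nocase keywords following a content keyword modify that content, that a flags modifier is written before the flag letters (as in flags: +A), and it uses its own helper names (parse_content, content_matches, flags_match, parse_options, options_match).

```python
# Added example: evaluating the content, offset, depth and nocase options
# (sections 3.9-3.12) and the flags option (section 3.13) against a packet.
# Not Snort's code and not from the article; names are this example's own.
import re

# Bit values of the eight flag letters listed in section 3.13.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_content(pattern):
    """Convert a content string such as '|E8C0FFFFFF|/bin' into raw bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content: " + pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                                   # between pipes: hex bytecode
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                       # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload, pattern, offset=0, depth=None, nocase=False):
    """Search payload[offset:offset+depth] for the pattern."""
    needle = parse_content(pattern)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        return needle.lower() in window.lower()
    return needle in window


def flags_match(spec, tcp_flags):
    """spec is e.g. 'SF', '+A', '*SF' or '!SF'; tcp_flags is the TCP flag byte."""
    spec = spec.strip()
    mode = ""
    if spec and spec[0] in "+*!":
        mode, spec = spec[0], spec[1:]
    mask = 0
    for letter in spec:
        mask |= FLAG_BITS[letter.upper()]
    if mode == "+":                 # ALL: the given flags set, others ignored
        return tcp_flags & mask == mask
    if mode == "*":                 # ANY: at least one of the given flags set
        return tcp_flags & mask != 0
    if mode == "!":                 # NOT: none of the given flags set
        return tcp_flags & mask == 0
    return tcp_flags == mask        # no modifier: exactly these flags and no others


# keyword[: value]; where the value may be a double-quoted string
OPTION_RE = re.compile(r'([\w-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_options(text):
    """Parse '(content: "x"; offset: 3; nocase;)' into [(key, value), ...]."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1].strip()
    opts, pos = [], 0
    while pos < len(text):
        m = OPTION_RE.match(text, pos)
        if m is None:
            raise ValueError("cannot parse options near: " + text[pos:])
        key, val = m.group(1).lower(), m.group(2)
        if val is not None:
            val = val[1:-1] if val.startswith('"') else val.strip()
        opts.append((key, val))
        pos = m.end()
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return opts


def options_match(options_text, payload, tcp_flags=0):
    """True if every content (with its modifiers) and flags option matches."""
    opts = parse_options(options_text)
    i = 0
    while i < len(opts):
        key, val = opts[i]
        if key == "content":
            offset, depth, nocase = 0, None, False
            j = i + 1
            # offset/depth/nocase following a content keyword modify that content
            while j < len(opts) and opts[j][0] in ("offset", "depth", "nocase"):
                k, v = opts[j]
                if k == "offset":
                    offset = int(v)
                elif k == "depth":
                    depth = int(v)
                else:
                    nocase = True
                j += 1
            if not content_matches(payload, val, offset, depth, nocase):
                return False
            i = j
            continue
        if key == "flags" and not flags_match(val, tcp_flags):
            return False
        i += 1                      # msg and other options do not affect matching here
    return True


if __name__ == "__main__":
    # Constructed sample payload: an HTTP request carrying the phf CGI name.
    payload = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
    rule_opts = '(content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF access";)'
    print(options_match(rule_opts, payload, tcp_flags=0x18))   # True
```

With the Table 11 options the search window is payload bytes 3 through 24, which still contains "cgi-bin/phf"; shrinking depth to 10 cuts the pattern off and the rule no longer fires, the missed-detection risk the offset section warns about. The SYN-FIN case from Table 13 is just flags: SF with no modifier, so a plain SYN (0x02) does not match but SYN+FIN (0x03) does.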
4.2.2 portscan

The portscan preprocessor was developed by Patrick Mullen; more information is available on his personal home page. Snort's port scan detection preprocessor does mainly the following: it logs port scans launched from a single source IP address to the standard logging facility, and, if a log file is specified, it records the scanned IP addresses, port numbers and scan type in that log file. The module takes the following parameters:

    monitored network: the network to monitor for port scans, as IP address/subnet mask
    number of ports: the number of ports accessed within the detection period
    detection period: the time, in seconds, within which the set number of port accesses must occur
    log directory/file: the directory/file where the warning information is saved; warnings can also be written to the default alert file

Format: portscan:
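The detection logic the portscan preprocessor is described with above (count the distinct ports one source probes on the monitored network within the detection period, and record the scan type) can be illustrated with a small sliding-window detector. The Python below is an added example; it is not Snort's spp_portscan code and not from the article. The PortscanDetector class, the scan_type classification by TCP flag letters and the SAMPLE_EVENTS are all constructed for this illustration.

```python
# Added example: a sliding-window port scan detector with the parameters the
# portscan preprocessor of section 4.2.2 takes (monitored network, number of
# ports, detection period). Not Snort's spp_portscan; names are this example's own.
import ipaddress
from collections import defaultdict, deque


def scan_type(tcp_flags):
    """Classify a probe by its TCP flags (letters as in the flags option)."""
    flags = "".join(sorted(tcp_flags.upper()))
    return {"S": "SYN", "F": "FIN", "": "NULL", "FPU": "XMAS"}.get(flags, "TCP " + flags)


class PortscanDetector:
    def __init__(self, monitored_net, ports, period):
        self.net = ipaddress.ip_network(monitored_net)
        self.ports = ports            # distinct (host, port) targets that trigger an alert
        self.period = period          # detection period in seconds
        self.probes = defaultdict(deque)   # source -> deque of (time, dst, port, flags)

    def observe(self, ts, src, dst, dport, tcp_flags="S"):
        """Feed one connection attempt; return an alert dict or None."""
        if ipaddress.ip_address(dst) not in self.net:
            return None                            # outside the monitored network
        q = self.probes[src]
        q.append((ts, dst, dport, tcp_flags))
        while q and ts - q[0][0] > self.period:    # drop probes older than the period
            q.popleft()
        targets = {(d, p) for _, d, p, _ in q}
        if len(targets) < self.ports:
            return None
        alert = {
            "source": src,
            "targets": sorted(targets),
            "scan_type": scan_type(q[-1][3]),
            "window_start": q[0][0],
            "window_end": ts,
        }
        q.clear()          # one alert per burst; start counting again afterwards
        return alert


def run_detector(events, monitored_net="192.168.1.0/24", ports=4, period=3):
    """Replay (time, src, dst, dport, flags) events; return the alerts raised."""
    det = PortscanDetector(monitored_net, ports, period)
    return [a for a in (det.observe(*e) for e in events) if a is not None]


# Constructed sample events (not real traffic): one SYN scan of four ports in
# 2.5 seconds, then three slow probes that stay below the threshold.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.9", "192.168.1.5", 21, "S"),
    (1.0, "10.0.0.9", "192.168.1.5", 22, "S"),
    (2.0, "10.0.0.9", "192.168.1.5", 23, "S"),
    (2.5, "10.0.0.9", "192.168.1.5", 25, "S"),
    (10.0, "10.0.0.9", "192.168.1.5", 80, "S"),
    (11.0, "10.0.0.9", "192.168.1.5", 443, "S"),
    (12.0, "10.0.0.9", "192.168.1.5", 8080, "S"),
    (12.0, "10.0.0.9", "8.8.8.8", 53, "S"),       # not in the monitored network
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

With the default threshold of 4 ports in 3 seconds only the first burst raises an alert; lowering the threshold to 3 ports also catches the slower probes at 10, 11 and 12 seconds, which is the trade-off between the number-of-ports and detection-period parameters the section lists. Probes to hosts outside the monitored network are ignored entirely.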
4.2.3 stream

Format: timeout, ports, maxbytes. For example:

    preprocessor stream: timeout 5, ports 21 23 80 8080, maxbytes 16384

4.2.4 spade

For more information about SPADE, see the README.Spade file in the Snort source tree or http://www.silicondefense.com/spice/. This module lets Snort perform statistical anomaly detection; it is a new detection engine. If you are interested, see the documentation in the source code and on the SiliconDefense site.

5. Output modules

5.1 Overview of output modules

Output modules are a feature added in Snort 1.6 that makes Snort's output more flexible. When Snort calls its alert or log subsystem, the specified output module is invoked. Output modules are configured in much the same way as preprocessors. Several output plugins can be specified in the Snort configuration file; if several are specified for the same type (alert or log), Snort calls them in turn when an event occurs. With the standard logging and alerting system, the output modules by default write to the /var/log/snort directory or to the directory the user specifies with the -l command line switch. In the rules file, an output module is selected with the output keyword:

Format: output name:
Format: alert_full: