EZ Snort Rules
Find the Truffles, Leave the Dirt

David J. Bianco
Vorant Network Security, Inc.
david@vorant.com

© 2006, Vorant Network Security, Inc.

Table of Contents
• Intro to Snort Configuration
• Anatomy of a Snort Rule
• Detection Options
• Rule Writing Tips


Intro to Snort Configuration
• Snort follows a “Unixy” configuration philosophy
  • Configuration is plaintext
  • Powerful & complex
• Snort configuration consists of:
  • Global configuration (snort.conf)
  • Optional *.rules file(s)
  • Additional files (not covered in this presentation)


Sources of Snort Rules
• Sourcefire VRT Rules
  • The “gold standard”
  • Subscription fee applies
  • Free for anyone to use after 7 days
• Snort.org Community Rules
  • Contributed by snort users
  • Free for use by anyone (GPL)

http://www.snort.org/pub-bin/downloads.cgi


Sources of Snort Rules
• Bleeding Edge Snort
  • Contributed by snort users
  • Focus on quick releases with minimal testing
  • Breaking threats
  • “experimental” detections

http://www.bleedingsnort.com/


A Peek Into snort.conf

var HOME_NET 192.168.3.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.3.1,192.168.3.10]
var HTTP_SERVERS [192.168.3.1,192.168.3.2,192.168.3.88]
var HTTP_PORTS 80
var RULE_PATH /usr/local/snortrules

[a bunch of snort engine configuration options]

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/bleeding-all.rules
include $RULE_PATH/community-bot.rules


The Most Basic Rule

alert tcp any any -> any any (msg:"Sample alert";)


The Rule Header

alert tcp any any -> any any (msg:"Sample alert";)

• Header contains the following fields
  • Action (log, alert)
  • Protocol (ip, tcp, udp, icmp, any)
  • Src IP & Port
  • Dst IP & Port
  • Direction operator (“->”, “<>”)


The Rule Header

alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert";)

• Src or dst IP addresses can be:
  • Variables ($HOME_NET)
  • Individual IP addresses
  • CIDR blocks
  • Lists of the above (“[192.168.3.12,192.168.3.9]”)
• Ports can be
  • Individual ports
  • Port ranges (“80:85”, “:1024”, “1025:”)


The Rule Body

alert tcp any any -> any any (msg:"Sample alert";)

• The body is usually the complex part
• Begins and ends with “()”
• Series of “rule options” (keywords, with optional parameters) separated by “;”


Types of Rule Options
• Five types of options
  • Metadata
  • Payload detection
  • Non-payload detection
  • Post-detection
  • Thresholding and suppression
• To keep things “EZ”, we’ll focus on the first two types


Metadata Options
• Metadata options provide snort with information about the rule itself or pass on information to the analyst
• Examples:
  • “msg” specifies the human-readable alert message
  • “reference” includes a URL for more info
  • “classtype” and “priority” give some idea about the type of attack and the severity of the event
  • “sid” and “rev” uniquely identify the rule (including revisions & edits)


Metadata Example

• Use of “classtype” implies a default priority for each class
  • Defaults for each class are in the manual
  • Use the “priority” option to override these
• Each sid must be unique
  • Choose a sid range > 4,000,000 to avoid conflicts with popular rule providers

alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; classtype: web-application-activity; reference:url,http://www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)


Payload Detection Options
• Look inside the packet payload (not the packet headers)
  • “The meat” of IDS!
• There are many options to fit many needs, but start with the basics
  • “content” looks for a string of bytes
  • “nocase” modifies content, making it case insensitive
  • “offset” skips a certain number of bytes before searching
  • “pcre” allows the use of Perl-compatible regular expressions (support must be compiled in)


Payload Example

• Looks for the case-insensitive string “http://www.vorant.com/test.cgi?id=pwn3d” in all traffic matched by the rule header
• Skips the first 12 bytes of each packet before starting the search, for efficiency
• Note the inclusion of the hex ASCII code for the “:”
  • The “|3a|” notation is good for non-printable data (or “:”, which must not be used in a content match)

alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; content:"http|3a|//www.vorant.com/test.cgi?id=pwn3d"; nocase; offset:12; classtype: web-application-activity; reference:url,http://www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)


Payload Example #2

• Alerts on all GET requests for an HTML page (.htm or .html both work)
  • “i” option to pcre asks for case-insensitive matching
• A simple content match could be used, but sometimes…
  • content is not flexible enough to match the data
  • a single PCRE may be more clear than a bunch of individual content matches

alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; pcre:"/GET.*\.htm/i"; classtype: web-application-activity; reference:url,http://www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)
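As an added example that is not part of the deck or of Snort itself, a small Python parser for the rule anatomy shown on the preceding slides (header fields, ordered option list, the “|3a|” hex notation) together with a matcher for the content, nocase, offset and pcre options. The sample rule merges the two payload examples above; the function and variable names are my own.

```python
import re

# Added example (not Snort's own code): a minimal parser for the rule syntax these slides
# describe, plus a matcher for the content (|hex| bytes, nocase, offset) and pcre options.
# Constructed input: the deck's two payload examples merged into one rule, ASCII quotes.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 '
               '(msg:"Sample alert"; content:"http|3a|//www.vorant.com/test.cgi?id=pwn3d"; '
               'nocase; offset:12; pcre:"/GET.*\\.htm/i"; '
               'classtype:web-application-activity; sid:2000123; rev:1;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$', re.S)
# keyword, optional ":value" (quoted values may hold escaped quotes), terminated by ";"
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')

def parse_rule(text):
    """Return (header dict, ordered option list); order matters for modifiers."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    *fields, body = m.groups()
    header = dict(zip(('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport'), fields))
    return header, [(k, v[1:-1] if v.startswith('"') else v) for k, v in OPTION_RE.findall(body)]

def decode_content(value):
    """'http|3a|//x' -> b'http://x': text between '|' pairs is hex-encoded bytes."""
    return b''.join(bytes.fromhex(c) if i % 2 else c.encode('latin-1')
                    for i, c in enumerate(value.split('|')))

def payload_matches(options, payload):
    """True if every content (plus the nocase/offset that follow it) and pcre option hits."""
    needle, nocase, offset = None, False, 0
    def content_hit():  # evaluate the most recent content option, if any
        hay = payload[offset:]
        return needle is None or (needle.lower() in hay.lower() if nocase else needle in hay)
    for key, val in options:
        if key == 'content':
            if not content_hit():
                return False
            needle, nocase, offset = decode_content(val), False, 0
        elif key == 'nocase':
            nocase = True
        elif key == 'offset':
            offset = int(val)
        elif key == 'pcre':  # "/pattern/flags"; only the i flag is handled here
            pattern, flags = val[1:].rsplit('/', 1)
            if not re.search(pattern.encode(), payload, re.I if 'i' in flags else 0):
                return False
    return content_hit()
```

Feeding a request whose Referer carries the URL in upper case shows nocase at work, while a payload that starts with the URL fails because offset:12 skips past it.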


Go With the Flow
• TCP is a stateful protocol
  • Requires a certain setup and teardown for a valid connection
• Servers discard TCP packets not associated with valid sessions
• TCP data without a valid session has little chance of harming your server, but it takes CPU time to process
• Solution: track TCP sessions and restrict rules to established sessions


The “flow” Option

• Technically a “non-payload” option
• “established” option specifies that the rule only alerts on valid TCP sessions
• “to_server” option further restricts matching to packets going to the “server”
  • Snort assumes the “client” is the session initiator, so the server is the recipient

alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; flow: to_server,established; pcre:"/GET.*\.htm/i"; classtype: web-application-activity; reference:url,http://www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)


Writing Efficient Rules
• Be as specific as possible in the header
  • Beware of the “any” keyword
  • Specify the protocol, IP addresses and ports
  • IP lists are fine, but use CIDR blocks when the list gets long
• Use “flow: established” for TCP sessions
• Body options are evaluated in order until a match is unsuccessful, so list broad matches first
• Content matches are faster than PCRE
  • Use a “content” match before a PCRE, to weed out packets that can’t match
  • content:"GET"; nocase; pcre:"/GET.*\.htm/i";


Other Rule-Writing Tips
• Keep your rules in the local.rules file
  • Back it up!
• If snort doesn’t restart after you add your new rule, check /var/log/messages for details
• When writing a complex rule, start small and build it piece-by-piece


Questions?