Enhanced Rule Types in Snort 3: A Comprehensive Guide
Snort 3 introduces three new rule types to simplify and enhance rule writing: service rules, file rules, and file identification rules.
Service rules allow matching traffic of a particular service without specifying network addresses, ports, or direction. They are useful for service-specific targeting.
- Format: action service service_name
- Example:

```
alert http
(
    msg:"SERVER-WEBAPP This rule only looks at HTTP traffic";
    flow:to_server,established;
    http_uri;
    content:"/admin.php",fast_pattern,nocase;
    content:"cmd=",nocase;
    pcre:"/[?&]cmd=[^&]*?\x3b/i";
    sid:1;
)
```
- alert http: Declares a service rule with the alert action. The rule applies to any traffic Snort has identified as HTTP, regardless of IP addresses, ports, or direction.
- msg:"SERVER-WEBAPP This rule only looks at HTTP traffic";: The message recorded with the event, describing the purpose of the rule.
- flow:to_server,established;: Restricts the rule to established sessions and to packets flowing from the client to the server.
- http_uri;: Selects the normalized HTTP URI as the detection buffer, so the following content and pcre options are matched against the URI rather than the raw packet payload.
- content:"/admin.php",fast_pattern,nocase;: Looks for the string "/admin.php" case-insensitively; fast_pattern marks it as the pattern the fast-pattern matcher uses to prefilter traffic before the rest of the rule is evaluated.
- content:"cmd=",nocase;: Looks for the string "cmd=" case-insensitively.
- pcre:"/[?&]cmd=[^&]*?\x3b/i";: Uses a Perl Compatible Regular Expression (PCRE) to match a cmd= query parameter whose value contains a semicolon (written as \x3b because a literal ";" would end the option).
- sid:1;: Sets the Snort rule ID (signature ID) to 1.
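To make the option-by-option evaluation concrete, the following Python script (an added example, not code from this page or from the Snort project) models how the three detection options of the service rule above are applied to the HTTP URI buffer: the fast_pattern content is checked first as a prefilter, then the second content, then the pcre. The sample URIs are constructed for illustration, and the flow and http_uri options are assumed to be satisfied already, so only the normalized URI is examined.

```python
import re
from typing import List, Optional

# Constructed sample URIs (not from the original page); the rule's flow and
# http_uri options are assumed satisfied, so only the URI buffer is checked.
SAMPLE_URIS = [
    "/admin.php?cmd=ls;id",              # all three options match
    "/Admin.PHP?user=a&cmd=cat%20x;",    # different case: nocase still matches
    "/admin.php?cmd=ls",                 # no ';' in the cmd value: pcre fails
    "/index.php?cmd=ls;id",              # no /admin.php: fast-pattern prefilter fails
    "/admin.php?x=1&mycmd=ls;id",        # 'cmd=' present but not as a parameter name: pcre fails
]

# The rule's options in the order they are evaluated. The fast_pattern content is
# the one Snort's multi-pattern matcher checks before the full rule body runs.
FAST_PATTERN = "/admin.php"          # content:"/admin.php",fast_pattern,nocase;
SECOND_CONTENT = "cmd="              # content:"cmd=",nocase;
# pcre:"/[?&]cmd=[^&]*?\x3b/i" -- \x3b is ';', hex-encoded in the rule because a
# literal ';' would terminate the option in Snort rule syntax.
PCRE = re.compile(r"[?&]cmd=[^&]*?\x3b", re.IGNORECASE)


def content_nocase(buf: str, pattern: str) -> bool:
    """Emulate content:"...",nocase; (case-insensitive substring search)."""
    return pattern.lower() in buf.lower()


def first_failing_option(uri: str) -> Optional[str]:
    """Return the first rule option that does not match, or None if the rule fires."""
    if not content_nocase(uri, FAST_PATTERN):
        return 'content:"/admin.php" (fast_pattern)'
    if not content_nocase(uri, SECOND_CONTENT):
        return 'content:"cmd="'
    if PCRE.search(uri) is None:
        return "pcre"
    return None


def service_rule_matches(uri: str) -> bool:
    """True when every detection option of the rule matches the URI."""
    return first_failing_option(uri) is None


def matching_uris(uris: List[str]) -> List[str]:
    """Filter a list of URIs down to the ones that would raise the alert."""
    return [u for u in uris if service_rule_matches(u)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        failed = first_failing_option(uri)
        verdict = "ALERT" if failed is None else "no alert, failed at " + failed
        print(f"{uri!r}: {verdict}")
```

Running the script shows only the first two sample URIs raising the alert; the last sample is the instructive one, since "cmd=" is present as a substring but the pcre anchors the parameter name to a preceding "?" or "&".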
File rules match a specific file regardless of protocol, IPs, ports, or service. They are helpful for targeting files irrespective of network details.
- Format: action file
- Example:

```
alert file
(
    msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
    file_data;
    content:"secret_encryption_key",fast_pattern,nocase;
    classtype:trojan-activity;
    sid:3;
)
```
- alert file: Declares a file rule with the alert action. The rule matches on file content regardless of the protocol, IPs, ports, or service that carried the file.
- msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";: The message recorded with the event, describing the purpose of the rule.
- file_data;: Selects the file data buffer, so the following content option is matched against the file's contents.
- content:"secret_encryption_key",fast_pattern,nocase;: Looks for the string "secret_encryption_key" case-insensitively and uses it as the rule's fast pattern.
- classtype:trojan-activity;: Classifies the event as trojan activity, which also determines the event's default priority.
- sid:3;: Sets the Snort rule ID to 3.
File identification rules enable file type identification without alerting or blocking traffic. They define file types for subsequent rules.
- Format: file_id
- Example:

```
file_id
(
    msg:"Windows/DOS executable file";
    file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";
    file_data;
    content:"| 4D 5A |", depth 2, offset 0;
    gid:4;
    sid:16;
    rev:1;
)
```
- file_id: Begins a file identification rule. file_id rules classify a file's type; they do not alert or block on their own.
- msg:"Windows/DOS executable file";: Describes the file type being identified.
- file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";: Sets the metadata for the identified file type: its type name (MSEXE), numeric type id (21), and categories, which file policies and later rules can reference.
- file_data;: Selects the file data buffer, so the content option is matched against the file's contents.
- content:"| 4D 5A |", depth 2, offset 0;: Looks for the two-byte hexadecimal pattern 4D 5A (the ASCII "MZ" signature of DOS/Windows executables) starting at offset 0 and searching at most 2 bytes, so the signature must sit at the very beginning of the file.
- gid:4; sid:16; rev:1;: Sets the generator ID (gid), rule ID (sid), and revision (rev) of the rule.
- To use file identification rules, ensure the file_id and file_policy builtins are enabled in your Snort 3 configuration.
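The file rule and the file identification rule above both depend on how Snort's content option behaves over the file data buffer, in particular the offset and depth modifiers that pin the MZ signature to the start of the file. The following Python script is an added example (not code from this page or from the Snort project) that models those semantics: a small ContentOption class implements offset/depth/nocase, a list of file_id rules is applied to identify the file type, and the page's file rule is applied to the same buffer. The MSEXE rule is the page's own; the PDF rule and its id are constructed for illustration and do not reproduce the ids in Snort's file_magic.rules. The sample file contents are constructed as well.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ContentOption:
    """One content option with the offset/depth/nocase modifiers used on the page."""
    pattern: bytes
    nocase: bool = False
    offset: int = 0               # start searching this many bytes into the buffer
    depth: Optional[int] = None   # search only this many bytes from offset; None = to end

    def matches(self, buf: bytes) -> bool:
        end = None if self.depth is None else self.offset + self.depth
        window = buf[self.offset:end]
        if self.nocase:
            return self.pattern.lower() in window.lower()
        return self.pattern in window


@dataclass(frozen=True)
class FileIdRule:
    msg: str
    file_type: str    # file_meta:type
    type_id: int      # file_meta:id
    content: ContentOption


# The page's MSEXE rule, plus one constructed PDF rule (id 9999 is a placeholder,
# not the id Snort assigns to PDF files).
FILE_ID_RULES: List[FileIdRule] = [
    FileIdRule("Windows/DOS executable file", "MSEXE", 21,
               ContentOption(b"\x4d\x5a", offset=0, depth=2)),  # content:"| 4D 5A |", depth 2, offset 0;
    FileIdRule("PDF document (constructed example)", "PDF", 9999,
               ContentOption(b"%PDF", offset=0, depth=4)),
]

# The page's file rule: content:"secret_encryption_key",fast_pattern,nocase; over file_data.
FILE_RULE_CONTENT = ContentOption(b"secret_encryption_key", nocase=True)


def identify_file(buf: bytes) -> Optional[str]:
    """Return the file_meta type of the first file_id rule whose content matches, else None."""
    for rule in FILE_ID_RULES:
        if rule.content.matches(buf):
            return rule.file_type
    return None


def file_rule_matches(buf: bytes) -> bool:
    """True when the file rule's content option matches the file data."""
    return FILE_RULE_CONTENT.matches(buf)


def inspect(buf: bytes) -> dict:
    """Combine identification (no alert by itself) with the alerting file rule."""
    return {"type": identify_file(buf), "alert": file_rule_matches(buf)}


if __name__ == "__main__":
    # Constructed sample file contents (not real files).
    samples = {
        "pe_stub": b"MZ\x90\x00\x03\x00\x00\x00 this program cannot be run in DOS mode",
        "pdf": b"%PDF-1.7\n1 0 obj\n",
        "late_mz": b"\x00\x00MZ",                  # MZ outside the offset 0 / depth 2 window
        "payload": b"MZ\x90\x00 ... SECRET_ENCRYPTION_KEY=... ",
    }
    for name, data in samples.items():
        print(name, inspect(data))
```

The "late_mz" sample is the one worth studying: it contains the bytes 4D 5A, but because depth 2 limits the search to the first two bytes from offset 0, the file_id rule does not classify it as MSEXE. Note also that file identification and alerting are separate steps, mirroring the page's point that file_id rules never alert on their own.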
In conclusion, Snort 3 introduces three powerful new rule types that enhance rule writing capabilities: service rules, file rules, and file identification rules. These rule types provide more flexibility and granularity in targeting specific traffic, files, and file types, making Snort 3 a versatile and robust intrusion detection system (IDS) tool.
For more detailed information and examples, refer to the official Snort documentation and resources.
By leveraging these new rule types effectively, security professionals can create more accurate and targeted intrusion detection rules to protect networks and systems from various threats.