Comments on Joel Esler: Writing Snort Rules Correctly
(feed updated 2023-10-30T09:25:19-05:00, 18 comments)


iamnowonmai (2010-02-22 17:13 -05:00):

well done joel -
first one I have bookmarked. very nice explanation of a topic that is waaaaay over my head.


Robby D (http://twitter.com/angwe/) (2010-02-23 10:01 -05:00):

Hey, question: "?" in perl extended regexps makes a lazy expression, but I've been thinking about it in a different way than you've outlined it.

As you put it: "the '?' basically means 'The character that is directly in front of the '?' is optional'. So, it essentially means, when all put together the match is either a ' or a " or not at all."

However, I've always thought of it as "inverse greedy". That is, if you don't put the question mark there, the regex will try to match as long a string as possible that fits the parameters, but if you do include it, it instead matches as *short* a string as possible.

    /c.*Monkey/

against

    "cfooMonkeybarMonkey"

will give you the whole string, whereas

    /c.*?Monkey/

will give you "cfooMonkey".

I feel like this doesn't quite jive with the way you've explained it.

Is this a perl e-regex thing? Have I missed something about the overall conceptualization of the "?" in pattern matches?


Joel (http://blog.joelesler.net/) (2010-02-23 10:12 -05:00):

No, you are right-ish. Inverse greedy is a good way to say it. So, least as possible, even optionally. It's like a "*", whereas it's 0 or more, but the question mark is 0 or 1 essentially.

Does that help?

You can actually make the question mark lazy (as opposed to greedy) by placing a second question mark after the first.


Robby D (http://twitter.com/angwe/) (2010-02-23 10:29 -05:00):

I think that does help, actually.

The reason I wasn't thinking in the way you were is that I've always only used the "?" as a modifier for a glob ("*"), in which case "inverse greedy" is the easiest way (for me) to think about it. However, when it is used by itself as a modifier, it is, as you put it, lazy: "it could be there, or not, doesn't matter".

    /c.Monkey/

will match any string with at least one character between "c" and "Monkey" but *not* "cMonkey"

    /c.?Monkey/

would match either case mentioned.

Guess I need to go actually *read* Mastering Regular Expressions instead of using it as a reference book.

Thanks for the clarification!


Joel (http://blog.joelesler.net/) (2010-02-23 10:32 -05:00):

A couple other people have sent me other questions like that via email. I've asked them to post them as comments on the blog so that the conversation can be kept in one place.

Glad that it helped Robby!


wolvee (2010-02-23 11:42 -05:00):

I have read your blog post regarding "Writing Snort Rules is harder than it looks". You have explained it very well, but I have some questions.

Your final rule is

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX Exploit Signature Sample"; flow:to_client,established; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import("; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; rev:2;)

In the exploit the object tag can be placed anywhere, so it is not mandatory that the vulnerable method will come after the clsid.

    Microsoft Works 7 WkImgSrv.dll crash POC

    function payload() {
        var num = -1;
        obj.WksPictureInterface = num;
    }

    http://www.milw0rm.com/exploits/5460

In the above exploit the vulnerable method is above the clsid. So what I feel is that it is worth removing the distance modifier from the second content match.

My final rule will be

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX Exploit Signature Sample"; flow:to_client,established; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import("; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; rev:3;)

Please correct me if I am wrong.


Joel (http://blog.joelesler.net/) (2010-02-23 12:14 -05:00):

Wolvee wrote me this via email and I asked him to put it as a comment on the blog.

This is exactly the type of discussion that I was hoping to provoke by writing this post.

The trick with this rule is: what does the ".Import(" get us? False positive reduction, I say in the post, and while that's partially correct, if we zoom back from it and look at the big picture, what does this get us?

The answer is, nothing. The point of the rule is to match the ActiveX. So why did I put the content match in there?

I put it in there to illustrate how to place two content matches and make the second one *relative* to the first. In other words, have match one, then match two after match one.

If I were to have this rule running in real life, I wouldn't have the second content match. Actually, in all reality, I wouldn't have the pcre in there at all.


Pingback: Signature Analytics » Blog Archive » Errors/Correction in Tao of Signature Writing – Part 4 (http://sign.kaffenews.com/?p=97) (2010-02-23 17:27 -05:00):

[...] that Joel has made all possible corrections in the previous blog. You could read that from here: http://blog.joelesler.net/2010/02/writing-snort-rules-correctly.html. Thank you [...]


shadowbq (2010-02-24 16:57 -05:00):

somebody is over engineering their snort rules :)

"If I were to have this rule running in real life, I wouldn't have the second content match. Actually, in all reality, I wouldn't have the pcre in there at all."

Thanks for the write up.


fimz (2010-03-27 18:07 -05:00):

Hi Joel,

Good article, it has however confused me a bit. I'm relatively new to snort, have been using it for a while, but yesterday found myself fully blank when a friend of mine asked me a question:

I've seen the terms snort rules and snort signatures being used interchangeably across many texts. I would really like to know which is which. e.g. which heading would the rule below come under:

Snort Rule example or Snort Signature Example:

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; sid:2003; rev:2;)

Comments, help, pointers appreciated? I'm sure there are others who have come across the same controversy.

--------------------------------------------------------------------------------------------------------------------

I replied to this as: yes, it is a snort rule, which is taking action based on finding a certain signature in the traffic.

At the back of my mind I wasn't fully sure myself, as I've seen several texts in which authors have confused the terms by using them interchangeably. That is why I believe it's best to ask someone who knows.

I've noticed you have also used it interchangeably in this article when you are proposing the corrected snort rule.

Hoping for a positive response.
-fimz


Joel (http://blog.joelesler.net/) (2010-03-28 10:13 -05:00):

We call Snort rules, rules. Signatures traditionally look for "x" and match it. We have much, much more functionality within Snort rules (moving within a packet, judging numerical values and jumping, moving backwards in a packet for a match, etc.).

The one above is a simple rule. It's looking for several pieces of content.


Pingback: Writing Snort Rules Correctly | InfoSec Resources (http://www.information-security-training.com/client-side-exploits/writing-snort-rules-correctly/) (2010-04-04 08:49 -05:00):

[...] Writing Snort Rules Correctly [...]


Yaron (2013-02-27 03:18 -05:00):

Hi,
So if I have a rule that combines content:"..." terms and a pcre expression, what snort does is the following:
1. Match the longest pattern (fast pattern)
2. If (1) matches then match all patterns
3. If (2) matches invoke pcre over the entire packet

Is that correct?


Joel Esler (2013-02-27 08:43 -05:00):

Essentially, that is correct. There are some other things like port buckets and whatnot in there, but yes, what you said is correct for the most part.


Yaron (2013-03-14 02:52 -05:00):

Thanks.
That was helpful.