Monday, October 22, 2012

Rule Category Reorganization Phase 3


Beginning back in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to realign the rules into an easier to understand category structure.

We are continuing that effort with the VRT’s upcoming rule release, adding the following categories:

BROWSER-PLUGINS -- This category contains rules that look for, and control, the traffic of certain applications that are considered plugins to the browser, ActiveX for example.

INDICATOR-SHELLCODE -- This category contains detection for generic shellcode being found in traffic.  This category is largely a carry-over from the previous shellcode.rules category.

OS-LINUX -- This category contains detection for vulnerabilities present in the Linux family of Operating Systems.  Intended to be enabled by users who have any Linux OS on the network.

OS-SOLARIS -- This category contains detection for vulnerabilities present in the Sun (now Oracle) Solaris OS.  Intended to be enabled by users who have any version of Solaris on the network.

OS-WINDOWS -- This category contains detection for vulnerabilities present in the Windows family of Operating Systems.  Intended to be enabled by users who have any version of Windows present on the network.  This does not cover Microsoft application products such as Office, which live in the FILE-OFFICE category.

OS-OTHER -- This category contains detection for vulnerabilities in other Operating Systems not listed above.  Android, AIX, etc.

POLICY-SPAM -- This category contains rules that are specifically tailored to detect spam within emails.  Largely a carry-over from the present phishing-spam.rules category.

PROTOCOL-FINGER -- This category contains rules for vulnerabilities that are found or are delivered through the finger protocol.

PROTOCOL-FTP -- This category contains rules for vulnerabilities that are found or are delivered through the FTP protocol.

PROTOCOL-ICMP -- This category contains rules for vulnerabilities found inside or delivered through the ICMP protocol, as well as informational ICMP detections.  Largely a carry-over from the present icmp.rules and icmp-info.rules categories.

PROTOCOL-IMAP -- This category contains rules for vulnerabilities present inside of or delivered through the IMAP protocol.

PROTOCOL-POP -- This category contains rules for vulnerabilities present inside of or delivered through the POP protocols.

PROTOCOL-SERVICES -- This category contains rules for vulnerabilities present inside of, or delivered through the "RServices" features.  Largely a carry-over from the present rservices.rules.

PROTOCOL-VOIP -- This category contains rules for vulnerabilities present inside of, or delivered through, "VOIP" protocols or products.  Largely a carry-over from the present voip.rules category, but all VOIP-related products will be consolidated here for easy use.

PUA-ADWARE -- This category contains rules for the detection of Adware found in traffic.  Largely a carry-over of the present spyware-put.rules category, renamed to fall in line with the naming convention of our other products and to allow easy consolidation into one category from multiple places.

PUA-OTHER -- This category will contain anything that is considered a "Potentially Unwanted Application" that does not fit into the other PUA categories.

SERVER-APACHE -- This category will contain rules for the detection of vulnerabilities present in the Apache Web Server family of products.

SERVER-IIS -- This category will contain rules for the detection of vulnerabilities present in the Microsoft IIS family of products.

SERVER-MSSQL -- This category will contain rules for the detection of vulnerabilities present in the Microsoft MSSQL family of products.

SERVER-MYSQL -- This category will contain rules for the detection of vulnerabilities present in the Oracle MySQL family of products.  Largely a carry-over from the present mysql.rules category.

SERVER-ORACLE -- This category will contain rules for the detection of vulnerabilities present in the Oracle Database.  Largely a carry-over from the present oracle.rules category.

SERVER-WEBAPP -- This category will contain rules for the detection of vulnerabilities present in "Web based Applications".

SERVER-OTHER -- This category will contain rules for the detection of vulnerabilities against servers not otherwise listed above.

To include these in your snort.conf, add the following lines to the rule section at the end.  If you are using PulledPork in its default mode, you shouldn't need to do anything:

include $RULE_PATH/browser-plugins.rules
include $RULE_PATH/indicator-shellcode.rules
include $RULE_PATH/os-linux.rules
include $RULE_PATH/os-solaris.rules
include $RULE_PATH/os-windows.rules
include $RULE_PATH/os-other.rules
include $RULE_PATH/policy-spam.rules
include $RULE_PATH/protocol-finger.rules
include $RULE_PATH/protocol-ftp.rules
include $RULE_PATH/protocol-icmp.rules
include $RULE_PATH/protocol-imap.rules
include $RULE_PATH/protocol-pop.rules
include $RULE_PATH/protocol-services.rules
include $RULE_PATH/protocol-voip.rules
include $RULE_PATH/pua-adware.rules
include $RULE_PATH/pua-other.rules
include $RULE_PATH/server-apache.rules
include $RULE_PATH/server-iis.rules
include $RULE_PATH/server-mssql.rules
include $RULE_PATH/server-mysql.rules
include $RULE_PATH/server-oracle.rules
include $RULE_PATH/server-other.rules
include $RULE_PATH/server-webapp.rules

Updated default snort.conf files are here: https://www.snort.org/configurations
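If you maintain snort.conf by hand rather than with PulledPork, the following shell functions (an added example, not part of the VRT's release or tooling) report which Phase 3 include lines are missing, append them, and flag included rule files that do not exist in your rules directory (Snort refuses to start on a missing include).  The conf path and rules directory are arguments you supply.

```shell
#!/bin/sh
# Added example: audit a snort.conf for the Phase 3 rule category includes.
# The category list below is the one announced in this post.
NEW_CATEGORIES="browser-plugins indicator-shellcode os-linux os-solaris os-windows os-other
policy-spam protocol-finger protocol-ftp protocol-icmp protocol-imap protocol-pop
protocol-services protocol-voip pua-adware pua-other server-apache server-iis
server-mssql server-mysql server-oracle server-other server-webapp"

# Print, one per line, each new category with no active (uncommented)
# "include $RULE_PATH/<category>.rules" line in the given snort.conf.
missing_includes() {
    conf="$1"
    for cat in $NEW_CATEGORIES; do
        if ! grep -Eq '^[[:space:]]*include[[:space:]]+\$RULE_PATH/'"$cat"'\.rules[[:space:]]*$' "$conf"; then
            echo "$cat"
        fi
    done
}

# Append an include line for every missing category to the end of the
# conf, i.e. the rule section, matching the lines shown above.
add_missing_includes() {
    conf="$1"
    for cat in $(missing_includes "$conf"); do
        printf 'include $RULE_PATH/%s.rules\n' "$cat" >> "$conf"
    done
}

# Print each $RULE_PATH include whose .rules file is absent from the
# directory RULE_PATH resolves to (second argument); useful before a restart.
absent_rule_files() {
    conf="$1"
    rule_dir="$2"
    grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$conf" \
        | sed -E 's/.*\$RULE_PATH\/([^[:space:]]+).*/\1/' \
        | while read -r f; do
            [ -f "$rule_dir/$f" ] || echo "$f"
          done
}
```

Typical use: `missing_includes /etc/snort/snort.conf`, then `add_missing_includes /etc/snort/snort.conf` and `absent_rule_files /etc/snort/snort.conf /etc/snort/rules` before restarting Snort.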

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected. These products will handle the transition just fine. The only way you will be affected using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules.