Thursday, July 9, 2015

Snort++ Rule Changes

Snort++ has some cool new rule features you may want to know about, including abbreviated rule headers and support for more rule protocols.  The basic rule structure is:

    action proto src_nets src_ports dir dst_nets dst_ports ( body )

where:

  • action is alert, drop, block, etc.
  • proto is ip, icmp, tcp, udp, http, ftp, ..., or file
  • src_nets and dst_nets are an IP address or list
  • src_ports and dst_ports are a port, port list, or any
  • nets and ports may be literals or variables
  • dir is either -> for unidirectional or <> for bidirectional

Here is a simplified example:

    alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
    (
        flow:to_client,established;
        file_data; content: "readystatechange";
        metadata:service http, service imap, service pop3;
        sid:27568; rev:1;
    )

Note that this rule specifies FILE_DATA_PORTS and 3 different services.  We can simplify that a little now:

    alert file $EXTERNAL_NET -> $HOME_NET
    (
        flow:to_client,established;
        file_data; content: "readystatechange";
        sid:27568; rev:2;
    )

Revision 2 of this rule uses the new file protocol and omits ports and services.  This means:
  • Detection is better because we aren't limited to the specified proto, ports, or services.
  • Performance is better because we don't need to search raw TCP packets or service specific file data.
  • And that comes with using *less* memory for the search engine because we reduce the number of rule groups.

To detect this file regardless of networks or direction, do something like revision 3:

    alert file
    (
        file_data; content: "readystatechange";
        sid:27568; rev:3;
    )

(Note that file_data implies flow:established in Snort++.)

More details:
  • If you omit ports, they default to any.
  • If you omit networks, they default to any.
  • If you omit networks, you must omit ports and direction too.
  • The protocol must be configured via the binder or wizard.
  • AppID will provide additional service protocols when that is ported.
  • File rules must have file_data fast patterns.
  • Service rules may have file_data fast patterns.
  • Ports must match for service rules (like alert http).
  • Port handling is not changed with respect to metadata:service.

Also keep an eye on the enhanced startup and shutdown stats to help tune your rules.  We will cover fast patterns and rule groups in a future post.
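To make the header rules above concrete (the basic structure and the "more details" list), here is a small parser for the abbreviated Snort++ header. It is an added example, not Snort's own parser; the grammar it assumes is `action proto [src_nets [src_ports] dir dst_nets [dst_ports]] ( body )`, and the None value for an omitted direction is an assumption of this example.

```python
import re

# Added example (not Snort's own parser). Header grammar assumed from the post:
#   action proto [src_nets [src_ports] dir dst_nets [dst_ports]] ( body )
# Omitted ports/networks default to "any"; an omitted direction is kept as None.
RULE_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s*(.*?)\s*\((.*)\)\s*$', re.S)
OPT_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"[^"]*"|[^;"])*))?\s*;')
DIRS = ('->', '<>')

def parse_rule(text):
    """Return a dict for one rule; raise ValueError if the header breaks the rules above."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError('expected: action proto [header] ( body )')
    action, proto, header, body = m.groups()
    rule = {'action': action, 'proto': proto, 'src_nets': 'any', 'src_ports': 'any',
            'dir': None, 'dst_nets': 'any', 'dst_ports': 'any'}
    tokens = header.split()
    if tokens:  # networks given: direction is mandatory, ports are optional
        d = next((i for i, t in enumerate(tokens) if t in DIRS), None)
        src, dst = (tokens[:d], tokens[d + 1:]) if d is not None else ([], [])
        if not (1 <= len(src) <= 2 and 1 <= len(dst) <= 2) or any(t in DIRS for t in src + dst):
            raise ValueError('header must be "nets [ports] dir nets [ports]" or empty')
        rule['src_nets'], rule['dir'], rule['dst_nets'] = src[0], tokens[d], dst[0]
        if len(src) == 2:
            rule['src_ports'] = src[1]
        if len(dst) == 2:
            rule['dst_ports'] = dst[1]
    opts = [(k, v.strip() if v else None) for k, v in OPT_RE.findall(body)]
    names = [k for k, _ in opts]
    if proto == 'file' and 'file_data' not in names:  # file rules need file_data
        raise ValueError('file rules must have file_data')
    rule['options'] = opts
    # file_data implies flow:established in Snort++, so record the effective state
    rule['established'] = 'file_data' in names or any(
        k == 'flow' and 'established' in v for k, v in opts if v)
    return rule

def is_valid_rule(text):
    """True when parse_rule accepts the text, False when it raises ValueError."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False

# Constructed inputs: revisions 2 and 3 of the rule shown in the post.
REV2 = ('alert file $EXTERNAL_NET -> $HOME_NET ( flow:to_client,established; '
        'file_data; content: "readystatechange"; sid:27568; rev:2; )')
REV3 = 'alert file ( file_data; content: "readystatechange"; sid:27568; rev:3; )'
```

Running `parse_rule(REV3)` shows every network and port field defaulting to any with no direction, while a header such as `alert file -> $HOME_NET` is rejected because the post requires ports and direction to go when networks are omitted.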