Re: [Snort-users] help writing snort rule

Subject: Re: [Snort-users] help writing snort rule
Date: Fri, 26 Jan 2007 10:45:29 -0500
Bill,

Thanks for writing!

It looks like you have a couple of issues.
#1 -- You need to have your rule all on one line, or you need to use the "\"
character at the end of your line in order to continue to the next line.  Like:

    alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004 )

You also don't have a ";" at the end of your sid.

    alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

You also need to consider making your "ip" rule a tcp or udp rule.  If you are 
interested in both pieces of traffic, then it would be faster and more 
efficient to write two rules, one for tcp and one for udp.

    alert tcp any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

    alert udp any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000005; )

In your TCP rule, it would be faster to add a flow statement.

    alert tcp any any -> $EXTERNAL_NET any \
    (flow:established,from_client; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; \
    msg:"SSN Detected in Clear \
    Text"; sid: 1000004; )

That rule will look for SSNs from a client (you INITIATING the conversation) 
in an established TCP session.

It's also not good to have a pure pcre rule.  Rules are 100x more efficient 
with a preceding content statement.  Now, I don't know what kind of content 
statement you could expect to be in your traffic.  Maybe the abbreviation "SSN"?

    alert tcp any any -> $EXTERNAL_NET any \
    (msg:"SSN Detected in Clear Text"; flow:established,from_client; \
    content:"SSN"; pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; \
    sid: 1000004; )

You could even get fancier and use a backreference in your pcre to tell 
the second delimiter to be what the first delimiter was.  But I'll leave that 
for you to do :) 
You may also want to get rid of your "any any" statement.

Does this help any?

Joel


On Thu, Jan 25, 2007 at 10:56:24PM -0800, it looks like Bill Lopez sent me:

   Trying to write a simple rule to parse for SSN in plain text - what am
   I doing wrong??

   alert ip any any -> $EXTERNAL_NET any
   (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
   Text"; sid: 1000004 )

   rule returns this error

   ERROR: Unterminated rule in file /etc/snort/rules/TEST.rules, line 5
      (Snort rules must be contained on a single line or
       on multiple lines with a '\' continuation character
       at the end of the line,  make sure there are no
       carriage returns before the end of this line)
   Fatal Error, Quitting..

   Have tried multiple versions of pcre string but always return the same
   error..

   Bill Lopez
   Operating Engineers Trust Funds
   (626) 356-3524
   (626) 255-1066

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
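The two syntax problems Joel points out (a rule split over lines without "\", and an option with no ";"), plus the content-before-pcre ordering and the backreference he leaves as an exercise, as an added worked example. This is not code from the thread or from the Snort project: the rules file and the payloads are constructed, the checker models only the slice of rule syntax needed here (continuation lines, the "(...)" option block, "name:value;" options, the "i" pcre flag), and the `[ -]?` delimiter class and `rev:1;` in the finished rule are my additions to Joel's rule.

```python
import re

# Constructed rules file (not from the thread).  Rule 1 is the original rule
# split over lines with no "\"; rule 2 adds the continuations but still has
# no ";" after sid; rule 3 is the finished rule: a content prefilter, and \1
# in the pcre so the second delimiter must be the same as the first.
RULES_TEXT = r'''# constructed TEST.rules
alert ip any any -> $EXTERNAL_NET any
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
Text"; sid: 1000004 )
alert ip any any -> $EXTERNAL_NET any \
    (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear \
    Text"; sid: 1000004 )
alert tcp any any -> $EXTERNAL_NET any \
    (msg:"SSN Detected in Clear Text"; flow:established,from_client; \
    content:"SSN"; pcre:"/\d{3}([ -]?)\d{2}\1\d{4}/"; sid:1000005; rev:1;)
'''

# Constructed application-layer payloads, not captured traffic.
PAYLOADS = [
    "name=Test SSN 123-45-6789",  # labelled, matching delimiters
    "SSN 123 45 6789",            # labelled, spaces on both sides
    "SSN 123456789",              # labelled, no delimiters
    "SSN 123-45 6789",            # labelled, but the delimiters differ
    "ref 123-45-6789 no label",   # well-formed SSN, no "SSN" token
    "SSN pending; id 99-12345",   # "SSN" token, no nine-digit pattern
]

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
# One rule option: name, optional ':' value (quoted or bare), and the ';' Snort needs.
OPTION = re.compile(r'(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;"]*))?\s*;')


def join_continuations(text):
    """[(first physical line, logical line)] with "\\"-terminated lines glued."""
    out, parts, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = n if start is None else start
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        out.append((start, " ".join(parts + [line])))
        parts, start = [], None
    if parts:  # file ended inside a continuation
        out.append((start, " ".join(parts)))
    return out


def lint_rule(rule):
    """Problems the Snort parser would stop on for one logical rule line."""
    if rule.split()[0] not in ACTIONS:
        return ["does not start with a rule action (missing '\\' on the line above?)"]
    _, paren, rest = rule.partition("(")
    if not paren or not rest.endswith(")"):
        return ["unterminated rule: option block must open and close on one logical line"]
    leftover = OPTION.sub("", rest[:-1]).strip()
    return [f"option without ';' terminator: {leftover!r}"] if leftover else []


def lint_file(text):
    """[(physical line, problem)] for a whole rules file."""
    return [(n, p) for n, rule in join_continuations(text)
            if rule and not rule.startswith("#") for p in lint_rule(rule)]


def parse_options(rule):
    """Option name -> value (surrounding quotes removed) for one logical rule."""
    body = rule.partition("(")[2].rstrip(")")
    return {m.group(1): (m.group(2) or "").strip('"') for m in OPTION.finditer(body)}


def compile_pcre(value):
    """Snort "/regex/flags" -> Python pattern; only the 'i' flag is modelled."""
    body, _, flags = value.rpartition("/")
    return re.compile(body[1:], re.IGNORECASE if "i" in flags else 0)


def rule_fires(rule, payload):
    """Content prefilter first; the pcre runs only on payloads that pass it."""
    opts = parse_options(rule)
    if "content" in opts and opts["content"] not in payload:
        return False
    return compile_pcre(opts["pcre"]).search(payload) is not None


def demo():
    """{rule start line: payloads that fire} for every rule carrying a pcre."""
    return {n: [p for p in PAYLOADS if rule_fires(rule, p)]
            for n, rule in join_continuations(RULES_TEXT)
            if rule.startswith("alert") and "pcre:" in rule}


if __name__ == "__main__":
    for n, problem in lint_file(RULES_TEXT):
        print(f"line {n}: {problem}")
    for n, fired in demo().items():
        print(f"rule at line {n} fired on {len(fired)}/{len(PAYLOADS)} payloads")
```

Running it reports lines 2-4 of the constructed file as unterminated or stray (the same diagnosis as Bill's "Unterminated rule" error), line 5 for the missing ";" after sid, and nothing for the finished rule. On the payloads, the pure-pcre rule fires on the first five, including the mixed-delimiter "123-45 6789"; the finished rule fires on the first three only, because "\1" rejects mismatched delimiters and the content prefilter skips the payload with no "SSN" token. That second point is the trade-off of the prefilter: it is what makes the rule cheap, and it is also why an unlabelled number sails past. Neither regex anchors on digit boundaries, so a nine-digit run inside a longer number (a ten-digit phone number, for instance) still matches; adding `(?<!\d)` and `(?!\d)` around the pattern is the usual fix.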
