[Discussion] feedback on IDS rules improvements

Tue Oct 15 06:24:39 UTC 2013

Hello,

I'm part of the MISP project (Malware Information Sharing Platform -
https://github.com/MISP) and working on improving the IDS rules the
platform generates automatically from it's data.

Could you have a look at the rules below and give me some advice how
to write them better? (or how to fix errors that would result in false
negatives? )

The PHP code itself can be seen at
https://github.com/MISP/MISP/blob/feature/IDSsuri/app/Controller/Component/NidsExportComponent.php
, however the rules below are probably more readable for NIDS people.

Of course we are focussing here on Suricata optimizations and not on Snort...

alert ip 1.1.1.1 any -> $HOME_NET any (msg: "MISP e1 Incoming From IP:
1.1.1.1";   classtype:trojan-activity; sid:3000011; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

alert ip $HOME_NET any -> 1.1.1.1 any (msg: "MISP e1 Outgoing To IP:
1.1.1.1";   classtype:trojan-activity; sid:3000021; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

alert udp any any -> any 53 (msg: "MISP e1 Hostname: host.name.com";
content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
content:"|00||04|host|04|name|03|com|00|"; fast_pattern; nocase;
classtype:trojan-activity; sid:3000031; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)
alert tcp any any -> any 53 (msg: "MISP e1 Hostname: host.name.com";
content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
content:"|00||04|host|04|name|03|com|00|"; fast_pattern; nocase;
flow:established;  classtype:trojan-activity; sid:3000032; rev:1;
priority:4; reference:url,http://localhost:8888/events/view/1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
HTTP Hostname: host.name.com"; flow:to_server,established; content:
"Host|3a| host.name.com"; fast_pattern; nocase; http_header; pcre:
"/[^A-Za-z0-9-]host\.name\.com[^A-Za-z0-9-]/H";
tag:session,600,seconds; classtype:trojan-activity; sid:3000033;
rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)

alert udp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
content:"|06|domain|03|com|00|"; fast_pattern; nocase;
classtype:trojan-activity; sid:3000041; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)
alert tcp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
content:"|06|domain|03|com|00|"; fast_pattern; nocase;
flow:established;  classtype:trojan-activity; sid:3000042; rev:1;
priority:4; reference:url,http://localhost:8888/events/view/1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
HTTP Domain: domain.com"; flow:to_server,established; content:
"Host|3a|"; nocase; http_header; content:"domain.com"; fast_pattern;
nocase; http_header; pcre: "/[^A-Za-z0-9-]domain\.com[^A-Za-z0-9-]/H";
tag:session,600,seconds; classtype:trojan-activity; sid:3000043;
rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)

# As far as I know no normalization occurs on SMTP headers? So
encoded/multi-line headers, subjects, filenames will not match these
rules?

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Source
Email Address: malicious at sender.com"; flow:established,to_server;
content:"MAIL FROM|3a|"; nocase; content:"malicious at sender.com";
fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192;
tag:session,600,seconds; classtype:trojan-activity; sid:3000051;
rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1
Destination Email Address: malicious at recipient.com";
flow:established,to_server; content:"RCPT TO|3a|"; nocase;
content:"malicious at recipient.com"; fast_pattern; nocase; content:"|0D
0A 0D 0A|"; within:8192; tag:session,600,seconds;
classtype:trojan-activity; sid:3000061; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Bad
Email Subject"; flow:established,to_server; content:"Subject|3a|";
nocase; content:"Email subject of malicious mail"; fast_pattern;
nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds;
classtype:trojan-activity; sid:3000071; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Bad
Email Attachment"; flow:established,to_server;
content:"Content-Disposition|3a| attachment|3b| filename|3d 22|";
content:"Malicious email attachment.doc|22|"; fast_pattern;
content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds;
classtype:trojan-activity; sid:3000081; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

# This will probably not match, as the http:// should not be there, correct?
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
HTTP URL: http://maliciousurl/gate.php"; flow:to_server,established;
content:"http://maliciousurl/gate.php"; fast_pattern; nocase;
http_uri; tag:session,600,seconds; classtype:trojan-activity;
sid:3000091; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
HTTP URL: pagewithmaliciouscontent.php"; flow:to_server,established;
content:"pagewithmaliciouscontent.php"; fast_pattern; nocase;
http_uri; tag:session,600,seconds; classtype:trojan-activity;
sid:3000101; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
User-Agent: Malicious user agent:versionx";
flow:to_server,established; content:"Malicious user agent:versionx";
fast_pattern; http_user_agent; tag:session,600,seconds;
classtype:trojan-activity; sid:3000111; rev:1; priority:4;
reference:url,http://localhost:8888/events/view/1;)

Thanks a lot !
Christophe

PS: Next step will be to provide a oinkmaster compatible package that
also contains md5s/sha1s, iprep, ...