[Discussion] feedback on IDS rules improvements
Victor Julien
lists at inliniac.net
Tue Oct 15 08:04:04 UTC 2013
On 10/15/2013 08:24 AM, Christophe Vandeplas wrote:
> Hello,
>
>
> I'm part of the MISP project (Malware Information Sharing Platform -
> https://github.com/MISP) and working on improving the IDS rules the
> platform generates automatically from it's data.
>
>
> Could you have a look at the rules below and give me some advice how
> to write them better? (or how to fix errors that would result in false
> negatives? )
>
> The PHP code itself can be seen at
> https://github.com/MISP/MISP/blob/feature/IDSsuri/app/Controller/Component/NidsExportComponent.php
> , however the rules below are probably more readable for NIDS people.
>
> Of course we are focussing here on Suricata optimizations and not on Snort...
>
>
> alert ip 1.1.1.1 any -> $HOME_NET any (msg: "MISP e1 Incoming From IP:
> 1.1.1.1"; classtype:trojan-activity; sid:3000011; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
>
>
> alert ip $HOME_NET any -> 1.1.1.1 any (msg: "MISP e1 Outgoing To IP:
> 1.1.1.1"; classtype:trojan-activity; sid:3000021; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
These 2 will be ip-only rules.
>
> alert udp any any -> any 53 (msg: "MISP e1 Hostname: host.name.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|00||04|host|04|name|03|com|00|"; fast_pattern; nocase;
> classtype:trojan-activity; sid:3000031; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> alert tcp any any -> any 53 (msg: "MISP e1 Hostname: host.name.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|00||04|host|04|name|03|com|00|"; fast_pattern; nocase;
> flow:established; classtype:trojan-activity; sid:3000032; rev:1;
> priority:4; reference:url,http://localhost:8888/events/view/1;)
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP Hostname: host.name.com"; flow:to_server,established; content:
> "Host|3a| host.name.com"; fast_pattern; nocase; http_header; pcre:
> "/[^A-Za-z0-9-]host\.name\.com[^A-Za-z0-9-]/H";
> tag:session,600,seconds; classtype:trojan-activity; sid:3000033;
> rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
>
>
> alert udp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|06|domain|03|com|00|"; fast_pattern; nocase;
> classtype:trojan-activity; sid:3000041; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> alert tcp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|06|domain|03|com|00|"; fast_pattern; nocase;
> flow:established; classtype:trojan-activity; sid:3000042; rev:1;
> priority:4; reference:url,http://localhost:8888/events/view/1;)
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP Domain: domain.com"; flow:to_server,established; content:
> "Host|3a|"; nocase; http_header; content:"domain.com"; fast_pattern;
> nocase; http_header; pcre: "/[^A-Za-z0-9-]domain\.com[^A-Za-z0-9-]/H";
> tag:session,600,seconds; classtype:trojan-activity; sid:3000043;
> rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
You might want to try the dns_query keyword here:
content:"hostname"; dns_query;
>
> # As far as I know no normalization occurs on SMTP headers? So
> encoded/multi-line headers, subjects, filenames will not match these
> rules?
Correct, not yet. We have tickets open.
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Source
> Email Address: malicious at sender.com"; flow:established,to_server;
> content:"MAIL FROM|3a|"; nocase; content:"malicious at sender.com";
> fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192;
> tag:session,600,seconds; classtype:trojan-activity; sid:3000051;
> rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
>
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1
> Destination Email Address: malicious at recipient.com";
> flow:established,to_server; content:"RCPT TO|3a|"; nocase;
> content:"malicious at recipient.com"; fast_pattern; nocase; content:"|0D
> 0A 0D 0A|"; within:8192; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000061; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
>
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Bad
> Email Subject"; flow:established,to_server; content:"Subject|3a|";
> nocase; content:"Email subject of malicious mail"; fast_pattern;
> nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000071; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
>
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Bad
> Email Attachment"; flow:established,to_server;
> content:"Content-Disposition|3a| attachment|3b| filename|3d 22|";
> content:"Malicious email attachment.doc|22|"; fast_pattern;
> content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000081; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
>
>
> # This will probably not match, as the http:// should not be there, correct?
Right. You will need something like:
content:"maliciousurl"; http_host; content:"gate.php"; http_uri;, maybe
with added depths and/or pcre's to make it doesn't match on
http://nonmaliciousurl/leftgate.php
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP URL: http://maliciousurl/gate.php"; flow:to_server,established;
> content:"http://maliciousurl/gate.php"; fast_pattern; nocase;
> http_uri; tag:session,600,seconds; classtype:trojan-activity;
> sid:3000091; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
>
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP URL: pagewithmaliciouscontent.php"; flow:to_server,established;
> content:"pagewithmaliciouscontent.php"; fast_pattern; nocase;
> http_uri; tag:session,600,seconds; classtype:trojan-activity;
> sid:3000101; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
>
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> User-Agent: Malicious user agent:versionx";
> flow:to_server,established; content:"Malicious user agent:versionx";
> fast_pattern; http_user_agent; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000111; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
The content should be: content:"versionx"; http_user_agent; here?
In general it's not needed to add the "fast_pattern;" everywhere.
Suricata will select a pattern to use automatically (usually the
longest). The fast_pattern keyword is used to override this.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Discussion
mailing list