[Discussion] feedback on IDS rules improvements

Victor Julien lists at inliniac.net
Tue Oct 15 08:04:04 UTC 2013


On 10/15/2013 08:24 AM, Christophe Vandeplas wrote:
> Hello,
> 
> 
> I'm part of the MISP project (Malware Information Sharing Platform -
> https://github.com/MISP) and working on improving the IDS rules the
> platform generates automatically from its data.
> 
> 
> Could you have a look at the rules below and give me some advice how
> to write them better? (or how to fix errors that would result in false
> negatives?)
> 
> The PHP code itself can be seen at
> https://github.com/MISP/MISP/blob/feature/IDSsuri/app/Controller/Component/NidsExportComponent.php
> , however the rules below are probably more readable for NIDS people.
> 
> Of course we are focussing here on Suricata optimizations and not on Snort...
> 
> 
> alert ip 1.1.1.1 any -> $HOME_NET any (msg: "MISP e1 Incoming From IP:
> 1.1.1.1";   classtype:trojan-activity; sid:3000011; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert ip $HOME_NET any -> 1.1.1.1 any (msg: "MISP e1 Outgoing To IP:
> 1.1.1.1";   classtype:trojan-activity; sid:3000021; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)

These 2 will be ip-only rules.


> 
> alert udp any any -> any 53 (msg: "MISP e1 Hostname: host.name.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|00||04|host|04|name|03|com|00|"; fast_pattern; nocase;
> classtype:trojan-activity; sid:3000031; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> alert tcp any any -> any 53 (msg: "MISP e1 Hostname: host.name.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|00||04|host|04|name|03|com|00|"; fast_pattern; nocase;
> flow:established;  classtype:trojan-activity; sid:3000032; rev:1;
> priority:4; reference:url,http://localhost:8888/events/view/1;)
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP Hostname: host.name.com"; flow:to_server,established; content:
> "Host|3a| host.name.com"; fast_pattern; nocase; http_header; pcre:
> "/[^A-Za-z0-9-]host\.name\.com[^A-Za-z0-9-]/H";
> tag:session,600,seconds; classtype:trojan-activity; sid:3000033;
> rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert udp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|06|domain|03|com|00|"; fast_pattern; nocase;
> classtype:trojan-activity; sid:3000041; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> alert tcp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|06|domain|03|com|00|"; fast_pattern; nocase;
> flow:established;  classtype:trojan-activity; sid:3000042; rev:1;
> priority:4; reference:url,http://localhost:8888/events/view/1;)
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP Domain: domain.com"; flow:to_server,established; content:
> "Host|3a|"; nocase; http_header; content:"domain.com"; fast_pattern;
> nocase; http_header; pcre: "/[^A-Za-z0-9-]domain\.com[^A-Za-z0-9-]/H";
> tag:session,600,seconds; classtype:trojan-activity; sid:3000043;
> rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)

You might want to try the dns_query keyword here:
content:"hostname"; dns_query;


> 
> # As far as I know no normalization occurs on SMTP headers? So
> encoded/multi-line headers, subjects, filenames will not match these
> rules?

Correct, not yet. We have tickets open.


> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Source
> Email Address: malicious@sender.com"; flow:established,to_server;
> content:"MAIL FROM|3a|"; nocase; content:"malicious@sender.com";
> fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192;
> tag:session,600,seconds; classtype:trojan-activity; sid:3000051;
> rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1
> Destination Email Address: malicious@recipient.com";
> flow:established,to_server; content:"RCPT TO|3a|"; nocase;
> content:"malicious@recipient.com"; fast_pattern; nocase; content:"|0D
> 0A 0D 0A|"; within:8192; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000061; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Bad
> Email Subject"; flow:established,to_server; content:"Subject|3a|";
> nocase; content:"Email subject of malicious mail"; fast_pattern;
> nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000071; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e1 Bad
> Email Attachment"; flow:established,to_server;
> content:"Content-Disposition|3a| attachment|3b| filename|3d 22|";
> content:"Malicious email attachment.doc|22|"; fast_pattern;
> content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000081; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> 
> 
> # This will probably not match, as the http:// should not be there, correct?

Right. You will need something like:

content:"maliciousurl"; http_host; content:"gate.php"; http_uri; maybe
with added depths and/or pcre's to make sure it doesn't match on
http://nonmaliciousurl/leftgate.php

> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP URL: http://maliciousurl/gate.php"; flow:to_server,established;
> content:"http://maliciousurl/gate.php"; fast_pattern; nocase;
> http_uri; tag:session,600,seconds; classtype:trojan-activity;
> sid:3000091; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> HTTP URL: pagewithmaliciouscontent.php"; flow:to_server,established;
> content:"pagewithmaliciouscontent.php"; fast_pattern; nocase;
> http_uri; tag:session,600,seconds; classtype:trojan-activity;
> sid:3000101; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)
> 
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
> User-Agent: Malicious user agent:versionx";
> flow:to_server,established; content:"Malicious user agent:versionx";
> fast_pattern; http_user_agent; tag:session,600,seconds;
> classtype:trojan-activity; sid:3000111; rev:1; priority:4;
> reference:url,http://localhost:8888/events/view/1;)

The content should be: content:"versionx"; http_user_agent; here?


In general it's not needed to add the "fast_pattern;" everywhere.
Suricata will select a pattern to use automatically (usually the
longest). The fast_pattern keyword is used to override this.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
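A generator sketch that applies the advice in this reply (dns_query for hostnames, a split http_host/http_uri match with a depth for URLs, no fast_pattern). This is an added example, not MISP's NidsExportComponent; it assumes Suricata 2.x keyword syntax and the standard $HOME_NET/$EXTERNAL_NET variables.

```python
"""Rule generator sketch (added example, not MISP's NidsExportComponent)."""
from urllib.parse import urlsplit

# Characters that must be backslash-escaped inside msg:"..." and content:"...".
_MSG_SPECIAL = set('";\\')
_CONTENT_SPECIAL = _MSG_SPECIAL | {"|"}   # '|' would start a hex block


def esc(value: str, special=_CONTENT_SPECIAL) -> str:
    """Backslash-escape Suricata-special characters in a rule string."""
    return "".join("\\" + c if c in special else c for c in value)


def content(value: str) -> str:
    """Build a content:"..."; keyword with special characters escaped."""
    return f'content:"{esc(value)}";'


def dns_rule(hostname: str, sid: int, event_url: str) -> str:
    """Match a DNS query for hostname on the parsed query name (dns_query)
    instead of a hand-built length-prefixed label pattern. 'alert dns' sees
    both UDP and TCP transport, so one rule replaces the udp/tcp pair."""
    return (
        f'alert dns any any -> any any (msg:"MISP Hostname: {esc(hostname, _MSG_SPECIAL)}"; '
        f'dns_query; {content(hostname)} nocase; '
        f'classtype:trojan-activity; sid:{sid}; rev:1; priority:4; '
        f'reference:url,{event_url};)'
    )


def url_rule(url: str, sid: int, event_url: str) -> str:
    """Split a URL into a host match (http_host) and a URI match (http_uri).
    The http_host buffer is already lowercased by Suricata, so the host is
    emitted in lowercase and without nocase. depth pins the URI content to
    offset 0 of the normalized URI buffer, so /gate.php does not also match
    /leftgate.php. No fast_pattern: Suricata picks the fast pattern itself."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # lowercase, scheme and port stripped
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"MISP Outgoing HTTP URL: {esc(url, _MSG_SPECIAL)}"; '
        f'flow:to_server,established; '
        f'{content(host)} http_host; '
        f'{content(uri)} http_uri; depth:{len(uri)}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1; priority:4; '
        f'reference:url,{event_url};)'
    )
```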