What are Snort Rules and their examples?
Let us get ample clarity upfront because, for all we know, the term Snort implies more than just one meaning.
In the business world, the Web and Cybersecurity, Snort refers to IDS– Intrusion Detection System. Because such detection helps you get proactive and secure the best interests of your business it is also known as IPS– Intrusion Prevention System.
If we drew a real-life parallel, Snort is your security guard. Snort Rules are the directions you give your security personnel. A typical security guard may be a burly man with a bit of a sleepy gait. With Snort and Snort Rules, it is downright serious cybersecurity.
By now, you are a little aware of the essence of Snort Rules. That should help when you imagine this scenario:
Your business is running strong, the future looks great and the investors are happy. All of a sudden, a cyber attack on your system flips everything upside down and now you wonder (/snort in anguish) What, Why, Damn! If only!
“Not me/ Not with my business” is such a common, deceptive belief with so many of us. In the same vein of ambiguity, many of us may still wonder if we need to know what Snort Rules are at a deeper level.
Well, there is no way out.
We know there is strength in numbers. But man, these numbers are scary!
In 2021, on average, there were 2200 cyber-attacks per day (that’s like an attack every 39 seconds!).
Before we discuss the snort rule with examples, and the different modes in which it is run, let us lay down the important features.
Alerting a malicious activity that could be a potential threat to your organization, is a natural feature of a snort rule. Crucial information like IP Address, Timestamp, ICPM type, IP Header length, and such are traceable with a snort rule.
There are multiple modes of alert you could generate: Fast, Full, None, CMG, Unsock, and Console are a few of the popular ones. Each of which is unique and distinct from one another.
For instance, if you need a full report that includes comprehensive details, the rule would look like the following:
Output alert_full: alert.full
And suppose you need a quick report that doesn’t need to be as elaborate as the full report, you could choose to get it with the following rule
Output alert_fast: alert.fast
As may be evident from the above examples, a snort rule is a single line code that helps to identify the nature of traffic. However, modern-day snort rules cater to larger and more dynamic requirements and so could be more elaborate as well.
Also, once you download Snort Rules, it can be used in any Operating system (OS). There is no limitation whatsoever. Be it Linux, Unix, Windows, Ubuntu or whichever for that matter, Snort secures your network just the same.
Since it is an open-source solution made to secure businesses, you may download it at no cost whatsoever. Just in case you needed the link to download:
Snort is the most popular IPS, globally speaking. The open-source IDS – Intrusion Detection System helps to identify and distinguish between regular and contentious activities over your network.
Snort Rules refers to the language that helps one enable such observation.
It is a simple language that can be used by just about anyone with basic coding awareness.
Signature: Signature-based IDS refers to the identification of data packets that have previously been a threat.
It identifies historic patterns or popular and malefic sequences and detects the same when a similar event is on the cards.
Protocol: In this method, Snort detects suspicious behavior from the source of an IP – Internet Protocol.
Every computer has a unique IP and the data that is sourced from a distrustful IP is detected and notified in real-time.
Besides high-level protocols like HTTP, Snort detects skeptical user behavior from 3 types of low-level Protocols – TCP, UDP, and ICMP.
Apparently, we may even be able to analyze data packets from different sources like ARP, IGRP, GRP, GPSF, IPX in the future.
Anomaly-based Inspection: There is a palpable difference between Signature/ Protocol-based IDS and Anomaly-based inspection.
While the other 2 rely on previous or historic behavior, Anomaly-based IDS detects and notifies of any type of behavior that can be viewed with a veil of suspicion.
Suspicious activities and attempts over Operating System (OS) Fingerprints, Server Message Block (SMB) probes, CGI attacks, Stealth Port Scans, Denial of Service (DoS) attacks etc are negated instantly with Snort.
We have touched upon the different types of intrusion detection above. It would serve well to be aware that Snort rules can be run in 3 different modes based on the requirements:
We are getting closer to understanding what snort rules are and their examples. So far so good with understanding the essence, features, and the different modes of Snort.
Frankly speaking, the examples and the cheat sheet to write snort rules that we will have later is why we are having this conversation in the first place.
However, doing so without getting familiar with these terms would be somewhat like playing basketball without knowing how to dribble the ball. So here it goes:
Popular ‘options’ include Content, Offset, Content-List, Flags etc. Each of these options is entered towards the end of the rule line and largely defines the essence and the output derived from the rule.
Now, please believe us when we say, we are ready to write the rules!
We talked about over-simplification a few moments ago, here’s what it was about. This reference table below could help you relate to the above terms and get you started with writing ‘em rules.
|Rule Action||Protocol||Source IP Address||Source Port||Flow||Destination IP Address||Destination Port||Message|
|alert||top||any||21||>||10.199.12.8||any||(msg: “TCP Packet Detected” nd: 1000:610)|
For the uncomplicated mind, life is easy. Why should writing Snort rules get you in a complicated state at all? Just why!
After such a scintillating 🙃 tour de Snort, you could be keen and ready to download Snort right away and rock the keyboard. Well, you are not served fully yet. Here’s the real meal and dessert.
alert tcp 192.168.1.0/24 any -> 188.8.131.52 25 (content: “hacking”; msg: ”malicious packet”; sid:2000001;)
Alert tcp any any -> 192.168.10.5 443 (msg: “TCP SYN flood”; flags:!A; flow: stateless; detection_filter: track by_dst, count 70, seconds 10; sid:2000003;)
alert tcp any any -> any 445 (msg: “conficker.a shellcode”; content: “|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|”; sid: 2000002; rev: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:”FTP wuftp bad file completion attempt [“;flow:to_server, established; content:”|?|”; content:”[“; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:14;)
alert tcp any any -> any any (msg:Possible BugBear B Attack FuzzRuleId cor(\’||?| 63 e7|\’); content:||?| 63 e7|; regex; dsize:>21;) alert tcp any any -> any any (msg:Possible BugBear B Attack FuzzRuleId cor(\’|3b |?| e7|\’); content:|3b |?| e7|; regex; dsize:>21;)
alert tcp any any -> any any (msg:Possible BugBear B Attack FuzzRuleId cor(\’|3b 63 |?||\’); content:|3b 63 |?||; regex; dsize:>21;)
alert udp any any -> any 69 (msg:TFTP GET Admin.dll; content: |0001|; offset:0; depth:2; content:admin.dll; offset:2; nocase; classtype:successful-admin; reference:url, www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
alert udp any any -> any 69 (msg:TFTP GET Admin.dll; content: |0001|; offset:0; content:admin.dll; offset:2; nocase; classtype:successful-admin; reference:url, www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
There are thousands of stock rules and so many more you can write depending on the need and requirements of your business. Shall we discuss them all right away? Or, figure out the ones which could save you the M?
By the way, If numbers did some talking within context…(source: welivesecurity)
Simple things like the Snort itself for example goes such a long way in securing the interests of an organization. So many organizations with hundreds and thousands of years of collective human capital have gone down to dust due to the treachery of cyber fraud in the recent past.
Perhaps why cybersecurity for every enterprise and organization is a non-negotiable thing in the modern world. Coming back to Snort, it is an open-source system which means you can download it for free and write the relevant rules in the best interest of your organization and its future.
|Need Help With Snort?|
Talk to our CyberSecurity Expert
Circa Las Vegas
Thurs. Aug 5th
Cybersecurity Reunion Pool Party at BlackHat 2021