[Intrusions] Assessing Your Malware Exposure with Snort

Wes Young wcyoung at buffalo.edu
Fri Mar 11 18:46:01 GMT 2005


I wonder, is it possible to define a variable with an 'include' 
statement?

var $BAD_DNS = include bad_domains.rules

having the snort alert dynamically generate the content, or make the 
content a var?... I haven't had a chance to check it out to see if it will 
even work in snort, but maybe a conceptual idea that might work in the 
future for things like this?

then you can add/remove domains in a rule-type file instead?


On Mar 10, 2005, at 4:21 PM, Matt Jonkman wrote:

> Thanks for the clarification Brian.
>
> I had started to combine these rules into multi-condition pcre. Making 
> one rule out of 30 or 40 original single domain rules. And I can't 
> remember where the heck I put them now or I'd link to them for you.
>
> So my question is, will this be more efficient in a single combined 
> match per rule, or multiple?
>
> Matt
>
> Brian wrote:
>>> I have written a few thousand Snort rules that are intended to 
>>> detect successful HTTP communication with hosts known to be evil. 
>>> They look for domain names in the Host string so they are not 
>>> subject to evasion by changing IP addresses.
>>>
>>> If you would like to give them a try you can grab them from 
>>> http://www.kgb.to/malware.html .
>> Interesting.
>> The meat of one of your rules is:
>>     flow:established;
>>     pcre:"/(Host\:)\s[a-zA-Z0-9.-]+(\.whenyousearch.com\r\n)/";
>> Your rules are going to be slow.  Here are the few issues I see so
>> far:
>>     * Your regular expression is matching when you don't need to,
>>       causing pcre to do un-needed work.
>>     * By not using content, you are not making use of the
>>       multi-pattern match engine in Snort.
>>     * Since all of the rules I looked at are looking for traffic going
>>       towards the web server, you should limit your flow to
>>       "to_server" as well.
>> My tweaked "for speed" meat of the rule version is:
>>     flow:established,to_server; content:"whenyousearch.com"; nocase;
>>     pcre:"/^Host\x3a\s*[a-z0-9\.-]+\.whenyousearch.com/smi";
>> Brian Caswell
>> _______________________________________________
>> Intrusions mailing list
>> Intrusions at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/intrusions
>
> -- 
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> Infotex
> 765-429-0398 Direct Anytime
> 765-448-6847 Office
> 866-679-5177 24x7 NOC
> my.infotex.com
> www.offsitefilter.com
> www.bleedingsnort.com
> --------------------------------------------
>
>
> NOTICE: The information contained in this email is confidential
> and intended solely for the intended recipient. Any use,
> distribution, transmittal or retransmittal of information
> contained in this email by persons who are not intended
> recipients may be a violation of law and is strictly prohibited.
> If you are not the intended recipient, please contact the sender
> and delete all copies.
--
Wes

I wish I could come up with some witty sigs
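The two ideas in this thread, Wes's "keep the domains in a file instead of editing rules" and Brian's "content prefilter, then anchored pcre, restricted to to_server", fit together as a small rule generator plus a simulation of Snort's evaluation order. The following is an added example written for this archive page; it is not code from the thread, from Snort, or from the kgb.to ruleset. The domain list, SIDs, msg text and HTTP payloads are constructed; $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the usual snort.conf variables. The pcre is kept in exactly the form Brian proposed (with the domain's dots escaped), so the simulation also shows its one caveat: a bare `Host: whenyousearch.com` with no leading label does not match.

```python
"""Generate per-domain Snort rules in the 'content prefilter + anchored pcre'
form and simulate how the three match stages behave on constructed packets.
Added example for the list archive; not code from the thread or any ruleset."""
import re

# Constructed stand-in for a "bad_domains" file: one domain per line.
BAD_DOMAINS_FILE = """\
# constructed list, not the kgb.to ruleset
whenyousearch.com
bad-example.test
"""


def load_domains(text):
    """Parse a domain-list file: lowercase, strip, skip blanks and '#' comments."""
    domains = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            domains.append(line)
    return domains


def pcre_for(domain):
    """Anchored, case-insensitive Host-header pattern in Brian's form.
    Dots in the domain are escaped so they match literally."""
    return r"^Host\x3a\s*[a-z0-9\.-]+\." + domain.replace(".", r"\.")


def make_rule(domain, sid):
    """Build one rule: flow to_server, content prefilter (nocase), anchored pcre.
    The msg wording and sid range are constructed for this example."""
    pattern = pcre_for(domain)
    text = (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        f'(msg:"MALWARE host {domain}"; flow:established,to_server; '
        f'content:"{domain}"; nocase; pcre:"/{pattern}/smi"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )
    # /smi in PCRE corresponds to DOTALL | MULTILINE | IGNORECASE in Python's re.
    return {"text": text, "content": domain,
            "pcre": re.compile(pattern, re.S | re.M | re.I)}


def generate_rules(domain_text, base_sid=1000001):
    """One rule per domain, SIDs assigned sequentially from base_sid."""
    return [make_rule(d, base_sid + i) for i, d in enumerate(load_domains(domain_text))]


def evaluate(rule, payload, to_server, stats):
    """Simulate Snort's evaluation order: flow -> content (nocase) -> pcre.
    Returns the stage that rejected the packet, or 'alert'.  stats counts
    how often the expensive pcre stage actually had to run."""
    if not to_server:
        return "flow"
    if rule["content"] not in payload.lower():   # cheap substring prefilter
        return "content"
    stats["pcre_runs"] += 1
    return "alert" if rule["pcre"].search(payload) else "pcre"


# Constructed packets: (description, payload, is_client_to_server)
PACKETS = [
    ("real hit", "GET /x HTTP/1.1\r\nHost: www.whenyousearch.com\r\n\r\n", True),
    ("benign", "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", True),
    ("substring only", "GET / HTTP/1.1\r\nHost: notwhenyousearch.com\r\n\r\n", True),
    ("bare domain", "GET / HTTP/1.1\r\nHost: whenyousearch.com\r\n\r\n", True),
    ("server reply", "HTTP/1.1 200 OK\r\n\r\nhttp://www.whenyousearch.com/\r\n", False),
]


def run(domain_text=BAD_DOMAINS_FILE, packets=PACKETS):
    """Apply every generated rule to every packet.  Returns the rules, a
    {description: [outcome per rule]} map, and the pcre-run counter."""
    rules = generate_rules(domain_text)
    stats = {"pcre_runs": 0}
    results = {}
    for desc, payload, to_server in packets:
        results[desc] = [evaluate(r, payload, to_server, stats) for r in rules]
    return rules, results, stats


if __name__ == "__main__":
    rules, results, stats = run()
    for r in rules:
        print(r["text"])
    for desc, outcome in results.items():
        print(f"{desc:15} -> {outcome}")
    print("pcre evaluations:", stats["pcre_runs"], "of", len(rules) * len(PACKETS))
```

Of the ten rule/packet pairs, only three ever reach the pcre stage; the rest are dropped by the flow check or by the content prefilter, which is the saving Brian describes. The "substring only" packet shows why the anchored pcre is still needed after the content hit (`notwhenyousearch.com` contains the string but is a different domain), and the "bare domain" packet shows the `[a-z0-9\.-]+\.` prefix requiring at least one label before the domain, which both the original and the tweaked rule share.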


