
I just started to learn how to use Snort today.

However, I need a bit of help with my rules setup.

I am trying to look for the following code on the network sent to a machine. This machine has snort installed on it (as I installed it now).

The code I want to analyze on the network is in bytes.

\xAA\x00\x00\x00\x00\x00\x00\x0F\x00\x00\x02\x74\x00\x00' (total of 14 bytes)

Now, I am looking at wanting to analyze the first 7 bytes of the code. For me if the 1st byte is (AA) and 7th byte is (0F). Then I want snort to set off an alarm.

So far my rules are:

alert tcp any any -> any any \
(content:"|aa 00 00 00 00 00 00 0f|"; msg:"break in attempt"; sid:10; rev:1; \
classtype:shellcode-detect; rawbytes;)
byte_test:1, =, aa, 0, relative;
byte_test:7 =, 0f, 7, relative;

I'm guessing I obviously have made a mistake somewhere. Maybe someone that is familiar with snort could help me out?

Thanks.

Gagantous
user3419132

1 Answer


Congrats on deciding to learn snort.

Assuming the bytes are going to be found in the payload of a TCP packet your rule header should be fine:

alert tcp any any -> any any

We can then specify the content match using pipes (||) to let snort know that these characters should be interpreted as hex bytes and not ASCII:

content:"|AA 00 00 00 00 00 00 0F|"; depth:8; 

And since we only want the rule to match if these bytes are found in the first 8 bytes of the packet or buffer we can add "depth". The "depth" keyword modifier tells snort to check where in the packet or buffer the content match was found. For the above content match to return true all eight bytes must be found within the first eight bytes of the packet or buffer.

"rawbytes" is not necessary here and should only ever be used for one specific purpose: to match on telnet control characters. "byte_test" isn't needed either since we've already verified that bytes 1 and 8 are "AA" and "0F" respectively using a content match.

So, the final rule becomes:

alert tcp any any -> any any ( \
msg:"SHELLCODE Break in attempt"; \
content:"|AA 00 00 00 00 00 00 0F|"; depth:8; \
classtype:shellcode-detect; sid:10;)

If you decide that this should only match inside a file you can use the "sticky" buffer "file_data" like so:

alert tcp any any -> any any ( \
msg:"SHELLCODE Break in attempt"; file_data; \
content:"|AA 00 00 00 00 00 00 0F|"; depth:8; \
classtype:shellcode-detect; sid:10;)

This will alert if the shellcode is found inside the alternate data (file data) buffer.

If you'd like for your rule to only look inside certain file types for this shellcode you can use "flowbits" like so:

alert tcp any any -> any any ( \
msg:"SHELLCODE Break in attempt"; \
flowbits:isset,file.pdf; file_data; \
content:"|AA 00 00 00 00 00 00 0F|"; depth:8; \
classtype:shellcode-detect; sid:10;)

This will alert if these bytes are found when the file.pdf flowbit is set. You will need the rule enabled that sets the pdf flowbit. Rules that set file flowbits and other good examples can be found in the community ruleset available for free here https://www.snort.org/snort-rules.

tcpee
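The following is an added illustration, not part of the question or the answer and not Snort's own code: a small Python model of the content/depth semantics the answer relies on, plus the byte_test checks the question was reaching for, evaluated over the 14-byte sequence from the question and a constructed copy shifted by one byte. The function names (parse_content, content_match, byte_test, final_rule, byte_tests_from_question) are my own, and byte_test is modelled only for unsigned big-endian values.

```python
# Added example (not from the question or answer, and not Snort's own code):
# a model of Snort's content/depth and byte_test semantics as the answer
# describes them, run over constructed payloads. All names are assumptions.
import operator
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as "|AA 00|abc" into bytes.
    Text between pipes is hex; text outside the pipes is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)      # hex section between pipes
        else:
            out += part.encode("ascii")     # literal section
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """depth limits the search to the first `depth` bytes after `offset`, and
    the whole pattern has to fit inside that window. That is why depth:8 with
    an 8-byte pattern anchors the match to the very start of the buffer."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]


_OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt, "!": operator.ne}


def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int) -> bool:
    """Model of byte_test:<bytes>,<operator>,<value>,<offset> reading an
    unsigned big-endian integer, the form the question tried to use."""
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False                        # not enough bytes left to test
    return _OPS[op](int.from_bytes(chunk, "big"), value)


# The 14-byte sequence quoted in the question.
PAYLOAD = b"\xAA\x00\x00\x00\x00\x00\x00\x0F\x00\x00\x02\x74\x00\x00"
# Constructed variant: the same bytes preceded by one byte of unrelated data.
SHIFTED = b"\x41" + PAYLOAD

SIGNATURE = parse_content("|AA 00 00 00 00 00 00 0F|")


def final_rule(payload: bytes) -> bool:
    """The answer's final rule reduced to its detection logic:
    content:"|AA 00 00 00 00 00 00 0F|"; depth:8;"""
    return content_match(payload, SIGNATURE, depth=8)


def byte_tests_from_question(payload: bytes) -> bool:
    """The two checks the question's byte_test lines were aiming for:
    byte 1 == 0xAA and byte 8 == 0x0F. Whenever final_rule() is true these
    are true as well, which is why the answer drops them as redundant."""
    return (byte_test(payload, 1, "=", 0xAA, 0)
            and byte_test(payload, 1, "=", 0x0F, 7))


if __name__ == "__main__":
    for name, p in (("payload", PAYLOAD), ("shifted", SHIFTED)):
        print(f"{name}: final_rule={final_rule(p)} "
              f"anywhere={content_match(p, SIGNATURE)} "
              f"byte_tests={byte_tests_from_question(p)}")
```

Running it shows the difference depth makes: the original 14-byte payload fires final_rule, while the shifted copy still contains the signature (content_match without depth is true) but does not fire, because with depth:8 the eight pattern bytes can only sit at offset 0.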