Solved

add rules to snort

Posted on 2009-02-23
1,199 Views
Last Modified: 2013-11-29
Dear experts,

I used snort to capture some data to a file.

I am testing some malicious code that has no signatures in the default snort rules. So, I have to write my own rules.

I found some examples and explanations about writing snort rules, such as:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

The question: How can I add my own rules to snort and test them?

I will be grateful for any help.
Thanks in advance.

Regards.
Question by: Tree_PRO
5 Comments
 

Author Comment by: Tree_PRO
ID: 23720532
Dear experts,

When I added the question I thought it was too easy, that I would get more answers, and that maybe someone would tell me I didn't need to ask it because it is so easy. But the question is a bit hard.

I hope there are some experts who could help me with the question.

I will be glad for answers.
Regards.
 
Expert Comment by: Rich Rumble (LVL 38)
ID: 23730190
Some rules are easy, some are hard. Unique applications and out-of-the-ordinary traffic are a little easier to write for. I wrote the PWDump rules: http://xinn.org/Snort-fgdump.html The rule basically finds the application's name in the packet once the file has been copied over. All that logic isn't really in that rule; it just so happens that when the password dumping tools start to set up their services, they copy themselves over to the host, and when they do, the filename of the service they are going to start is something like "fgdump.svc". So you can see that those characters aren't very likely to trigger a false positive.
Other rules are not so easy...
Do you have any pcaps you can share?
http://www.emergingthreats.net/index.php/component/content/article/1-latest/160-new-pcap-parser-available.html
http://doc.emergingthreats.net/bin/view/Main/GeneralFAQ
Write the rules, then see if you can catch yourself, that's basically it...
-rich
 

Author Comment by: Tree_PRO
ID: 23733727
Thanks richrumble for your reply.

I have some ideas about snort and I have tested it a lot before; writing the rules is easy to do, for example this one:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

But the problem, or what I do not understand, is that I do not know where I can save these rules in snort. Is there any special file within the snort tool that I can insert my rules into?
 
Accepted Solution by: Rich Rumble (LVL 38, earned 2000 total points)
ID: 23734249
Just add it into the other rule files... look in your snort.conf file to see the file location of your snort rules; on Linux it's typically /etc/snort/rules ... your rule looks for mountd access, maybe add it to the policy rules, or local rules... make sure that rule set is not commented out in your snort.conf file.
-rich
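The accepted answer in practice, as an added example that is not code from the thread or from the Snort project: the script below appends the mountd rule to a local.rules file, makes sure snort.conf carries an active include for that file (uncommenting it if someone had commented it out), and then shows the two snort invocations used to test it. It assumes the usual Linux package layout (snort.conf with a "var RULE_PATH /etc/snort/rules" line and a rules directory under it), a Snort 2.x binary, and a capture file named capture.pcap; none of those are stated in the thread. One caveat the question's rule needs: Snort 2 refuses to load a rule without a sid, so the example adds sid and rev, using a sid above 1000000, the range reserved for locally written rules. The demo at the bottom works in a scratch directory so running the file never modifies /etc/snort.

```shell
#!/bin/sh
# Added example, not code from the thread: install a custom rule into
# Snort's local.rules, make sure snort.conf actually loads that file,
# then test the rule against a capture.
# Assumed layout (typical Linux package, not stated in the thread):
#   /etc/snort/snort.conf containing "var RULE_PATH /etc/snort/rules"
#   /etc/snort/rules/local.rules for site-specific rules
# The rule is the one from the question plus sid/rev, which Snort 2
# requires; sids from 1000000 upward are reserved for local rules.
MOUNTD_RULE='alert tcp any any -> 192.168.1.0/24 111 (msg:"mountd access"; content:"|00 01 86 a5|"; sid:1000001; rev:1;)'

# add_local_rule RULE_DIR RULE
# Appends RULE to RULE_DIR/local.rules unless that exact line is present.
add_local_rule() {
    dir="$1"; rule="$2"
    mkdir -p "$dir"
    [ -f "$dir/local.rules" ] || : > "$dir/local.rules"
    if ! grep -qxF -- "$rule" "$dir/local.rules"; then
        printf '%s\n' "$rule" >> "$dir/local.rules"
    fi
}

# ensure_included SNORT_CONF
# Makes sure an active "include $RULE_PATH/local.rules" line exists:
# uncomments a commented-out one if present, otherwise appends one.
ensure_included() {
    conf="$1"
    pat='include[[:space:]]+\$RULE_PATH/local\.rules'
    if grep -Eq "^[[:space:]]*$pat" "$conf"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*#+[[:space:]]*$pat" "$conf"; then
        sed -E "s|^[[:space:]]*#+[[:space:]]*($pat)|\\1|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'include $RULE_PATH/local.rules\n' >> "$conf"
    fi
}

# test_rule SNORT_CONF PCAP
# Validates the configuration (-T) and replays PCAP through it with
# alerts printed to the console. Needs snort on PATH and a real capture.
test_rule() {
    conf="$1"; pcap="$2"
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not installed; skipping live test" >&2
        return 1
    fi
    snort -T -c "$conf" && snort -q -c "$conf" -r "$pcap" -A console
}

# Walk through the steps in a scratch directory so running this file
# never touches /etc/snort; point the paths at the real files to install
# for real. The snort.conf here is constructed for the demo.
demo_dir=$(mktemp -d)
add_local_rule "$demo_dir/rules" "$MOUNTD_RULE"
printf 'var RULE_PATH %s\n# include $RULE_PATH/local.rules\n' "$demo_dir/rules" > "$demo_dir/snort.conf"
ensure_included "$demo_dir/snort.conf"
echo "--- $demo_dir/snort.conf"; cat "$demo_dir/snort.conf"
echo "--- $demo_dir/rules/local.rules"; cat "$demo_dir/rules/local.rules"
# test_rule /etc/snort/snort.conf capture.pcap   # once installed for real
```

To test a rule you do not need live traffic: `snort -T -c snort.conf` parses the configuration and every included rule file and exits, which catches a missing sid or a typo in the rule before deployment, and `snort -c snort.conf -r capture.pcap -A console` replays the capture the question mentions through the full rule set and prints every match. For this particular rule, `|00 01 86 a5|` is 0x000186a5, which is RPC program number 100005, the mountd program, so a portmap GETPORT request for mountd on port 111 is what should fire it; if the replay stays silent, check that the capture actually contains such a request before suspecting the rule file location.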
 

Author Comment by: Tree_PRO
ID: 23734293
Great, thanks, that's what I want :)

Regards.
