Writing Snort rules on EnGarde: leaving attackers nowhere to hide

Snort is an open-source network intrusion detection system that monitors network traffic in real time. Through protocol analysis and content searching and matching, Snort can detect attacks such as denial-of-service attacks, buffer overflows, CGI attacks and stealth port scans. The vitality of Snort lies in its powerful rules.

You can think of writing Snort rules as being much like writing a program: rules have variables, keywords and functions. Why do we need to write rules? Because without them Snort cannot detect attacks at all. This article discusses how rules are written.

Prerequisites:

You need:

1. A machine on which to develop rules. Do not run these rules on a production server; they are only examples for your reference.

2. A client computer connected to the machine running Snort.

3. EnGarde Secure Community 3.0.18 (or later) installed with Snort.

Syntax problems

The syntax may look a little strange at first, but this section explains it so that you can start writing your own rules. A Snort rule is divided into the rule header and the rule options. The rule header contains the rule action, the protocol, the source and destination addresses, and the source and destination ports. The rule options contain the alert message and the information about which parts of the packet Snort should inspect to decide whether the action should be taken.

For example:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

In the example above, the part before the parentheses is the rule header and the part inside the parentheses is the rule options.

Rule Action:

The rule header tells Snort the "who, where and what" of a packet, and the action specifies what to do once the rule is triggered. When writing rules, you can choose from the following keywords:

· alert - generate an alert using the selected alert method, then log the packet.

· log - log the packet.

· pass - ignore the packet.

Protocol:

The next part of the rule is the protocol. The common protocols are TCP, UDP and ICMP, but Snort supports many other protocols and continues to add new ones.

Source IP Address

The part after the protocol is the source IP address, which defines where the packet comes from. The keyword "any" matches all IP addresses. You can even write a rule that matches any address except the one you specify, by prefixing the address with the negation operator "!".

Source Port

This is the port the packet comes from. The "any" keyword works for port numbers too, and ":" defines a range of ports: for example, 1:1000 means all ports from 1 to 1000.

Direction operator:

The direction operator "->" defines which direction of traffic the rule applies to; in other words, whether the traffic is entering or leaving your computer.

Target address

The next part is the destination address, which defines where the packet is going. As with the source address, you can use the "any" keyword or negate an address so that it will not trigger the rule.

Target Port

The destination IP address is followed by the destination port, the port the packet is trying to connect to. The options here are the same as for the source port.

Rule options

Everything inside the parentheses is the rule options. The most commonly used keyword is "content", but there are many others. The "content" keyword lets a rule search the packet payload for specific content and trigger a response when it is found.

For example:


alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";)
 

As the example shows, we can check whether a packet contains binary bytes (written in hex between pipe characters) together with text.

Basic Format


action protocol source_ip source_port direction destination_ip destination_port (rule options)
 

Add a new rule

Now that we have a basic understanding of the syntax for Snort rules, we can add a new rule to the system:

First, log in as root and switch to the sysadm_r SELinux role:


[test_server]# newrole -r sysadm_r
Authenticating root.
Password:
[test_server]# setenforce 0
 

Next, edit the snort.conf file: open /var/chroot/snort/etc/snort.conf in your favourite editor and make sure it contains the following line:


include local.rules
 

This tells Snort to load the new rules stored in local.rules.

Now we can create the local.rules file:


[test_server]# cd /var/chroot/snort/etc
[test_server]# touch local.rules
 

The next part is the interesting one, because now we write the rule. Open local.rules in an editor and add the following line. Note that this rule is only an example; make sure you do not use it in a real environment:


alert tcp any any -> any 80 (msg:"Sample alert"; classtype:misc-attack; sid:2002973; rev:1;)
 

Finally, restart Snort to make the new rule take effect.


[test_server]# /etc/init.d/snortd restart
 

A simple example

Now that we have added a new rule, let's explain what it does and look at it in action.

The newly added rule is:


alert tcp any any -> any 80 (msg:"Sample alert"; classtype:misc-attack; sid:2002973; rev:1;)
 

How the rule works:

When a user tries to access a web site, the rule above is triggered. When a rule is triggered, an alert is generated and a message is displayed. The action keyword "alert" generates the alert using the configured method and then logs the packet. The protocol of the packet we are inspecting is TCP, and the source IP address and source port are set to any. The destination address is any IP address, on port 80. Finally, the "msg" rule option tells the logging and alerting engine to display the message "Sample alert".

Test

By now you will want to see how your rule behaves. To watch the rule work, follow Snort's alert log:


[test_server]# cd /var/chroot/snort/var/log/snort
[test_server]# tail -f alert
 

Open a Web browser and enter the IP address of your test server.

Now look at Snort's alert log. You will see a message from Snort caused by the rule we just added:


[**] [1:2002973:1] Sample alert [**]
[Classification: Misc Attack] [Priority: 2]
12/12-15:35:22.130162 test_client:35524 -> test_server:80
TCP TTL:64 TOS:0x0 ID:35734 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x5F3B46F0  Ack: 0x85067266  Win: 0xB7  TcpLen: 32
TCP Options (3) => NOP TS: 49925498 1529581
 
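Watching the log with tail is fine for one test rule, but once several rules fire you want the alerts in a structured form. The parser below is an added example written for this article, not part of Snort or EnGarde. It reads the multi-line alert format shown above (the [gid:sid:rev] header, the classification and priority line, the timestamp line with source -> destination, and the protocol detail lines) and counts how often each (sid, source) pair fired. SAMPLE_ALERTS reproduces the article's alert together with a second, constructed alert from a local rule so that the aggregation has something to show.

```python
"""Parse Snort's alert file (the format shown above) into records for triage.

Added example for this article, not part of Snort or EnGarde. Each alert is a
block of lines: a header with [gid:sid:rev] and the message, an optional
classification/priority line, a timestamp line with source -> destination,
and protocol detail lines that are kept verbatim."""
import re
from collections import Counter
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
# IPv4 addresses or hostnames; ports are optional because ICMP alerts have none.
FLOW_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Turn the alert file text into a list of dicts, one per alert."""
    alerts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            cur = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
                   "msg": m.group(4), "classification": None, "priority": None,
                   "timestamp": None, "src": None, "sport": None, "dst": None,
                   "dport": None, "detail": []}
            alerts.append(cur)
            continue
        if cur is None or not line:
            continue                    # blank separators, or text before the first alert
        m = CLASS_RE.match(line)
        if m:
            cur["classification"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = FLOW_RE.match(line)
        if m and cur["timestamp"] is None:
            cur["timestamp"], cur["src"], cur["dst"] = m.group(1), m.group(2), m.group(4)
            cur["sport"] = int(m.group(3)) if m.group(3) else None
            cur["dport"] = int(m.group(5)) if m.group(5) else None
            continue
        cur["detail"].append(line)      # TTL/flags/options lines, kept as written
    return alerts


def count_by_rule_and_source(alerts: List[Dict[str, object]]) -> Dict[Tuple[int, str], int]:
    """How often each (sid, source) pair fired: the first thing to look at when
    deciding whether a rule is noisy or a single host is misbehaving."""
    return dict(Counter((a["sid"], a["src"]) for a in alerts))


# Constructed sample: the two alerts from the article plus one from a local rule.
SAMPLE_ALERTS = """\
[**] [1:2002973:1] Sample alert [**]
[Classification: Misc Attack] [Priority: 2]
12/12-15:35:22.130162 test_client:35524 -> test_server:80
TCP TTL:64 TOS:0x0 ID:35734 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x5F3B46F0  Ack: 0x85067266  Win: 0xB7  TcpLen: 32
TCP Options (3) => NOP TS: 49925498 1529581

[**] [1:2002973:1] Sample alert [**]
[Classification: Misc Attack] [Priority: 2]
12/13-08:13:20.545431 test_client:32950 -> test_server:80
TCP TTL:64 TOS:0x0 ID:11275 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x188A67A3  Ack: 0xF74B200C  Win: 0xD8  TcpLen: 32
TCP Options (3) => NOP TS: 64899598 45624

[**] [1:1000001:1] LOCAL index.pl request [**]
[Classification: Misc Attack] [Priority: 2]
12/13-08:20:07.000001 10.0.0.9:40100 -> test_server:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:52 DF
"""

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["timestamp"], a["src"], "->", a["dst"], a["dport"], "[%d]" % a["sid"], a["msg"])
    print(count_by_rule_and_source(parsed))
```

To run it against the real file, read /var/chroot/snort/var/log/snort/alert and pass its contents to parse_alerts; the counts make it obvious when a rule such as the port 80 example above fires on every ordinary web request.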

A payload detection example

Add the following line to /var/chroot/snort/etc/local.rules:


alert tcp any any -> any 80 (content:"index.pl"; sid:12345678; rev:1; classtype:misc-attack;)
 

As you can see, we have written a rule that detects any traffic to port 80 containing "index.pl".
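To see exactly what such a content match does and does not catch, here is an added example written for this article, not Snort's own matching engine. It converts a content value to bytes using the two notations the rules above use (plain text like "index.pl", and hex between pipes like "|00 01 86 a5|" or the mixed "|90C8 C0FF FFFF|/bin/sh") and searches a payload for it. The HTTP requests are constructed; they show that a bare content option matches anywhere in the payload, so the rule also fires on a Referer header that mentions index.pl, and that it is case-sensitive unless the nocase modifier is used.

```python
"""Evaluate a Snort 'content' option against a packet payload.

Added example for this article, not Snort's own matching engine. It covers the
two notations used in the rules above: plain text ("index.pl") and binary bytes
written as hex between pipes ("|00 01 86 a5|"), including mixed values such as
"|90C8 C0FF FFFF|/bin/sh". The sample HTTP requests below are constructed."""
import re
from typing import List


def content_to_bytes(value: str) -> bytes:
    """Convert a content value to the exact byte string Snort searches for."""
    if value.count("|") % 2:
        raise ValueError("unbalanced pipes in content: %r" % value)
    out = bytearray()
    # split() alternates: even parts are literal text, odd parts are hex inside pipes
    for i, part in enumerate(value.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            digits = re.sub(r"\s+", "", part)
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError("bad hex in content: %r" % part)
            out += bytes.fromhex(digits)
    return bytes(out)


def match_offset(value: str, payload: bytes, nocase: bool = False) -> int:
    """Offset of the first occurrence of the content in the payload, or -1.
    Without depth/offset modifiers Snort searches the whole payload, which is
    why a bare content rule can also fire on headers such as Referer."""
    needle = content_to_bytes(value)
    if nocase:
        return payload.lower().find(needle.lower())
    return payload.find(needle)


def matching_payloads(value: str, payloads: List[bytes]) -> List[int]:
    """Indexes of the payloads that would trigger a rule with this content."""
    return [i for i, p in enumerate(payloads) if match_offset(value, p) >= 0]


# Constructed sample payloads for the article's "index.pl" rule.
SAMPLE_REQUESTS = [
    b"GET /index.pl HTTP/1.1\r\nHost: test_server\r\n\r\n",    # the intended hit
    b"GET /index.html HTTP/1.1\r\nHost: test_server\r\n\r\n",  # no match
    b"GET /about.html HTTP/1.1\r\nReferer: http://test_server/index.pl\r\n\r\n",  # hit in a header
    b"GET /Index.PL HTTP/1.1\r\nHost: test_server\r\n\r\n",    # missed unless nocase is used
]

if __name__ == "__main__":
    print("mountd bytes:", content_to_bytes("|00 01 86 a5|").hex())
    print("index.pl matches requests", matching_payloads("index.pl", SAMPLE_REQUESTS))
    print("nocase offset for request 3:", match_offset("index.pl", SAMPLE_REQUESTS[3], nocase=True))
```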

Note that in the Snort alert log you should see a message similar to the following:


[**] [1:2002973:1] Sample alert [**]
[Classification: Misc Attack] [Priority: 2]
12/13-08:13:20.545431 test_client:32950 -> test_server:80
TCP TTL:64 TOS:0x0 ID:11275 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x188A67A3  Ack: 0xF74B200C  Win: 0xD8  TcpLen: 32
TCP Options (3) => NOP TS: 64899598 45624
 

This is just the beginning

With this knowledge you can now go on to learn more about writing your own rules. The official Snort documentation covers every detail of the syntax. As you go deeper into writing Snort rules, you will start noticing network attackers you never noticed before.
