Showing posts with label Snort. Show all posts
Showing posts with label Snort. Show all posts

Tuesday, 17 December 2013

[IP-reputation-snort-rule-generator] A tool to generate Snort rules based on public IP reputation data

A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.

Usage



./tepig.pl [ [--file=LOCAL_FILE] | [--url=URL] ] [--csv=FIELD_NUM] [--sid=INITIAL_SID] [--ids=[snort|cisco]] | --help
LOCAL_FILE is a file stored locally that contains a list of malicious domains, IP addresses and/or URLs. If omitted then it is assumed that a URL is provided. URL is a URL that contains a list of malicious domains, IP addresses or URLs. The default is https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist. FIELD_NUM is the field number (indexing from 0) that contains the information of interest. If omitted then the file is treated as a simple list. INITIAL_SID is the SID that will be applied to the first rule. Every subsequent rule will increment the SID value. The default is 9000000.

Examples

Malicious IP address

./tepig.pl --url=https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist is a plain text file containing a list of known bad IP addresses. At the time of writing, the first entry is 108.161.130.191. The first rule output would be:
alert ip any any <> 108.161.130.191 any (msg:"Traffic to known bad IP (108.161.130.191)"; reference:"url,https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"; sid:9000000; rev:0;)
This rule looks for any traffic going to or coming from the bad IP address.

Malicious Domain

./tepig.pl --url=http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt is a plain text file containing a list of known bad domain names. At the time of writing the first entry is *.bethira.com. The first rule output would be:
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for *.bethira.com"; reference:"url,http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth: 10; offset: 2; content:"|07|bethira|03|com"; nocase; distance:0; sid:9000000; rev:0;)
This rule looks for any DNS lookup for the bad domain.


Posted by at No comments:
Labels: , , , ,

Sunday, 7 July 2013

[Snort 2.9.5] Network intrusion prevention and detection system (IDS/IPS)


Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.


[*] New additions

* Added tracking of FTP data channel for file transfers as file_data for Snort rules.

* Add support for doing PAF based on services loaded thru the attribute table and hardened PAF code/removed --disable-paf

* Added decoding support for Cisco ERSPAN

* Added tracking of HTTP uploads as file_data for Snort rules.

* Added ability to use event filters with PPM rules

* Added a control channel command to reload the Snort configuration to give feedback on new configuration.  This improves on the older sigHUP which would just result in Snort exiting and restarting if the new configuration required a restart.

* Added a configuration option to perfmon to write flow-ip data to a file

* New decoding alert for IPv6 Routing type 0 header.

* Added the ability to sync basic session state from one Snort to another via a side channel communication between the two Snort instances.  NOTE:  This is currently experimental.

[*] Improvements

* Improved Stream's midstream pickup handling for TCP state processing,
  sequence validation, and reassembly.  Thanks to John Eure.

* Added a parse error for a rule if there is a relative content used after a content that is 'fast_pattern only'.

* Improved HTTP PAF reassembly capabilities to be better aligned on PDU boundaries, terminate if not actually HTTP, and to include all appropriate line feeds.

* Hardened the code related to dynamic modules.  Removed --disable- dynamicplugin configuration option since rule and preprocessor shared libraries are here to stay.

* Improved parsing of IP lists for reputation

* Update to Teredo processing and Snort rule evaluation when the inner IPv6 packet doesn't have payload.  Thanks to Yun Zheng Hu & L0rd Ch0de1m0rt for reporting the issue & crafting traffic to reproduce. 

* Improved logging of packets associated with alerts when a Stream reassembled packet triggers multiple Snort rules.

* Improvements to the Snort manual including documentation of specific rule options and configuration items.  Thanks to Nicholas Horton and many others.

* Removed a bunch of dead code paths, updated to use more current memory functions for easier code maintenance and portability.  Thanks to William Parker.

[*] Deletions

* Remove deprecated unified support, use unified2 for all of your logging needs.

Posted by at No comments:
Labels: , , , , ,

Monday, 15 April 2013

[Topera] The IPv6 port scanner invisible to Snort (IDS)


Topera is a brand new TCP port scanner under IPv6, with the particularity that these scans are not detected by Snort.

Snort is the most known IDS/IPS and is widely used in many different critical environments. Some commercial tools (Juniper or Checkpoint ones) use it as detection engine also.

Mocking snort detection capabilities could suppose a high risk in some cases.

All the community is invited to test it in any environment and we would be thankful if you send us any feedback.

We keep researching on the security implications that the "new" IPv6 protocol will have in different environments. 


You can see an example of execution of Topera here:



Posted by at No comments:
Labels: , , , , , , , ,
Subscribe to: Comments (Atom)