WRITING CUSTOM SNORT RULES
Hello friends, in this blog post I am going to explain how to write custom Snort rules with simple teaching techniques. There is a lot of documentation about Snort on the internet, but when I first decided to learn to write Snort rules I was baffled and confused by it. As an instructor, mentor and consultant, I always believe in and defend one idea: if you want to learn a subject, you should first get to the essence of it. According to my method that means: build it, set it up, work with it, run it, then reverse it, assemble it and learn it. To learn how to write custom rules for Snort, I studied network protocols, researched defence techniques, and combined that knowledge with my malware analysis ability and red team experience. I identified the confusing points and I will explain all of them to you step by step.

According to the Snort documentation, we will perform some operations on payloads. Before we start learning Snort, we will first describe what a payload is.

“When data is sent over the Internet, each unit transmitted includes both header information and the actual data being sent. The header identifies the source and destination of the packet, while the actual data is referred to as the payload. Because header information, or overhead data, is only used in the transmission process, it is stripped from the packet when it reaches its destination. Therefore, the payload is the only data received by the destination system.” [1]

If you don’t have any idea about network protocols, please learn network basics and protocols before reading this blog post. At first I was confused by the keywords in the documentation. I asked myself: OK, the keywords are written down, but how do they work? Where in a packet do they take effect? All right, they act on the payload of the packets, but we need to know what the payload is. Let's inspect a TCP connection and examine a TCP payload. To create a TCP packet I simply use the nc tool and send something over a socket connection.
As you see in Wireshark, I clicked the related network packet (actually a segment, because it works at layer 4) and displayed the Data field. That is the payload of a TCP segment. A sniffer can show us the payload part of the data. If you look after the TCP header you can see that part of the segment, as shown below;
I created an FTP connection and the TCP payload is shown below;
Let’s send an HTTP GET request for downloading a malicious exe file to create an HTTP connection, and repeat the same process for the network packet in Wireshark. Choose the related packet and click it to retrieve the payload.
We could give thousands of examples for other protocols, but my aim is not to teach you network protocols; I am trying to clear up the confusion about payloads for the following chapter. Lastly, I demonstrate the query part of a DNS packet;
As you see, to write Snort rules we first need to know the protocols and their structure. I also covered the payload, so we won’t be confused about it.
SNORT
Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. To install Snort on an Ubuntu client, just execute the apt-get install snort command.
apt-get install snort [2,3]
After completing the Snort installation we go on to the structure of Snort. Please have a glance at the diagram shown below;
[4] Snort Structure Diagram
The packet decoder is responsible for receiving packets from different network interfaces and conducting initial analysis of packets. The preprocessor is a plug-in for further processing of the decoded packets. Its functions include HTTP URI normalization, packet defragmentation, TCP flow reassembly, and so on. The core of Snort is the detection engine, which can match the packets according to the configured rules. Rule matching is critical to the overall performance of Snort, so for performance reasons we need to use rule keywords. We will come back to this later. The Logging and Alerting System as well as the various Output modules are responsible for logging or triggering alerts based on each rule action. The Snort rule structure is shown below;
Before beginning to write custom signatures, I am going to give you some information about Snort configuration after the installation process. First use the locate command to find the Snort configuration file;
After that, examine the snort.conf configuration file. The first thing we have to do is set the network variables with network addresses. We use them for writing rules later. Our rule structure contains an action, a network or IP and port, a direction and a destination, so we will use the network variables when generating rules. Be careful when setting them because, for example, if your HOME_NET variable does not match your local network, your rule doesn’t work.
After setting the related variables we continue configuring snort.conf. We should set the rules directory in the snort.conf file, so we configure the path as shown below;
We need to set the rule path for the detection engine; the detection engine must know where the Snort rules are located. After that we tune the rules. You might want some rules to be active and others passive. For this you can set the rule state from the config file;
After setting up the rules we are ready to create new Snort rules. To understand the subject deeply, before writing rules I first create packets; because the packets are created by me, naturally I created the payload too. I will use scapy to generate packets, in the next step I will analyze them with Wireshark, then I will explain the Snort filter and write custom signatures. OK, let’s go!
I use scapy to generate network packets. First of all we create a TCP packet and its payload and analyze it with Wireshark. On the Kali side I created the packet as shown below [6]. First I created some arbitrary variables for building payloads. Building the payload from these variables facilitates teaching the keywords; I will teach you the Snort rule keywords with these variables.
Let's aggregate the variables to create our first payload;
OK, let’s send it to the box where Snort is installed and sniff the traffic with Wireshark. As you see, our datapayload is prepared for sending. Let’s send it;
After sending the packet, let’s analyze it on the Ubuntu side and see what its payload includes by using Wireshark:
Now we see the payload. Let’s create Snort rules for this payload step by step. Our first keyword is content. The content keyword searches for the specified content in the payload. For example, assume that a malicious file connects to the internet and the string shellbackdoor passes through its network flow. If you want to detect it you can use the content keyword. Let's apply it;
Our rule says: if a TCP connection from any port of any network to port 1337 of the internal network contains the string shellbackdoor, alert with the message “xyz RAT”; its classtype is defined as trojan activity, the revision number is 1 and the rule id (sid) is 10000000. Let’s run Snort and test the rule;
I use scapy for sending packets;
Snort generated an alert like this:
Process management and CPU utilization are very important; CPU and memory limits can restrict us. We use offset, depth, within, distance, fast pattern and other keywords for optimization and performance. I will update my rule with the offset keyword. With the offset keyword, the specified offset value is added to the beginning of the payload and the content search runs from that point to the rest of the payload. For example, remember our datapayload. We specified shellbackdoor as the content but we didn’t set an offset value. That is a burden on resources.
Let's update our rule and send the packet to the target with scapy;
It works, but the Snort engine searches this packet starting at the offset from the beginning and continuing through the rest of the packet. That causes a performance loss. If we specify the length of the content we want to detect, Snort searches for the content after the offset value within the specified length. For this reason we use the depth keyword. We can also use the distance keyword to add extra distance to the offset point. When the depth keyword is used, the search starts from the offset point and covers only the area given by the depth value.
First check our content length. Then we use 23 as the offset value and 0 as the distance; because I search immediately from the offset point to the point 13 bytes ahead, I use the depth 13 keyword. That means: hey Snort, go 23 bytes from the starting point of the payload and, between that point and the point 13 bytes further on, search for the shellbackdoor content.
The rule is written as shown below;
Let's run Snort and observe the alerts.
After the first pattern match, we search for the string exploit in the traffic. We want our rule to give us the first match and, in addition, the second match must be exploit. For this reason we use exploit as the second content and give a distance value, which defines how many bytes from the previous match point the new content search starts. After distance we specify the within keyword to tell Snort how many bytes are examined in the new search for the new content. Let’s give an example;
Our new rule is written as shown below;
When I triggered the scapy code, an alert was generated by Snort;
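To make the search windows concrete, here is an added example (not code from the original post, and not Snort's own implementation) that models how content, offset, depth, distance and within narrow the bytes that are searched. The payload is constructed for the example, and the distance and within values for the second content are assumptions chosen to fit it.

```python
from typing import Dict, List

def contents_match(payload: bytes, opts: List[Dict], i: int = 0, prev_end: int = 0) -> bool:
    """Return True if every content option matches, in order, under its modifiers."""
    if i == len(opts):
        return True
    opt = opts[i]
    pattern = opt["content"]
    if "distance" in opt or "within" in opt:
        # Relative search: window starts `distance` bytes after the previous match.
        start = prev_end + opt.get("distance", 0)
        end = start + opt["within"] if "within" in opt else len(payload)
    else:
        # Absolute search: window starts `offset` bytes into the payload.
        start = opt.get("offset", 0)
        end = start + opt["depth"] if "depth" in opt else len(payload)
    end = min(end, len(payload))
    # bytes.find only reports hits that lie entirely inside [start, end).
    pos = payload.find(pattern, start, end)
    while pos != -1:
        # Check the remaining contents after this hit; on failure, retry a later hit.
        if contents_match(payload, opts, i + 1, pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1, end)
    return False

# Constructed payload (not the one from the post): 23 filler bytes, the first
# string at byte 23, 8 more filler bytes, then the second string at byte 44.
PAYLOAD = b"A" * 23 + b"shellbackdoor" + b"-stage2-" + b"exploit" + b"\r\n"

# Models: content:"shellbackdoor"; offset:23; depth:13;
FIRST = {"content": b"shellbackdoor", "offset": 23, "depth": 13}
# Models: content:"exploit"; distance:8; within:7;  (assumed values)
SECOND = {"content": b"exploit", "distance": 8, "within": 7}

if __name__ == "__main__":
    print("offset 23, depth 13:", contents_match(PAYLOAD, [FIRST]))
    print("depth 13, no offset:", contents_match(PAYLOAD, [{"content": b"shellbackdoor", "depth": 13}]))
    print("both contents      :", contents_match(PAYLOAD, [FIRST, SECOND]))
    too_narrow = {"content": b"exploit", "distance": 0, "within": 10}
    print("within too small   :", contents_match(PAYLOAD, [FIRST, too_narrow]))
```

A window that is one byte too short or starts one byte too late produces no alert, so check the offsets against the capture in Wireshark before tightening a rule.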
After inspecting the TCP payloads and teaching you the content, depth, offset, distance and within keywords, let's analyze and write rules for a DNS request. I will use it as an example to show you hex content. In the first example we create a DNS packet with scapy and send it from HOME_NET to other networks. I want to generate an alert when this domain is queried by the endpoints. [7]
We run the dnsspoof tool on the Kali box to answer for non-existent DNS names.
OK, we assume that c2c-server.local is malicious and blacklisted by our blue team, and we want to write a custom Snort rule for it. First analyze the pcap and inspect UDP.
Snort lets us search content using hex values. We write this rule using the hex values of the domain name;
When an endpoint sends the predefined blacklisted DNS query, Snort generates various alerts for the incident;
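The hex values are needed because a DNS query does not carry the dotted name: each label is prefixed with a length byte and the name ends with a zero byte. The following added example (not code from the original post) encodes a domain that way and renders it as a Snort content string; the helper names and the transaction id are assumptions, and the query is constructed with struct so it runs without scapy.

```python
import string
import struct

# Bytes that can be written as plain text inside a content string.
SAFE = set((string.ascii_letters + string.digits + "-").encode())

def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS labels: one length byte per label, then a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def snort_content(data: bytes, all_hex: bool = False) -> str:
    """Render bytes for a content option; non-text bytes go inside |..| as hex."""
    parts, run = [], []
    for b in data:
        if b in SAFE and not all_hex:
            if run:
                parts.append("|" + " ".join(run) + "|")
                run = []
            parts.append(chr(b))
        else:
            run.append(f"{b:02x}")
    if run:
        parts.append("|" + " ".join(run) + "|")
    return "".join(parts)

def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS query payload: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    name = dns_wire_name("c2c-server.local")
    print(snort_content(name))                  # mixed text and hex form
    print(snort_content(name, all_hex=True))    # every byte as hex
    print(build_query("c2c-server.local").find(name))  # position of QNAME in the UDP payload
```

DNS names are case-insensitive, so a rule built from this pattern also needs Snort's nocase modifier to catch a query such as C2C-Server.LOCAL.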
In the last example we investigate an exploitation incident. Let's examine the pcap file;
When we inspect the packet we can see junk code. Our first content must be 41, then we define the second content as NOPs, and we must choose some specific shellcode characters. I wrote a rule for this as shown below;
[8] TCPREPLAY
In this post we discussed Snort and writing custom rules for it. I hope it will be useful for you. In the next blog post we will discuss Suricata and I will learn how to write custom signatures for Suricata.
See you, friends.
References
1. https://techterms.com/definition/payload
2. https://blog.rapid7.com/2017/01/11/how-to-install-snort-nids-on-ubuntu-linux/
3. https://hostadvice.com/how-to/how-to-install-snort-on-an-ubuntu-18-04-vps-or-dedicated-server/
4. https://software.intel.com/en-us/articles/hyperscan-and-snort-integration
5. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html
6. https://scapy.readthedocs.io/en/latest/usage.html