Netgate Discussion Forum
    Find snort rules name from snort alert

    pfSense Packages
    fosiul

      Hi,
      I am having difficulty finding Snort rules from the alert.
      Example:

      [**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]
      [Classification: Misc Attack] [Priority: 2]
      08/02-15:07:09.606751 218.75.149.210:53 -> 192.168.88.1:45560
      UDP TTL:44 TOS:0x0 ID:25003 IpLen:20 DgmLen:126
      Len: 98
      [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]

      So by looking at the alert, sid: 2406235

      But which Snort rule is related to this alert?
      Some of them are easy to identify, for example imp rules, but for some rules I can't understand which rules to check.

      So how will I know which alert is related to which Snort rule?

      Thanks for your advice.

    Cry Havok

        You've already identified that - rule number 2406235, revision 192 (you can tell it's a rule because the generator ID is 1). The reference URL tells you where to get more information.

        You can find the rule itself by looking for the RULE_PATH entries (from memory) in your snort configuration file and then seeing which contains the rule number in question.  It would make your life easier if you ensured that your Snort interface (SGUIL or whatever you're using) has the same ruleset available to it.  The actual file names themselves aren't relevant.

    fosiul

          Hi, thanks for your reply.

          But I am still confused about this comment of yours:
          "You can find the rule itself by looking for the RULE_PATH entries (from memory) in your snort configuration file and then seeing which contains the rule number in question."

          I have installed it via pfSense,
          and if I go to the rules directory: /usr/local/etc/snort/rules

          I see the same rules which I am seeing from the Snort GUI interface, but I still can't tell which rule I should check for Snort sid: 2406235

          Below are the rule path entries from snort.conf:
          var RULE_PATH ../rules
          var SO_RULE_PATH ../so_rules
          var PREPROC_RULE_PATH ../preproc_rules

          Again, if I go to the rules directory I just see the following:

          pwd
          /usr/local/etc/snort/rules

          ls

          Makefile.am                            snort_icmp.rules
          VRT-License.txt                        snort_icmp.so.rules
          cgi-bin.list                            snort_imap.rules
          emerging-attack_response.rules          snort_imap.so.rules
          emerging-botcc.excluded                snort_info.rules
          emerging-compromised.rules              snort_local.rules
          emerging-current_events.rules          snort_misc.rules
          emerging-dos.rules                      snort_misc.so.rules
          emerging-drop.rules                    snort_multimedia.rules
          emerging-dshield.rules                  snort_multimedia.so.rules
          emerging-exploit.rules                  snort_mysql.rules
          emerging-game.rules                    snort_netbios.rules
          emerging-inappropriate.rules            snort_netbios.so.rules
          emerging-malware.rules                  snort_nntp.rules
          emerging-p2p.rules                      snort_nntp.so.rules
          emerging-policy.rules                  snort_oracle.rules
          emerging-rbn.rules                      snort_other-ids.rules
          emerging-readme.txt                    snort_p2p.rules
          emerging-scan.rules                    snort_p2p.so.rules
          emerging-sid-msg.map                    snort_policy.rules
          emerging-sid-msg.map.txt                snort_pop2.rules
          emerging-tor.rules                      snort_pop3.rules
          emerging-user_agents.rules              snort_rpc.rules
          emerging-virus.rules                    snort_rservices.rules
          emerging-voip.rules                    snort_scada.rules
          emerging-web.rules                      snort_scan.rules
          emerging-web_client.rules              snort_shellcode.rules
          emerging-web_server.rules              snort_smtp.rules
          emerging-web_specific_apps.rules        snort_smtp.so.rules
          emerging-web_sql_injection.rules        snort_snmp.rules
          emerging.conf                          snort_specific-threats.rules
          emerging.rules                          snort_spyware-put.rules
          open-test.conf                          snort_sql.rules
          pfsense-voip.rules                      snort_sql.so.rules
          snort_attack-responses.rules            snort_telnet.rules
          snort_backdoor.rules                    snort_tftp.rules
          snort_bad-traffic.rules                snort_virus.rules
          snort_bad-traffic.so.rules              snort_voip.rules
          snort_chat.rules                        snort_web-activex.rules
          snort_chat.so.rules                    snort_web-activex.so.rules
          snort_content-replace.rules            snort_web-attacks.rules
          snort_ddos.rules                        snort_web-cgi.rules
          snort_deleted.rules                    snort_web-client.rules
          snort_dns.rules                        snort_web-client.so.rules
          snort_dos.rules                        snort_web-coldfusion.rules
          snort_dos.so.rules                      snort_web-frontpage.rules
          snort_experimental.rules                snort_web-iis.rules
          snort_exploit.rules                    snort_web-iis.so.rules
          snort_exploit.so.rules                  snort_web-misc.rules
          snort_finger.rules                      snort_web-misc.so.rules
          snort_ftp.rules                        snort_web-php.rules
          snort_icmp-info.rules                  snort_x11.rules

          So I am in doubt: how will you know which file to edit for the rule with sid: 2406235?

          Thanks for your patience.

    Cry Havok

            egrep "sid:[ ]*2406235;" /usr/local/etc/snort/rules/*.rules

            Replace 2406235 with the rule number you're interested in.

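A small script that automates the lookup Cry Havok describes, added here as an example and not part of the thread: it parses the [gid:sid:rev] header out of the alert, greps the rules directory for that sid, and reads the message text from a sid-msg.map like the emerging-sid-msg.map listed above. The rules directory and the three sample files it contains are constructed for the demo; on pfSense the real directory is /usr/local/etc/snort/rules.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a Snort alert's [gid:sid:rev] header to the
# .rules file that defines it and to its message in a sid-msg.map. The rules directory and
# sample files below are constructed for the demo; on pfSense the real directory is
# /usr/local/etc/snort/rules.

# Print "gid sid rev" parsed from a fast-alert header such as "[**] [1:2406235:192] ET ... [**]".
# Only gid 1 alerts come from text rules; preprocessor alerts (gid != 1) have no .rules line.
alert_sid() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):\([0-9][0-9]*\)\].*/\1 \2 \3/p'
}

# List the rule file(s) under $2 that carry sid:$1; tolerates optional whitespace after "sid:".
# Empty output means no text rule matched (for example a decoder/preprocessor alert).
rule_file_for_sid() {
    grep -El "sid:[[:space:]]*$1;" "$2"/*.rules 2>/dev/null || true
}

# Look up the message text for a SID in a sid-msg.map line ("sid || msg || reference ...").
sid_msg() {
    awk -F' [|][|] ' -v s="$1" '$1 == s { print $2; exit }' "$2"
}

# Build a throwaway rules directory mimicking the pfSense layout; prints its path.
make_sample_rules() {
    d=$(mktemp -d)
    printf '%s\n' 'alert udp [218.75.149.210] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP (118)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; classtype:misc-attack; sid:2406235; rev:192;)' > "$d/emerging-rbn.rules"
    printf '%s\n' 'alert tcp any any -> any 21 (msg:"FTP sample rule"; sid:1000001; rev:1;)' > "$d/snort_ftp.rules"
    printf '%s\n' '2406235 || ET RBN Known Russian Business Network IP UDP (118) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork' > "$d/emerging-sid-msg.map"
    printf '%s\n' "$d"
}

# Stand-alone demo: sh this_script.sh --demo
if [ "${1-}" = "--demo" ]; then
    dir=$(make_sample_rules)
    set -- $(alert_sid '[**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]')
    echo "gid=$1 sid=$2 rev=$3"
    echo "rule file: $(rule_file_for_sid "$2" "$dir")"
    echo "message:   $(sid_msg "$2" "$dir/emerging-sid-msg.map")"
    rm -r "$dir"
fi
```

Pointing rule_file_for_sid at the real rules directory does the same job as the egrep one-liner above, with the sid-msg.map lookup giving the rule's message without opening the file.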
    fosiul

              Hi,
              Thanks,
              that's an easy way to find it!

              I did not realize you can find that by using the egrep command.

              Thanks again

    g4m3c4ck

                [**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]

                Also, most of the categories relate to the alert. With a little guesswork, most of the time you can go right to it in the GUI.

                emerging-rbn.rules

                ET = Emerging Threats
