CISA Alerts and Snort Signatures

  • I am subscribed to the US-CERT security emails. When they send out an alert, they say something like this in the email:

    "CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity."

    • alert tcp any any -> any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; flowbits:isnotset,.tagged; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)\/fre\.php$/iU"; flowbits:set,.tagged; classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)

    My question is, am I already getting these signature updates via my Snort subscription or do I need to add these signatures manually? I have checked "Enable Snort VRT" and applied an Oinkmaster code, so I receive the free SNORT updates, but I don't know if CISA alerts are automatically included there. Seems like they should be, but I want to make sure.

  • That signature is not complete. It lacks a SID (Signature ID) field, unless you simply failed to copy in all of the rule.

    Every Snort (or Suricata) rule must have a unique SID. So I would say that the CISA rule is the basic "template", but you would need to create your own Custom Rule using this template and assign your custom rule its own GID (Generator ID), which is typically 1 for text rules like this and a unique SID.

  • Right, I get that, but that wasn't what my question was about. My question is about whether the CISA snort signatures are included in the snort ruleset that gets downloaded every day.

    I would think that they would be included since CISA is a national organization and the attacks being reported are significant, but I don't know if they are getting put into the snort rules automatically or whether I need to do it manually every time that they send out an email.

  • I do not know if they are included or not. The easy way to see is to search through the Snort and/or ET rules with a tool such as grep. You will find the individual raw rules files in /usr/local/etc/snort/rules on your firewall.
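One way to run that check, as an added example that is not from this thread or from the Snort/Netgate projects: it greps a rules tree for an indicator from the published signature (the "/fre.php" URI) and flags any matching rule that has no sid: option, which is the gap pointed out above. It assumes the rules path named in the thread and builds a small constructed rule set for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread or from Snort/Netgate: search a Snort
# rules tree for an indicator from a published signature (here the LokiBot
# URI "/fre.php") and flag matching rules that lack a sid: option.
# Defaults to the rules path named in the thread; the sample rules written
# by make_sample_rules are constructed for demonstration only.
RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/rules}"

# Print file:line:rule for every active (not commented-out) rule under $1
# whose text contains the fixed string $2.
find_rule_by_content() {
    find "$1" -type f -name '*.rules' -exec grep -nHF -- "$2" {} + 2>/dev/null |
        grep -v '^[^:]*:[0-9]*:[[:space:]]*#'
}

# Exit 0 if the single rule in $1 carries a numeric sid: option, else 1.
rule_has_sid() {
    printf '%s\n' "$1" | grep -Eq '[;( ]sid:[[:space:]]*[0-9]+[[:space:]]*;'
}

# Print every matching rule (file:line:rule) that has no sid:, i.e. a
# template like the CISA one that Snort would not load as-is.
rules_missing_sid() {
    find_rule_by_content "$1" "$2" | while IFS= read -r hit; do
        rule_has_sid "${hit#*:*:}" || printf '%s\n' "$hit"
    done
}

# Write a small constructed rule set into directory $1 for a dry run.
make_sample_rules() {
    mkdir -p "$1"
    cat > "$1/snort.rules" <<'EOF'
# constructed sample rules, not a real ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED Lokibot fre.php check-in"; flow:established,to_server; content:"/fre.php"; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)
# alert tcp any any -> any $HTTP_PORTS (msg:"CONSTRUCTED disabled rule"; content:"/fre.php"; http_uri; sid:9000002; rev:1;)
alert tcp any any -> any 25 (msg:"CONSTRUCTED unrelated SMTP rule"; content:"MAIL FROM"; sid:9000003; rev:1;)
EOF
    cat > "$1/custom.rules" <<'EOF'
alert tcp any any -> any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; content:"/fre.php"; http_uri; content:"POST"; nocase; http_method; classtype:http-uri;)
EOF
}

# On the firewall: rules_missing_sid "$RULES_DIR" "/fre.php"
```

Run it against a temporary directory first (make_sample_rules "$dir"; rules_missing_sid "$dir" "/fre.php") to see the template rule reported, then point it at the real rules path.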

  • Thanks so much for pointing me to /usr/local/etc/snort/rules, I can search there. Based on the search, it appears that this CISA rule is not in my rules as of today. However, I think my rule updates are delayed by 30 days because I am on the free snort subscription. I will check again 30 days from now and reply to this post so that anyone else interested will know.

  • There is, I believe, a Snort Subscriber Rules mailing list you can subscribe to. Search for it on Google. You might find an answer to your question there.

    I suspect anyone can submit a rule to the Snort team for consideration and inclusion in their set of rules. And I would expect an organization such as CISA (US-CERT) to have considerable clout with the Snort rules team.
