Find snort rules name from snort alert



  • HI
    I am having difficulty finding Snort rules from the alert.
    Example :

    [**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]
    [Classification: Misc Attack] [Priority: 2]
    08/02-15:07:09.606751 218.75.149.210:53 -> 192.168.88.1:45560
    UDP TTL:44 TOS:0x0 ID:25003 IpLen:20 DgmLen:126
    Len: 98
    [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]

    So by looking at the alert, sid: 2406235

    But which Snort rule is related to this alert?
    Some of them are easy to know, for example imp rules, but for some rules I can't understand which rules to check.

    So how will I know which alert is related to which Snort rules?

    Thanks for the advice.



  • You've already identified that - rule number 2406235, revision 192 (you can tell it's a rule because the generator ID is 1).  The reference URL tells you where to get more information.

    You can find the rule itself by looking for the RULE_PATH entries (from memory) in your snort configuration file and then seeing which contains the rule number in question.  It would make your life easier if you ensured that your Snort interface (SGUIL or whatever you're using) has the same ruleset available to it.  The actual file names themselves aren't relevant.



  • Hi Thanks for your reply.

    But I am still confused about this comment of yours:
    "You can find the rule itself by looking for the RULE_PATH entries (from memory) in your snort configuration file and then seeing which contains the rule number in question. "

    I have installed by pfSense.
    And if I go to the rules directory: /usr/local/etc/snort/rules

    I see the same rules which I am seeing from the GUI interface of Snort, but I still can't relate which rules I shall check for Snort sid: 2406235

    Below is the rule path entry from snort.conf
    var RULE_PATH ../rules
    var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH ../preproc_rules

    Again, if I go to the rules directory I just see the below:

    pwd

    /usr/local/etc/snort/rules

    ls

    Makefile.am                            snort_icmp.rules
    VRT-License.txt                        snort_icmp.so.rules
    cgi-bin.list                            snort_imap.rules
    emerging-attack_response.rules          snort_imap.so.rules
    emerging-botcc.excluded                snort_info.rules
    emerging-compromised.rules              snort_local.rules
    emerging-current_events.rules          snort_misc.rules
    emerging-dos.rules                      snort_misc.so.rules
    emerging-drop.rules                    snort_multimedia.rules
    emerging-dshield.rules                  snort_multimedia.so.rules
    emerging-exploit.rules                  snort_mysql.rules
    emerging-game.rules                    snort_netbios.rules
    emerging-inappropriate.rules            snort_netbios.so.rules
    emerging-malware.rules                  snort_nntp.rules
    emerging-p2p.rules                      snort_nntp.so.rules
    emerging-policy.rules                  snort_oracle.rules
    emerging-rbn.rules                      snort_other-ids.rules
    emerging-readme.txt                    snort_p2p.rules
    emerging-scan.rules                    snort_p2p.so.rules
    emerging-sid-msg.map                    snort_policy.rules
    emerging-sid-msg.map.txt                snort_pop2.rules
    emerging-tor.rules                      snort_pop3.rules
    emerging-user_agents.rules              snort_rpc.rules
    emerging-virus.rules                    snort_rservices.rules
    emerging-voip.rules                    snort_scada.rules
    emerging-web.rules                      snort_scan.rules
    emerging-web_client.rules              snort_shellcode.rules
    emerging-web_server.rules              snort_smtp.rules
    emerging-web_specific_apps.rules        snort_smtp.so.rules
    emerging-web_sql_injection.rules        snort_snmp.rules
    emerging.conf                          snort_specific-threats.rules
    emerging.rules                          snort_spyware-put.rules
    open-test.conf                          snort_sql.rules
    pfsense-voip.rules                      snort_sql.so.rules
    snort_attack-responses.rules            snort_telnet.rules
    snort_backdoor.rules                    snort_tftp.rules
    snort_bad-traffic.rules                snort_virus.rules
    snort_bad-traffic.so.rules              snort_voip.rules
    snort_chat.rules                        snort_web-activex.rules
    snort_chat.so.rules                    snort_web-activex.so.rules
    snort_content-replace.rules            snort_web-attacks.rules
    snort_ddos.rules                        snort_web-cgi.rules
    snort_deleted.rules                    snort_web-client.rules
    snort_dns.rules                        snort_web-client.so.rules
    snort_dos.rules                        snort_web-coldfusion.rules
    snort_dos.so.rules                      snort_web-frontpage.rules
    snort_experimental.rules                snort_web-iis.rules
    snort_exploit.rules                    snort_web-iis.so.rules
    snort_exploit.so.rules                  snort_web-misc.rules
    snort_finger.rules                      snort_web-misc.so.rules
    snort_ftp.rules                        snort_web-php.rules
    snort_icmp-info.rules                  snort_x11.rules

    So I am in doubt: how will you know which file to edit for the rule of sid: 2406235?

    Thanks for your patience



  • egrep "sid:[ ]*2406235;" /usr/local/etc/snort/rules/*.rules

    Replace 2406235 with the rule number you're interested in.
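
The lookup above, extended into a script that starts from the alert header itself. This is an added example, not part of the original thread: the function names and the sample rule bodies are constructed for illustration, and the GID check follows the earlier reply's point that generator ID 1 means an ordinary rule.

```shell
# Added example: resolve a Snort alert header to the rule file(s) defining it.

# Print "gid sid rev" parsed from "[**] [1:2406235:192] msg [**]".
alert_ids() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):\([0-9][0-9]*\)\].*/\1 \2 \3/p'
}

# Print "state file:line rev=N" for every definition of SID in DIR/*.rules.
# state is "disabled" when the matching line starts with '#'.
find_rule() {
    sid=$1 dir=$2
    grep -En "sid:[[:space:]]*${sid}[[:space:]]*;" "$dir"/*.rules /dev/null |
    while IFS=: read -r file line text; do
        case $text in \#*) state=disabled ;; *) state=enabled ;; esac
        rev=$(printf '%s\n' "$text" |
            sed -n 's/.*rev:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p')
        printf '%s %s:%s rev=%s\n' "$state" "$file" "$line" "${rev:-?}"
    done
}

# Resolve a whole alert header; only GID 1 alerts map to text rules in RULE_PATH.
locate_alert() {
    ids=$(alert_ids "$1")
    [ -n "$ids" ] || { echo "no [gid:sid:rev] field in alert" >&2; return 2; }
    gid=${ids%% *}; rest=${ids#* }; sid=${rest%% *}
    if [ "$gid" != 1 ]; then
        echo "gid $gid: look under SO_RULE_PATH / PREPROC_RULE_PATH instead" >&2
        return 3
    fi
    find_rule "$sid" "$2"
}

# Constructed sample rule files (placeholder bodies, not real ET rules).
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/emerging-rbn.rules" <<'EOF'
alert udp 192.0.2.0/24 any -> $HOME_NET any (msg:"constructed"; sid:2406235; rev:192;)
EOF
    cat > "$d/snort_local.rules" <<'EOF'
#alert udp any any -> any any (msg:"constructed, disabled"; sid: 2406235; rev:1;)
alert udp any any -> any any (msg:"constructed, other sid"; sid:12406235; rev:1;)
EOF
    echo "$d"
}

rules=$(make_sample_rules)
locate_alert '[**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]' "$rules"
rm -rf "$rules"
```

If the `rev` reported for the enabled copy differs from the revision in the alert, the ruleset on disk is not the one the sensor had loaded when it fired.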



  • Hi
    Thanks
    That's an easy way to find it!!!

    I did not realize you can find that by using the egrep command.

    Thanks again



  • [**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]

    Also most of the categories relate to the alert. With a little guesswork most of the time you can go right to it in the gui.

    emerging-rbn.rules

    ET= Emerging Threats

