Find snort rules name from snort alert
-
Hi
I am having difficulties finding the snort rule from the alert.
Example:
[**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]
[Classification: Misc Attack] [Priority: 2]
08/02-15:07:09.606751 218.75.149.210:53 -> 192.168.88.1:45560
UDP TTL:44 TOS:0x0 ID:25003 IpLen:20 DgmLen:126
Len: 98
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
So by looking at the alert, sid: 2406235
But which snort rule is related to this alert?
Some of them are easy to know, example: imp rules, but for some rules I can't understand which rules to check, so how will I know which alert is related to which snort rule?
Thanks for advice.
-
You've already identified that - rule number 2406235, revision 192 (you can tell it's a rule because the generator ID is 1). The reference URL tells you where to get more information.
You can find the rule itself by looking for the RULE_PATH entries (from memory) in your snort configuration file and then seeing which contains the rule number in question. It would make your life easier if you ensured that your Snort interface (SGUIL or whatever you're using) has the same ruleset available to it. The actual file names themselves aren't relevant.
-
Hi, thanks for your reply.
But I am still confused about this comment of yours:
"You can find the rule itself by looking for the RULE_PATH entries (from memory) in your snort configuration file and then seeing which contains the rule number in question."
I have installed it via pfSense, and if I go to the rules directory /usr/local/etc/snort/rules I see the same rules which I am seeing from the GUI interface of snort, but still I can't relate which rule I should check for snort sid: 2406235.
Below are the rule path entries from snort.conf:
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
Again, if I go to the rules directory I just see the following:
pwd
/usr/local/etc/snort/rules
ls
Makefile.am snort_icmp.rules
VRT-License.txt snort_icmp.so.rules
cgi-bin.list snort_imap.rules
emerging-attack_response.rules snort_imap.so.rules
emerging-botcc.excluded snort_info.rules
emerging-compromised.rules snort_local.rules
emerging-current_events.rules snort_misc.rules
emerging-dos.rules snort_misc.so.rules
emerging-drop.rules snort_multimedia.rules
emerging-dshield.rules snort_multimedia.so.rules
emerging-exploit.rules snort_mysql.rules
emerging-game.rules snort_netbios.rules
emerging-inappropriate.rules snort_netbios.so.rules
emerging-malware.rules snort_nntp.rules
emerging-p2p.rules snort_nntp.so.rules
emerging-policy.rules snort_oracle.rules
emerging-rbn.rules snort_other-ids.rules
emerging-readme.txt snort_p2p.rules
emerging-scan.rules snort_p2p.so.rules
emerging-sid-msg.map snort_policy.rules
emerging-sid-msg.map.txt snort_pop2.rules
emerging-tor.rules snort_pop3.rules
emerging-user_agents.rules snort_rpc.rules
emerging-virus.rules snort_rservices.rules
emerging-voip.rules snort_scada.rules
emerging-web.rules snort_scan.rules
emerging-web_client.rules snort_shellcode.rules
emerging-web_server.rules snort_smtp.rules
emerging-web_specific_apps.rules snort_smtp.so.rules
emerging-web_sql_injection.rules snort_snmp.rules
emerging.conf snort_specific-threats.rules
emerging.rules snort_spyware-put.rules
open-test.conf snort_sql.rules
pfsense-voip.rules snort_sql.so.rules
snort_attack-responses.rules snort_telnet.rules
snort_backdoor.rules snort_tftp.rules
snort_bad-traffic.rules snort_virus.rules
snort_bad-traffic.so.rules snort_voip.rules
snort_chat.rules snort_web-activex.rules
snort_chat.so.rules snort_web-activex.so.rules
snort_content-replace.rules snort_web-attacks.rules
snort_ddos.rules snort_web-cgi.rules
snort_deleted.rules snort_web-client.rules
snort_dns.rules snort_web-client.so.rules
snort_dos.rules snort_web-coldfusion.rules
snort_dos.so.rules snort_web-frontpage.rules
snort_experimental.rules snort_web-iis.rules
snort_exploit.rules snort_web-iis.so.rules
snort_exploit.so.rules snort_web-misc.rules
snort_finger.rules snort_web-misc.so.rules
snort_ftp.rules snort_web-php.rules
snort_icmp-info.rules snort_x11.rules
So I am in doubt: how will you know which file to edit for the rule of sid: 2406235?
Thanks for your patience.
-
egrep "sid:[ ]*2406235;" /usr/local/etc/snort/rules/*.rules
Replace 2406235 with the rule number you're interested in.
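The same lookup as a small script, added here as an example rather than anything from the thread or from pfSense/Snort itself. It parses the [gid:sid:rev] tag out of an alert line, searches every *.rules file under a rules directory for a rule whose sid option matches (tolerating whitespace after "sid:" and ignoring longer sids that merely start with the same digits), reports whether the matching rule is commented out, and looks the sid up in a sid-msg.map. The rules directory it builds is a constructed throw-away copy with a few sample files that imitate the layout shown above; point it at /usr/local/etc/snort/rules on a real pfSense box instead. The rule text and map line are constructed approximations of ET syntax, not the actual ET rule.

```python
"""Locate the rule file behind a Snort alert from its [gid:sid:rev] tag.
Added example, not from the original thread. Assumes Snort 2-style text
rules and the classic sid-msg.map format ('sid || msg || ref || ...')."""
import os
import re
import tempfile

# "[gid:sid:rev]" tag at the start of a Snort fast/full alert line.
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
# The sid option inside a rule body; tolerates whitespace around the number
# and requires the closing ';' so "sid:24062350;" does not match 2406235.
SID_OPT_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_alert_id(alert_line):
    """Return (gid, sid, rev) as ints from an alert line, or None if absent."""
    m = ALERT_ID_RE.search(alert_line)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def find_rules_by_sid(rules_dir, sid):
    """Walk rules_dir and return [(relative_path, enabled, rule_text), ...]
    for every rule whose sid option equals `sid`. A rule line starting with
    '#' is reported as disabled rather than dropped, because a disabled
    rule cannot have produced the alert you are looking at."""
    hits = []
    for root, _dirs, files in os.walk(rules_dir):
        for name in sorted(files):
            if not name.endswith(".rules"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    m = SID_OPT_RE.search(line)
                    if m and int(m.group(1)) == sid:
                        enabled = not line.lstrip().startswith("#")
                        hits.append((os.path.relpath(path, rules_dir), enabled, line.strip()))
    return hits


def lookup_sid_msg(map_path, sid):
    """Return the msg text for sid from a sid-msg.map file, or None."""
    with open(map_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = [p.strip() for p in line.split("||")]
            if len(parts) >= 2 and parts[0].isdigit() and int(parts[0]) == sid:
                return parts[1]
    return None


def build_sample_rules_dir():
    """Create a temporary directory of CONSTRUCTED sample files mimicking
    the page's layout (emerging-*.rules, snort_*.rules, emerging-sid-msg.map).
    The rule bodies are illustrative only, not the real ET rules."""
    d = tempfile.mkdtemp(prefix="snort-rules-")
    files = {
        "emerging-rbn.rules": (
            'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET RBN Known Russian '
            'Business Network IP UDP (118)"; reference:url,doc.emergingthreats.net/bin/'
            'view/Main/RussianBusinessNetwork; classtype:misc-attack; sid:2406235; rev:192;)\n'
            '# constructed disabled sibling rule:\n'
            '#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET RBN constructed example"; '
            'classtype:misc-attack; sid:2406236; rev:1;)\n'
        ),
        "snort_dns.rules": (
            '# constructed decoy whose sid merely begins with 2406235\n'
            'alert udp any any -> any 53 (msg:"constructed decoy"; sid:24062350; rev:1;)\n'
        ),
        "emerging-sid-msg.map": (
            "2406235 || ET RBN Known Russian Business Network IP UDP (118) || "
            "url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork\n"
        ),
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    rules_dir = build_sample_rules_dir()  # on pfSense: /usr/local/etc/snort/rules
    alert = "[**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]"
    gid, sid, rev = parse_alert_id(alert)
    if gid != 1:
        print("gid %d is a preprocessor/decoder alert, not a text rule" % gid)
    for path, enabled, text in find_rules_by_sid(rules_dir, sid):
        print("%s (%s): %s" % (path, "enabled" if enabled else "disabled", text[:80]))
    print("sid-msg.map:", lookup_sid_msg(os.path.join(rules_dir, "emerging-sid-msg.map"), sid))
```

Only alerts with generator ID 1 come from text rules, which is why the script checks gid before searching; a gid other than 1 points at a preprocessor and no *.rules file will contain it.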
-
Hi
Thanks
That's an easy way to find it!!! Did not realize you can find that by using the egrep command.
Thanks again
-
[**] [1:2406235:192] ET RBN Known Russian Business Network IP UDP (118) [**]
Also most of the categories relate to the alert. With a little guesswork most of the time you can go right to it in the gui.
emerging-rbn.rules
ET = Emerging Threats