Snort Question



  • Hi,

    I am trying to add, for example,
    http://pgl.yoyo.org/adservers/serverlist.php?hostformat=snort&showintro=1
    which shows rules like
    alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)

    but I can't find a way to add this URL to Snort.

    So I tried to add the whole list manually to WAN rules, then custom.rules, but when I add those there, Snort fails to start and won't restart unless I clear the list again.

    What is the correct way to add the URL (so it can automatically update), or how can I add this list manually?

    Question 2.
    Can I also use a list like this
    https://easylist-downloads.adblockplus.org/easylist.txt
    in Snort?
    Via the URL or manually.



  • At the moment the Snort package does not accept custom URLs for downloading rules.  It only supports three rule sets through built-in and hard-coded URLs.  The supported rule sets are Snort VRT, Emerging Threats and Snort GPLv2 Community Rules.

    Another user posted a new feature request for custom rules download URL support.  I am looking into providing that in an upcoming release of the Snort package.

    You can paste the actual rules from the list manually into the Custom Rules box, but you must be sure what you paste in is properly formatted for Snort.  I checked out the link you posted, and "as displayed in the browser" the entire displayed text won't work.  The lines at the top of the page are not properly marked as comments.

    As for your Question #2, "no" you can't use a list like that.  Snort rules have very specific format requirements.

    Bill



  • @bmeeks:

    At the moment the Snort package does not accept custom URLs for downloading rules.  It only supports three rule sets through built-in and hard-coded URLs.  The supported rule sets are Snort VRT, Emerging Threats and Snort GPLv2 Community Rules.

    Another user posted a new feature request for custom rules download URL support.  I am looking into providing that in an upcoming release of the Snort package.

    You can paste the actual rules from the list manually into the Custom Rules box, but you must be sure what you paste in is properly formatted for Snort.  I checked out the link you posted, and "as displayed in the browser" the entire displayed text won't work.  The lines at the top of the page are not properly marked as comments.

    As for your Question #2, "no" you can't use a list like that.  Snort rules have very specific format requirements.

    Bill

    I just copied

    alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

    I didn't copy those comments with the # in front of them.

    As for point 2, I knew that but wanted to ask :)



  • @musicwizard:

    I just copied

    alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

    I didn't copy those comments with the # in front of them.

    As for point 2, I knew that but wanted to ask :)

    The rules are missing the required SID and GID values (Signature ID and Generator ID).  The GID will, I think, default to 1 anyway, but you must have a SID.  Every rule needs its own unique SID.  The accepted practice is for user-generated rule SIDs to start at 9000000 and count up.  I did not notice the missing SIDs when I looked at the link yesterday.

    Bill



  • @bmeeks:

    @musicwizard:

    I just copied

    alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

    I didn't copy those comments with the # in front of them.

    As for point 2, I knew that but wanted to ask :)

    The rules are missing the required SID and GID values (Signature ID and Generator ID).  The GID will, I think, default to 1 anyway, but you must have a SID.  Every rule needs its own unique SID.  The accepted practice is for user-generated rule SIDs to start at 9000000 and count up.  I did not notice the missing SIDs when I looked at the link yesterday.

    Bill

    Ah ok, so I have to add a unique SID to each line. So I just put it in front? Like

    9000000 alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
    9000001 alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
    9000002 alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)



  • @musicwizard:

    @bmeeks:

    @musicwizard:

    I just copied

    alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
    alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

    I didn't copy those comments with the # in front of them.

    As for point 2, I knew that but wanted to ask :)

    The rules are missing the required SID and GID values (Signature ID and Generator ID).  The GID will, I think, default to 1 anyway, but you must have a SID.  Every rule needs its own unique SID.  The accepted practice is for user-generated rule SIDs to start at 9000000 and count up.  I did not notice the missing SIDs when I looked at the link yesterday.

    Bill

    Ah ok, so I have to add a unique SID to each line. So I just put it in front? Like

    9000000 alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
    9000001 alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
    9000002 alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

    No, the SID and GID are fields within the rule.  Look at some of the existing rules in the VRT or Emerging Threats lists.  Here is an example from Emerging Threats:

    
    alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; depth:5; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:15;)
    
    

    The SID in the rule example is 2002023.  When not provided, the GID is always assumed to be "1".

    I mean this in a constructive fashion and not as an insult, but you really need to do some Google research on Snort and how to write Snort rules if you want to go down the road of writing or using rules other than those provided by the Snort VRT or Emerging Threats folks.

    Bill
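The two problems Bill points out (every rule needs its own sid, and what the browser shows is not pasteable as-is) are the kind of thing a small lint pass catches before anything reaches the Custom Rules box and stops Snort from starting. The script below is an added example and not code from the thread or from the pfSense Snort package; the rule list in it is constructed (line 2 is the rule exactly as it appears in the thread, whose header has no direction operator and only one address/port pair, the other lines are made up), and the checks it performs are a simplified model of what Snort's parser requires, not the parser itself.

```python
import re

# Constructed sample list, standing in for what one would paste into the Custom Rules box.
# Line 2 is the rule as shown in the thread: its header has no direction operator and only
# one address/port pair. Lines 3-6 are constructed to exercise the other checks.
SAMPLE_RULES = """\
# Comment lines are skipped; the yoyo page's unmarked intro text would not be.
alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
alert tcp any any -> $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
alert tcp any any -> $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; content:"USER|20|"; nocase; depth:5; classtype:misc-activity; sid:2002023; rev:15;)
alert tcp any any -> any 6667 (msg:"constructed duplicate"; sid:2002023; rev:1;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

# Snort header layout: action proto src src_port direction dst dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")


def lint_rules(text, start_sid=9000000):
    """Check each line of a rule list and give every sid-less rule its own SID.

    Returns (rules, problems): 'rules' holds the accepted lines (whitespace
    normalised, sid/rev appended where missing); 'problems' holds
    (line_number, reason) pairs for lines that must be fixed by hand.
    """
    rules, problems = [], []
    seen_sids = set()
    next_sid = start_sid
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Snort ignores blank lines and '#' comments
        m = HEADER_RE.match(line)
        if m is None:
            problems.append((lineno, "incomplete header: expected "
                             "'action proto src sport -> dst dport (options)'"))
            continue
        if m.group("action") not in ACTIONS:
            problems.append((lineno, "unknown action %r" % m.group("action")))
            continue
        opts = m.group("opts").strip()
        if opts and not opts.endswith(";"):
            opts += ";"  # every option, the last one included, is ';'-terminated
        sid_match = SID_RE.search(opts)
        if sid_match is None:
            # Local rules conventionally take SIDs from 9000000 upwards (Bill's reply)
            sid = next_sid
            next_sid += 1
            opts += " sid:%d; rev:1;" % sid
        else:
            sid = int(sid_match.group(1))
        if sid in seen_sids:
            problems.append((lineno, "duplicate sid %d" % sid))
            continue
        seen_sids.add(sid)
        rules.append("%s %s %s %s %s %s %s (%s)" % (
            m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
            m.group("dir"), m.group("dst"), m.group("dport"), opts))
    return rules, problems


if __name__ == "__main__":
    ok, bad = lint_rules(SAMPLE_RULES)
    for lineno, reason in bad:
        print("line %d: %s" % (lineno, reason))
    print("\n".join(ok))
```

Running it on the sample rejects the thread's own line (no `->`, missing address/port) and the constructed duplicate-SID line, and appends `sid:9000000; rev:1;` and `sid:9000001; rev:1;` to the two rules that lacked one. Note what the accepted rules still do not do: with no `content` or other detection option, each one matches every TCP packet to $HOME_NET, and the domain in `msg` is only a label. That is why a rule that actually keys on the domain has to inspect the payload, as the DNS rule later in this thread does.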



  • @musicwizard:

    Hi,

    I am trying to add, for example,
    http://pgl.yoyo.org/adservers/serverlist.php?hostformat=snort&showintro=1
    which shows rules like
    alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)

    but I can't find a way to add this URL to Snort.

    So I tried to add the whole list manually to WAN rules, then custom.rules, but when I add those there, Snort fails to start and won't restart unless I clear the list again.

    What is the correct way to add the URL (so it can automatically update), or how can I add this list manually?

    Question 2.
    Can I also use a list like this
    https://easylist-downloads.adblockplus.org/easylist.txt
    in Snort?
    Via the URL or manually.

    These are not valid Snort or Suricata rules. These are... well, not sure what they are...

    Maybe you should direct your question to the one providing you such invalid rules...

    -F



  • If you are trying to block DNS queries to those domains, here's what a Snort rule for that function looks like:

    drop udp $HOME_NET any -> any 53 (msg:"Yoyo DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoyo|03|org"; nocase; classtype:trojan-activity; sid:2145050; rev:1;)
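To see what the two `content` matches in that rule actually test, here is an added example (not code from the post above or from the Snort project) that builds DNS query payloads locally and replicates the rule's checks in Python. The query builder, the `snort_content` and `dns_rule_for` helpers, the message text they emit and every domain used are constructed for illustration; the byte offsets and the `yoyo|03|org` pattern come from the rule itself.

```python
import struct


def build_dns_query(name, txid=0x1234, flags=0x0100, qtype=1):
    """Constructed DNS payload: 12-byte header, then the question (name, type, class IN).
    Nothing is sent on the network."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount=1, an=ns=ar=0
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def qname_to_text(payload):
    """Decode the question name, showing the length-prefixed labels the rule keys on."""
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def wire_labels(domain):
    """b'yoyo\\x03org' for 'yoyo.org': each label after the first is preceded by its length byte."""
    labels = domain.strip(".").lower().split(".")
    out = labels[0].encode("ascii")
    for label in labels[1:]:
        out += bytes([len(label)]) + label.encode("ascii")
    return out


def snort_content(domain):
    """The same bytes written as a Snort content string, e.g. 'yoyo|03|org'."""
    labels = domain.strip(".").lower().split(".")
    return labels[0] + "".join("|%02X|%s" % (len(l), l) for l in labels[1:])


# content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
# = flags 0x0100 (standard query, recursion desired), qdcount=1, ancount=nscount=arcount=0
STD_QUERY_HDR = bytes.fromhex("01000001000000000000")


def rule_matches(payload, domain="yoyo.org"):
    """Replicate the two content checks of the 'Yoyo DNS Query' rule above."""
    # First content: the 10 bytes after the transaction ID (offset:2, depth:10) must be
    # exactly a standard query header with one question and no answers.
    if payload[2:12] != STD_QUERY_HDR:
        return False
    # Second content, nocase, no distance/within: the wire form of the domain's labels
    # may appear anywhere in the payload.
    return wire_labels(domain) in payload.lower()


def dns_rule_for(domain, sid):
    """Hypothetical helper: emit a rule in the same shape for one blocklist domain."""
    return ('drop udp $HOME_NET any -> any 53 (msg:"DNS Query %s"; '
            'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
            'content:"%s"; nocase; classtype:trojan-activity; sid:%d; rev:1;)'
            % (domain, snort_content(domain), sid))


if __name__ == "__main__":
    for name in ("ads.yoyo.org", "www.yoyoorg.com", "notyoyo.org"):
        q = build_dns_query(name)
        print("%-18s -> %s, matches=%s" % (qname_to_text(q), q[12:].hex(), rule_matches(q)))
    print(rule_matches(build_dns_query("ads.yoyo.org", flags=0x8180)))  # a response, not a query
    print(dns_rule_for("101com.com", 9000000))
```

A few things the example makes visible. The `|03|` in the pattern is the length byte of the label that follows, so it is only `03` because "org" has three characters; for "ads.example.net" the content string is `ads|07|example|03|net`, which `snort_content` computes. Because the first label's own length byte is not part of the pattern, the rule also fires on a query for "notyoyo.org" (the bytes `yoyo\x03org` occur inside it); prefixing the pattern with `|04|` would anchor it to the whole label. A response carrying the same name does not match, since its flags (0x8180) fail the first content check. Any rule generated this way still needs its own unique sid, as discussed earlier in the thread.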
    
    


  • I did a little research on Snort, but I might have missed the part about custom rules.

    But I agree, bmeeks :)

    @fsansfil:
    Yes, that is true; the one that provided the list should have adjusted it, and he will do that. But the people that asked for it in the first place provided wrong information about the way it works, I guess, so he didn't add it.