    Netgate Discussion Forum
    Snort Question

    IDS/IPS
    • musicwizard

      Hi,

      I am trying to add, for example,
      http://pgl.yoyo.org/adservers/serverlist.php?hostformat=snort&showintro=1
      which shows rules like
      alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)

      but I can't find a way to add this URL to Snort.

      So I tried to add the whole list manually to WAN rules, then custom.rules, but when I add those there, Snort fails to start and won't restart unless I clear the list again.

      What is the correct way to add the URL (so it can automatically update), or how can I add this list manually?

      Question 2.
      Can I also use a list like this
      https://easylist-downloads.adblockplus.org/easylist.txt
      in Snort?
      Via the URL or manually.

      • bmeeks

        At the moment the Snort package does not accept custom URLs for downloading rules.  It only supports three rule sets through built-in and hard-coded URLs.  The supported rule sets are Snort VRT, Emerging Threats and Snort GPLv2 Community Rules.

        Another user posted a new feature request for custom rules download URL support.  I am looking into providing that in an upcoming release of the Snort package.

        You can paste the actual rules from the list manually into the Custom Rules box, but you must be sure what you paste in is properly formatted for Snort.  I checked out the link you posted, and "as displayed in the browser" the entire displayed text won't work.  The lines at the top of the page are not properly marked as comments.

        As for your Question #2, "no" you can't use a list like that.  Snort rules have very specific format requirements.

        Bill

        • musicwizard

          @bmeeks:

          I just copied

          alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
          alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
          alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

          I didn't copy those comments with the # in front of them.

          As for point 2, I knew that but wanted to ask it :)

          • bmeeks

            @musicwizard:

            The rules are missing the required SID and GID values (Signature ID and Generator ID).  The GID will, I think, default to 1 anyway, but you must have a SID.  Every rule needs its own unique SID.  The accepted practice is for user-generated rule SIDs to start at 9000000 and count up.  I did not notice the missing SIDs when I looked at the link yesterday.

            Bill

            • musicwizard

              @bmeeks:

              Ah ok, so I have to add a unique SID to each line. So I just put it in front? Like

              9000000 alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
              9000001 alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
              9000002 alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)

              • bmeeks

                @musicwizard:

                No, the SID and GID are fields within the rule.  Look at some of the existing rules in the VRT or Emerging Threats lists.  Here is an example from Emerging Threats:

                
                alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; depth:5; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:15;)
                
                

                The SID in the rule example is 2002023.  When not provided, the GID is always assumed to be "1".

                I mean this in a constructive fashion and not as an insult, but you really need to do some Google research on Snort and how to write Snort rules if you want to go down the road of writing or using rules other than those provided by the Snort VRT or Emerging Threats folks.

                Bill

                • fsansfil

                  @musicwizard:

                  These are not valid Snort or Suricata rules. These are... well, not sure what they are...

                  Maybe you should direct your question to the one providing you such invalid rules...

                  -F

                  • fsansfil

                    If you are trying to block DNS queries to those domains, here's what a Snort rule for that function looks like:

                    drop udp $HOME_NET any -> any 53 (msg:"Yoyo DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoyo|03|org"; nocase; classtype:trojan-activity; sid:2145050; rev:1;)
                    
                    
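Added example, not code from any of the posters above: a small Python script that does what bmeeks' reply describes (every rule needs a direction operator in its header and a unique sid, numbered from 9000000 for local rules) and what fsansfil's rule shows (matching the domain in the DNS query rather than in a bare TCP header). It lints the malformed list lines quoted in the thread, pulls the domain out of each msg, and emits one DNS-query rule per domain with consecutive sids. The sample list text, the msg prefix "LOCAL adserver DNS query", the policy-violation classtype and the header match on flags 0x0100 / QDCOUNT 1 are my choices for the example; the wire-format QNAME encoding (length-prefixed labels ending in 0x00) is standard DNS.

```python
"""Turn yoyo.org-style 'snort' list lines into rules Snort 2.x will actually load.

The lines quoted in the thread are missing two things Snort requires: the
direction operator (src -> dst) in the rule header and a sid option.  This
script reports those defects, then builds proper DNS-query rules per domain.
All input below is constructed for the example, not the real download.
"""
import re

# Constructed sample of the list: comment lines plus the malformed rules.
SAMPLE_LIST = """\
# Constructed sample of the yoyo.org "snort" host format (not the real file)
# Comment lines start with '#'; Snort ignores them, the lines below it won't.
alert tcp  any $HOME_NET any (msg:"101com.com"; classtype:trojan-activity; priority:1;)
alert tcp  any $HOME_NET any (msg:"101order.com"; classtype:trojan-activity; priority:1;)
alert tcp  any $HOME_NET any (msg:"123found.com"; classtype:trojan-activity; priority:1;)
"""

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
DIRECTION_RE = re.compile(r'\s(->|<>)\s')
LABEL_RE = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def lint_rule(rule):
    """Return the structural problems that stop Snort from loading this rule."""
    problems = []
    if not DIRECTION_RE.search(rule):
        problems.append("missing direction operator (-> or <>) in the rule header")
    if not SID_RE.search(rule):
        problems.append("missing sid option")
    if "(" not in rule or not rule.rstrip().endswith(")"):
        problems.append("rule options must be enclosed in parentheses")
    return problems


def extract_domains(text):
    """Pull the domain out of each non-comment line's msg:"..." option."""
    domains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MSG_RE.search(line)
        if m:
            domains.append(m.group(1).lower())
    return domains


def dns_qname_content(domain):
    """Encode a domain as a DNS wire-format QNAME in Snort content syntax.

    Each label is prefixed by its length byte and the name ends with 0x00, so
    101com.com becomes |06|101com|03|com|00|.  Matching the length bytes keeps
    the rule from firing on names that merely contain the same characters.
    """
    parts = []
    for label in domain.strip(".").split("."):
        if not LABEL_RE.match(label):
            raise ValueError("invalid DNS label %r in %r" % (label, domain))
        parts.append("|%02x|%s" % (len(label), label))
    return "".join(parts) + "|00|"


def build_rules(domains, base_sid=9000000, action="alert"):
    """Emit one DNS-query rule per domain, sids counting up from base_sid.

    The first content match checks the DNS header at payload offset 2: flags
    0x0100 (standard query, recursion desired) and QDCOUNT 1.  ANCOUNT,
    NSCOUNT and ARCOUNT are deliberately not matched, so queries that carry an
    EDNS0 OPT record (ARCOUNT 1) still hit.
    """
    rules = []
    for i, domain in enumerate(domains):
        rules.append(
            '%s udp $HOME_NET any -> any 53 ('
            'msg:"LOCAL adserver DNS query %s"; '
            'content:"|01 00 00 01|"; offset:2; depth:4; '
            'content:"%s"; nocase; '
            'classtype:policy-violation; sid:%d; rev:1;)'
            % (action, domain, dns_qname_content(domain), base_sid + i)
        )
    return rules


def unique_sids(rules):
    """True when no two rules share a sid (Snort refuses to load duplicates)."""
    sids = [int(SID_RE.search(r).group(1)) for r in rules]
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    for line in SAMPLE_LIST.splitlines():
        if line and not line.startswith("#"):
            print("REJECT:", lint_rule(line))
    for rule in build_rules(extract_domains(SAMPLE_LIST)):
        print(rule)
```

Paste the generated lines into the Custom Rules box and check the configuration before restarting the interface: `snort -T -c <that interface's snort.conf>` reports the first rule Snort cannot parse, which is far quicker than watching the service fail to start. Two caveats: the `drop` action in fsansfil's rule only has effect when Snort runs inline, and the pfSense Snort package blocks offenders by adding alerting IPs to a pf table, so with "block offenders" enabled a DNS-query rule like this can put your own resolver's address into the block list and break name resolution for every client behind it; `alert` is the safer action here. Clients that set additional header flags (for example the AD bit, giving 0x0120) are not matched by the header check and would need a looser match or a second rule.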
                    • musicwizard

                      I did some little research on Snort, but I might have missed it on custom rules.

                      But I agree, bmeeks :)

                      @fsansfil:
                      Yes, that is true; the one that provided the list should have adjusted it, and he will do that. But the people that asked for it in the first place provided wrong information about the way it works, I guess, so he didn't add it.
