Rule reference links in Snort/Suricata Alerts GUI


  • I stumbled upon reference URLs in the Emerging Threats rules that show information about the rule and threat when I was considering rules to disable/enable for an interface. For instance, if you saw the following "ET POLICY Executable served from Amazon S3" description in your alerts for your LAN interface, you could edit the LAN interface, go to the LAN Rules tab, change the selected rule set to the emerging-policy.rules set, scroll down to the rule and double click on it (or click on the SID), and then you get a View Rules Raw Text popup window that shows this:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:5;)

    As you can see from this rule, there are two reference URLs embedded in the rule definition.

    What I am wondering is if the Alerts GUI can be altered to provide any and all links in a convenient way… maybe a column for rule references that displays something like this

    1, 2

    that are actually linked respectively to blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/ and www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud

    Software can do anything, right?


  • This would involve quite a bit of overhead.  Currently none of the references data is recorded with alerts.  That is just the way Snort and Suricata work.  The only thing you get is the GID:SID and a handful of other parameters.  The References are not included, so the PHP code would have to work some complicated magic behind the scenes to find and link the references.

    If you want this level of information, better to configure Snorby or a similar logging repository and send alerts over there.  Snorby has a process where it will automatically find the references if you configure a separate product to provide it the raw rules files.  To do this right and with decent speed would require a relational database.  You don't want that running on your firewall.

    Bill
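
The lookup discussed in this thread (an alert carries only the GID:SID, so references have to be recovered from the raw rules files) can be sketched as follows. This is an added example, not part of the thread or of the pfSense Snort/Suricata package: the function names are hypothetical, the second sample rule is constructed, and the `http://` prefix for `url` references is an assumption about the sensor's reference.config.

```python
import re

# First rule is the one quoted in the thread; the second is a constructed, disabled rule.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:5;)
#alert tcp any any -> any any (msg:"constructed disabled rule\; reference:url,not.a.real.ref"; content:"x"; reference:url,example.com/disabled; sid:9000001; rev:1;)
'''

# Rule action, header, then the option body between the outermost parentheses.
RULE_RE = re.compile(r'^\s*#?\s*(?:alert|drop|pass|reject|log)\b.*?\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quotes, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    return [o for o in opts if o]

def build_reference_index(rules_text):
    """Map (gid, sid) -> [(ref_type, ref_value), ...]; gid defaults to 1 for text rules."""
    index = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = [o.partition(":") for o in split_options(m.group(1))]
        fields = {k.strip(): v.strip() for k, _, v in opts}
        if "sid" not in fields:
            continue
        refs = []
        for k, _, v in opts:
            if k.strip() == "reference":
                rtype, _, rval = v.partition(",")
                refs.append((rtype.strip(), rval.strip()))
        index[(int(fields.get("gid", 1)), int(fields["sid"]))] = refs
    return index

def alert_links(index, gid, sid, url_prefix="http://"):
    """Links for one alert's GID:SID; url_prefix is an assumed reference.config mapping."""
    return [url_prefix + v for t, v in index.get((gid, sid), []) if t == "url"]
```

Building the index once per rules update and keeping it in memory avoids re-reading the rules files for every alert row displayed.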