Comments (8)
The oinkmaster config file has a pretty good list of use-cases that
rule-modification should handle. I agree with Russell that src/dst
modification is at the top of the list, but a generic regex-like interface is
very useful in enabling less-common but still useful modifications.
Oinkmaster examples-list:
# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespaces next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"
# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""
# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
# Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline).
# modifysid 1378 "^alert" | "drop"
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"
# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
# "${1} replace:"\/foo\/sh";"
# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scans hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar"
# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
# Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
# This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
# "${1}, going to tag this baby"${2}"
# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
# Or you can even specify a SID list but repeat the same SID as many
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"
# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""
# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
# Disable all rules by default
modifysid * "(.+)" | "#${1}"
Original comment by [email protected]
on 20 Jul 2010 at 3:32
from pulledpork.
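As an added illustration (not code from this thread, from oinkmaster or from pulledpork), here is a small Python model of the modifysid semantics listed above, run over constructed sample rules: one statement is parsed, Perl-style `${N}` backreferences and `\$` escapes are translated, only the first match per rule is replaced, `*` targets every rule, and listing a SID twice replaces two occurrences. File-name targets such as `exploit.rules` are assumed out of scope here.

```python
import re

# Constructed sample rules keyed by SID (not from the thread); the text only
# needs to look like Snort rules for the substitutions to apply.
RULES = {
    483: 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING sample"; sid:483;)',
    1378: 'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample"; classtype:attempted-admin; sid:1378;)',
    1325: '#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample"; sid:1325;)',
}

# modifysid <sid[,sid...]|*> "<perl regex>" | "<replacement>"
STATEMENT = re.compile(r'^\s*modifysid\s+(.+?)\s+"(.*)"\s*\|\s*"(.*)"\s*$')


def parse_modifysid(line):
    """Split one modifysid statement into (targets, pattern, replacement)."""
    m = STATEMENT.match(line)
    if not m:
        raise ValueError(f"not a modifysid statement: {line!r}")
    targets = [t.strip() for t in m.group(1).split(",")]
    return targets, m.group(2), m.group(3)


def to_python_replacement(repl):
    """oinkmaster replacements are Perl strings: a backslash-escaped dollar
    is a literal '$' and '${N}' is capture group N. Rewrite both for re.sub."""
    repl = repl.replace("\\$", "$")                   # \$HOME_NET -> $HOME_NET
    return re.sub(r"\$\{(\d+)\}", r"\\g<\1>", repl)  # ${1} -> \g<1>


def apply_modifysid(rules, line):
    """Apply one statement to a SID->rule dict and return a modified copy.
    Only the first match in each rule is replaced, as in oinkmaster, so a SID
    listed twice gets its first two occurrences replaced. Integer SIDs and the
    '*' wildcard only; file-name targets are not modelled (assumption)."""
    targets, pattern, repl = parse_modifysid(line)
    py_repl = to_python_replacement(repl)
    sids = list(rules) if targets == ["*"] else [int(t) for t in targets]
    out = dict(rules)
    for sid in sids:
        if sid in out:
            out[sid] = re.sub(pattern, py_repl, out[sid], count=1)
    return out


if __name__ == "__main__":
    # The src/dst swap from the thread: alert on outgoing instead of incoming.
    swap = r'modifysid 483 "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"'
    print(apply_modifysid(RULES, swap)[483])
```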
rulestate change and basic regex (not to modify the rule itself yet, that's
coming) exists.. perhaps some better documentation is in order... wanna help :-P
Original comment by [email protected]
on 25 Jul 2010 at 10:09
- Added labels: Type-Enhancement
- Removed labels: Type-Defect
happy to help -- not sure what you need? Please be more explicit :-P
:)
Original comment by [email protected]
on 25 Jul 2010 at 10:41
Just BTW I assume your pref would be to have a separate file for the arbitrary
modification along side the other conf files?
I just might get a few hours to look at adding code to do the mods using the
existing stuff as a template.
Original comment by [email protected]
on 25 Jul 2010 at 11:01
Yeah, I have already started on the modify code.. it will be a separate config
file. As to the help, I was thinking docs and use cases possibly
Original comment by [email protected]
on 25 Jul 2010 at 11:30
I'm happy to write some blurb for the start of the conf file with use cases
etc. Drop me a line when you are ready to go... :)
I'll also make some notes as I move stuff across from oinkmaster and make up a
transition doc...
Original comment by [email protected]
on 25 Jul 2010 at 11:39
Committed rev 146 that contains initial modifysid code, please checkout and
test at your leisure.
Original comment by [email protected]
on 26 Jul 2010 at 4:53
- Changed state: Started
it's in SVN and seems to work fine for me.. marking Fixed
Original comment by [email protected]
on 29 Sep 2010 at 10:16
- Changed state: Fixed