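#!/usr/bin/perl -w
#
###############################################################################
#
# File: snort_compat.pl
#
# Purpose: To assist in the construction of a set of Snort rules that can be
# made compatible with psad.
#
# Methodology: Psad exclusively uses iptables log messages as its source
# of intrusion detection data. This means that psad cannot accurately
# detect most Snort rules because payload data is not available (the
# iptables string match extension can provide string matching capabilities
# against application layer data; see "fwsnort" at
# http://www.cipherdyne.org/fwsnort). However, there are several backdoor
# programs, DDoS tools, and other suspect traffic that can be inferred from
# looking at transport layer data (for tcp and udp) as long as it does not
# involve a commonly used IANA specified port number. For example, consider
# the following three Snort rules, which are designed to detect various
# communication aspects of the Trin00 DDoS tool:
#
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
#
# Each of the above rules uses the Snort "content" keyword to detect a
# specific aspect of the Trin00 communication in order to be able to
# distinguish the "default startup password" from the "default password"
# for example. Each of the rules only applies to traffic over an
# established TCP session (see the "established" argument given to the
# "flow" keyword). It is impossible to extract the same level of
# granularity from iptables logs alone. However, if iptables logs a SYN
# packet directed to TCP port 27665, it is a good bet that a Trin00 DDoS
# client is attempting to contact a Trin00 master client. Hence psad will
# generate the alert "DDOS Trin00 Attacker to Master" upon monitoring such
# a packet in the iptables log. Even if the Snort rules above are
# improved by the Snort community to use the more advanced features of the
# Snort rules language, the basic fact that SYN packets to TCP/27665 may
# be associated with the Trin00 DDoS remains. This is the general
# methodology used to write psad signatures that are derived from Snort
# rules. Of course, this type of analysis is not possible for heavily
# utilized services that run over IANA specified ports (such as web, dns,
# and smtp servers for example). Detecting attacks over such services
# requires application data inspection as provided by the Snort rules
# language. The snort_compat.pl script generates a listing of Snort rules
# that may be compatible with psad. The resulting rules are then reviewed
# and altered for inclusion within the psad signatures file.
#
# Usage: snort_compat.pl [rules-file]
#
#   With no argument every *rules* file found in $rules_dir is processed
#   (except those listed in @ignore_files). The optional argument names a
#   single file which is looked up relative to $rules_dir, exactly like the
#   directory scan would do.
#
###############################################################################
#

use strict;
use warnings;
use Data::Dumper;

#=========================== config =============================
my $services_file = '/etc/services';
my $rules_dir = 'snort_rules';

### ignore all snort rules in these files
my @ignore_files = (
    'deleted.rules',
    'exploit.rules',   ### really need content inspection for these
    'web-misc.rules',
    'chat.rules'
);
#========================= end config ===========================

### $services{$proto}{$port} = $service_name, built from the services file.
my %services = load_services($services_file);

### Guarantee that the tcp and udp protocol tables exist even when the
### services file says nothing about them. A protocol that is absent from
### %services is treated as "unknown" below and every rule for it is
### printed, which would be wrong for tcp and udp.
$services{'tcp'}{'80'} = '' unless defined $services{'tcp'};
$services{'udp'}{'53'} = '' unless defined $services{'udp'};

my @files;
if ($ARGV[0]) {
    push @files, $ARGV[0];
} else {
    opendir my $dh, $rules_dir or die " ** Could not open $rules_dir: $!";
    ### sorted so the output is stable from run to run (readdir order is
    ### filesystem dependent), which matters when the listing is reviewed
    ### by hand and compared against previous runs.
    @files = sort readdir $dh;
    closedir $dh;
}

my %is_ignored = map { $_ => 1 } @ignore_files;

FILE: for my $file (@files) {
    next FILE unless $file =~ /rules/;
    next FILE if $is_ignored{$file};

    ### three-arg open: the file name comes from the directory listing or
    ### from the command line, so it must never be able to select the mode.
    my $path = "$rules_dir/$file";
    open my $rh, '<', $path or die " ** Could not open $path: $!";
    my @rules = <$rh>;
    close $rh;

    print "### $file\n";
    RULE: for my $rule (@rules) {
        chomp $rule;
        next RULE unless $rule =~ /^\s*alert/;

        ### alert <proto> <src_ip> <src_port> <dir> <dst_ip> <dst_port> (...)
        ### Captures are taken in the same statement as the match so that
        ### no later match can clobber them.
        my ($proto, $src_p, $dst_p) = $rule =~ m{ ^alert \s+ (\S+) \s+ \S+ \s+ (\S+)
                                                  \s+ \S+ \s+ \S+ \s+ (\S+) }x
            or next RULE;

        next RULE if $src_p =~ /\$/;   ### skip things like $HTTP_PORTS
        next RULE if $dst_p =~ /\$/;

        ### A content match with no port information at all cannot be
        ### approximated from iptables logs.
        next RULE if ($rule =~ /content:/
            and $src_p eq 'any' and $dst_p eq 'any');

        ### For a known protocol, drop the rule if any endpoint of the
        ### source or destination port specification is a well-known
        ### service port; the remaining rules are candidates for psad.
        if (defined $services{$proto}) {
            for my $port (port_endpoints($src_p), port_endpoints($dst_p)) {
                next RULE if defined $services{$proto}{$port};
            }
        }

        print $rule, "\n";
    }
    print "\n";
}
exit 0;

### Read a services(5) style file and return a hash keyed by protocol and
### then by port number, with the service name as value:
###   $svc{'tcp'}{'111'} = 'sunrpc'
### Lines that do not look like "<name> <port>/<proto>" are ignored.
### Dies if the file cannot be opened.
sub load_services {
    my $path = shift;
    my %svc;
    open my $fh, '<', $path or die " ** Could not open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        ### sunrpc 111/tcp
        if ($line =~ m|^\s*(\S+)\s+(\d+)/(\S+)|) {
            my ($service, $port, $proto) = ($1, $2, $3);
            $svc{$proto}{$port} = $service;
        }
    }
    close $fh;
    return %svc;
}

### Return the port numbers to look up for a Snort port specification.
### A range such as "1024:2048" yields both endpoints; an open-ended range
### such as "1024:" yields only the given endpoint (split drops the empty
### trailing field); a single port or "any" is returned unchanged.
### Only the endpoints are checked, so a range that merely spans a service
### port is still printed for human review.
sub port_endpoints {
    my $port_spec = shift;
    return split /\s*:\s*/, $port_spec;
}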