Mastering Snort: An Essential Snort Rules Cheat sheet -SecureMyOrg

By SecureMyOrg
on December 3, 2024

intrusion detection, snort

When it comes to securing your network, having the right tools is crucial. Snort rules form the backbone of the Snort Intrusion Detection and Prevention System (IDS/IPS), allowing network administrators to monitor, detect, and prevent potential threats effectively. This blog delves into Snort rules, offering insights, practical examples, and a handy Snort rules cheatsheet for quick reference.

What is Snort?

Snort, is an open-source network intrusion detection and prevention system (IDS/IPS). Developed by Martin Roesch in 1998, Snort has become one of the most widely used tools for monitoring and securing networks. It analyzes network traffic in real time, detects potential threats, and can block malicious activities.

What are Snort Rules?

At its core, Snort is an open-source network security solution capable of real-time traffic analysis and packet logging. Snort rules are configurations that dictate how the system identifies and responds to suspicious activity. By using these rules, Snort can detect a variety of threats, from port scans to complex web-based attacks.

A Snort rule consists of two main parts:

The Rule Header: Specifies the rule’s action, protocol, and source/destination conditions.
The Rule Options: Defines the specific content and behaviors to match.

Together, these components enable Snort to provide flexible and precise intrusion detection.

Anatomy of a Snort Rule

Understanding the structure of a Snort rule is the first step toward mastering its use. Here’s a breakdown:

1. Rule Header
The rule header defines the general conditions for the rule. It includes:

Action: Determines what happens when the rule is triggered (e.g., alert, log, drop).
Protocol: The type of traffic to monitor (e.g., TCP, UDP, ICMP).
Source/Destination: The IP addresses and port numbers involved.

Example Header:

plaintext
alert tcp any any -> 192.168.1.0/24 80

This header generates an alert for any TCP traffic to port 80 on the 192.168.1.0/24 network.

2. Rule Options
Options specify the finer details of the rule, such as patterns to match or metadata for categorization. Common options include:

msg: The alert message.
content: Payload to match within the packet.
sid: A unique rule identifier.
rev: The rule’s revision number.
classtype: Classifies the threat type (e.g., “web-application-attack”).

Example Options:

plaintext
(msg:"Possible SQL Injection"; content:"SELECT"; sid:1001; rev:1;)

Combined with the header, this example looks for SQL-related keywords in HTTP traffic.

Writing Your Own Snort Rules

Creating custom Snort rules empowers you to address unique network needs. Here’s a step-by-step approach:

Define the Goal: Identify the type of activity to monitor or block.
Craft the Header: Specify the action, protocol, and traffic conditions.
Add Relevant Options: Use options to pinpoint specific patterns or behaviors.
Test and Refine: Deploy the rule in a test environment before production use.

Example Custom Rule:

plaintext
(msg:"Possible SQL Injection"; content:"SELECT"; sid:1001; rev:1;)

This rule detects any traffic to port 23, commonly associated with Telnet.

Snort Rules Cheatsheet

Component	Description	Example
Action	What to do when the rule matches	alert, log, drop
Protocol	Type of traffic to monitor	tcp, udp, icmp
Source/Dest IP	Specify IP or use `any` for all	192.168.1.0/24, any
Port	Specify port or range	80, 1:1024, any
msg	Alert message to log	msg:"Suspicious Activity"
content	Payload string to match	content:"/login"
sid	Unique identifier for the rule	sid:1001;
rev	Revision number for tracking updates	rev:1;
classtype	Categorizes the type of alert	classtype:attempted-admin;
pcre	Matches using a Perl-compatible regex	pcre:"/^GET /";

This cheatsheet is a quick reference to simplify your journey using snort.

Examples of Common Snort Rules

1. Detect HTTP GET Requests:

plaintext
alert tcp any any -> any 80 (msg:"HTTP GET Request Detected"; content:"GET"; http_method; sid:1001; rev:1;)

Purpose: Detects HTTP GET requests to web servers on port 80.

http_method: Ensures the match is specifically in the HTTP method field.

2. Detect FTP Login Attempts:

plaintext
alert tcp any any -> any 21 (msg:"FTP Login Attempt"; content:"USER"; sid:1002; rev:1;)

Purpose: Monitors FTP traffic on port 21 and detects when a username (USER) is sent.

3. Detect SQL Injection Attempts:

plaintext
alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"SELECT"; nocase; sid:1003; rev:1;)

Purpose: Identifies potential SQL injection attempts in HTTP traffic.

nocase: Makes the content match case-insensitive.

4. Detect ICMP Ping Requests (Ping Sweep):

plaintext
alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1004; rev:1;)

Purpose: Detects ICMP Echo Request packets (ping packets), which are often used for network reconnaissance.

itype:8: Matches ICMP Echo Request messages.

5. Detect SSH Brute-Force Attempts:

plaintext
alert tcp any any -> any 22 (msg:"SSH Brute Force Detected"; threshold:type both, track by_src, count 5, seconds 60; sid:1005; rev:1;)

Purpose: Alerts when there are more than 5 SSH connection attempts from the same source within 60 seconds.

threshold: Prevents alert flooding by setting limits on trigger frequency.

6. Block Outbound Traffic to Malicious IPs:

plaintext
drop tcp any any -> 203.0.113.10 any (msg:"Outbound to Malicious IP"; sid:1006; rev:1;)

Purpose: Drops all traffic destined for a known malicious IP address.

7. Detect Unauthorized DNS Queries:

plaintext
alert udp any any -> any 53 (msg:"Unauthorized DNS Query"; content:"dangersite.com"; nocase; sid:1007; rev:1;)

Purpose: Monitors DNS traffic and detects queries to a specific domain (dangersite.com).

8. Detect Malware Beaconing:

plaintext
alert tcp any any -> any 443 (msg:"Suspicious HTTPS Beaconing"; content:"/malware-beacon"; sid:1008; rev:1;)

Purpose: Detects HTTPS traffic containing specific strings associated with malware communication.

9. Detect Email with Suspicious Attachments:

plaintext
alert tcp any any -> any 25 (msg:"Suspicious Email Attachment"; content:".exe"; sid:1012; rev:1;)

Purpose: Scans SMTP traffic for emails with .exe attachments, which might indicate malware.

10. Detect Cross-Site Scripting (XSS) Attempts:

plaintext
alert tcp any any -> any 80 (msg:"Possible XSS Detected"; content:"<script>"; nocase; sid:1014; rev:1;)

Purpose: Monitors HTTP traffic for <script> tags, a common element in XSS attacks.

11. Detect Buffer Overflow Attempts:

plaintext
alert tcp any any -> any 80 (msg:"Buffer Overflow Detected"; content:"AAAA"; sid:1010; rev:1;)

Purpose: Detects patterns in payloads that might indicate a buffer overflow exploit (e.g., a large string of repetitive characters).

12. Detect ZIP File Transfers:

plaintext
alert tcp any any -> any 80 (msg:"ZIP File Transfer Detected"; content:"PK"; sid:1011; rev:1;)

Purpose: Monitors HTTP traffic for the signature of ZIP files (starting with PK).

13. Detect TOR Traffic:

plaintext
alert tcp any any -> any any (msg:"TOR Traffic Detected"; content:"torproject"; sid:1015; rev:1;)

Purpose: Identifies traffic associated with the TOR network.

These examples represent just a fraction of what can be achieved with Snort rules. From detecting outdated protocols to identifying advanced persistent threats (APTs), the possibilities are nearly endless. By leveraging Snort’s flexibility and customizing rules for your environment, you can create a robust defense tailored to your network’s unique needs.

Optimizing Snort Rules

Optimizing Snort rules is critical for maintaining high performance and ensuring accurate detection. In order to optimize, follow these tips:

1. Understand Network Baseline

Before creating or optimizing rules, it’s essential to understand normal network traffic patterns:

Analyze Traffic: Use packet capture tools (e.g., Wireshark) to identify typical traffic.
Segment Networks: Focus on high-risk areas (e.g., external-facing servers or critical systems).
Identify Critical Assets: Determine what needs the most protection to prioritize rule coverage.

2. Write Precise Rules

Precise rules reduce false positives and processing overhead. Follow these best practices:

Narrow Rule Scope: Avoid using broad terms like any any unless necessary. Specify source/destination IPs, ports, and protocols.
Focus on Relevant Traffic: Apply rules to protocols and ports actually in use.
Use Content Matching Effectively: Be specific with patterns (e.g., content:"/login"; rather than content:"log";).
Employ Case Sensitivity: Use nocase only if necessary to avoid unnecessary matches.

3. Reduce Rule Overlap

Avoid redundancy among rules by combining similar detection patterns:

Group Related Conditions: Use logical operators (e.g., | or and) to streamline rules.
Audit Existing Rules: Remove duplicate or obsolete rules, especially from outdated threats.

4. Use Rule Thresholds

Thresholds control how often a rule triggers, reducing noise:

Limit Alerts: Use the threshold option to prevent flood alerts for frequent events.
Track by Source/Destination: Set thresholds for specific IPs or hosts.

5. Categorize and Prioritize Rules

Organize rules by severity and functionality for efficient management:

Use classtype: Assign categories like attempted-user or policy-violation for clarity.
Focus on Critical Rules: Ensure rules for critical assets or known exploits are prioritized.
Disable Unused Rules: Temporarily disable rules not applicable to your environment.

6. Utilize Advanced Features

Advanced Snort rule features enhance detection accuracy:

Regular Expressions (PCRE): Match complex patterns using pcre.
Byte Tests: Perform advanced checks on packet data.
Metadata Tags: Add meaningful metadata for better rule management and reporting.

Example of PCRE usage:

plaintext
alert tcp any any -> any 80 (msg:"SQL Injection Detected"; pcre:"/select.+from.+users/i"; sid:2004; rev:1;)

7. Monitor Performance

Keep track of Snort’s impact on system resources:

Analyze CPU and Memory Usage: Overloaded systems may drop packets, missing detections.
Fine-Tune Rules: Disable resource-heavy rules or use BPF (Berkeley Packet Filter) to limit processed traffic.
Enable Profiling: Use Snort’s --enable-profiling option to identify slow rules.

8. Regularly Update Rules

Threats evolve, and outdated rules may fail to detect new vulnerabilities:

Subscribe to Rule Updates: Use Snort’s built-in tools to fetch updated rules from reliable sources (e.g., Snort VRT or Emerging Threats).
Customize as Needed: Tailor downloaded rules to fit your environment.

Conclusion

Mastering Snort rules is an essential skill for network security professionals. By understanding their structure, writing custom rules, and leveraging the Snort rules cheatsheet, you can harness Snort’s full potential to protect your network effectively.

Whether you’re setting up basic alerts or implementing advanced intrusion prevention strategies, Snort rules offer unparalleled flexibility and control. Stay proactive, and ensure your rules evolve with emerging threats to maintain a robust defense.

References

About SecureMyOrg

At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!

Some of the things people reach out to us for –

Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
DevSecOps consulting
Red Teaming activity
Regular security audits, before product release
Full time security engineers.