Snort Dynamic Rules Preview

On my flights to and from the GFIRST 2006 conference this week, I got a chance to read the manual for Snort 2.6.0RC1. The most obvious addition to Snort 2.6 is the ability to add preprocessors, detection capabilities, and rules as dynamically loadable modules. This feature is activated by running configure with the --enable-dynamicplugin switch. Preprocessors and detection capabilities are more of an issue for Snort developers, since few Snort users code their own features. The advantage of the dynamic engine is that developers can write their own modules without having to patch Snort itself.

Most Snort users customize Snort by writing their own rules. Beginning with Snort 2.6.0RC1, the new C-style rule language is in place. If you read the snort_manual.pdf included with snort-2.6.0RC1.tar.gz, you will see a discussion of the new format starting in section 5.1.5 (Dynamic Rules). Here is an example of a rule in the old format:

alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any  (msg:"BACKDOOR netbus active"; 
flow:from_server,established;  content:"NetBus"; reference:arachnids,401; 
classtype:misc-activity;  sid:109; rev:5;)

Here is an example of the same rule in the new format. You can find this rule, sid109.c, in the /src/snort-2.6.0RC1/src/dynamic-examples/dynamic-rule directory.

It looks like this:

/*
 * sid109.c
 *
 * Copyright (C) 2006 Sourcefire,Inc
 * Steven A. Sturges 
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Description:
 *
 * This file is part of an example of a dynamically loadable rules library.
 *
 * NOTES:
 *
 */

#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"
#include "detection_lib_meta.h"

/*
 * C-language example for SID 109
 *
 * alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any  * (msg:"BACKDOOR netbus active"; 
 * flow:from_server,established;  * content:"NetBus"; reference:arachnids,401; 
 * classtype:misc-activity;  * sid:109; rev:5;)
 *
 */

/* flow:established, from_server; */
static FlowFlags sid109flow = 
{
    FLOW_ESTABLISHED|FLOW_TO_CLIENT
};

static RuleOption sid109option1 =
{
    OPTION_TYPE_FLOWFLAGS,
    {
        &sid109flow
    }
};

/* content:"NetBus";  */
static ContentInfo sid109content = 
{
    "NetBus",               /* pattern to search for */
    0,                      /* depth */
    0,                      /* offset */
    CONTENT_BUF_NORMALIZED, /* flags */
    NULL,                   /* holder for boyer/moore info */
    NULL,                   /* holder for byte representation of "NetBus" */
    0,                      /* holder for length of byte representation */
    0                       /* holder of increment length */
};

static RuleOption sid109option2 = 
{
    OPTION_TYPE_CONTENT,
    {
        &sid109content
    }
};

/* references for sid 109 */
static RuleReference sid109ref_arachnids =
{
    "arachnids",    /* Type */
    "401"           /* value */
};

static RuleReference *sid109refs[] =
{
    &sid109ref_arachnids,
    NULL
};

RuleOption *sid109options[] =
{
    &sid109option1,
    &sid109option2,
    NULL
};

Rule sid109 =
{
    /* protocol header, akin to => tcp any any -> any any */
    {
        IPPROTO_TCP,        /* proto */
        HOME_NET,           /* source IP */
        "12345:12346",      /* source port(s) */
        0,                  /* direction, uni-directional */
        EXTERNAL_NET,       /* destination IP */
        ANY_PORT            /* destination port(s) */
    },
    /* metadata */
    { 
        3,                  /* genid -- use 3 to distinguish a C rule */
        109,                /* sigid */
        5,                  /* revision */
        "misc-activity",    /* classification */
        0,                  /* priority */
       "BACKDOOR netbus active",    /* message */
       sid109refs           /* ptr to references */
    },
    sid109options, /* ptr to rule options */
    NULL,                   /* Use internal eval func */
    0,                      /* Holder, not yet initialized, used internally */
    0,                      /* Holder, option count, used internally */
    0,                      /* Holder, no alert used internally for flowbits */
    NULL                    /* Holder, rule data, used internally */
};

For an explanation of this rule, please see the snort_manual.pdf packaged with Snort 2.6.0RC1. It is not yet online.

For a simple rule like sid 109, the new structure looks very "heavy." However, consider a rule like the following, sid 2258:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service
 buffer overflow attempt"; flow:to_server,established;  content:"|FF|SMB%"; depth:5; offset:4;
 nocase; content:"&|00|"; within:2; distance:56;  content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; 
 within:12; distance:5; nocase;  content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; 
 byte_jump:4,86,little,align,relative;  byte_jump:4,8,little,align,relative; 
 byte_test:4,>,1024,0,little,relative;  reference:bugtraq,8826; reference:cve,2003-0717; 
 reference:nessus,11888;  reference:nessus,11890; 
 reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx;  
 classtype:attempted-admin; sid:2258; rev:9;)

That rule demonstrates the difficulty of writing more complex rules. The new rules structure should make writing rules like sid 2258 easier.

The sid109.c example shown above, and the material in the snort_manual.pdf packaged with Snort 2.6.0RC1,, may not exactly be what is shipped with Snort 2.6.0 or even Snort 3.0.0. Sourcefire has not determined if it will completely replace the old style rule format in favor of the new format. I expect to see Snort 3.0.0 ship with rules in the new format.