
Snort conversion wizard

Basic outline of a snort rule

[action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )

| ---------------- Rule Header ------------------------------- |- Rule Options - |

 

SNORT rule example

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:3;)

FGT custom IPS signature

config ips custom

edit "S24874R3"

set signature "F-SBID(--name \"S24874R3\"; --protocol tcp; --service FTP; --flow from_server; --tag test,file.swf; --pattern \"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|\";)"

set action block

set status enable

set log enable

set comment ''

next

end

 

"action" field

Supported keyword

alert

Unsupported keyword

log

"protocol" field

Supported keyword

tcp/udp/ip/icmp/HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP/SNMP/RADIUS

HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP -> tcp

SNMP/RADIUS -> udp

"sourceIP", "sourceport", "destIP" and "destport" fields

Supported keyword

Either "any" or a "$xxxx" variable

"Rule options" field

Supported keywords

Option Test input Test output
byte_test byte_test:1,!&,0xF8,2; --byte_test 1,~,0xF8,2;
byte_jump byte_jump:4,-10,relative,little; --byte_jump 4,-10,little,relative;
threshold threshold:type limit, track by_src, count 1, seconds 60; --track SRC_IP; --rate 1,60;
nocase nocase; --no_case;
isdataat isdataat:50,relative; --data_at 50,relative;
http_raw_uri http_raw_uri; --context uri;
http_raw_cookie http_raw_cookie; --context header;
http_raw_header http_raw_header; --context header;
http_stat_code http_stat_code; --context banner;
http_stat_msg http_stat_msg; --context banner;
sip_header sip_header; --context header;
sip_body sip_body; --context body;
id id:123456; --ip_id 123456;
dsize dsize:<400; --data_size <400;
ipopts ipopts:lsrr; --ip_option lsrr;
flags flags:SF,CE; --tcp_flags SF,CE;
seq seq:0; --seq 0;
ack ack:0; --ack 0;
window window:55808; --window_size 55808;
itype itype:>30; --icmp_type >30;
icode icode:>30; --icmp_code >30;
icmp_id icmp_id:0; --icmp_id 0;
icmp_seq icmp_seq:0; --icmp_seq 0;
rpc rpc:100000, *, 3; --rpc_num 100000, *, 3;
sameip sameip; --same_ip;
ttl ttl:<3; --ip_ttl <3;
tos tos:!4; --ip_tos !4;
content content:"OK LOGIN"; --pattern \"OK LOGIN\";
flowbits flowbits:set,logged_in; flowbits:noalert; --tag set,logged_in; --tag quiet;
flow flow:to_server,established; --flow from_client;
pcre pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; --pcre \"/^User-Agent\x3A[^\r\n]*malware/mi\";
uricontent uricontent:"testurl"; --pattern "testurl"; --context uri;
ip_proto ip_proto:igmp; --protocol igmp;
depth depth:8; --within 8,packet;
offset offset:4; --distance 4,packet;
within within:10; --within 10;
distance distance:4; --distance 4;
http_client_body http_client_body; --context body;
http_cookie http_cookie; --context header;
http_method http_method; --context uri;
urilen urilen:5; --data_size 5,uri;
metadata metadata:impact_flag red, service dns; --service DNS;
sid sid:19644; --name \"S19644R4\";
rev rev:4; --name \"S19644R4\";
byte_extract byte_extract:1, 0, str_offset; --extract 1,0,$0;
rawbytes rawbytes; --context packet_origin;
msg msg:"Bad Stuff detected within field"; set comment "Bad Stuff detected within field"
file_data file_data; --context file;
pkt_data pkt_data; --context packet;
detection_filter detection_filter:track by_src, count 30, seconds 60; --rate 30,60; --track SRC_IP;

Unsupported keywords:

Option Test input
replace  
stream_reassemble  
stream_size  
cvs  
ftpbounce  
asn1  
fragbits  
fragoffset  
base64_decode  
base64_data  
sip_method  
sip_stat_code  
gtp_type  
gtp_info  
gtp_version  
ssl_state  
reference  
classtype  
priority  
gid  
fast_pattern  
logto  
session  
resp  
react  
tag  
activates  
activated_by  
http_encode  
count  
dce_iface  
dce_opnum  
dce_stub_data  
metadata  
protected_content  
hash  
length  
modbus_func  
dnp3_ind  

 

 

 

Snort conversion wizard

Basic outline of a snort rule

[action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )

| ---------------- Rule Header ------------------------------- |- Rule Options - |

 

SNORT rule example

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:3;)

FGT custom IPS signature

config ips custom

edit "S24874R3"

set signature "F-SBID(--name \"S24874R3\"; --protocol tcp; --service FTP; --flow from_server; --tag test,file.swf; --pattern \"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|\";)"

set action block

set status enable

set log enable

set comment ''

next

end

 

"action" field

Supported keyword

alert

Unsupported keyword

log

"protocol" field

Supported keyword

tcp/udp/ip/icmp/HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP/SNMP/RADIUS

HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP -> tcp

SNMP/RADIUS -> udp

"sourceIP", "sourceport", "destIP" and "destport" fields

Supported keyword

Either "any" or a "$xxxx" variable

"Rule options" field

Supported keywords

Option Test input Test output
byte_test byte_test:1,!&,0xF8,2; --byte_test 1,~,0xF8,2;
byte_jump byte_jump:4,-10,relative,little; --byte_jump 4,-10,little,relative;
threshold threshold:type limit, track by_src, count 1, seconds 60; --track SRC_IP; --rate 1,60;
nocase nocase; --no_case;
isdataat isdataat:50,relative; --data_at 50,relative;
http_raw_uri http_raw_uri; --context uri;
http_raw_cookie http_raw_cookie; --context header;
http_raw_header http_raw_header; --context header;
http_stat_code http_stat_code; --context banner;
http_stat_msg http_stat_msg; --context banner;
sip_header sip_header; --context header;
sip_body sip_body; --context body;
id id:123456; --ip_id 123456;
dsize dsize:<400; --data_size <400;
ipopts ipopts:lsrr; --ip_option lsrr;
flags flags:SF,CE; --tcp_flags SF,CE;
seq seq:0; --seq 0;
ack ack:0; --ack 0;
window window:55808; --window_size 55808;
itype itype:>30; --icmp_type >30;
icode icode:>30; --icmp_code >30;
icmp_id icmp_id:0; --icmp_id 0;
icmp_seq icmp_seq:0; --icmp_seq 0;
rpc rpc:100000, *, 3; --rpc_num 100000, *, 3;
sameip sameip; --same_ip;
ttl ttl:<3; --ip_ttl <3;
tos tos:!4; --ip_tos !4;
content content:"OK LOGIN"; --pattern \"OK LOGIN\";
flowbits flowbits:set,logged_in; flowbits:noalert; --tag set,logged_in; --tag quiet;
flow flow:to_server,established; --flow from_client;
pcre pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; --pcre \"/^User-Agent\x3A[^\r\n]*malware/mi\";
uricontent uricontent:"testurl"; --pattern "testurl"; --context uri;
ip_proto ip_proto:igmp; --protocol igmp;
depth depth:8; --within 8,packet;
offset offset:4; --distance 4,packet;
within within:10; --within 10;
distance distance:4; --distance 4;
http_client_body http_client_body; --context body;
http_cookie http_cookie; --context header;
http_method http_method; --context uri;
urilen urilen:5; --data_size 5,uri;
metadata metadata:impact_flag red, service dns; --service DNS;
sid sid:19644; --name \"S19644R4\";
rev rev:4; --name \"S19644R4\";
byte_extract byte_extract:1, 0, str_offset; --extract 1,0,$0;
rawbytes rawbytes; --context packet_origin;
msg msg:"Bad Stuff detected within field"; set comment "Bad Stuff detected within field"
file_data file_data; --context file;
pkt_data pkt_data; --context packet;
detection_filter detection_filter:track by_src, count 30, seconds 60; --rate 30,60; --track SRC_IP;

Unsupported keywords:

Option Test input
replace  
stream_reassemble  
stream_size  
cvs  
ftpbounce  
asn1  
fragbits  
fragoffset  
base64_decode  
base64_data  
sip_method  
sip_stat_code  
gtp_type  
gtp_info  
gtp_version  
ssl_state  
reference  
classtype  
priority  
gid  
fast_pattern  
logto  
session  
resp  
react  
tag  
activates  
activated_by  
http_encode  
count  
dce_iface  
dce_opnum  
dce_stub_data  
metadata  
protected_content  
hash  
length  
modbus_func  
dnp3_ind