Ever want to use a Snort-like rule with SiLK or Analysis Pipeline to find text within packets? Timur Snoke and I were recently discussing how we could do this and realized that while neither SiLK nor Analysis Pipeline themselves do packet inspection, YAF can be used to create an application label that can be used in analyses in both SiLK and Pipeline (field 29, application). This post outlines the steps required and provides an example.

The Steps

Use the following steps to find text in packets:

1. 1. Find the Snort rule or rules you would like to apply for SiLK or Analysis Pipeline.
      
   2. Make sure YAF is available and configured for application labeling. To check if application labeling is available, run yaf --version in a terminal window and make sure the "Application Labeling" line says "YES." If application labeling is not available, follow the documentation to rebuild YAF with --enable-applabel option to ./configure.
      
   3. Find the yafApplabelRules.conf file. The standard location for this file is /usr/local/etc.
      
   4. Determine the label number you would like to assign to flows that match the rule. Make sure this label is not already used in the yafApplabelRules.conf file. It is a good idea to choose numbers above the well-known port range for signature labels.
      
   5. For each Snort rule, determine the string that the rule should match and translate the string into PCRE compliant regular expressions. Make sure to escape all special characters (e.g. \, ^, ., $, |, (, ), [, ], {, }, *, +, ?) with the backslash character (\).
      
   6. Edit the yafApplabelRules.conf file, adding a line with the format shown below, where <number> is the number from step 3, and <regex> is the regular expression from step 4:
      label <number> signature <regex>

For Snort-like rules, use "signature" rules and not "regex" or "plugin." Since YAF stops processing application labels as soon as the first match is found, be sure that these type of rules are checked before more generic rules, such as label 80 for web traffic. Signature rules are evaluated before all other regex and plugin rules.

1. Start YAF with the options that are normally used. If you're not already using application label, add
   --applabel --applabel-rules=/usr/local/etc/yafApplabelRules.conf \
   --max-payload=384
   to the command when running YAF. If the yafApplicationRules.conf file is not in the standard location, update the path for the --applabel-rules option.

An Example

I recently came across this blog post from Didier Stevens and decided to implement a few of the rules he provided as YAF labels. I decided that I wanted one label for Metasploit web clients and chose the number 34566. (There are several rules he based on Metasploit User Agent strings in the post.) I'll show the implementation of the first two.

Looking at the first rule, we can identify the text that the rule expects to match:
Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)

Translating this into a regular expression, we get:
Mozilla\/4.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)

In the Snort rule, the semicolons are escaped, but they do not need to be in the regular expression. Conversely, the Snort rule does not escape periods, but they must be in the regular expression. If I want to make this case insensitive, I add a grouping and prepend (?i):
(?i)(Mozilla\/4.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\))

So, the line in my YAF configuration file is:
label 34566 signature (?i)(Mozilla\/4.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\))

To implement the second rule, my line is:
label 34566 signature (?i)(Mozilla\/4.0 \(compatible; MSIE 6\.1; Windows NT\))

I can use the same label for both and if a network flow has a packet that passes either, it will get the 34566 label. To make the signature more efficient, I can combine the two lines into one:
label 34566 signature (?i)( Mozilla\/4\.0 (\(compatible; MSIE 6\.0; Windows NT \(5\.1\))|(\(compatible; MSIE 6\.1; Windows NT\)))

Once I have my labels working, I can use SiLK or Analysis Pipeline to work more with the related flows. For instance, I can filter on type "out" traffic with the application label to match the "$HOME_NET any -> $EXTERNAL_NET" portion of the Snort rules. I can further filter on protocol "6" to match the "tcp" portion of the Snort rules.

In my next blog post, I will discuss ways to use the application label in Analysis Pipeline to provide signature context.