Posted by Toolsin
Ever want to use a Snort-like rule with SiLK or Analysis Pipeline to find text within packets? Timur Snoke and I were recently discussing how we could do this and realized that while neither SiLK nor Analysis Pipeline themselves do packet inspection, YAF can be used to create an application label that can be used in analyses in both SiLK and Pipeline (field 29, application). This post outlines the steps required and provides an example.
The approach is to have YAF assign an application label to any flow whose payload contains the text, and then filter on that label in SiLK or Pipeline.
For Snort-like rules, use "signature" rules rather than "regex" or "plugin" rules. YAF stops processing application labels as soon as the first rule matches, so a specific rule like this one must be checked before more generic rules, such as label 80 for web traffic. Signature rules are evaluated before all regex and plugin rules, which is exactly what makes them the right choice here.
I recently came across this blog post from Didier Stevens and decided to implement a few of the rules he provided as YAF labels. I wanted one label for Metasploit web clients and chose the number 34566. (The post has several rules based on Metasploit User-Agent strings.) I'll show the implementation of the first two.
Looking at the first rule, we can identify the text that the rule expects to match:
Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)
Translating this into a regular expression, we get:
Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)
In the Snort rule, the semicolons are escaped because a bare ";" would end the content option, but they need no escaping in a regular expression. Conversely, a Snort content match is literal, so its periods are not escaped, but in a regular expression an unescaped period matches any character, so every period (including the one in 4.0) must be escaped. To make the match case insensitive, I prepend the (?i) modifier and wrap the expression in a group:
(?i)(Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\))
So, the line in my YAF configuration file is:
label 34566 signature (?i)(Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\))
To implement the second rule, my line is:
label 34566 signature (?i)(Mozilla\/4\.0 \(compatible; MSIE 6\.1; Windows NT\))
I can use the same label for both and if a network flow has a packet that passes either, it will get the 34566 label. To make the signature more efficient, I can combine the two lines into one:
label 34566 signature (?i)(Mozilla\/4\.0 \(compatible; MSIE (6\.0; Windows NT 5\.1|6\.1; Windows NT)\))
Once the label is in place, I can use SiLK or Analysis Pipeline to work further with the matching flows. For instance, filtering on type "out" traffic with application label 34566 corresponds to the "$HOME_NET any -> $EXTERNAL_NET" portion of the Snort rules, and adding a filter on protocol 6 corresponds to the "tcp" portion. Keep in mind that the label is assigned to the whole flow, not to a packet, and that YAF only inspects the payload bytes it captures (bounded by its --max-payload setting), so the text must appear within that captured payload to be labeled.
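Before deploying a signature, it is worth checking it the way YAF will use it: against payload, with first-match-wins ordering. The following script is an added example, not code from the original post or from YAF. It exercises the combined label-34566 signature and the ordering point from the first step against constructed HTTP requests. YAF compiles signatures with PCRE; Python's re module stands in for it here, and only syntax common to both engines is used. The generic label-80 rule, the sample User-Agent strings and the request template are assumptions constructed for this example, not YAF's real rule or captured traffic.

```python
import re

# Combined Metasploit User-Agent signature from the post, exactly as it would
# appear after "label 34566 signature" in the YAF application label rules file.
METASPLOIT_UA_SIGNATURE = (
    r"(?i)(Mozilla\/4\.0 \(compatible; MSIE (6\.0; Windows NT 5\.1|6\.1; Windows NT)\))"
)

# The same first rule with its periods left unescaped, kept only to show the
# mistake the post warns about: an unescaped "." matches any character.
UNESCAPED_SIGNATURE = r"(?i)(Mozilla\/4.0 \(compatible; MSIE 6.0; Windows NT 5.1\))"

# Simplified stand-in for a generic web rule (an assumption for this example;
# YAF's actual label 80 rule is not reproduced here).
GENERIC_HTTP_RULE = r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"

# Ordered (label, pattern) tables. YAF evaluates signature rules before any
# regex/plugin rule; SIGNATURE_FIRST models that order, GENERIC_FIRST models
# what would happen if the Metasploit rule were an ordinary regex rule placed
# after the web rule.
SIGNATURE_FIRST = [(34566, METASPLOIT_UA_SIGNATURE), (80, GENERIC_HTTP_RULE)]
GENERIC_FIRST = [(80, GENERIC_HTTP_RULE), (34566, METASPLOIT_UA_SIGNATURE)]

# Constructed sample User-Agent strings (not captured traffic).
UA_MSF_60 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_MSF_61 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
UA_MSF_60_MIXED_CASE = "mozilla/4.0 (COMPATIBLE; msie 6.0; WINDOWS nt 5.1)"
UA_NEAR_MISS = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
UA_BENIGN_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
UA_GARBAGE_DOTS = "Mozilla/4x0 (compatible; MSIE 6x0; Windows NT 5x1)"


def http_request(user_agent: str) -> str:
    """Build a minimal HTTP request; this is the payload text a labeler would inspect."""
    return (
        "GET /index.php HTTP/1.1\r\n"
        "Host: 203.0.113.10\r\n"
        f"User-Agent: {user_agent}\r\n"
        "\r\n"
    )


def first_match_label(payload: str, rules) -> int:
    """Return the label of the first rule that matches, or 0 if none does.

    Mirrors YAF stopping at the first application label that matches.
    """
    for label, pattern in rules:
        if re.search(pattern, payload):
            return label
    return 0


def matches(pattern: str, text: str) -> bool:
    """True if the pattern matches anywhere in the text."""
    return re.search(pattern, text) is not None


def classify_all(rules) -> dict:
    """Label every constructed sample request under the given rule order."""
    samples = {
        "msf_6.0": UA_MSF_60,
        "msf_6.1": UA_MSF_61,
        "msf_6.0_mixed_case": UA_MSF_60_MIXED_CASE,
        "near_miss_nt5.2": UA_NEAR_MISS,
        "benign_ie7": UA_BENIGN_IE7,
    }
    return {name: first_match_label(http_request(ua), rules) for name, ua in samples.items()}


if __name__ == "__main__":
    print("signature rule first:", classify_all(SIGNATURE_FIRST))
    print("generic rule first:  ", classify_all(GENERIC_FIRST))
    print("unescaped periods match garbage:", matches(UNESCAPED_SIGNATURE, UA_GARBAGE_DOTS))
    print("escaped periods match garbage:  ", matches(METASPLOIT_UA_SIGNATURE, UA_GARBAGE_DOTS))
```

With the signature rule evaluated first, both Metasploit strings (including the mixed-case one) get label 34566 while the near miss and the benign IE 7 request fall through to the generic web label; with the generic rule first, everything gets label 80, which is why the post insists on signature rules. The unescaped variant also matches "Mozilla/4x0 ... 6x0 ... 5x1", which the escaped signature correctly rejects. Once the rule is in the YAF rules file and yaf is run with --applabel, the SiLK side of the last step is a filter such as rwfilter --type=out --protocol=6 --application=34566 --pass=stdout piped into rwcut --fields=sIP,dIP,dPort,application.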
In my next blog post, I will discuss ways to use the application label in Analysis Pipeline to provide signature context.