authorLuke Boguslaw <lboguslaw91@gmail.com>2019-02-10 04:59:24 -0700
committerLuke Boguslaw <lboguslaw91@gmail.com>2019-02-10 04:59:24 -0700
commitbcccb747bab4b0890bb717ced622f816b37fc596 (patch)
tree9b37cdb6ddccacba90f2f739538a3c903c79c081
parentd7edf3825f34d2efe252fe8d27a18b72dfa05412 (diff)
Added the two Snort files that I mentioned I was having issues with. Please look in the script, in the updateFile definition, where copyFile is commented out. When the temp file is copied to snortRulesFileName, the text towards the end seems to be cut off, but the text in output.txt is fine and not cut off. It has something to do with the copyFile function line.
-rw-r--r--luke/protocol-dns.rules88
-rwxr-xr-xluke/snort_rules_update.py96
2 files changed, 184 insertions, 0 deletions
diff --git a/luke/protocol-dns.rules b/luke/protocol-dns.rules
new file mode 100644
index 0000000..93985eb
--- /dev/null
+++ b/luke/protocol-dns.rules
@@ -0,0 +1,88 @@
+# Copyright 2001-2018 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#--------------------
+# PROTOCOL-DNS RULES
+#--------------------
+
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS root query traffic amplification attempt"; flow:to_server,no_stream; content:"|00 01|"; depth:2; offset:4; content:"|00 00 02 00 01|"; within:5; distance:6; detection_filter:track by_src, count 5, seconds 30; metadata:service dns; reference:url,isc.sans.org/diary.html?storyid=5713; classtype:misc-activity; sid:15259; rev:6;)
+# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS DNS root query response traffic amplification attempt"; flow:to_client,no_stream; content:"|00 01|"; depth:2; offset:4; content:"|00 00 02 00 01|"; within:5; distance:6; detection_filter:track by_dst, count 5, seconds 30; metadata:service dns; reference:url,isc.sans.org/diary.html?storyid=5713; classtype:misc-activity; sid:15260; rev:6;)
+# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt"; flow:to_client, established; content:"|84 23|"; depth:2; offset:4; byte_test:2,>,40,4,relative; metadata:service dns; reference:cve,2011-1910; classtype:denial-of-service; sid:19125; rev:4;)
+# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt"; flow:established,to_client; byte_test:1,&,128,4; byte_test:1,&,4,4; byte_test:1,&,2,5; byte_test:1,&,1,5; content:"|00 2E 00 01|"; fast_pattern; byte_test:2,>,512,4,big,relative; content:"|00 06 05|"; within:3; distance:6; metadata:policy max-detect-ips drop, service dns; reference:cve,2011-1910; classtype:denial-of-service; sid:21421; rev:7;)
+# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND NAPTR record regular expression handling denial of service attempt"; flow:to_client,established; byte_test:2,&,0x8000,4; content:"|00 FC 00 01|"; fast_pattern; content:"|00 06 00 01|"; within:4; distance:2; content:"|00 23 00 01|"; distance:0; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:26324; rev:5;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt"; flow:to_client; byte_test:2,&,0x8000,2; content:"|00 23 00 01|"; fast_pattern; content:"|00 23 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:26427; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:16;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:bad-unknown; sid:253; rev:14;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns; classtype:bad-unknown; sid:254; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:11;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; flow:to_client,no_stream; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_src, count 1000, seconds 5; metadata:policy max-detect-ips drop, service dns; reference:cve,2008-1447; reference:cve,2009-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:13;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS single byte encoded name response"; byte_test:1, &, 128, 2; byte_test:2, >, 0, 4; byte_test:2, >, 0, 6; pcre:"/^.{12}(\x01.){20}/"; metadata:service dns; reference:cve,2004-0444; classtype:misc-attack; sid:14777; rev:4;)
+# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 C0 A8|"; within:4; distance:4; fast_pattern; metadata:service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:15935; rev:6;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt"; flow:to_client; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; content:"|00|"; offset:12; content:"|00 0C 00 01|"; within:4; content:"|00 0C 00 01|"; distance:2; byte_test:2,>,98,4,relative,big; metadata:service dns; reference:bugtraq,37733; reference:cve,2010-0072; reference:cve,2017-14491; classtype:attempted-admin; sid:20242; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS excessive queries of type ANY - potential DoS"; flow:stateless,no_stream; content:"|00 01|"; depth:2; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01|"; fast_pattern:only; detection_filter:track by_src, count 30, seconds 30; metadata:service dns; reference:url,foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/; classtype:attempted-dos; sid:21817; rev:6;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dead alive6 DNS attempt"; content:"|DE AD|"; depth:2; metadata:service dns; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24304; rev:2;)
+# alert udp $HOME_NET any -> any 53 (msg:"PROTOCOL-DNS IPv6 host name enumeration"; flow:to_server,no_stream; byte_test:1,!&,0xF8,2; content:"|00 00 1C 00 01|"; offset:12; detection_filter:track by_src, count 40, seconds 1; metadata:service dns; reference:url,thc.org/thc-ipv6/; classtype:attempted-recon; sid:27938; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:3;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:3;)
+# alert udp $HOME_NET any -> any 53 (msg:"PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt"; flow:stateless; byte_test:2,&,0x8000,2; content:"|00 23 00 01|"; fast_pattern; content:"|00 23 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:29935; rev:1;)
+# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt"; flow:to_client,established; byte_test:1,&,0x01,4; byte_test:2,>=,100,8; content:"|00 01 00 01|"; fast_pattern:only; metadata:service dns; reference:cve,2004-0840; classtype:attempted-user; sid:32959; rev:1;)
+# alert udp $HOME_NET 53 -> any any (msg:"PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt"; flow:to_client,no_stream; byte_test:2,&,0x8080,2; content:"|00 01 C0 0C 00 02 00 01|"; offset:20; detection_filter:track by_dst, count 75, seconds 20; metadata:service dns; reference:cve,2014-8500; reference:url,www.kb.cert.org/vuls/id/264212; classtype:attempted-dos; sid:33583; rev:5;)
+# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Exim DKIM decoding buffer overflow attempt"; flow:to_client,established; byte_test:1,>,0x80,4; content:"|00 01 00 01|"; depth:4; offset:6; content:"_domainkey"; distance:4; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01|"; within:4; distance:2; byte_test:2,>,4096,4,relative; metadata:policy max-detect-ips drop, service dns; reference:cve,2012-5671; classtype:attempted-admin; sid:25333; rev:7;)
+# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"PROTOCOL-DNS Tftpd32 DNS server denial of service attempt"; flow:to_server; content:"|00 00 00 00 00 00|"; depth:12; offset:6; byte_test:1,>,0x7f,12; byte_test:1,<,0xc0,12; metadata:policy max-detect-ips drop, service dns; classtype:denial-of-service; sid:23368; rev:7;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Symantec Gateway products DNS cache poisoning attempt"; flow:to_client; content:"|C8 C8 C8 C8|"; fast_pattern; content:"|00 02 00 01|"; within:10; distance:2; content:"fake"; within:20; distance:7; metadata:policy max-detect-ips drop, service dns; reference:cve,2004-1754; reference:cve,2005-0817; classtype:misc-attack; sid:17485; rev:9;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS squid proxy dns PTR record response denial of service attempt"; flow:to_client; content:"|00 0C 00 01|"; content:"|00 0C 00 01|"; within:4; distance:2; content:"|00 01 00|"; within:3; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,12551; reference:cve,2005-0446; classtype:attempted-dos; sid:17484; rev:10;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS squid proxy dns A record response denial of service attempt"; flow:to_client; content:"|00 01 00 01|"; content:"|00 01 00 01|"; within:4; distance:2; isdataat:6,relative; content:!"|00 04|"; within:2; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,12551; reference:cve,2005-0446; classtype:attempted-dos; sid:17483; rev:9;)
+# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 AC|"; within:3; distance:4; fast_pattern; byte_test:1,>,15,0,relative; byte_test:1,<,32,0,relative; metadata:service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:15934; rev:11;)
+# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers"; flow:to_client,no_stream; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_dst, count 1000, seconds 5; metadata:policy max-detect-ips drop, service dns; reference:cve,2008-1447; reference:cve,2009-0233; reference:cve,2012-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-017; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13949; rev:17;)
+# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 10/8 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 0A|"; within:3; distance:4; fast_pattern; metadata:policy max-detect-ips drop, service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:13249; rev:14;)
+# alert udp $DNS_SERVERS 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness"; flow:to_client,no_stream; content:"|03|www|03|exa|03|dpn"; byte_test:1,&,2,3; byte_test:1,&,1,3; detection_filter:track by_src, count 20, seconds 20; metadata:policy max-detect-ips drop, service dns; reference:cve,2009-0234; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-008; classtype:misc-activity; sid:17696; rev:9;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt"; flow:to_client; byte_test:1, &, 0x80,2; content:"|C0 0C 00 30 00 01|"; content:"|02|"; within:1; distance:9; metadata:policy max-detect-ips drop, service dns; reference:cve,2015-5722; reference:url,www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/; classtype:attempted-dos; sid:36055; rev:3;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt"; flow:to_client; byte_test:1, &, 0x80,2; content:"|00 3D 00 01|"; content:"|00 00|"; within:2; distance:4; metadata:policy max-detect-ips drop, service dns; reference:cve,2015-5986; reference:url,www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/; classtype:attempted-dos; sid:36130; rev:4;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS DNAME query detected - possible attack attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 27 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2015-6125; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-127; classtype:attempted-admin; sid:37015; rev:2;)
+# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 1C 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37731; rev:5;)
+# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 01 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37730; rev:5;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|90|"; within:1; distance:9; byte_test:2,>,0x270F,-4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38284; rev:1;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|84|"; within:1; distance:9; byte_test:2,>,0x270F,-4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38283; rev:1;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|00 02|"; within:2; distance:6; content:"|90|"; within:1; distance:1; byte_test:2,>,0x270F,16,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38282; rev:1;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|00 01|"; within:2; distance:6; content:"|84|"; within:1; distance:1; byte_test:2,>,0x270F,4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38281; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TSIG query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|C0 0C 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39953; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TSIG query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39952; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|C0 0C 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39951; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|00 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39950; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|00 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39949; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|C0 0C 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39948; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TKEY query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|C0 0C 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39947; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TKEY query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39946; rev:2;)
+alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS ISC BIND isc__buffer_add assertion failure denial of service attempt"; flow:to_server; dsize:>512; byte_test:1,!&,0xFE,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 FA 00 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2016-2776; reference:url,kb.isc.org/article/AA-01419/74/CVE-2016-2776; classtype:attempted-dos; sid:40344; rev:2;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNS duplicate cookie denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 00 29|"; content:"|00 00|"; within:2; distance:2; content:"|00 0A|"; within:2; distance:4; byte_jump:2,0,relative; content:"|00 0A|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:cve,2016-2088; reference:url,kb.isc.org/article/AA-01351/0/CVE-2016-2088%3A-A-response-containing-multiple-DNS-cookies-causes-servers-with-cookie-support-enabled-to-exit-with-an-assertion-failure.html; classtype:attempted-dos; sid:40362; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning; content:"|01 C0|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41905; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning; content:"|01 01|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41904; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:4; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning,post_offset 2; content:"|01 01|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41903; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:4; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning,post_offset 2; content:"|01 C0|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41852; rev:2;)
+# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND unexpected DNAME CNAME ordering denial of service attempt"; flow:to_client; content:"|85 00 00 01 00 03|"; depth:6; offset:2; content:"|00 00 01 00 01|"; within:100; content:"|00 27 00 01|"; within:4; distance:2; content:"|00 C0 0C 00 05 00 01|"; within:100; content:"|00 01 00 01|"; within:100; content:"|C0|"; within:1; distance:-6; metadata:service dns; reference:cve,2017-3137; reference:url,kb.isc.org/article/AA-01466; classtype:attempted-dos; sid:42458; rev:1;)
+# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)
+# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; dsize:>512; metadata:service dns; reference:cve,2017-13704; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:44479; rev:2;)
+# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt"; flow:to_server,no_stream; content:"|08 1B|"; depth:2; offset:2; fast_pattern; content:"|00 00 29|"; within:3; distance:8; detection_filter:track by_dst, count 50, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14495; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:44478; rev:3;)
+# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt"; flow:to_server; content:"|20 00 01|"; depth:3; offset:3; content:"|01 00 00 29 10|"; depth:5; offset:11; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14495; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:47881; rev:1;)
diff --git a/luke/snort_rules_update.py b/luke/snort_rules_update.py
new file mode 100755
index 0000000..50ec91d
--- /dev/null
+++ b/luke/snort_rules_update.py
@@ -0,0 +1,96 @@
+#!/usr/bin/python
+
+import sys
+from shutil import copyfile
+import filecmp
+import os
+import subprocess
+
+def updateFile (status, snortRulesFileName):
+ print "working with file " + snortRulesFileName
+ ruleFile = open(snortRulesFileName, 'r')
+ w = open('output.txt', 'w')
+
+ if status.lower() == "enable":
+ for line in ruleFile:
+ # Get the first 7 characters
+ chars = line[:7]
+ if chars == "# alert":
+ line = line[2:] # Remove first two beginning characters
+ # Write the rule to another file
+ w.write(line)
+
+ if status.lower() == "disable":
+ for line in ruleFile:
+ # Add the comment chars
+ # Get the first five characters of the line
+ chars = line[:5]
+ if chars == "alert":
+ line = '# ' + line
+ # print line
+ w.write(line)
+ ruleFile.close()
+ # Copy the output file to the original file
+ #copyfile('output.txt', snortRulesFileName)
+ w.close()
+ res = subprocess.check_output(["cp", "output.txt", snortRulesFileName])
+ for line in res.splitlines():
+ print line
+ #subprocess.Popen("cp output.txt " + snortRulesFileName)
+ # Then delete the output file
+ os.remove('output.txt')
+
+try:
+ n, status, snortRulesFileName = sys.argv
+except ValueError:
+ print "Description: This script (un)comments rules in Snort rule files. " \
+ "Modifying of rule lines starts at line 30, and goes till the end of the rule file. " \
+ "Note: To uncomment rules, the rules must start in the following format: \"# \". " \
+ "To comment rules, there must not be any text before the rule, nor spaces.\n" \
+ "Arguments: Status[enable/disable] Name of Rule File"
+ sys.exit(1)
+
+isaDirectory = os.path.isdir(snortRulesFileName)
+isaFile = os.path.isfile(snortRulesFileName)
+
+if(isaDirectory):
+ print "I notice this is a directory. Going to recursively modify the files"
+ files = os.listdir(snortRulesFileName)
+ for filename in files:
+ print "CHecking file: " + "/etc/snort/rules/"+filename
+ if os.path.isfile("/etc/snort/rules/"+filename):
+ print "this is a file!!!"
+ updateFile(status, snortRulesFileName + filename)
+else:
+ print "File detected." + snortRulesFileName
+ updateFile(status, snortRulesFileName)
+
+# Default input is to generate backup file
+user_response = raw_input("Would you first like to make a backup of the snort rules? [Y/n]: ")
+while user_response != "y" and user_response != "" and user_response != "n":
+ user_response = raw_input("Invalid user input. Please try again.\n"
+ "Would you first like to make a backup of the snort rules? [Y/n]: ")
+
+if user_response == "y" or user_response == "":
+ # Name of the new backup file we are going to generate
+ backupFilename = snortRulesFileName + ".orig"
+ # Make a backup of the file with the extension of ".backup"
+ print "Making backup file..."
+ # Make a copy of the file
+ copyfile(snortRulesFileName, backupFilename)
+ print "Checking if backup file is identical to original..."
+ # Check to see if identical file matches contents of new backup file before proceeding
+ result = cmp(snortRulesFileName, backupFilename)
+ if result:
+ print "Success! Continuing..."
+ else:
+ print "[!] Failure. Exiting."
+ sys.exit(1)
+else:
+ # Don't make a backup of the file
+ print "OK, don't say I didn't ask! Skipping backup of file"
+
+
+#modifiedLines = "{:,}".format(modifiedLines)
+#print "Script done executing. " + status + " " + str(modifiedLines) + " rules."
+
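Review bot: The backup verification `result = cmp(snortRulesFileName, backupFilename)` calls Python 2's builtin `cmp` on two filename strings, not on the files, so it compares the names and prints "Success!" whenever they differ — which is always; `filecmp` is already imported, so the check should be `result = filecmp.cmp(snortRulesFileName, backupFilename, shallow=False)`. The backup prompt itself only runs after `updateFile(...)` has already rewritten the rules file, so the `.orig` copy captures the modified content rather than the original; the prompt and `copyfile` need to move above the `isaDirectory` branch. The truncation described in the commit message comes from the now-commented `copyfile('output.txt', snortRulesFileName)` having run before `w.close()` flushed the write buffer; with `w.close()` moved ahead of the copy, `copyfile` works and the `subprocess.check_output(["cp", ...])` call (whose output is never meaningful) can go. `output.txt` is a fixed relative path in the current directory of a script that edits `/etc/snort/rules`, so whoever controls cwd controls what gets copied over the rules; writing the temp file with `tempfile.mkstemp(dir=os.path.dirname(snortRulesFileName))` and swapping it in with `os.rename` keeps the replacement atomic and next to the target. In the directory branch, `snortRulesFileName + filename` and the hard-coded `"/etc/snort/rules/"+filename` disagree and break without a trailing slash; both should be `os.path.join(snortRulesFileName, filename)`.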
