andresriancho / w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
http://w3af.org/

Use snort rules to detect exploits/malware in HTTP response body #671

Open andresriancho opened 11 years ago

andresriancho commented 11 years ago

Contributor wanted

This issue is easy and looking for a contributor; just add a comment saying you'll do it and it's yours!

Not sure where to start from? Take a look at our First steps as a contributor and Contributing 101 wiki pages.

Other interesting tasks which can be completed by new w3af contributors can be found here.

Task description

Use snort rules to detect exploits/malware in HTTP response body http://www.snort.org/snort-rules/

andresriancho commented 11 years ago

A quick grep shows these rules:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; within:100; content:""; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1;)

The first challenge is to parse the rule format. A quick Google search shows:
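A small parser and matcher for that rule format, added here as an example for the thread (it is not w3af code and not one of the parsers linked in this issue). The rule it loads is a constructed sample modelled on the sid 26585 rule above, with a local-range sid and an extra `|3E|` content so that both `within` and `distance` are exercised; the response bodies are constructed as well.

```python
import re

# Constructed sample rule (not from the thread): modelled on the sid 26585 rule above, with a
# trailing "|3E|" content added so distance is exercised, and a local-range sid.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php '
    'in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; '
    'within:100; content:"|3E|"; distance:0; classtype:trojan-activity; sid:1000001; rev:1;)'
)
INFECTED = b'<html><body>ok</body></html><iframe src="http://example.invalid/config.inc.php" width=1 height=1>'  # constructed hit
CLEAN = b'<html><body><p>nothing to see</p></body></html>'      # constructed, no iframe at all
FAR = b'<iframe src="x">' + b'A' * 200 + b'config.inc.php>'      # second content lies outside within:100

# One rule option: keyword, optional ':' value (quoted values may contain ';'), terminated by ';'.
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(text):
    """Return (header_fields, options): the 7 header tokens and an ordered (keyword, value) list."""
    m = re.match(r'^(\w+(?:\s+\S+){6})\s*\((.*)\)\s*$', text.strip(), re.S)
    if not m:
        raise ValueError('not a snort rule')
    return m.group(1).split(), [(k, v.strip()) for k, v in OPTION.findall(m.group(2))]

def decode_content(val):
    """Turn a content value like "abc|22 3E|def" into bytes; the |..| runs are hex."""
    parts = val.strip().strip('"').split('|')
    return b''.join(bytes.fromhex(p) if i % 2 else p.encode('latin-1') for i, p in enumerate(parts))

def match_body(rule, body):
    """True if every content in the rule is found in body, in order. distance/within are applied
    as a search window after the previous hit (a simplification); other modifiers are ignored."""
    contents = []
    for key, val in rule[1]:
        if key == 'content':
            contents.append([decode_content(val), 0, None])      # [pattern, distance, within]
        elif contents and key in ('distance', 'within'):
            contents[-1][1 if key == 'distance' else 2] = int(val)
    prev_end = None
    for pat, distance, within in contents:
        lo = 0 if prev_end is None else prev_end + distance
        hi = len(body) if within is None else lo + within
        idx = body.find(pat, lo, hi)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True

def scan(body, rule_text=SAMPLE_RULE):
    """Return the rule's sid when body matches, else None (what a grep plugin would report)."""
    rule = parse_rule(rule_text)
    return dict(rule[1]).get('sid') if match_body(rule, body) else None
```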

andresriancho commented 11 years ago

Sent email to the mailing lists to see what they think about the idea.

andresriancho commented 11 years ago

Also sent an email to the snort mailing list

andresriancho commented 11 years ago

https://github.com/pevma/rule2alert is an improvement over the previous parser I linked.

Rules will come out of:

andresriancho commented 11 years ago

Suricata rules are not GPL: http://rules.emergingthreats.net/open-nogpl/suricata-1.3/rules/LICENSE , they seem to be BSD. This means that we can't really include them into our repository.

The trick here will be to download them before enabling the plugin. This should be well documented and performed by the user, not an automated script. Oinkmaster seems to be a great option for downloading and keeping the rulesets updated for both suricata and snort. Maybe we can document a way for the users to use that?

andresriancho commented 11 years ago

Well, licensing of the rules is complex, take a look at this [0]. Summary:

The GPLv2 rules I'll be able to use/bundle/distribute with my software without worrying because my software is GPLv2

The BSD rules seem to be under the original BSD license [1] which is incompatible with GPLv2. This won't allow me to bundle them with my software.

The ETPRO-License is completely incompatible with GPLv2.

[0] http://rules.emergingthreats.net/open-nogpl/suricata-1.3/rules/LICENSE
[1] http://www.gnu.org/licenses/license-list.html#OriginalBSD

andresriancho commented 11 years ago

The rule parser code is GPLv2. Wiii!