jasonish / py-idstools

idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)

Rules where msg contains ":" don't appear correctly #51

Closed DigiAngel closed 7 years ago

DigiAngel commented 7 years ago

Rule:

alert tcp 93.174.88.0/21 any -> $HOME_NET any (msg:"SN: Inbound TCP traffic from suspect network (AS29073 - NL)"; flags:S; reference:url,https://suspect-networks.io/networks/cidr/13/; threshold: type limit, track by_dst, seconds 30, count 1; classtype:misc-attack; sid:71918985; rev:1;)

fast hit:

05/02-16:18:54.125546  [**] [1:71918985:1] SN: Inbound TCP traffic from suspect network (AS29073 - NL) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 93.174.95.106:40082 -> x.x.x.x:2222

json hit from the unified file:

{"timestamp": "2017-05-02T16:18:54.125546+0000", "sensor_id": 0, "event_id": 1738, "event_second": 1493741934, "event_type": "alert", "src_ip": "93.174.95.106", "src_port": 40082, "dest_ip": "x.x.x.x", "dest_port": 2222, "proto": "TCP", "flow_id": 5007401709, "alert": {"action": "allowed", "gid": 1, "signature_id": 71918985, "rev": 1, "signature": null, "category": "Misc Attack", "severity": 2}, "packet": "fA7<snip>AAAAAAAAAAA==", "packet_printable": "|...H.0.\r\n........E(.(.v..q.2.]._j...C....;.......P.............", "packet_info": {"linktype": 1}}

It appears that the ids_alert field is missing when these hit.

DigiAngel commented 7 years ago

Correction, that's the signature field... I have it named as ids_alert :)

jasonish commented 7 years ago

Are you pointing the script at the full rules, or just the sig-msg.map?

DigiAngel commented 7 years ago

Oh... I'm pointing it everywhere :)

/usr/bin/python /opt/py-idstools/bin/idstools-u2eve -C /opt/etc/snort/classification.config -S /opt/etc/snort/sid-msg.map -G /opt/etc/snort/gen-msg.map --bookmark --follow --directory /opt/var/log/bleh --prefix bleh --packet-printable --output /tmp/blehunified.json

Every other rule shows up fine, but just not the SN: ones.

jasonish commented 7 years ago

Can you check your sid-msg.map and make sure the rule message is correct there? I've added unit tests to the rule and sid-msg.map parsers and am not able to replicate this.

DigiAngel commented 7 years ago

As it appears in the sid-msg.map:

71918985 || SN || url,https

Sparse, to be sure ;) Thanks Jason.

jasonish commented 7 years ago

What created your sid-msg.map?

DigiAngel commented 7 years ago

PulledPork... latest I think... 0.7.3?

On 2017-05-25 08:28, Jason Ish wrote:

What created your sid-msg.map?


jasonish commented 7 years ago

Ok, might want to raise a bug over there. In the mean time you could use idstools-gensidmsgmap to regenerate your sid-msg.map file. Something like:

idstools-gensidmsgmap ./rules ./so_rules ./preproc_rules > sid-msg.map
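The truncated entry above (`71918985 || SN || url,https`) is what you get when a generator treats `:` as a delimiter instead of honouring the quoted `msg` and the ` || ` field separator of the v1 sid-msg.map format. The following is an added example, not code from py-idstools or PulledPork: it builds the sid-msg.map line for the rule from this issue by parsing the quoted `msg`, `sid` and `reference` options, parses a map line back, and reports where an existing entry disagrees with the rule. The helper names and the sample inputs are constructed for the example.

```python
import re

# Constructed sample: the rule from the issue, with ':' both inside the
# quoted msg and inside the reference URL.
RULE = ('alert tcp 93.174.88.0/21 any -> $HOME_NET any (msg:"SN: Inbound TCP '
        'traffic from suspect network (AS29073 - NL)"; flags:S; '
        'reference:url,https://suspect-networks.io/networks/cidr/13/; '
        'threshold: type limit, track by_dst, seconds 30, count 1; '
        'classtype:misc-attack; sid:71918985; rev:1;)')

# Constructed copy of the truncated line the reporter found in sid-msg.map.
TRUNCATED_LINE = "71918985 || SN || url,https"

MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')   # quoted msg, may hold ':'
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference:\s*([^;]+);')      # value runs to the ';'


def rule_to_sidmsg(rule):
    """Build a v1 sid-msg.map line: 'sid || msg || ref || ref ...'.
    Fields come from the rule options, so ':' inside msg or a reference
    URL is kept verbatim instead of being treated as a delimiter."""
    sid = SID_RE.search(rule).group(1)
    msg = MSG_RE.search(rule).group(1)
    refs = [r.strip() for r in REF_RE.findall(rule)]
    return " || ".join([sid, msg] + refs)


def parse_sidmsg_line(line):
    """Split a sid-msg.map line on the '||' delimiter only."""
    parts = [p.strip() for p in line.split("||")]
    return {"sid": int(parts[0]), "msg": parts[1], "refs": parts[2:]}


def check_sidmsg_entry(rule, line):
    """Compare a rule against its sid-msg.map entry; return a list of
    problems (empty when the entry matches what the rule would produce)."""
    want = parse_sidmsg_line(rule_to_sidmsg(rule))
    got = parse_sidmsg_line(line)
    problems = []
    if got["sid"] != want["sid"]:
        problems.append("sid mismatch: %r" % got["sid"])
    if got["msg"] != want["msg"]:
        problems.append("msg truncated or altered: %r" % got["msg"])
    if got["refs"] != want["refs"]:
        problems.append("references differ: %r" % got["refs"])
    return problems
```

Running `check_sidmsg_entry(RULE, TRUNCATED_LINE)` flags both the cut-off msg (`'SN'`) and the cut-off reference, while the line produced by `rule_to_sidmsg(RULE)` passes cleanly.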

jasonish commented 7 years ago

Closing as not an idstools issue, but I did add tests for these cases.

DigiAngel commented 7 years ago

Ok cool thanks Jason.