quadrantsec / sagan

Sagan is a multi-threaded, high performance log analysis engine. At its core, Sagan is similar to Suricata/Snort but with logs rather than network packets.
GNU General Public License v2.0
156 stars 26 forks

Documentation: Guidance around signature writing. #52

Open quadrantsec opened 1 year ago

quadrantsec commented 1 year ago

Add a section around proper signature writing for Sagan (William).

wrharding commented 1 year ago

For example:

The following rule may be written in a way that Sagan will understand properly, but having the classtype before "program" is not less readable:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; event_id: 4907|; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)

Putting the classtype after all keywords that perform content checks would be a preferred method. This is also in line with how Emerging Threats writes their Suricata rules:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; event_id: 4907|; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; program: *Security*; classtype: system-event; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)

Now, considering this documentation on high-performance considerations with Sagan and Sagan rules, all rules should be written following those recommendations.

Continuing with the above rule:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; event_id: 4907|; program: *Security*; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)

I'm now wondering if the event_id keyword should come before or after the program keyword. EventIDs are only unique per-channel for Windows Logs, so it would make sense to me that we would want the program keyword to be written before the event_id keyword in the rule. I'm unsure if Sagan respects this order. @bryant-smith has been doing a fantastic job creating rules similar to the above suggestions, but documentation explicitly outlining how to write rules efficiently would be incredibly helpful to us all! Let me know if I can help in any way!

bryant-smith commented 1 year ago

So far I've been writing rules based on the order in which the content will show up in the logs and which are the fastest matches. So, in order, I put program, event_id, then a content match before I start using meta_content and pcre.
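An added illustration of the ordering point raised by wrharding and bryant-smith above; it is example code written for this page, not Sagan's own matcher and not code from anyone in the thread. It models a rule as a list of options applied left to right, stopping at the first failing option, and counts how often the expensive pcre option actually runs for three of the option orders discussed. That short-circuit model, the `LogEvent` fields and every sample event are constructed assumptions for the example; the regex is the one from the rules quoted in the thread. One constructed event carries ID 4907 in a non-Security channel, which is the per-channel ambiguity wrharding mentions: the program check is what keeps it out, whichever position it occupies.

```python
"""Why Sagan rule option order matters: a constructed short-circuit model.

Assumption for this example (not taken from the Sagan source): options are
evaluated in the order written and evaluation stops at the first one that
fails. classtype, reference, sid and rev are metadata and do not match
anything, so they are left out of the option lists below.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class LogEvent:
    program: str   # syslog "program" field, e.g. the Windows channel name
    event_id: str  # Windows EventID pulled out of the message ("" if none)
    message: str


# Constructed sample events. Only two are Security/4907; one is a constructed
# EventID collision from a different channel, the rest are unrelated noise.
SAMPLE_EVENTS = [
    LogEvent("Security", "4907",
             "Auditing settings on object were changed. Account Name: WIN-DC01$ "),
    LogEvent("Security", "4907",
             "Auditing settings on object were changed. Account Name: jdoe "),
    LogEvent("Security", "4624",
             "An account was successfully logged on. Account Name: jdoe "),
    LogEvent("Application", "4907",
             "Application-specific event 4907 (constructed ID collision)"),
    LogEvent("System", "7036",
             "The Windows Update service entered the running state."),
    LogEvent("Application", "1000",
             "Faulting application name: notepad.exe"),
    LogEvent("sshd", "",
             "Accepted publickey for alice from 10.0.0.5 port 52211 ssh2"),
]


def opt_program(pattern):
    """program: glob match against the program field (cheap)."""
    def check(ev, stats):
        return fnmatch.fnmatchcase(ev.program, pattern)
    return check


def opt_event_id(ids):
    """event_id: set membership on the extracted EventID (cheap)."""
    wanted = set(ids.split(","))
    def check(ev, stats):
        return ev.event_id in wanted
    return check


def opt_pcre(pattern):
    """pcre: full regex over the message (expensive); every run is counted."""
    rx = re.compile(pattern)
    def check(ev, stats):
        stats["pcre_evals"] += 1
        return rx.search(ev.message) is not None
    return check


def evaluate(rule_options, events):
    """Return (matching events, number of pcre evaluations performed)."""
    stats = {"pcre_evals": 0}
    hits = []
    for ev in events:
        # all() stops at the first False, so later options are never run
        if all(opt(ev, stats) for opt in rule_options):
            hits.append(ev)
    return hits, stats["pcre_evals"]


# Regex from the thread: fire only when the Account Name is NOT a machine
# account (i.e. does not end in "$ ").
PCRE = r"^((?!Account Name: (.*)\$ ).)*$"

RULE_ORDERS = {
    # option order of the first rule in the thread (classtype dropped)
    "event_id,pcre,program": [opt_event_id("4907"), opt_pcre(PCRE), opt_program("*Security*")],
    # wrharding's third revision
    "event_id,program,pcre": [opt_event_id("4907"), opt_program("*Security*"), opt_pcre(PCRE)],
    # bryant-smith's order: program, event_id, then the expensive matches
    "program,event_id,pcre": [opt_program("*Security*"), opt_event_id("4907"), opt_pcre(PCRE)],
}


def compare_orderings(events=SAMPLE_EVENTS):
    """Map each option order to (hit count, pcre evaluations)."""
    return {name: (len(evaluate(opts, events)[0]), evaluate(opts, events)[1])
            for name, opts in RULE_ORDERS.items()}


if __name__ == "__main__":
    for name, (hits, evals) in compare_orderings().items():
        print(f"{name:24s} hits={hits} pcre_evals={evals}")
```

All three orders produce the same single hit (the jdoe event), so the ordering is purely a cost question: with pcre placed before program, the regex also runs on the constructed Application/4907 event, while the two orders that put the field checks first never reach it. On a real stream where Security/4907 is a tiny fraction of the volume, that difference is what bryant-smith's "fastest matches first" habit buys.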