legal contact
 

analysing "INDICATOR-COMPROMISE .com- potentially malicious hostname"

Having received above alert from my snort system, I thought of showing how to analyse these kind of alert.

Final rule entry for snort:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"A INDICATOR-COMPROMISE .com- potentially malicious hostname" group="500"; flow:to_server,established; content:"Host:"; http_header; content:".com-"; within:70; fast_pattern; http_header; content:!"www"; within:3; distance:-8; http_header; pcre:"/Host: [^\x0d\x0a]*?\.com-/Hi"; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:32488;)

Let’s take this rule into bits and pieces and check each individual command and option:

flow:to_server, established;

http://manual.snort.org/node33.html#SECTION00469000000000000000

flow:  to_server

Trigger on client requests from A to B

established

Trigger only on established TCP connections

content:"Host:";

http://manual.snort.org/node32.html#SECTION00451000000000000000

The content keyword is one of the more important features of Snort. It allows the user to set rules that search for specific content in the packet payload and trigger response based on that data. Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents. If data exactly matching the argument data string is contained anywhere within the packet's payload, the test is successful and the remainder of the rule option tests are performed. Be aware that this test is case sensitive.

Looking for the word Host: within the payload

http_header;

The http_header keyword is a content modifier that restricts the search to the extracted Header fields of a HTTP client request or a HTTP server response (per the configuration of HttpInspect).

As this keyword is a modifier to the previous content (content:"Host:";) keyword, there must be a content in the rule before http_header is specified.

The extracted Header fields may be NORMALIZED, per the configuration of HttpInspect

content:".com-";

http://manual.snort.org/node32.html#SECTION00451000000000000000

content: “Host:”

Looking for the word .com-: within the payload

within:70;

http://manual.snort.org/node32.html#SECTION004510000000000000000

The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword ( See Section). It's designed to be used in conjunction with the distance (Section) rule option. This keyword allows values greater than or equal to pattern length being searched. The maximum allowed value for this keyword is 65535. The value can also be set to a string value referencing a variable extracted by the byte_extract keyword in the same rule.

The payload must be at least 70 bytes

fast_pattern;

http://manual.snort.org/node32.html#SECTION004522000000000000000

The fast_pattern keyword is a content modifier that sets the content within a rule to be used with the fast pattern matcher. Since the default behavior of fast pattern determination is to use the longest content in the rule, it is useful if a shorter content is more "unique" than the longer content, meaning the shorter content is less likely to be found in a packet than the longer content.

The fast pattern matcher is used to select only those rules that have a chance of matching by using a content in the rule for selection and only evaluating that rule if the content is found in the payload. Though this may seem to be overhead, it can significantly reduce the number of rules that need to be evaluated and thus increases performance. The better the content used for the fast pattern matcher, the less likely the rule will needlessly be evaluated.

Searching for a short pattern, thus a more performant search is possible.

http_header;

The http_header keyword is a content modifier that restricts the search to the extracted Header fields of a HTTP client request or a HTTP server response (per the configuration of HttpInspect).

As this keyword is a modifier to the previous content (content:"Host:";) keyword, there must be a content in the rule before http_header is specified.

The extracted Header fields may be NORMALIZED, per the configuration of HttpInspect

content:!"www";

http://manual.snort.org/node32.html#SECTION00451000000000000000

content: “Host:”

Looking for the word .com-: within the http_header

within:3;

http://manual.snort.org/node32.html#SECTION004510000000000000000

The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword ( See Section). It's designed to be used in conjunction with the distance (Section) rule option. This keyword allows values greater than or equal to pattern length being searched. The maximum allowed value for this keyword is 65535. The value can also be set to a string value referencing a variable extracted by the byte_extract keyword in the same rule.

The http_header must be at least 3 bytes long

distance:-8;

http://manual.snort.org/node32.html#SECTION00459000000000000000

The distance keyword allows the rule writer to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match.

This can be thought of as exactly the same thing as offset except it is relative to the end of the last pattern match instead of the beginning of the packet.

This keyword allows values from -65535 to 65535.

The value can also be set to a string value referencing a variable extracted by the byte_extract keyword in the same rule.

???

http_header;

The http_header keyword is a content modifier that restricts the search to the extracted Header fields of a HTTP client request or a HTTP server response (per the configuration of HttpInspect).

As this keyword is a modifier to the previous content (content:"Host:";) keyword, there must be a content in the rule before http_header is specified.

The extracted Header fields may be NORMALIZED, per the configuration of HttpInspect

pcre:"/Host: [^\x0d\x0a]*?\.com-/Hi";

http://manual.snort.org/node32.html#SECTION004526000000000000000

The pcre keyword allows rules to be written using perl compatible regular expressions. check out the PCRE web site http://www.pcre.org

grep for “beginning with HEX 0D0A, followed by something, followed by .com/Hi

metadata:policy security-ips drop, service http;

http://manual.snort.org/node31.html#SECTION00448000000000000000

The metadata tag allows a rule writer to embed additional information about the rule, typically in a key-value format. Certain metadata keys and values have meaning to Snort and are listed in Table. Keys other than those listed in the table are effectively ignored by Snort and can be free-form, with a key and a value. Multiple keys are separated by a comma, while keys and values are separated by a space. The service Metadata Key is only meaningful when a Host Attribute Table is provided. When the value exactly matches the service ID as specified in the table, the rule is applied to that packet, otherwise, the rule is not applied (even if the ports specified in the rule match).

Key

Description

Value Format

engine

Indicate a Shared Library Rule

"shared"

soid

Shared Library Rule Generator and SID

gidsid

service

Target-Based Service Identifier

"http"

Reference to the drop rule of security-ips

classtype:bad-unknown;

http://manual.snort.org/node31.html#SECTION00446000000000000000

The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class. Snort provides a default set of attack classes that are used by the default set of rules it provides. Defining classifications for rules provides a way to better organize the event data Snort produces.

Categorizing to “bad-unknown”