Snort rules

Snort is a commonly used format for writing IPS signatures that is very poplar in the industry.

CloudGuard WAF provides the option for an administrator to provide a set of Snort signatures and have them enforced in the same way that CloudGuard WAF enforces the regular IPS signatures update from Check Point. Enforcement of IPS and Snort signatures (if configured) happens in parallel on all HTTP/S traffic.

Why import Snort rules to IPS?

• It allows a security administrator to write their own signatures:

  • To block specific unique traffic that they see in their network and wish to prevent it.

  • As part of the testing of the product without running actual malicious attacks inside their environments.

• A security administrator might want to deploy rules from 3rd party sources such as National/Governmental CERTs.

How to import Snort Signatures and configure a CloudGuard WAF practice to use them

Step 1: Browse to Policy->Assets and edit the Web API or Web Application asset

• Once the asset edit window opens, select the Threat Prevention tab

• Scroll down to the Snort Signatures Sub-practice:

Step 2: Make sure the Mode of the Snort Signatures sub-practice is as desired

Setting the Mode to As Top Level means inheriting the primary mode of the practice.

Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.

When making the first change to the default Web Application/API Best Practice's configuration such as uploading your unique Snort signatures file, you will be prompted to change the name of the Practice to your own custom practice name.

Step 3: Upload a Snort signature file

Press the Upload button to add a new Snort signatures file and the file selection window will appear:

• Click the "Add File" icon to add a new file.

• Optionally - you can click the "Download" icon to verify an existing file's content.

• Select the file containing the SNORT signatures you wish to enforce.

• Click OK.

Step 4: Enforce Policy

Click Enforce on the top banner of the Infinity Portal.

How to PoC the Snort Signatures feature?

Step 1: Create an example Signature file

Create a test file with a simple Snort rule. For example:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"Testing CloudGuard WAF Snort"; flow:to_server,established; http_header; content:"Testing: CloudGuard WAF Snort"; service:http; sid: 99999; rev: 1; )

Step 2: Import the signature file into your policy

Save the file and use the above instructions to enforce policy using this file

Step 3: Trigger the signature

Trigger the signature that you have just written. For example by using a curl command:

curl -H "Testing: CloudGuard WAF Snort" <your asset's URL>

Browse to Monitor -> All Events and make sure you see a log issued for this traffic

FAQ

Can you help me get started with a few signatures?

Of course, here are a couple of them:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; http_uri; bufferlen:>19; content:"/mod/lookfashon.jpg",fast_pattern,nocase; http_header; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; http_uri; content:"/jlnp.html",fast_pattern,nocase; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; http_uri; content:"/jovf.html",fast_pattern,nocase; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; http_client_body; content:"a=select CAMPO from PAGINA where CODIGO = ",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/vbulletin/post.php?qu=",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; http_uri; content:"/prok/"; http_header; content:"Content-Type: multipart/form-data, boundary=7DF051D",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:1; )

Can I use any available Snort Signatures?

You can use version 3 Snort signatures from any source, however please be mindful of the list known limitations below. If you load a file containing unsupported signatures, then the unsupported signatures will be ignored (with warnings) but they will not stop the loading of those signatures that are valid.

How can I write my own signatures?

See our links and guide here:

What will be the performance impact if I add many Snort signatures?

Enforcing Snort signatures uses the same mechanisms as other CloudGuard WAF security apps, so just adding the Snort security app doesn't have any performance impact.

There is also the performance impact that each additional signature generates. This differs from one signature to the next, but as a rule-of-thumb Snort signatures typically have a performance rating equivalent to IPS "Medium" performance.

Is there a maximum number of Snort signatures that can be added?

In the this EA version, we support up to 1500 active signatures.

Is there an API available?

Will be published soon.

Would any type of existing Snort signatures be compatible?

Unfortunately, no. Snort version 3 has made some significant changes from previous versions. This means that Snort signatures from older versions may not work as intended.

What are the known limitations?

1. Explicit context must be provided

2. The following keywords are not fully supported:

   1. "flow" - only supports "to_server" (see above).

   2. Low level keywords ("flags", "ack", etc.) - not supported (see above).

   3. "file_data" - not supported.

   4. "flowbits" - not supported.

   5. "byte_test" - not supported.

   6. "dsize" - not supported.

   7. "isdataat" - not supported.

   8. "byte_jump" - not supported.

   9. "base64_data" - not supported.

   10. "base64_encode" - not supported.

   11. "detection_filter" - not supported.