authorEddie Arrage <eddie.arrage@huawei.com>2018-04-16 19:00:34 +0000
committerEddie Arrage <eddie.arrage@huawei.com>2018-04-16 19:07:37 +0000
commit4bd515a7cc42815514b4464c87a5d743bf92ec9f (patch)
treeaf575b361926185de1fb90e74f38527ec33134c2
parent66cc1be27b7fbb27c01a726663e42608eb411672 (diff)
Extended snort rule add to allow content field
- Exposed the 'content' field in the GRPC server AddRules method - Allows the 'MALWARE-CNC User-Agent ASafaWeb Scan' signature in the community rules to be copied to local rules - Above ensures more deterministic alerts by snort each time the signature is hit - Added here to support the SDC configuration guide, which details how to add this scan rule via GRPC client script Change-Id: I6945c1e500075444134543bb9eb6003a03f1d5cc Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
-rw-r--r--samples/services/snort_ids/docker/grpc/snort.proto5
-rw-r--r--samples/services/snort_ids/docker/grpc/snort_client.py16
-rw-r--r--samples/services/snort_ids/docker/grpc/snort_pb2.py23
-rw-r--r--samples/services/snort_ids/docker/grpc/snort_server.py3
4 files changed, 36 insertions, 11 deletions
diff --git a/samples/services/snort_ids/docker/grpc/snort.proto b/samples/services/snort_ids/docker/grpc/snort.proto
index 8d69baa..f524bb4 100644
--- a/samples/services/snort_ids/docker/grpc/snort.proto
+++ b/samples/services/snort_ids/docker/grpc/snort.proto
@@ -27,8 +27,9 @@ message AddRule {
string src_port = 4;
string src_ip = 5;
string msg = 6;
- string sid = 7;
- string rev = 8;
+ string content = 7;
+ string sid = 8;
+ string rev = 9;
}
message SnortReply {
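Review bot: Inserting `string content = 7;` and shifting `sid` to 8 and `rev` to 9 changes the wire numbers of two existing fields, so a client built against the previous snort_pb2 will have its `sid` decoded as `content` and its `rev` as `sid` by the new server, silently producing a malformed rule. Proto3 field numbers are the wire contract and should not be renumbered once deployed; appending the new field as `string content = 9;` and leaving `sid = 7` and `rev = 8` untouched gives the same feature without breaking older clients. If every client in the sample tree is regenerated together this is harmless today, but the point is worth a comment on the message so the next edit does not repeat it.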
diff --git a/samples/services/snort_ids/docker/grpc/snort_client.py b/samples/services/snort_ids/docker/grpc/snort_client.py
index d59b4ee..ca71af8 100644
--- a/samples/services/snort_ids/docker/grpc/snort_client.py
+++ b/samples/services/snort_ids/docker/grpc/snort_client.py
@@ -30,6 +30,8 @@ def run(args, grpc_port='50052'):
return add_tcprule(stub)
elif args['cmd'] == 'addicmp':
return add_icmprule(stub)
+ elif args['cmd'] == 'addscan':
+ return add_scanrule(stub)
elif args['cmd'] == 'start':
return start_snort(stub)
elif args['cmd'] == 'stop':
@@ -78,6 +80,20 @@ def add_icmprule(stub):
return response.message
+def add_scanrule(stub):
+ try:
+ response = stub.AddRules(snort_pb2.AddRule(
+ protocol='tcp', dest_port='any', dest_ip='$HOME_NET',
+ src_port='any', src_ip='any',
+ msg='MALWARE-CNC User-Agent ASafaWeb Scan', sid='10000003',
+ rev='001', content='"asafaweb.com"'))
+ print(stop_snort(stub))
+ print(start_snort(stub))
+ except Exception as e:
+ return e
+ return response.message
+
+
def start_snort(stub):
try:
response = stub.StartSnort(snort_pb2.ControlSnort(pid='0'))
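Review bot: `add_scanrule` returns the caught exception object from `except Exception as e: return e` on the same path where it otherwise returns `response.message`, so a caller that prints the result cannot tell a failed call from a reply, and the blanket `Exception` also hides programming errors; narrowing to the RPC error type (`grpc.RpcError`, if `grpc` is imported in this file) and returning `str(e)` keeps the return type consistent. The `content='"asafaweb.com"'` argument carries its own double quotes because the server formats the option as bare `content:{}`; that quoting convention is invisible to future callers of `AddRules` and deserves a comment here, e.g. `# the server emits content:<value> verbatim, so the quotes must be part of the value`. Note also that the function stops and starts snort unconditionally even when `AddRules` succeeded with a duplicate `sid`; whether sid 10000003 is already present in the local rules cannot be seen from this hunk.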
diff --git a/samples/services/snort_ids/docker/grpc/snort_pb2.py b/samples/services/snort_ids/docker/grpc/snort_pb2.py
index 93641ef..8828b78 100644
--- a/samples/services/snort_ids/docker/grpc/snort_pb2.py
+++ b/samples/services/snort_ids/docker/grpc/snort_pb2.py
@@ -19,7 +19,7 @@ DESCRIPTOR = _descriptor.FileDescriptor(
name='snort.proto',
package='snort',
syntax='proto3',
- serialized_pb=_b('\n\x0bsnort.proto\x12\x05snort\"\x1b\n\x0c\x43ontrolSnort\x12\x0b\n\x03pid\x18\x01 \x01(\t\"\x88\x01\n\x07\x41\x64\x64Rule\x12\x10\n\x08protocol\x18\x01 \x01(\t\x12\x11\n\tdest_port\x18\x02 \x01(\t\x12\x0f\n\x07\x64\x65st_ip\x18\x03 \x01(\t\x12\x10\n\x08src_port\x18\x04 \x01(\t\x12\x0e\n\x06src_ip\x18\x05 \x01(\t\x12\x0b\n\x03msg\x18\x06 \x01(\t\x12\x0b\n\x03sid\x18\x07 \x01(\t\x12\x0b\n\x03rev\x18\x08 \x01(\t\"\x1d\n\nSnortReply\x12\x0f\n\x07message\x18\x01 \x01(\t2\xac\x01\n\nController\x12/\n\x08\x41\x64\x64Rules\x12\x0e.snort.AddRule\x1a\x11.snort.SnortReply\"\x00\x12\x36\n\nStartSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x12\x35\n\tStopSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x62\x06proto3')
+ serialized_pb=_b('\n\x0bsnort.proto\x12\x05snort\"\x1b\n\x0c\x43ontrolSnort\x12\x0b\n\x03pid\x18\x01 \x01(\t\"\x99\x01\n\x07\x41\x64\x64Rule\x12\x10\n\x08protocol\x18\x01 \x01(\t\x12\x11\n\tdest_port\x18\x02 \x01(\t\x12\x0f\n\x07\x64\x65st_ip\x18\x03 \x01(\t\x12\x10\n\x08src_port\x18\x04 \x01(\t\x12\x0e\n\x06src_ip\x18\x05 \x01(\t\x12\x0b\n\x03msg\x18\x06 \x01(\t\x12\x0f\n\x07\x63ontent\x18\x07 \x01(\t\x12\x0b\n\x03sid\x18\x08 \x01(\t\x12\x0b\n\x03rev\x18\t \x01(\t\"\x1d\n\nSnortReply\x12\x0f\n\x07message\x18\x01 \x01(\t2\xac\x01\n\nController\x12/\n\x08\x41\x64\x64Rules\x12\x0e.snort.AddRule\x1a\x11.snort.SnortReply\"\x00\x12\x36\n\nStartSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x12\x35\n\tStopSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x62\x06proto3')
)
@@ -106,19 +106,26 @@ _ADDRULE = _descriptor.Descriptor(
is_extension=False, extension_scope=None,
options=None, file=DESCRIPTOR),
_descriptor.FieldDescriptor(
- name='sid', full_name='snort.AddRule.sid', index=6,
+ name='content', full_name='snort.AddRule.content', index=6,
number=7, type=9, cpp_type=9, label=1,
has_default_value=False, default_value=_b("").decode('utf-8'),
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
options=None, file=DESCRIPTOR),
_descriptor.FieldDescriptor(
- name='rev', full_name='snort.AddRule.rev', index=7,
+ name='sid', full_name='snort.AddRule.sid', index=7,
number=8, type=9, cpp_type=9, label=1,
has_default_value=False, default_value=_b("").decode('utf-8'),
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
options=None, file=DESCRIPTOR),
+ _descriptor.FieldDescriptor(
+ name='rev', full_name='snort.AddRule.rev', index=8,
+ number=9, type=9, cpp_type=9, label=1,
+ has_default_value=False, default_value=_b("").decode('utf-8'),
+ message_type=None, enum_type=None, containing_type=None,
+ is_extension=False, extension_scope=None,
+ options=None, file=DESCRIPTOR),
],
extensions=[
],
@@ -132,7 +139,7 @@ _ADDRULE = _descriptor.Descriptor(
oneofs=[
],
serialized_start=52,
- serialized_end=188,
+ serialized_end=205,
)
@@ -162,8 +169,8 @@ _SNORTREPLY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
- serialized_start=190,
- serialized_end=219,
+ serialized_start=207,
+ serialized_end=236,
)
DESCRIPTOR.message_types_by_name['ControlSnort'] = _CONTROLSNORT
@@ -200,8 +207,8 @@ _CONTROLLER = _descriptor.ServiceDescriptor(
file=DESCRIPTOR,
index=0,
options=None,
- serialized_start=222,
- serialized_end=394,
+ serialized_start=239,
+ serialized_end=411,
methods=[
_descriptor.MethodDescriptor(
name='AddRules',
diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py
index 3c2fdb1..9ece832 100644
--- a/samples/services/snort_ids/docker/grpc/snort_server.py
+++ b/samples/services/snort_ids/docker/grpc/snort_server.py
@@ -35,7 +35,8 @@ class Controller(snort_pb2_grpc.ControllerServicer):
f = open(file_local, 'a')
rule = 'alert {} {} {} -> {} {} '.format(
r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
- + '(msg:"{}"; sid:{}; rev:{};)\n'.format(r.msg, r.sid, r.rev)
+ + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
+ r.msg, r.content, r.sid, r.rev)
f.write(rule)
f.close
msg = "Added to local rules"
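Review bot: The new format string emits `content:{}` unconditionally, so any `AddRule` request that does not set `content` (a proto3 string defaults to the empty string) now writes `content:;` into the local rules file, which is not a valid snort option and will surface only when snort is next restarted; the option should be included only when `r.content` is non-empty. More generally `r.msg`, `r.content`, `r.sid` and `r.rev` are written into the rule line verbatim, so a request value containing `;`, `)` or a newline changes the structure of the rule or appends further rules — since these fields arrive over gRPC from any client that can reach the port, they should be validated (for example, digits only for `sid`/`rev`, no `;`/`)`/newline in `msg`/`content`) before the line is written. The enclosing `AddRules` method starts outside this hunk; on the unchanged context line below, `f.close` is an attribute access rather than a call, so the file is never explicitly closed — a `with open(...)` block fixes that too.
```python
        # … unchanged: file_local selection …
        opts = ['msg:"{}"'.format(r.msg)]
        if r.content:
            # content is emitted verbatim; the client supplies its own quotes
            opts.append('content:{}'.format(r.content))
        opts.extend(['sid:{}'.format(r.sid), 'rev:{}'.format(r.rev)])
        rule = 'alert {} {} {} -> {} {} ({};)\n'.format(
            r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port,
            '; '.join(opts))
        with open(file_local, 'a') as f:
            f.write(rule)
        msg = "Added to local rules"
```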