From 4bd515a7cc42815514b4464c87a5d743bf92ec9f Mon Sep 17 00:00:00 2001
From: Eddie Arrage
Date: Mon, 16 Apr 2018 19:00:34 +0000
Subject: Extended snort rule add to allow content field

- Exposed the 'content' field in the GRPC server AddRules method
- Allows the 'MALWARE-CNC User-Agent ASafaWeb Scan' signature in the community rules to be copied to local rules
- Above ensures more deterministic alerts by snort each time the signature is hit
- Added here to support the SDC configuration guide, which details how to add this scan rule via GRPC client script

Change-Id: I6945c1e500075444134543bb9eb6003a03f1d5cc
Signed-off-by: Eddie Arrage
---
 samples/services/snort_ids/docker/grpc/snort.proto | 5 +++--
 .../services/snort_ids/docker/grpc/snort_client.py | 16 +++++++++++++++
 .../services/snort_ids/docker/grpc/snort_pb2.py | 23 ++++++++++++++--------
 .../services/snort_ids/docker/grpc/snort_server.py | 3 ++-
 4 files changed, 36 insertions(+), 11 deletions(-)
(limited to 'samples/services/snort_ids/docker')

diff --git a/samples/services/snort_ids/docker/grpc/snort.proto b/samples/services/snort_ids/docker/grpc/snort.proto
index 8d69baa..f524bb4 100644
--- a/samples/services/snort_ids/docker/grpc/snort.proto
+++ b/samples/services/snort_ids/docker/grpc/snort.proto
@@ -27,8 +27,9 @@ message AddRule {
   string src_port = 4;
   string src_ip = 5;
   string msg = 6;
-  string sid = 7;
-  string rev = 8;
+  string content = 7;
+  string sid = 8;
+  string rev = 9;
 }
 
 message SnortReply {
diff --git a/samples/services/snort_ids/docker/grpc/snort_client.py b/samples/services/snort_ids/docker/grpc/snort_client.py
index d59b4ee..ca71af8 100644
--- a/samples/services/snort_ids/docker/grpc/snort_client.py
+++ b/samples/services/snort_ids/docker/grpc/snort_client.py
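Review bot: Inserting `content` as field 7 and renumbering `sid` and `rev` to 8 and 9 changes the wire tags of two existing fields, so any client still built from the previous .proto will have its `sid` decoded as `content` and its `rev` as `sid` by the new server, silently producing a wrong rule. proto3 guidance is to append new fields with the next unused number and never renumber; `string content = 9;` keeps `sid = 7` and `rev = 8` compatible and needs no change elsewhere in this hunk. If the renumbering is deliberate because every client is regenerated together, a comment on `AddRule` stating that the message is not wire-stable would let the next maintainer know.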
@@ -30,6 +30,8 @@ def run(args, grpc_port='50052'):
         return add_tcprule(stub)
     elif args['cmd'] == 'addicmp':
         return add_icmprule(stub)
+    elif args['cmd'] == 'addscan':
+        return add_scanrule(stub)
     elif args['cmd'] == 'start':
         return start_snort(stub)
     elif args['cmd'] == 'stop':
@@ -78,6 +80,20 @@ def add_icmprule(stub):
     return response.message
 
 
+def add_scanrule(stub):
+    try:
+        response = stub.AddRules(snort_pb2.AddRule(
+            protocol='tcp', dest_port='any', dest_ip='$HOME_NET',
+            src_port='any', src_ip='any',
+            msg='MALWARE-CNC User-Agent ASafaWeb Scan', sid='10000003',
+            rev='001', content='"asafaweb.com"'))
+        print(stop_snort(stub))
+        print(start_snort(stub))
+    except Exception as e:
+        return e
+    return response.message
+
+
 def start_snort(stub):
     try:
         response = stub.StartSnort(snort_pb2.ControlSnort(pid='0'))
diff --git a/samples/services/snort_ids/docker/grpc/snort_pb2.py b/samples/services/snort_ids/docker/grpc/snort_pb2.py
index 93641ef..8828b78 100644
--- a/samples/services/snort_ids/docker/grpc/snort_pb2.py
+++ b/samples/services/snort_ids/docker/grpc/snort_pb2.py
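Review bot: In `add_scanrule` the snort quoting is carried inside the field value (`content='"asafaweb.com"'`) because the server-side format in the same commit writes `content:{}` verbatim; that contract lives in neither file, so a future caller passing a bare string will produce an unquoted option. Either the server should own the quotes or this line should say so, e.g. `# server writes content verbatim into the rule; the quotes are part of the value`. `except Exception as e: return e` hands the exception object back where the success path returns `response.message`, so `run`'s caller gets a non-string it presumably prints without noticing the add failed; returning `str(e)` or re-raising would keep the return type uniform. `start_snort` begins at the end of this hunk and continues outside it.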
@@ -19,7 +19,7 @@ DESCRIPTOR = _descriptor.FileDescriptor( name='snort.proto', package='snort', syntax='proto3', - serialized_pb=_b('\n\x0bsnort.proto\x12\x05snort\"\x1b\n\x0c\x43ontrolSnort\x12\x0b\n\x03pid\x18\x01 \x01(\t\"\x88\x01\n\x07\x41\x64\x64Rule\x12\x10\n\x08protocol\x18\x01 \x01(\t\x12\x11\n\tdest_port\x18\x02 \x01(\t\x12\x0f\n\x07\x64\x65st_ip\x18\x03 \x01(\t\x12\x10\n\x08src_port\x18\x04 \x01(\t\x12\x0e\n\x06src_ip\x18\x05 \x01(\t\x12\x0b\n\x03msg\x18\x06 \x01(\t\x12\x0b\n\x03sid\x18\x07 \x01(\t\x12\x0b\n\x03rev\x18\x08 \x01(\t\"\x1d\n\nSnortReply\x12\x0f\n\x07message\x18\x01 \x01(\t2\xac\x01\n\nController\x12/\n\x08\x41\x64\x64Rules\x12\x0e.snort.AddRule\x1a\x11.snort.SnortReply\"\x00\x12\x36\n\nStartSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x12\x35\n\tStopSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x62\x06proto3') + serialized_pb=_b('\n\x0bsnort.proto\x12\x05snort\"\x1b\n\x0c\x43ontrolSnort\x12\x0b\n\x03pid\x18\x01 \x01(\t\"\x99\x01\n\x07\x41\x64\x64Rule\x12\x10\n\x08protocol\x18\x01 \x01(\t\x12\x11\n\tdest_port\x18\x02 \x01(\t\x12\x0f\n\x07\x64\x65st_ip\x18\x03 \x01(\t\x12\x10\n\x08src_port\x18\x04 \x01(\t\x12\x0e\n\x06src_ip\x18\x05 \x01(\t\x12\x0b\n\x03msg\x18\x06 \x01(\t\x12\x0f\n\x07\x63ontent\x18\x07 \x01(\t\x12\x0b\n\x03sid\x18\x08 \x01(\t\x12\x0b\n\x03rev\x18\t \x01(\t\"\x1d\n\nSnortReply\x12\x0f\n\x07message\x18\x01 \x01(\t2\xac\x01\n\nController\x12/\n\x08\x41\x64\x64Rules\x12\x0e.snort.AddRule\x1a\x11.snort.SnortReply\"\x00\x12\x36\n\nStartSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x12\x35\n\tStopSnort\x12\x13.snort.ControlSnort\x1a\x11.snort.SnortReply\"\x00\x62\x06proto3') ) 
@@ -106,19 +106,26 @@ _ADDRULE = _descriptor.Descriptor( is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='sid', full_name='snort.AddRule.sid', index=6, + name='content', full_name='snort.AddRule.content', index=6, number=7, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='rev', full_name='snort.AddRule.rev', index=7, + name='sid', full_name='snort.AddRule.sid', index=7, number=8, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='rev', full_name='snort.AddRule.rev', index=8, + number=9, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), ], extensions=[ ], @@ -132,7 +139,7 @@ _ADDRULE = _descriptor.Descriptor( oneofs=[ ], serialized_start=52, - serialized_end=188, + serialized_end=205, ) @@ -162,8 +169,8 @@ _SNORTREPLY = _descriptor.Descriptor( extension_ranges=[], oneofs=[ ], - serialized_start=190, - serialized_end=219, + serialized_start=207, + serialized_end=236, ) DESCRIPTOR.message_types_by_name['ControlSnort'] = _CONTROLSNORT @@ -200,8 +207,8 @@ _CONTROLLER = _descriptor.ServiceDescriptor( file=DESCRIPTOR, index=0, options=None, - serialized_start=222, - serialized_end=394, + serialized_start=239, + serialized_end=411, methods=[ _descriptor.MethodDescriptor( name='AddRules', 
diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py
index 3c2fdb1..9ece832 100644
--- a/samples/services/snort_ids/docker/grpc/snort_server.py
+++ b/samples/services/snort_ids/docker/grpc/snort_server.py
@@ -35,7 +35,8 @@ class Controller(snort_pb2_grpc.ControllerServicer):
         f = open(file_local, 'a')
         rule = 'alert {} {} {} -> {} {} '.format(
             r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
-            + '(msg:"{}"; sid:{}; rev:{};)\n'.format(r.msg, r.sid, r.rev)
+            + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
+                r.msg, r.content, r.sid, r.rev)
         f.write(rule)
         f.close
         msg = "Added to local rules"
-- 
cgit 1.2.3-korg
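Review bot: The new option list emits `content:{}` unconditionally, so any `AddRule` whose `content` is unset (proto3 yields an empty string) is written as `content:;`, which is not valid rule syntax. The existing `addtcp`/`addicmp` client paths presumably do not set `content`, and snort is likely to treat the malformed option as a fatal parse error on the restart the client triggers, taking every local rule down with it; the option should be appended only when `r.content` is non-empty, as below. Independently, all four fields are interpolated verbatim from the RPC into the rules file, so a `;` or newline in any of them yields extra options or extra rules — rejecting those characters before formatting is cheap validation for a server that accepts rule text over the network. On the context line, `f.close` without parentheses never calls close, so the file handle is only released by garbage collection; `f.close()` or a `with` block fixes it. The enclosing `AddRules` method starts before this hunk.
```python
        # … unchanged: open file_local for append …
        options = 'msg:"{}";'.format(r.msg)
        if r.content:
            # proto3 leaves an unset string empty; emitting "content:;"
            # would make the whole local rules file unparsable
            options += ' content:{};'.format(r.content)
        options += ' sid:{}; rev:{};'.format(r.sid, r.rev)
        rule = 'alert {} {} {} -> {} {} ({})\n'.format(
            r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port, options)
        f.write(rule)
        # … unchanged: close file, build reply message …
```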