File Rules
Snort 3's new "file rules" let rule writers match on a particular file regardless of the protocol, source and destination IP addresses, ports, and service that carried it.
Snort is able to process files that are sent using any of the following application-layer protocols:
- HTTP
- SMTP
- POP3
- IMAP
- SMB
- FTP
Format:
These rules are created with a rule header containing just an action followed by the keyword file:
action file
When creating file rules, rule writers should make sure to do the following two things:
- Specify the file_data buffer for all content matches that should be evaluated against the file
- Omit any service and flow rule options from the rule
Example:
To see the advantage of such a rule header, consider the two rules below, both of which look for the string "secret_encryption_key" in file data. The first rule looks for the string in files sent to a client over HTTP or IMAP, while the second rule looks for it in files sent to an SMTP server.
alert tcp $EXTERNAL_NET [80,143] -> $HOME_NET any
(
msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
flow:to_client,established;
file_data; content:"secret_encryption_key",fast_pattern,nocase;
service:http, imap;
classtype:trojan-activity;
sid:1;
)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(
msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
flow:to_server,established;
file_data; content:"secret_encryption_key",fast_pattern,nocase;
service:smtp;
classtype:trojan-activity;
sid:2;
)
However, this pair of rules can be written as a single alert file rule, which tells Snort to look for "secret_encryption_key" in any file it extracts from the network, regardless of source, destination, or service. Note that a file rule is evaluated only against files Snort has actually extracted, so the application-layer inspectors for the protocols listed above must be enabled in the configuration for the rule to see traffic on those protocols.
alert file
(
msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
file_data;
content:"secret_encryption_key",fast_pattern,nocase;
classtype:trojan-activity;
sid:3;
)
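The two requirements from the Format section (file_data selected before every content match, no service or flow options) are easy to miss when converting existing rules such as sid:1 and sid:2 above. The following is an added example, not code from the Snort documentation or the Snort project: a small Python linter that splits a rule into its header and option list, walks Snort 3's sticky-buffer semantics (a buffer selector such as file_data applies to every following content or pcre until another selector appears), and reports violations. The regex-based parser and the BUFFER_SELECTORS set are simplifications sufficient for the rules on this page, not a full Snort grammar; the fourth rule (sid:4) is constructed for the example.

```python
"""Minimal linter for Snort 3 "file" rules (added example, not Snort code).

Checks the two requirements a file rule must meet: every content/pcre match
is evaluated in the file_data buffer, and no service or flow option is present.
The parser is a deliberate simplification that handles the rules on this page.
"""
import re

# Snort 3 sticky buffers that redirect the content/pcre matches that follow them.
# Partial list (assumption: enough for this example); file_data is the one a
# file rule must select.
BUFFER_SELECTORS = {
    "pkt_data", "raw_data", "file_data", "js_data", "vba_data",
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_raw_body",
    "http_method", "http_stat_code", "http_stat_msg", "http_version",
}
FORBIDDEN_IN_FILE_RULES = {"service", "flow"}
BUFFER_MATCHERS = {"content", "pcre"}


def split_options(body):
    """Split the option list on ';' while respecting double-quoted strings."""
    opts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quotes:
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        opts.append(tok)
    return opts


def parse_rule(text):
    """Return (header_tokens, [(option_name, option_value_or_None), ...])."""
    flat = " ".join(text.split())  # collapse the multi-line layout used on this page
    m = re.match(r"^(\S+)\s+(.*?)\s*\((.*)\)\s*$", flat)
    if not m:
        raise ValueError("not a Snort rule: " + flat[:40])
    action, rest, body = m.groups()
    header = [action] + rest.split()
    options = []
    for opt in split_options(body):
        name, sep, value = opt.partition(":")
        options.append((name.strip(), value.strip() if sep else None))
    return header, options


def lint_file_rule(text):
    """Return a list of problems; an empty list means the rule is a valid file rule."""
    header, options = parse_rule(text)
    problems = []
    if len(header) != 2 or header[1] != "file":
        problems.append(f"header is '{' '.join(header)}', expected '<action> file'")
    for name, _ in options:
        if name in FORBIDDEN_IN_FILE_RULES:
            problems.append(f"'{name}' option must be omitted from a file rule")
    # Sticky-buffer walk: a selector applies to every content/pcre that follows it
    # until another selector appears; the default buffer is the packet payload.
    current = "pkt_data"
    for name, _ in options:
        if name in BUFFER_SELECTORS:
            current = name
        elif name in BUFFER_MATCHERS and current != "file_data":
            problems.append(f"'{name}' is matched in {current}, not file_data")
    return problems


# Copies of the three rules shown on this page, plus one constructed bad file rule.
RULE_HTTP_IMAP = '''alert tcp $EXTERNAL_NET [80,143] -> $HOME_NET any
( msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
  flow:to_client,established;
  file_data; content:"secret_encryption_key",fast_pattern,nocase;
  service:http, imap; classtype:trojan-activity; sid:1; )'''
RULE_SMTP = '''alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
( msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
  flow:to_server,established;
  file_data; content:"secret_encryption_key",fast_pattern,nocase;
  service:smtp; classtype:trojan-activity; sid:2; )'''
RULE_FILE = '''alert file
( msg:"MALWARE-OTHER Win.Ransomware.Agent payload download attempt";
  file_data; content:"secret_encryption_key",fast_pattern,nocase;
  classtype:trojan-activity; sid:3; )'''
# Constructed: correct header, but flow is present and content never selects file_data.
RULE_BAD_FILE = '''alert file
( msg:"constructed bad file rule"; flow:to_server,established;
  content:"secret_encryption_key",nocase; sid:4; )'''

if __name__ == "__main__":
    for label, rule in [("sid:1", RULE_HTTP_IMAP), ("sid:2", RULE_SMTP),
                        ("sid:3", RULE_FILE), ("sid:4", RULE_BAD_FILE)]:
        problems = lint_file_rule(rule)
        print(label, "OK" if not problems else "; ".join(problems))
```

Running the script reports sid:1 and sid:2 as non-file rules with service and flow options, accepts sid:3 unchanged, and flags sid:4 both for its flow option and because its content match would be evaluated against pkt_data rather than the file.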