Description of Current snort -> bro rule conversion

This is the current prototype for what I have running.  None of the feedback received yesterday (06/03/2004) is included.  I will try to begin modifying this as soon as possible.

Snort rule tarballs contain a collection of files which are roughly grouped by function.  Examples are icmp.rules, web-iis.rules and imap.rules.  These delineations will be called rule classes.

An individual processed snort signature will be called a bro signature.



Scripts/Files:

create_new_s2b_augment : script to create or modify the s2b_augment file.  If a sid is new it will be appended, otherwise it will be skipped.

create_new_s2b_augment.bulkconfig : config file mapping a rule class to a collection of additional signatures or functions that are added to every signature in the rule class.  An example would be adding "requires-reverse-signature ! http_error" to *all* signatures found in web-iis.rules with the line:
web-iis.rules, nrs-http_error
See below for more details on the syntax.

snort2bro : default (unmodified) python script that comes with bro

s2b_table : a config file that maps the snort signature "classtype" to a bro action.  This is the default value that a bro signature will get in the s2b_augment file.  A few sample lines look like:

suspicious-login                        SIG_LOG
system-call-detect                      SIG_LOG
unusual-client-port-connection          SIG_LOG
web-application-activity                SIG_LOG
icmp-event                              SIG_FILE
misc-activity                           SIG_LOG
network-scan                            SIG_FILE
not-suspicious                          SIG_QUIET
protocol-command-decode                 SIG_FILE
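As an added worked example (not the project's own create_new_s2b_augment script), the Python below sketches the step described above: take snort rules grouped by rule class, look up each rule's classtype in s2b_table for its default action, append the bulkconfig tokens for that rule class, and emit lines in the SID#;RUN_FIELD;SIG_ACTION;ADDL_SIG_OR_FN;EVENT_DATA layout of s2b_augment, skipping any sid that is already in the file.  The snort rule lines, the s2b_table and bulkconfig contents, the sid 1000001 rule and the fall-back to SIG_LOG for an unknown classtype are all constructed assumptions; only sid 244 and its message come from this page.

```python
import re

# Constructed sample of s2b_table: snort classtype -> default bro SigAction.
# attempted-dos is not on the page; it is added here for the sid 244 example.
S2B_TABLE = """\
attempted-dos                           SIG_FILE
web-application-activity                SIG_LOG
not-suspicious                          SIG_QUIET
icmp-event                              SIG_FILE
"""

# Constructed sample of create_new_s2b_augment.bulkconfig:
# "<rule class file>, <space-separated tokens added to every sig in that class>"
BULKCONFIG = """\
web-iis.rules, nrs-http_error
ddos.rules, f-one
"""

# Constructed snort rules, grouped by the rule class file they came from.
# sid 244 and its msg are the page's example; sid 1000001 is a made-up local sid.
SNORT_RULES = {
    "ddos.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 '
        '(msg:"DDOS mstream handler to agent"; classtype:attempted-dos; sid:244; rev:3;)',
    ],
    "web-iis.rules": [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"constructed web-iis rule"; classtype:web-application-activity; sid:1000001; rev:1;)',
    ],
}

# One snort option: key:value; where value may be a quoted string.
_OPTION = re.compile(r'(\w+):\s*("[^"]*"|[^;]*);')


def parse_s2b_table(text):
    """classtype -> SigAction; blank and malformed lines are ignored."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def parse_bulkconfig(text):
    """rule class file -> list of ADDL_SIG_OR_FN tokens to add to each sig."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule_class, _, tokens = line.partition(",")
        cfg[rule_class.strip()] = tokens.split()
    return cfg


def snort_options(rule):
    """Return the option block of a snort rule as a dict (quotes stripped)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return {key: value.strip('"') for key, value in _OPTION.findall(body)}


def augment_line(sid, run, action, tokens, msg):
    """One s2b_augment line: SID#;RUN_FIELD;SIG_ACTION;ADDL_SIG_OR_FN;EVENT_DATA."""
    return f'{sid};{run};{action};{" ".join(tokens)};"{msg}"'


def build_augment(existing, snort_rules, s2b_table, bulkconfig, default="SIG_LOG"):
    """Keep every existing s2b_augment line and append one line per new sid.

    A sid already in the file is skipped, so hand edits survive a re-run.
    Falling back to `default` for an unknown classtype is an assumption.
    """
    lines = [l for l in existing.splitlines() if l.strip()]
    seen = {l.split(";", 1)[0].strip() for l in lines}
    for rule_class, rules in snort_rules.items():
        extra = bulkconfig.get(rule_class, [])
        for rule in rules:
            opts = snort_options(rule)
            sid = opts["sid"]
            if sid in seen:
                continue
            action = s2b_table.get(opts.get("classtype"), default)
            lines.append(augment_line(sid, "T", action, extra, opts.get("msg", "")))
            seen.add(sid)
    return lines


if __name__ == "__main__":
    table, cfg = parse_s2b_table(S2B_TABLE), parse_bulkconfig(BULKCONFIG)
    first = build_augment("", SNORT_RULES, table, cfg)
    # Re-running against the file it just produced changes nothing.
    second = build_augment("\n".join(first), SNORT_RULES, table, cfg)
    print("\n".join(first))
    assert first == second
```

The append-if-new rule is what makes the later hand edits to s2b_augment (removing rules, changing SIG_ACTION values) safe across re-runs when a new snort tarball arrives.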

wrapper_script : this is the wrapper script for the snort2bro python script.  It is run any time the s2b_augment file (see below) is changed, and creates three files:

  1. <completed bro rule file>
  2. s2b_logmod : a file consisting of the mapping of *any* bro signature that does not have the default action of SIG_LOG (ie logging to log.name...).  This file is @load'ed into bro at startup.
  3. s2b.config : a config file fed to the snort2bro python script which provides a list of individual rules that should not be fed to bro.  This is determined by reading the s2b_augment file and extracting the sid of any rule with a 'F' in the run field.  This file is created in the initial stages of wrapper_script before snort2bro is actually run.
There is an internal variable in wrapper_script which allows you to skip whole signature classes - RULE_TYPE_SKIP is set at the top of wrapper_script.  Clearly this should be in some other format.

s2b_augment : master control file for the creation of bro signatures.  It contains the following fields:

SID#; RUN_FIELD; SIG_ACTION; ADDL_SIG_OR_FN; EVENT_DATA

for example:

244;T;SIG_FILE;s-one s-two f-one ;"DDOS mstream handler to agent"

The SID# is unique and can be used as an index.  The current snort design on this number is :
so any new signatures or modifications ought to be named accordingly. 

The RUN_FIELD is either T or F and says whether the rule ought to be run.

The SIG_ACTION is defined by :

type SigAction: enum {
        SIG_IGNORE,     # ignore this sig. completely (even for scan detection)
        SIG_QUIET,      # process, but don't report individually
        SIG_FILE,       # write into the signatures.log file
        SIG_FILE_BUT_NO_SCAN,   # as SIG_FILE, but ignore for scan processing
        SIG_LOG,        # log it and write into the signatures.log file
        SIG_LOG_PER_ORIG,       # log once per originator
        SIG_LOG_ONCE,   # log once and then never again
        SIG_LOG_NO_WORM,        # log if not originated by a known worm-source
        SIG_COUNT_PER_RESP,     # count per dest. and log if threshold reached
        SIG_SUMMARY,    # don't log, but generate per-orig summary
};

The ADDL_SIG_OR_FN field describes any additional signatures or functions that should be added to the raw snort signature.  For signatures you can provide definitions in the forward and reverse directions, or the negation of the same.  For a given function, it is evaluated after all other conditions have matched and should be of the form:

 function cond(state: signature_state): bool

For the field in s2b_augment, the following has been defined:

1) The individual sigs and functions are space delimited.

2) Defining the type and direction of a signature is done by:

s-name : requires-signature name
rs-name : requires-reverse-signature name
ns-name : requires-signature ! name
nrs-name : requires-reverse-signature ! name
f-name : eval name
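Added example, not the page's wrapper_script or the snort2bro script: a parser for s2b_augment lines that validates the RUN_FIELD and SIG_ACTION values against the definitions above, expands the ADDL_SIG_OR_FN prefixes into the bro condition lines just listed, and derives the two things wrapper_script pulls out of the file: the sids for s2b.config (run field F) and the non-SIG_LOG action map for s2b_logmod.  The sample lines other than sid 244 are constructed, as is the choice to leave F rules out of the s2b_logmod map; the bro-side text of s2b_logmod is not rendered because the page does not give its format.

```python
# Constructed s2b_augment contents; the sid 244 line is the page's own example,
# the two local sids are made up.
AUGMENT = """\
244;T;SIG_FILE;s-one s-two f-one ;"DDOS mstream handler to agent"
1000001;F;SIG_LOG;nrs-http_error;"constructed web-iis rule"
1000002;T;SIG_LOG;;"constructed rule with the default action"
"""

# The SigAction enum values from the page.
SIG_ACTIONS = {
    "SIG_IGNORE", "SIG_QUIET", "SIG_FILE", "SIG_FILE_BUT_NO_SCAN", "SIG_LOG",
    "SIG_LOG_PER_ORIG", "SIG_LOG_ONCE", "SIG_LOG_NO_WORM", "SIG_COUNT_PER_RESP",
    "SIG_SUMMARY",
}

# ADDL_SIG_OR_FN prefixes, longest first so "nrs-" is not mistaken for "s-".
TOKEN_PREFIXES = (
    ("nrs-", "requires-reverse-signature ! {}"),
    ("rs-",  "requires-reverse-signature {}"),
    ("ns-",  "requires-signature ! {}"),
    ("s-",   "requires-signature {}"),
    ("f-",   "eval {}"),
)


def expand_token(token):
    """Map one token (e.g. nrs-http_error) to the bro condition it stands for."""
    for prefix, template in TOKEN_PREFIXES:
        name = token[len(prefix):]
        if token.startswith(prefix) and name:
            return template.format(name)
    raise ValueError(f"unknown ADDL_SIG_OR_FN token {token!r}")


def parse_augment_line(line):
    """Split SID#;RUN_FIELD;SIG_ACTION;ADDL_SIG_OR_FN;EVENT_DATA and validate it."""
    parts = line.split(";", 4)          # EVENT_DATA may itself contain ';'
    if len(parts) != 5:
        raise ValueError("expected 5 ';'-separated fields")
    sid, run, action, addl, event = (p.strip() for p in parts)
    if not sid.isdigit():
        raise ValueError(f"bad SID# {sid!r}")
    if run not in ("T", "F"):
        raise ValueError(f"RUN_FIELD must be T or F, got {run!r}")
    if action not in SIG_ACTIONS:
        raise ValueError(f"unknown SIG_ACTION {action!r}")
    return {
        "sid": int(sid),
        "run": run == "T",
        "action": action,
        "conditions": [expand_token(t) for t in addl.split()],
        "event": event.strip('"'),
    }


def parse_augment(text):
    """Parse a whole s2b_augment file, naming the offending line on error."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(parse_augment_line(line))
        except ValueError as exc:
            raise ValueError(f"s2b_augment line {lineno}: {exc}") from None
    return entries


def skip_sids(entries):
    """SIDs wrapper_script writes to s2b.config: rules with an F run field."""
    return [e["sid"] for e in entries if not e["run"]]


def non_default_actions(entries, default="SIG_LOG"):
    """sid -> action for s2b_logmod: every running sig whose action is not SIG_LOG.

    Leaving out F rules (they never reach bro) is an assumption of this example.
    """
    return {e["sid"]: e["action"] for e in entries if e["run"] and e["action"] != default}


if __name__ == "__main__":
    entries = parse_augment(AUGMENT)
    for e in entries:
        print(e["sid"], e["action"], e["conditions"], e["event"])
    print("s2b.config skips:", skip_sids(entries))
    print("s2b_logmod map:", non_default_actions(entries))
```

Rejecting a bad RUN_FIELD or SIG_ACTION at parse time, with the line number, matters because a typo such as "SIG_FLIE" would otherwise silently fall back to whatever the downstream bro script does with an unknown action.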

The EVENT_DATA field is there so that a person reading the config file can see which rule a SID# refers to and does not edit the wrong one.



Usage

For the current scripts, the following defines more or less how I would go about implementing a new rule set that uses the default behavior as described by the scripts and config files.

  1. run create_new_s2b_augment to build a new s2b_augment which has the additional signatures and functions based on what is found in create_new_s2b_augment.bulkconfig
  2. edit s2b_augment to remove individual signatures, add internal sigs and functions not already in place, and modify the non-default SIG_ACTION values
  3. run wrapper_script which will do the following: