alert tcp any any -> any any (msg:”PRIVMSG from an IRC channel suspecious act”; content:”PRIVMSG”; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown; sid:2000346; rev:4;)
The above rule is written to monitor bots responding messages to the botmaster. The rule is working fine, but only when one bot making the respond and there is no alert or even one alert for one host when more than one host responding simultaneously. I have changed the session time to 30 or 150 but no luck.
Any tips or tricks to make it efficient?
Thanks.
-Aymen
I don’t think I am fully-grasping what you are trying to do with this rule. Could you clarify the specifics on why you’re looking for just a PRIVMSG without a channel name (or even a bot’s nick name, for that matter)?
That said, some quick suggestions on making the rule more efficient. Adapt as necessary:
dsizeandfloware considered “discrete” options and should be specified before any payload options (such ascontentand its modifiers, etc). Discrete options are generally checking protocol-specific fields and never touch the payload, so they are extremely fast (second only to the fast-pattern matcher). I.e., you should makeflowcome aftermsg, and thendsizeafterflow.Next, you’re probably setting the timer for
tagtoo high. There’s a built-in cutoff fortag, called thetagged_packet_limit, and it defaults to 256 packets. So your rule would cease tagging on one of three possible conditions (whichever happens first):The
secondsmetric can fluctuate a bit based on other factors on your sensor, such as link speed, system load, etc. Thus, the rule might stop tagging packets after 297 seconds or 303 seconds. It’s probably better to use thepacketsmetric and set it to a really high value, such as1000. This has the added benefit of overridingtagged_packet_limit. You can even specify multiple metrics simultaneously:You should consider using a pair of
flowbitsto control when the tagging operation begins and ends:This prevents the tagging operation from being interrupted when another packet matching the rule comes across the wire, because the flowbits will enforce that the rule has already alerted once, and is currently tagging the traffic of interest.
You should define a variable for common IRC ports and use it in the destination ports field. Snort uses the destination port field in conjunction with the fast-pattern matcher to optimize which rules a packet is checked against (i.e., HTTP traffic shouldn’t be checked by a rule targeting IRC). In lieu of a destination port, it will try to use a source port (the specifics of this are available in comments at the top of
src/pcrm.cin the source code). If the target IRC server only uses a single port, then use that instead. A single port is better than a group of ports, but a group of ports is WAY better than justany:Lastly, You need to use a unique string to truly take advantage of the fast-pattern matcher.
PRIVMSGis extremely common in the IRC protocol, so if you’re trying to restrict the rule to a very specific channel, consider something like:The
fast_pattern:only;bit, available in snort-2.9.0 and up, only uses the content match within the fast-pattern matcher and will not re-use it in the actual payload search. Side-effect: you can’t use additional content matches relative to this content match. and this match is performed in a case-insensitive manner!It’s hard to wrap one’s head around this little change when coming off of 2.8.6, but a quick way to know if it works for you is, “Do I only care if this string is found SOMEWHERE in the packet?”, if yes, then
fast_pattern:only;will do exactly that and save you a few processor cycles. Otherwise, if you need to ensure that the string not only exists in a packet, but at a very specific depth or offset, then you can omit that line completely. Snort will still use the longest content match in a rule as the fast-pattern match (but this can be overridden by just usingfast_pattern;with no arguments on acontentthat you know to be the most unique string in a packet).Bringing all of this together: