# snort-rule-generator

This script can quickly generate Snort rules for common network behaviors from IOCs. Best effort is made to make the rules efficient.

###### Usage:

```
./snort_rule_generator.pl -h

Valid Options:
--type => required parameter, specify type of signature you want to generate.
        dns-query | dns query for a domain
        dns-reply | match a dns reply containing a specified IP/CIDR
        http-req-domain | http request for a specific domain
        http-file-name | http request for a specific file name
--value => required parameter, contains the key value you want to generate the signature for.
--help => print usage information
```

###### DNS queries:

```
./snort_rule_generator.pl --type dns-query --value google.com
alert udp $HOME_NET any -> any 53 (msg:""; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|google|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:xxxx; rev:1;)
```

###### DNS replies:

```
#ip address
./snort_rule_generator.pl --type dns-reply --value 12.3.4.56
alert udp any 53 -> $HOME_NET any (msg:"DNS Reply - IP - 12.3.4.56"; content:"|00 01 00 01|"; content:"|00 04 0C 03 04 38|"; distance:4; within:6; classtype:trojan-activity; sid:xxxx; rev:1;)

#class c cidr
./snort_rule_generator.pl --type dns-reply --value 1.2.3
alert udp any 53 -> $HOME_NET any (msg:"DNS Reply - IP - 1.2.3."; content:"|00 01 00 01|"; content:"|00 04 01 02 03|"; distance:4; within:5; classtype:trojan-activity; sid:xxxx; rev:1;)
```

###### HTTP domains:

```
./snort_rule_generator.pl --type http-req-domain --value google.com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request to domain - google.com"; flow:established,to_server; content:"Host|3a 20|google.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:xxxx; rev:1;)
```

###### HTTP requests containing a file name:

```
./snort_rule_generator.pl --type http-file-name --value malware.exe
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request with filename - malware.exe"; flow:established,to_server; content:"malware.exe"; http_uri; fast_pattern:only; pcre:"/malware\.exe$/U"; classtype:trojan-activity; sid:xxxx; rev:1;)
```
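The four rule shapes above encode the IOC in protocol terms rather than as a raw string: a domain becomes DNS wire-format labels, an address becomes the RDATA bytes of an A record, a host name is pinned between `Host: ` and the CRLF, and a file name is anchored to the end of the normalised URI. The Python below is an added illustration of that encoding, not the project's Perl script. It reproduces the README's output for the `dns-reply`, `http-req-domain` and `http-file-name` examples byte for byte; the `msg` text for `dns-query` (the README's output leaves it empty), the `snort_content()` escaping of characters that are special inside `content:"..."`, and the `msg_text()` sanitiser are this example's own additions. `sid:xxxx` is kept as the README's placeholder.

```python
import re

SID = "xxxx"  # kept as the README's placeholder; assign a sid from your local range


def snort_content(text: str) -> str:
    """Escape a literal for use inside a Snort content:"..." string.

    Bytes that are special inside content (" ; | \\) and anything non-printable
    are emitted in |hh| hex notation, so an IOC pasted in cannot break the rule.
    (Added helper; the README does not show how the script escapes values.)
    """
    out = []
    for b in text.encode("utf-8"):
        if b in b'";|\\' or not 0x20 <= b < 0x7F:
            out.append(f"|{b:02x}|")
        else:
            out.append(chr(b))
    return "".join(out)


def msg_text(text: str) -> str:
    """Neutralise characters that would terminate a msg:"..." option."""
    return re.sub(r'[";\\]', "_", text)


def dns_label_content(domain: str) -> str:
    """DNS wire-format labels as Snort hex: google.com -> |06|google|03|com|00|"""
    parts = []
    for label in domain.strip(".").lower().split("."):
        if not re.fullmatch(r"[a-z0-9_-]{1,63}", label):
            raise ValueError(f"invalid DNS label: {label!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts) + "|00|"


def dns_query_rule(domain: str) -> str:
    # offset:2 skips the transaction ID; the ten bytes are flags 0x0100 (standard
    # query, recursion desired), QDCOUNT=1 and zero AN/NS/AR counts. The README's
    # output leaves msg empty; the message text here is this example's choice.
    return (
        f'alert udp $HOME_NET any -> any 53 (msg:"DNS Query - {msg_text(domain)}"; '
        'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
        f'content:"{dns_label_content(domain)}"; fast_pattern; nocase; distance:0; '
        f'classtype:trojan-activity; sid:{SID}; rev:1;)'
    )


def dns_reply_rule(value: str) -> str:
    """Match an A record whose RDATA begins with the given 1-4 octets (a full
    address, or a prefix such as 1.2.3 for a /24), in the README's format."""
    octets = value.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"expected 1-4 dotted octets, got {value!r}")
    addr = " ".join(f"{int(o):02X}" for o in octets)
    label = value if len(octets) == 4 else value + "."  # README marks a prefix with a trailing dot
    # |00 01 00 01| is TYPE=A, CLASS=IN of the answer RR; distance:4 skips the TTL;
    # |00 04| is RDLENGTH for an IPv4 address and within: pins the bytes to that slot.
    return (
        f'alert udp any 53 -> $HOME_NET any (msg:"DNS Reply - IP - {label}"; '
        'content:"|00 01 00 01|"; '
        f'content:"|00 04 {addr}|"; distance:4; within:{2 + len(octets)}; '
        f'classtype:trojan-activity; sid:{SID}; rev:1;)'
    )


def http_domain_rule(domain: str) -> str:
    # |3a 20| is ": " and |0d 0a| the CRLF, so this is an exact Host match:
    # neither subdomains nor an explicit :port would match this rule.
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        f'(msg:"HTTP Request to domain - {msg_text(domain)}"; flow:established,to_server; '
        f'content:"Host|3a 20|{snort_content(domain)}|0d 0a|"; http_header; fast_pattern:only; '
        f'classtype:trojan-activity; sid:{SID}; rev:1;)'
    )


def http_file_rule(name: str) -> str:
    if not name or "/" in name:
        raise ValueError("expected a bare file name, not a path")
    # re.escape protects regex metacharacters (the dot in .exe); the extra
    # replacements keep the option quoting intact inside the pcre.
    pattern = re.escape(name).replace('"', r"\x22").replace(";", r"\x3b")
    # the $ anchor means a URI with a query string (malware.exe?x=1) would not match
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        f'(msg:"HTTP Request with filename - {msg_text(name)}"; flow:established,to_server; '
        f'content:"{snort_content(name)}"; http_uri; fast_pattern:only; pcre:"/{pattern}$/U"; '
        f'classtype:trojan-activity; sid:{SID}; rev:1;)'
    )


if __name__ == "__main__":
    for rule in (dns_query_rule("google.com"), dns_reply_rule("12.3.4.56"),
                 dns_reply_rule("1.2.3"), http_domain_rule("google.com"),
                 http_file_rule("malware.exe")):
        print(rule)
```

Two points worth noticing when reusing these shapes: the DNS reply rule keys on the fixed `TYPE/CLASS/TTL/RDLENGTH` layout of an answer RR, which is why `distance:4` and `within:` are exact byte counts and not tuning knobs; and both HTTP rules are exact-match by design, so a host with a port suffix or a URI with a query string will slip past them unless the rule is widened on purpose.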

###### Contributors:

jakewarren
