Converting Snort Rules to TrafficScript

Snort is a popular open source intrusion detection system that analyzes network traffic in order to detect patterns (stored as a set of rules) that could possibly be malicious. ZXTM's TrafficScript™ has the ability to read and manipulate HTTP traffic, so we can use Snort's well-tested rules library and TrafficScript to turn ZXTM into a lightweight intrusion detection system for the HTTP servers behind it.

This Perl script is able to convert the Snort rules for these patterns into TrafficScript code, and optionally upload them automatically to ZXTM via the SOAP control interface.

How to use it

  1. Download the Perl script and make sure it's set as executable.
  2. This script uses the Perl SOAP control API, which requires the SOAP::Lite and IO::Socket::SSL Perl modules.
  3. Get the latest Snort rule set from the Snort website, and extract it into the same directory as the snort2ts.pl Perl script. It should create a directory called rules containing lots of files with the .rules extension.
  4. The simplest way to use the script is to pass the rules as a parameter.

    $ ./snort2ts.pl ./rules/*.rules
  5. The script will then prompt you to choose how you will save the resulting TrafficScript:

    No destination for rules specified...
    Output to files (2 files will be generated, one for
    request rules and one for response)? [y/n/q]: 
    
    Enter prefix for the files: 
    

    Entering y here will cause the script to prompt you to enter a prefix for the output files. The Perl script generates 2 files, one for the response rules and one for the request rules, prefixed with the string you specify. For example, a prefix of 'snort' would cause the script to output to the files 'snort-response' and 'snort-request'.

  6. You are also given the option to upload the generated TrafficScript directly to a ZXTM system.

    Upload to ZXTM server? [y/n/q]: 
    
    Enter server address
       Format: prot://user:pw@addr:port
       E.g: https://admin:mypass@zxtmserv:9090
    : 
           
    Enter rule name prefix: 
    
    Get http ports from ZXTM? [y/n]: 
    

    Again, entering y here will prompt you to enter the ZXTM server details, which are specified as a single string in the format protocol://user:password@address:port.

    After specifying the server you will be asked what prefix you want to put on the name of the TrafficScript rules you create. As with the output files, the response and request code will be split into 2 separate rules.

    Finally the system asks if you would like it to retrieve a list of HTTP ports from the ZXTM's HTTP servers. This information is used to filter out snort rules that don't use these ports, so it's a good idea to say yes to this.

  7. The script will now ask you to enter the local network mask:
    No local network mask set, please enter one.
    The home network is the range of ip addresses on your internal
    network, and attacks from this range are usually ignored by snort
    rules.
    e.g. 10.100.1.0/16
    : 
    

    This mask specifies the internal IP addresses on your network. Most snort rules do not check traffic from this range, so it's important to enter it correctly; otherwise you might get lots of false positives. Ranges are specified as CIDR masks or single IP addresses.

  8. The system should now process the rules, giving you an output similar to this:
    Parsing Rules...
    Reading snort rule file /rules/attack-responses.rules.
     Parsed 6/17 rules in the file.
    Reading snort rule file /rules/backdoor.rules.
     Parsed 3/78 rules in the file.
    ...
    Reading snort rule file /rules/x11.rules.
     Parsed 0/2 rules in the file.
    Parsing Complete. (Rules Parsed: 1066/3334)
    

    It will then say which files it has written to (if any) and connect to ZXTM (if specified).

  9. If the script connects to ZXTM, it will try uploading the TrafficScript as rules, checking if they already exist. If they do exist the script will ask you if you want to overwrite them.

    Finally the system asks if you want to activate the rules on each of the HTTP servers on ZXTM, and if so adds them to the top of the rules list (so they'll be checked first).

Command line options

The script has several command line options that allow you to automate most of this process, and a full listing can be viewed using --help.

Testing it works

By default most of the snort rules will add a warning message to ZXTM's log when a snort rule is matched, and we can test that this works by trying to match one of the snort rule patterns. In this example we will try to simulate an intrusion attempt on snort rule SID:870, which checks to see if the string 'snorkerz.cmd' is in the requested URL. Therefore, to test it's working we simply access a URL like http://myserver/snorkerz.cmd from an external system (i.e. a system not in the home network; alternatively you can temporarily set the home network to something like 127.0.0.1). This should cause the TrafficScript rule to write a log entry like this:
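As an added example (not the page's Perl script and not code from Zeus), here is a Python sketch of the conversion steps the article walks through: parse one Snort rule's header and options, drop rules that do not target the HTTP ports ZXTM serves, ignore requests from the home network, and emit a TrafficScript request rule for a SID 870 style uricontent check. The sample rule is constructed, only the uricontent/nocase subset of Snort options is handled (no content, pcre or hex bytes), and the TrafficScript function names (string.ipmaskmatch, string.containsI, http.getPath, request.getRemoteIP, log.warn) are assumed from memory rather than taken from this page.

```python
import ipaddress
import re

# Constructed sample in Snort 2.x syntax, modelled on the SID 870 check the article describes.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
               '(msg:"WEB-CGI snorkerz.cmd access"; uricontent:"/snorkerz.cmd"; '
               'nocase; sid:870; rev:6;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)'
                       r'\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')  # quoted values may hold ';'

def parse_rule(line):
    """Split one Snort rule into header fields plus an ordered (name, value) option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, _direction, dst, dport, opts = m.groups()
    options = [(name, val.strip('"')) for name, val in OPTION_RE.findall(opts)]
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': options}

def to_trafficscript(rule, home_net, http_ports):
    """Emit an illustrative TrafficScript request rule (syntax assumed, not the Perl
    script's output), or None if the rule is not a URL check on a port ZXTM serves."""
    opts, dport = dict(rule['options']), rule['dport']
    port_ok = dport in ('$HTTP_PORTS', 'any') or (dport.isdigit() and int(dport) in http_ports)
    if rule['proto'] != 'tcp' or 'uricontent' not in opts or not port_ok:
        return None
    fn = 'string.containsI' if 'nocase' in opts else 'string.contains'
    pattern = opts['uricontent'].replace('"', '\\"')
    net = str(ipaddress.ip_network(home_net, strict=False))  # 10.100.1.0/16 -> 10.100.0.0/16
    sid, msg = opts.get('sid', '?'), opts.get('msg', '')
    return (f'# snort sid:{sid} {msg}\n'
            f'if( !string.ipmaskmatch( request.getRemoteIP(), "{net}" )\n'
            f'    && {fn}( http.getPath(), "{pattern}" ) ) {{\n'
            f'   log.warn( "Snort sid:{sid} matched: {msg}" );\n'
            '}')

def matches(rule, path, remote_ip, home_net):
    """Python model of the generated check: True when the request would be logged."""
    opts = dict(rule['options'])
    if ipaddress.ip_address(remote_ip) in ipaddress.ip_network(home_net, strict=False):
        return False  # requests from the home network are ignored, as in Snort
    needle, hay = opts['uricontent'], path
    if 'nocase' in opts:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay
```

Note that a home network entered as 10.100.1.0/16 (the article's own example) is normalised to 10.100.0.0/16 before it is written into the rule.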

About Snort

Snort was written by Marty Roesch and is available from Snort.org. It is covered by their license terms.

Matt H [Zeus Dev Team] 20 December 2007

Comments:

This public messageboard is not a forum for technical support. To report technical support problems, please contact our dedicated Support team using the instructions at the bottom of this page.

Comment from: Axel Larsson [Visitor]
Using the current set of certified VRT rules from snort.org, the Perl script seems to run into trouble parsing several of the rules files, including exploit.rules and misc.rules.

Perl is throwing errors like:
Reading snort rule file rules/specific-threats.rules.
Modification of non-creatable array value attempted, subscript -1 at ./snort2ts.pl line 464, line 20305.
11 January 2008 @ 16:40
Comment from: Matt H [Zeus Dev Team]
The bug listed in the above comment should now be fixed; the new version has replaced the old one on this page.
14 January 2008 @ 14:09