SNORT – content matching

I have been playing around with SNORT lately. One of SNORT's key features is detecting a specific pattern within the payload of a packet. The content keyword performs the pattern matching within the payload; the pattern to match is given as the keyword's argument, either as a string or as hex bytes. Other "helper" keywords act as modifiers that change the behaviour of the content keyword. I wanted to write some simple rules to verify the payload detection functionality. Since I don't have access to any PCAPs containing malicious traffic, I decided to test the functionality using legitimate traffic.

The goal of the rule is to detect a DNS query for youtube.com; simple enough. I will match on the hex value of the content. It is crucial to understand how the payload is encapsulated within the packet before writing any rules. A quick packet capture while browsing YouTube, filtered for DNS queries, will show the target packet we are looking for.


As per the packet capture, the hex value for the DNS query name is "77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d": the ASCII bytes of "www", a label-length byte of 07, the bytes of "youtube", a label-length byte of 03, and the bytes of "com" (DNS names are sent as length-prefixed labels, not with dots). In a rule, hex content is delimited by a pair of pipes ("| |") surrounding the bytes to be matched. Based on this hex value, the rule is as follows.

alert udp any any -> any 53 (msg:"Youtube - DNS Query"; content:"|77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d|"; sid:1000002;)

Output in the console when youtube.com is browsed.

02/04-11:36:55.226182 [**] [1:1000002:0] "Youtube - DNS Query" [**] [Priority: 0] {UDP} X.X.X.X:8120 -> 8.8.8.8:53
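To see why the hex bytes look the way they do, and what the rule above does and does not catch, here is an added example (my own code, not SNORT's and not part of the original post). It builds a constructed DNS query payload, converts a Snort-style content: argument (literal text and |hex| segments) into bytes, and runs a plain substring match the way the content keyword does; the matcher is a simplified model that only handles the pipe syntax and nocase, not the full keyword.

```python
import struct


def parse_content(spec):
    """Turn a Snort content: argument into raw bytes.

    Text outside |...| is literal; text inside is hex bytes, so
    '|77 77 77 07|youtube|03|com' becomes b'www\\x07youtube\\x03com'.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)       # hex segment, spaces allowed
    return bytes(out)


def dns_qname(hostname):
    """Encode a hostname as a DNS QNAME: length-prefixed labels, NUL terminated."""
    labels = hostname.split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_query(hostname, txid=0x1234):
    """Constructed sample: a minimal DNS A query, i.e. the UDP payload Snort inspects."""
    # id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_qname(hostname) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def content_matches(payload, spec, nocase=False):
    """Substring match of a content: pattern against the payload (nocase like Snort's modifier)."""
    pattern = parse_content(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


if __name__ == "__main__":
    post_rule = "|77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d|"
    print(content_matches(build_dns_query("www.youtube.com"), post_rule))  # True
    # The bytes start with "www", so a query for another subdomain is missed:
    print(content_matches(build_dns_query("m.youtube.com"), post_rule))    # False
    # Anchoring on the full label sequence "youtube" "com" plus the terminating
    # NUL catches any subdomain of youtube.com, and nocase handles mixed case:
    domain_rule = "|07|youtube|03|com|00|"
    print(content_matches(build_dns_query("M.YouTube.com"), domain_rule, nocase=True))  # True
```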


Mihir
