Attack Signatures: A Practical Guide

TL;DR

This guide shows you how to find and use attack signatures (IDS rules) to improve your detection coverage. We cover where to get them, how to read them, how to load them into common engines such as Suricata or Snort, and how to test and tune them so they fire on real attacks without burying you in false positives.

Understanding Attack Signatures

Attack signatures are patterns that identify known malicious activity: a byte sequence or string in network traffic, a file hash or an unexpected file change, or a suspicious sequence of events on a host. They are similar in spirit to antivirus definitions, but IDS rule languages are open and customisable, so you can read, modify and write your own. The trade-off is that a signature only catches what it was written for; novel or deliberately obfuscated attacks need other controls alongside it.

1. Finding Signature Sources

  1. Emerging Threats: A free, regularly updated signature set. https://rules.emergingthreats.net/
  2. Snort Rules: The official Snort rule database. https://www.snort.org/rules
  3. Suricata Compatible Rules: Most rules written in the Snort 2 syntax also load in Suricata. The reverse is not always true: Suricata-specific keywords (for example the http.user_agent buffer) are not understood by Snort, and Snort 3 has its own rule dialect, so check each set against the engine version you actually run.
  4. Vendor Specific Feeds: Your firewall or intrusion detection system (IDS) vendor may provide signature updates.
  5. Threat Intelligence Platforms: Some platforms offer curated signatures, often based on the latest threats.

2. Downloading and Preparing Rules

Most rules are distributed as plain-text .rules files, usually bundled in a tarball. Download them over HTTPS and unpack them; the Emerging Threats tarballs extract into a rules/ directory, and the exact tarball name depends on the engine version you run, so check the index at the Emerging Threats URL above.

wget https://rules.emergingthreats.net/open/suricata/rules/emerging-all.rules.tar.gz
tar -xvzf emerging-all.rules.tar.gz

If you run Suricata, the suricata-update tool that ships with it automates this step: it fetches ET Open by default, applies your enable and disable lists, and writes a single merged suricata.rules file for the engine to load.

3. Understanding Rule Syntax (Suricata Example)

Rules have a header (action, protocol, addresses, ports and direction) followed by options in parentheses. Options are separated by semicolons, and every option, including the last one, must end with one.

Example Rule:

alert tcp any any -> any 80 (msg:"HTTP GET request with suspicious User-Agent"; content:"User-Agent: BadBot/1.0"; sid:1234567; rev:1;)
  • alert: The action to take (alert, drop, reject, pass). drop and reject only take effect when the engine runs inline as an IPS; in passive IDS mode they are logged like alert.
  • tcp: The protocol. Suricata also accepts application-layer protocols such as http, which lets the rule match on parsed HTTP fields.
  • any any -> any 80: Source IP and port, direction, destination IP and port. 'any' matches everything; variables such as $HOME_NET and $HTTP_PORTS, defined in the engine configuration, are the usual way to scope a rule to your own network.
  • msg: The text that appears in the alert.
  • content: The byte pattern to search for. A bare content match is checked against the whole payload, so it also fires if the string turns up in a request body or a response; in Suricata, placing a buffer keyword such as http.user_agent; before content restricts the match to the parsed User-Agent header.
  • sid: A unique signature ID (required). IDs below 1,000,000 are reserved for distributed rule sets; use 1,000,000 and above for your own rules.
  • rev: Revision number. Increment it every time you change the rule so that alerts and tuning entries can be tied to a specific version of it.
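The rule format above is easy to read but easy to get wrong: a comma where a semicolon belongs, a copy-pasted sid, a forgotten rev. As an added example that is not part of the original article, the following Python script parses the header and option list of Suricata/Snort-style rules, honouring double quotes and backslash escapes so a semicolon inside a content string is not treated as a separator, and then checks a whole file for malformed lines, duplicate sids and missing rev values. The sample rule file is constructed for this example; its second rule uses the Suricata http.user_agent buffer keyword, which assumes Suricata 5 or later.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the original article: a minimal parser for the
# Suricata/Snort rule format (header, then ';'-terminated options in
# parentheses), plus a sanity check over a whole rule file.

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+'
    r'(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)

@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # (keyword, value-or-None), in order

    def option(self, key):
        """Value of the first option named key, or None if absent or valueless."""
        for k, v in self.options:
            if k == key:
                return v
        return None

    def has(self, key):
        """True if the keyword is present at all (needed for valueless ones)."""
        return any(k == key for k, _ in self.options)

def split_options(text):
    """Split on ';' outside double quotes. A backslash escapes the next
    character, so an escaped semicolon inside a content string does not
    split the option. Each option must be terminated by ';'."""
    opts, buf, in_quote, esc = [], [], False, False
    for ch in text:
        if esc:
            buf.append(ch); esc = False
        elif ch == '\\':
            buf.append(ch); esc = True
        elif ch == '"':
            buf.append(ch); in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(buf).strip()); buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError('unterminated quote in options')
    if ''.join(buf).strip():
        raise ValueError('last option is not terminated by ";"')
    parsed = []
    for o in opts:
        if not o:
            continue
        k, sep, v = o.partition(':')  # keyword:value, or a bare keyword
        parsed.append((k.strip(), v.strip() if sep else None))
    return parsed

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a rule header: ' + line)
    fields = m.groupdict()
    opts = split_options(fields.pop('options'))
    rule = Rule(options=opts, **fields)
    if rule.option('sid') is None:
        raise ValueError('rule has no sid')
    return rule

def parse_rules(text):
    """Parse a rules file. Blank and '#' lines are skipped. Returns the rules
    plus (line number, description) for malformed lines, duplicate sids and
    rules without a rev."""
    rules, seen, problems = [], {}, []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        try:
            r = parse_rule(s)
        except ValueError as e:
            problems.append((n, str(e)))
            continue
        sid = r.option('sid')
        if sid in seen:
            problems.append((n, f'duplicate sid {sid} (first seen on line {seen[sid]})'))
        else:
            seen[sid] = n
        if r.option('rev') is None:
            problems.append((n, f'sid {sid} has no rev'))
        rules.append(r)
    return rules, problems

# Constructed sample rule file for this example (not a real rule set).
SAMPLE_RULES = """\
# local rules
alert tcp any any -> any 80 (msg:"HTTP GET request with suspicious User-Agent"; content:"User-Agent: BadBot/1.0"; sid:1234567; rev:1;)
alert http any any -> any any (msg:"Suspicious User-Agent via http.user_agent"; flow:established,to_server; http.user_agent; content:"BadBot/1.0"; nocase; sid:1234568; rev:2;)
alert tcp any any -> any 80 (msg:"Duplicate sid on purpose"; content:"x"; sid:1234567; rev:1;)
alert tcp any any -> any 80 (msg:"Forgot the rev"; content:"y"; sid:1234569;)
alert tcp any any -> any 80 (msg:"Commas instead of semicolons", content:"z", sid:1234570, rev:1)
"""

if __name__ == '__main__':
    rules, problems = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(r.action, r.proto, r.src_ip, r.src_port, r.direction,
              r.dst_ip, r.dst_port, r.option('sid'), r.option('msg'))
    for n, p in problems:
        print(f'line {n}: {p}')
```

Run it against your own local rules file before loading it; the last sample line reproduces the comma-for-semicolon mistake and is reported as a parse error rather than silently accepted.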

4. Loading Rules into Your IDS

  1. Suricata: Edit your suricata.yaml. The default-rule-path setting names the directory rule files live in, and the rule-files list names the files to load (a bare filename is looked up under default-rule-path, an absolute path is used as given). If you use suricata-update, list the merged suricata.rules it writes instead of the individual files.
    rule-files:
     - emerging-all.rules
     - /path/to/your/custom/rules.rules
  2. Snort: Snort 2 reads snort.conf, where rule files are pulled in with the include directive and $RULE_PATH is a variable defined earlier in the same file. Snort 3 replaced snort.conf with a Lua configuration (snort.lua) in which rule files are listed in the ips table, so these lines do not carry over unchanged.
    include $RULE_PATH/emerging-all.rules
    include /path/to/your/custom/rules.rules
  3. Test, Then Restart: Run the engine in configuration-test mode (the -T option in both Suricata and Snort) against your config before restarting. Snort 2 refuses to start on a malformed rule, which takes the sensor offline; Suricata logs the error and skips that rule, which silently leaves the gap you were trying to close. Once the test passes, restart the service to load the new rules (Suricata can also reload rules in place on SIGUSR2, which keeps existing flow state).
    sudo systemctl restart suricata

5. Testing and Tuning

  • Generate Test Traffic: Send traffic that should match from a host on the monitored segment, for example curl with the -A option to set the User-Agent for the rule above, or hping3 for crafted packets. If the traffic does not cross the interface the sensor listens on, no rule will fire however correct it is. For repeatable tests, replay a capture instead: Suricata reads a pcap file directly with the -r option.
  • Check Logs: Confirm the alert appears, with the sid and rev you expect, in fast.log (one line per alert) or eve.json (JSON, easier to search and to ship to a SIEM), both under /var/log/suricata by default.
  • Reduce False Positives: If a rule fires on legitimate traffic, first look at who is triggering it. Alerts dominated by one source (a vulnerability scanner, a monitoring host) are best handled with a suppress or threshold entry in threshold.config for that sid and address; alerts spread across many ordinary hosts mean the pattern itself is too broad and the rule needs tighter criteria (a protocol buffer, a flow direction, a longer content). Disable a rule only as a last resort, and record why, because a disabled rule is a detection gap you will forget about.
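To make the "look at who is triggering it" step repeatable, here is an added Python example that is not part of the original article. It parses Suricata fast.log lines, summarises hits and distinct sources per sid, and proposes threshold.config suppress entries for rules dominated by a single source while flagging rules that fire across many hosts for refinement. It assumes the one-line fast.log layout shown in the constructed sample and IPv4 addresses; the thresholds (5 hits, 80% from one source) are arbitrary choices for this example.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the original article: triage Suricata fast.log
# output to find noisy rules. Assumes the classic one-line fast.log layout
# and IPv4 addresses; the sample lines further down are constructed.

FASTLOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'   # classification is optional
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

def parse_fastlog(text):
    """Return one dict per alert line; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def summarise(alerts):
    """Per sid: message, total hits, number of distinct sources and the
    share of hits coming from the single most active source."""
    srcs_by_sid, msg_by_sid = defaultdict(list), {}
    for a in alerts:
        srcs_by_sid[a['sid']].append(a['src'])
        msg_by_sid.setdefault(a['sid'], a['msg'])
    summary = {}
    for sid, srcs in srcs_by_sid.items():
        top_src, top_n = Counter(srcs).most_common(1)[0]
        summary[sid] = {
            'msg': msg_by_sid[sid],
            'hits': len(srcs),
            'sources': len(set(srcs)),
            'top_src': top_src,
            'top_share': top_n / len(srcs),
        }
    return summary

def suggest_tuning(summary, min_hits=5, dominance=0.8):
    """Rules whose hits come overwhelmingly from one host (a scanner, a
    monitoring box) get a threshold.config suppress line for that host.
    Rules noisy across many hosts are returned for refinement instead,
    because suppressing them would only hide a badly scoped pattern."""
    suppress, refine = [], []
    for sid, s in sorted(summary.items()):
        if s['hits'] < min_hits:
            continue  # too few hits to judge; leave the rule alone
        if s['top_share'] >= dominance:
            suppress.append(
                f"suppress gen_id 1, sig_id {sid}, track by_src, ip {s['top_src']}")
        else:
            refine.append(sid)
    return suppress, refine

# Constructed sample: four hits of sid 1234567 from one host plus one from
# another, sid 2000001 once each from five hosts, one lone hit of sid 3000001,
# and a line that is not an alert at all.
SAMPLE_FASTLOG = """\
01/25/2024-09:00:01.000001  [**] [1:1234567:1] HTTP GET request with suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
01/25/2024-09:00:02.000001  [**] [1:1234567:1] HTTP GET request with suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51235 -> 203.0.113.10:80
01/25/2024-09:00:03.000001  [**] [1:1234567:1] HTTP GET request with suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51236 -> 203.0.113.10:80
01/25/2024-09:00:04.000001  [**] [1:1234567:1] HTTP GET request with suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51237 -> 203.0.113.10:80
01/25/2024-09:00:05.000001  [**] [1:1234567:1] HTTP GET request with suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.6:40001 -> 203.0.113.10:80
01/25/2024-09:01:01.000001  [**] [1:2000001:3] LOCAL Raw IP host header over HTTP [**] [Priority: 3] {TCP} 10.0.0.7:40002 -> 198.51.100.1:80
01/25/2024-09:01:02.000001  [**] [1:2000001:3] LOCAL Raw IP host header over HTTP [**] [Priority: 3] {TCP} 10.0.0.8:40003 -> 198.51.100.1:80
01/25/2024-09:01:03.000001  [**] [1:2000001:3] LOCAL Raw IP host header over HTTP [**] [Priority: 3] {TCP} 10.0.0.9:40004 -> 198.51.100.1:80
01/25/2024-09:01:04.000001  [**] [1:2000001:3] LOCAL Raw IP host header over HTTP [**] [Priority: 3] {TCP} 10.0.0.10:40005 -> 198.51.100.1:80
01/25/2024-09:01:05.000001  [**] [1:2000001:3] LOCAL Raw IP host header over HTTP [**] [Priority: 3] {TCP} 10.0.0.11:40006 -> 198.51.100.1:80
01/25/2024-09:02:00.000001  [**] [1:3000001:1] LOCAL Something rare [**] [Priority: 3] {TCP} 10.0.0.20:40007 -> 198.51.100.2:443
this line is not an alert and is skipped
"""

if __name__ == '__main__':
    summary = summarise(parse_fastlog(SAMPLE_FASTLOG))
    for sid, s in sorted(summary.items()):
        print(sid, s['hits'], 'hits from', s['sources'], 'sources;',
              f"{s['top_share']:.0%} from", s['top_src'])
    suppress, refine = suggest_tuning(summary)
    print('\n'.join(suppress))
    print('refine:', ', '.join(refine))
```

Treat the suppress lines as candidates to review, not as something to append to threshold.config blindly: a single host generating most of the hits for a rule can be a scanner, but it can also be the one compromised machine you were hoping to find.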