
Documentation: Guidance around signature writing. #52

Open
quadrantsec opened this issue Dec 14, 2022 · 2 comments

Comments

@quadrantsec
Collaborator

Add a section around proper signature writing for Sagan (William).

@wrharding
Contributor

For example:

The following rule may be written in a way that Sagan will understand properly, but having the classtype before "program" is not less readable:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; event_id: 4907|; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)

Putting the classtype after all keywords that perform content checks would be a preferred method. This is also in line with how Emerging Threats writes their Suricata rules:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; event_id: 4907|; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; program: *Security*; classtype: system-event; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)

Now, considering this documentation on high-performance considerations with Sagan and Sagan rules, all rules should be written following those recommendations.

Continuing with the above rule:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; event_id: 4907|; program: *Security*; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)

I'm now wondering if the event_id keyword should come before or after the program keyword. EventIDs are only unique per-channel for Windows Logs, so it would make sense to me that we would want the program keyword to be written before the event_id keyword in the rule. I'm unsure if Sagan respects this order. @bryant-smith has been doing a fantastic job creating rules similar to the above suggestions, but documentation explicitly outlining how to write rules efficiently would be incredibly helpful to us all! Let me know if I can help in any way!

@bryant-smith
Contributor

So far I've been writing rules based on the order of which the content will show up in the logs and which are the fastest matches. So in order I put program, event_id then a content match before I start using meta_content and pcre.
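To make the ordering discussed in the two comments above checkable, here is an added Python linter that is not part of Sagan or of this issue: it splits a rule's option block, flags a matcher placed after a costlier one and a classtype placed before the last matcher, and rewrites the rule in the program, event_id, content, meta_content, pcre order. The cost ranking is the one described in the previous comment and is an assumption, not something read from Sagan's engine.

```python
# Keyword order from the thread, cheapest match first: program, event_id,
# content, then meta_content and pcre. classtype and other metadata follow.
MATCH_ORDER = {"program": 0, "event_id": 1, "content": 2, "meta_content": 3, "pcre": 4}

def split_options(rule):
    """(keyword, value) pairs from the option block; ';' splits only outside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    fields, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf))
    pairs = []
    for field in (f.strip() for f in fields if f.strip()):
        key, _, value = field.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs

def lint_rule(rule):
    """Flag a matcher placed after a costlier one, and a classtype placed before the last matcher."""
    keys = [k for k, _ in split_options(rule)]
    findings, costliest = [], None
    for key in (k for k in keys if k in MATCH_ORDER):
        if costliest and MATCH_ORDER[key] < MATCH_ORDER[costliest]:
            findings.append(f"{key} should come before {costliest}")
        if costliest is None or MATCH_ORDER[key] > MATCH_ORDER[costliest]:
            costliest = key
    last_matcher = max((i for i, k in enumerate(keys) if k in MATCH_ORDER), default=-1)
    if "classtype" in keys and keys.index("classtype") < last_matcher:
        findings.append("classtype should follow the last matching keyword")
    return findings

def reorder_rule(rule):
    """Rewrite the option block in the recommended order; the sort is stable, so duplicate keywords keep their order."""
    head = rule[:rule.index("(")]
    ordered = sorted(split_options(rule), key=lambda kv: 0 if kv[0] == "msg" else 1 + MATCH_ORDER.get(kv[0], 99))
    return head + "(" + "; ".join(f"{k}: {v}" if v else k for k, v in ordered) + ";)"

# The first rule posted in the thread (copied from the page, not constructed).
RULE = (r'alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] Auditing settings '
        r'on object were changed"; event_id: 4907|; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; '
        r'classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/'
        r'windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; '
        r'reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 4;)')
```

Running `lint_rule(RULE)` reports both problems from the first comment (program after the costlier keywords, classtype before the last matcher), and `reorder_rule(RULE)` yields a rule that lints clean.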
