├── README.md
├── license.md
└── snort-rule-generator.pl


/README.md:
--------------------------------------------------------------------------------
 1 | snort-rule-generator
 2 | ====================
 3 | 
 4 | This script can quickly generate Snort rules for common network behaviors from IOCs. Best effort is made to make the rules efficient. 
 5 | 
 6 | ######Usage:
 7 | 
 8 | ```
 9 | ./snort_rule_generator.pl -h
10 | 
11 | Valid Options:
12 | --type => required parameter, specify type of signature you want to generate.
13 |         dns-query | dns query for a domain
14 |         dns-reply | match a dns reply containing a specified IP/CIDR
15 |         http-req-domain | http request for a specific domain
16 |         http-file-name | http request for a specific file name
17 | --value => required parameter, contains the key value you want to generate the signature for.
18 | --help => print usage information
19 | ```
20 | 
21 | ######DNS queries:
22 | 
23 | ```
24 | ./snort_rule_generator.pl --type dns-query --value google.com
25 | alert udp $HOME_NET any -> any 53 (msg:""; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|google|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:xxxx; rev:1;)
26 | ```
27 | 
28 | ######DNS replies:
29 | 
30 | ```
31 | #ip address
32 |  ./snort_rule_generator.pl --type dns-reply --value 12.3.4.56
33 | alert udp any 53 -> $HOME_NET any (msg:"DNS Reply - IP - 12.3.4.56"; content:"|00 01 00 01|"; content:"|00 04 0C 03 04 38|"; distance:4; within:6; classtype:trojan-activity; sid:xxxx; rev:1;)
34 | 
35 | #class c cidr
36 | ./snort_rule_generator.pl --type dns-reply --value 1.2.3
37 | alert udp any 53 -> $HOME_NET any (msg:"DNS Reply - IP - 1.2.3."; content:"|00 01 00 01|"; content:"|00 04 01 02 03|"; distance:4; within:5; classtype:trojan-activity; sid:xxxx; rev:1;)
38 | ```
39 | 
40 | ######HTTP domains:
41 | 
42 | ```
43 | ./snort_rule_generator.pl --type http-req-domain --value google.com
44 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request to domain - google.com"; flow:established,to_server; content:"Host|3a 20|google.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:xxxx; rev:1;)
45 | ```
46 | 
47 | ######HTTP requests containing a file name:
48 | 
49 | ```
50 | ./snort_rule_generator.pl --type http-file-name --value malware.exe
51 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request with filename - malware.exe"; flow:established,to_server; content:"malware.exe"; http_uri; fast_pattern:only; pcre:"/malware\.exe$/U"; classtype:trojan-activity; sid:xxxx; rev:1;)
52 | ```
53 | 


--------------------------------------------------------------------------------
/license.md:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014 Jake Warren
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/snort-rule-generator.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/perl
  2 | #todo add ssl cert
  3 | 
  4 | 
  5 | use Getopt::Long;
  6 | 
  7 | my $type = -1;
  8 | my $value = -1;
  9 | 
 10 | 
 11 | usage(),exit if (@ARGV <1 or !GetOptions ("type=s" => \$type,
 12 |     "value=s" => \$value,
 13 |     "help"=>\$help) or defined $help);
 14 | 
 15 | 
 16 | #validate command line arguments
 17 | usage("Error: Missing required parameters."),exit() if $type==-1;
 18 | 
 19 | usage("Error: Rule value was not provided"),exit() if($type!=-1 && $value==-1);
 20 | 
 21 | generateDNSQueryRule($value) if $type eq "dns-query";
 22 | generateDNSReplyIPRule($value) if $type eq "dns-reply";
 23 | generateHTTPReqRule($value) if $type eq "http-req-domain";
 24 | generateHTTPFileNameRule($value) if $type eq "http-file-name";
 25 | generateSSLCertCommonNameRule($value) if $type eq "ssl-cert-common-name";
 26 | 
 27 | sub generateHTTPReqRule()
 28 | {
 29 |     my $domain = shift;
 30 |     my $domainLength = length($domain);
 31 | 
 32 |     print 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request to domain - '.$domain.'"; flow:established,to_server; content:"Host|3a 20|'.$domain.'|0d 0a|"; http_header; ';
 33 | 
 34 |     if ($domainLength <= 12)
 35 |     {
 36 |         print "fast_pattern:only;";
 37 |     }
 38 |     elsif ($domainLength <=20)
 39 |     {
 40 |         print "fast_pattern:6,$domainLength;";
 41 |     }
 42 |     elsif ($domainLength > 20)
 43 |     {
 44 |         print "fast_pattern:6,20;";
 45 |     }
 46 | 
 47 |     print ' classtype:trojan-activity; sid:xxxx; rev:1;)';
 48 |     print "\n";
 49 | }
 50 | 
 51 | 
 52 | sub generateHTTPFileNameRule()
 53 | {
 54 |     my $fileName = shift;
 55 |     my $fileRegex = quotemeta $fileName;
 56 |     my $fileNameLength = length($fileName);
 57 | 
 58 |     print 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request with filename - '.$fileName.'"; flow:established,to_server; content:"'.$fileName.'"; http_uri; ';
 59 | 
 60 |     if($fileNameLength <= 20)
 61 |     {
 62 |         print "fast_pattern:only;";
 63 |     }
 64 |     else
 65 |     {
 66 |         print "fast_pattern:0,20;";
 67 |     }
 68 | 
 69 |     print ' pcre:"/'.$fileRegex.'$/U"; classtype:trojan-activity; sid:xxxx; rev:1;)';
 70 |     print "\n";
 71 | }
 72 | 
 73 | sub generateDNSQueryRule()
 74 | {
 75 |     my @domain = split(/\./,shift);
 76 | 
 77 |     print 'alert udp $HOME_NET any -> any 53 (msg:""; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"';
 78 |     foreach $token (@domain)
 79 |     {
 80 |         my $length = length($token);
 81 |         print "|". sprintf("%02x",$length). "|$token";
 82 | 
 83 |     }
 84 | 
 85 |     print '|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:xxxx; rev:1;)';
 86 |     print "\n";
 87 | }
 88 | 
 89 | sub generateDNSReplyIPRule
 90 | {
 91 |     my $ip = shift;
 92 | 
 93 |     print 'alert udp any 53 -> $HOME_NET any (msg:"DNS Reply - IP - '.$ip.'"; content:"|00 01 00 01|"; content:"|00 04 ';
 94 | 
 95 |     my @octets = split(/\./,$ip);
 96 |     my $index = $#octets;
 97 |     foreach (@octets)
 98 |     {
 99 |         print uc sprintf("%02x",$_);
100 |         print " " unless !$index--;
101 |     }
102 | 
103 |     print '|"; distance:4; within:'.($#octets+3).'; classtype:trojan-activity; sid:xxxx; rev:1;)';
104 |     print "\n";
105 | 
106 | }
107 | 
108 | sub generateSSLCertCommonNameRule
109 | {
110 |     my $field = shift;
111 | 
112 |     print 'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SSL Cert - '.$field.'"; content:"|16|"; content:"|0b|"; distance:2; within:8; content:"|55 04 03|"; distance:0; content:"';
113 |     my $length = length($field);
114 |     print "|". sprintf("%02x",$length). "|$field";
115 | 
116 | 
117 |     print '"; distance:1; within:'.($length+1).'; classtype:trojan-activity; sid:xxxx; rev:1;)';
118 |     print "\n";
119 | 
120 |     
121 | }
122 | 
123 | 
124 | sub usage()
125 | {
126 |     my $msg = shift;
127 | 
128 |     if(defined($msg))
129 |     {
130 |         print "$msg\n";
131 |     }
132 | 
133 |     print "\nValid Options:\n";
134 |     print "--type => required parameter, specify type of signature you want to generate.\n";
135 |     print "\tdns-query | dns query for a domain\n";
136 |     print "\tdns-reply | match a dns reply containing a specified IP/CIDR\n";
137 |     print "\thttp-req-domain | http request for a specific domain\n";
138 |     print "\thttp-file-name | http request for a specific file name\n";
139 |     print "\tssl-cert-common-name | download of SSL cert with specific CN (common name) field value\n";
140 |     print "--value => required parameter, contains the key value you want to generate the signature for.\n";
141 |     print "--help => print usage information\n";
142 | }
143 | 


--------------------------------------------------------------------------------