
List:       snort-sigs
Subject:    Re: [Snort-sigs] Request for CVE Number Information
From:       "Russ Combs (rucombs) via Snort-sigs" <snort-sigs@lists.snort.org>
Date:       2024-03-12 14:19:47
Message-ID: MN2PR11MB4048A847BADF072D81F5F433B72B2@MN2PR11MB4048.namprd11.prod.outlook.com



You can do this with Snort 3 but only for raw packets by adding these lines to your config:

    search_engine.detect_raw_tcp = true
    alerts.log_references = true

and running with snort -A full. It will give output like this:

[**] [1:1:0] "message" [**]
[Priority: 0]
06/17-16:01:09.780413 10.1.2.3:10001 -> 10.9.8.7:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:249
***A**** Seq: 0x2  Ack: 0x2  Win: 0x8000  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=0000-9999]

All references in the alerting signature will be listed. (The example has a bogus CVE = 0000-9999.)

We'll fix it to work for all alerts using full, csv, and json.

Thanks
Russ
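As an added example (not code from Russ's post or from the Snort project), a small Python parser for the `-A full` output format shown above: it collects every `[Xref => ...]` reference per alert and turns cve.mitre.org links into CVE ids, which is what a per-PCAP CVE report needs. The sample input is constructed; it reuses the bogus 0000-9999 reference from the post and a placeholder 1111-2222 that is not a real CVE.

```python
import re
# Constructed sample of `snort -A full` output with alerts.log_references = true. Record 1
# reproduces the bogus 0000-9999 reference from the post; record 2 uses a placeholder
# (1111-2222) that is NOT a real CVE plus a non-CVE reference on the same Xref line.
SAMPLE_ALERTS = """\
[**] [1:1:0] "message" [**]
[Priority: 0]
06/17-16:01:09.780413 10.1.2.3:10001 -> 10.9.8.7:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:249
***A**** Seq: 0x2  Ack: 0x2  Win: 0x8000  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=0000-9999]

[**] [1:2:1] "placeholder rule with two references" [**]
[Priority: 1]
06/17-16:01:10.000001 10.1.2.3:10002 -> 10.9.8.7:80
TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:100
***A**** Seq: 0x3  Ack: 0x3  Win: 0x8000  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1111-2222][Xref => http://example.invalid/advisory]
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] "(.*)" \[\*\*\]$')
FLOW_RE = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')   # timestamp, IPv4 src -> dst
XREF_RE = re.compile(r'\[Xref => ([^\]]+)\]')                 # one or more per line
CVE_RE = re.compile(r'cvename\.cgi\?name=(\d{4}-\d{4,})$')    # cve.mitre.org link -> id

def parse_full_alerts(text):
    """Split full-format output into blank-line separated records; return one dict each."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record (e.g. a stats banner)
        gid, sid, rev, msg = m.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg, "xrefs": []}
        for line in lines[1:]:
            if (f := FLOW_RE.match(line)):
                rec["timestamp"], rec["src"], rec["dst"] = f[1], f"{f[2]}:{f[3]}", f"{f[4]}:{f[5]}"
            rec["xrefs"].extend(XREF_RE.findall(line))  # every reference in the rule
        rec["cves"] = ["CVE-" + c[1] for u in rec["xrefs"] if (c := CVE_RE.search(u))]
        alerts.append(rec)
    return alerts

def cves_by_rule(alerts):
    """Per-PCAP summary: 'gid:sid:rev' -> sorted unique CVE ids seen for that rule."""
    out = {}
    for a in alerts:
        out.setdefault(f"{a['gid']}:{a['sid']}:{a['rev']}", set()).update(a["cves"])
    return {k: sorted(v) for k, v in out.items()}
```

Non-CVE references (bugtraq, vendor URLs) stay in `xrefs`, so nothing the rule author listed is lost; only the cve.mitre.org form is normalised into `cves`.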

________________________________
From: Snort-sigs <snort-sigs-bounces@lists.snort.org> on behalf of Mohamed Sayed <mohamed.sayed@invictux.com>
Sent: Monday, March 11, 2024 8:31 AM
To: snort-sigs@lists.snort.org <snort-sigs@lists.snort.org>
Subject: [Snort-sigs] Request for CVE Number Information


Hello Snort Team,

I have an important question regarding whether Snort rules can provide the CVE number if an alert is raised from detecting malicious patterns or activities. Additionally, I'm curious if there are any settings or features available to display related CVEs for these malicious activities, as I will be running this on PCAP files.



Best Regards,

Mohamed Sayed
OT/ICS Cybersecurity Engineer
OT/ICS Services | Invictux
Your Security Is Our Responsibility
+2 01119588936
Mohamed.Sayed@Invictux.com
www.Invictux.com
Ashgar Darna Compound, Ring Rd, El-Basatin, Cairo.

