Message 21 of 24

Re: Snort Rule creation

Hi Ahmed,

From the UDS Guide:

Severity: An attack definition can have a severity of low, medium, or high.

In case of McAfee Custom Attacks, you can specify the severity. You can also modify the severity of an existing custom attack.

In case of Snort, it is based on the priority value of the rule. For a rule, this priority could be derived from its classtype or the priority option.

If you add Priority:1 to the rule - it will show with a 'high severity' (not as mentioned on my last reply), while priority:3 (or maybe 4 - I can't remember) would be the lowest severity.

Regards

David


Re: Snort Rule creation

Hi, thanks for your continuous support.

Also, I would like to ask you about the creation attributes for the Snort rules: they are very limited and there is no option for the severity.

SA
Message 23 of 24

Re: Snort Rule creation

You will need to modify the Snort rule to add the priority attribute, e.g.:

alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within:4; content:"|00 00 0a 00 01|"; offset:12; within:255; threshold:type threshold, track by_src, count 10, seconds 5; sid:5700001; priority:1; rev:1;)

This will show the SNORT rule on the master policy with a severity high (7 or above).

Also, another couple of points on the above rule and similar rules you want to use:

  • threshold: type threshold, track by_src, count 10, seconds 5; --> This will not be computed by the manager when importing the rule, they aren't supported attributes.
  • If you want a reconn type rule, then what you should do is add this snort rule:
    • alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; content:"|01 00|"; offset:2; within:4; content:"|00 00 0a 00 01|"; offset:12; within:255; sid:5700001; priority:1; rev:1;)  --> this will be the *base* component attack.
    • Once you save this on the Custom Attack Editor, you can go and create a new McAfee UDS Reconnaissance signature, using the above rule as the base component attack, and setting the thresholds on the custom reconn rule.
    • track by_src is not a supported attribute either, but reconn rules should trigger when the src, dst, dst port and alert are the same, so the sensor will be tracking the src IP anyway.

The custom attack editor guide has more details on what attributes are and are not supported when importing snort rules.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26347/en_US/...

Regards

David
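
For anyone who wants to sanity-check a rule before pasting it into the Custom Attack Editor, here is a small Python helper added to this thread as an example; it is not McAfee's code and not the NSP/UDS importer. It approximates the behaviour David describes: severity is derived from the priority option and otherwise from the classtype (using the default priorities from Snort's classification.config), and the threshold option, which carries the track by_src clause, is stripped to produce the base component attack. The mapping of priority 1, 2 and 3-or-higher to high, medium and low, the function names, and the second (constructed) sample rule are assumptions made for the example, not anything stated in the guide.

```python
# Added example for this thread, not McAfee code and not the NSP/UDS importer.
# It approximates what David describes: severity is derived from the priority
# option (or, failing that, the classtype), and threshold (with its embedded
# "track by_src") is not computed on import, so it is stripped to produce
# the base component attack. Mapping assumptions are marked below.

# Default priorities from Snort's classification.config (subset). Snort's
# documented behaviour is that an explicit priority overrides the classtype.
CLASSTYPE_PRIORITY = {
    "attempted-admin": 1, "attempted-user": 1, "shellcode-detect": 1,
    "trojan-activity": 1, "web-application-attack": 1, "policy-violation": 1,
    "attempted-recon": 2, "attempted-dos": 2, "bad-unknown": 2, "misc-attack": 2,
    "misc-activity": 3, "not-suspicious": 3, "network-scan": 3, "tcp-connection": 4,
}
UNSUPPORTED_OPTIONS = {"threshold"}  # per the thread: not computed on import


def severity_from_priority(priority):
    """Assumed mapping to the UDS low/medium/high scale: the thread confirms
    1 -> high and 3 (or 4) -> lowest; 2 -> medium is an assumption."""
    return "high" if priority <= 1 else "medium" if priority == 2 else "low"


def split_options(body):
    """Split on ';' without breaking quoted values (backslash escapes inside quotes)."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def parse_rule(rule):
    """Return (header, [(name, value_or_None), ...]) in option order. Names are
    lower-cased and whitespace around ':' is tolerated, so "within :4" and
    "sid: 5700001" parse like their tidy forms."""
    header, paren, rest = rule.strip().partition("(")
    if not paren or not rest.endswith(")"):
        raise ValueError("rule needs a parenthesised option block")
    options = []
    for item in split_options(rest[:-1]):
        name, sep, value = item.partition(":")
        options.append((name.strip().lower(), value.strip() if sep else None))
    return header.strip(), options


def option_value(options, name):
    return next((v for n, v in options if n == name), None)


def derive_severity(options):
    """Return (severity, source); source is 'priority', 'classtype' or None."""
    prio = option_value(options, "priority")
    if prio is not None and prio.isdigit():
        return severity_from_priority(int(prio)), "priority"
    ctype = (option_value(options, "classtype") or "").lower()
    if ctype in CLASSTYPE_PRIORITY:
        return severity_from_priority(CLASSTYPE_PRIORITY[ctype]), "classtype"
    return "unknown", None


def base_component(rule):
    """Drop unsupported options and re-emit the rule with every option ending in
    ';' (Snort wants the terminator on the last option too). Returns (rule, dropped)."""
    header, options = parse_rule(rule)
    kept = [(n, v) for n, v in options if n not in UNSUPPORTED_OPTIONS]
    dropped = [(n, v) for n, v in options if n in UNSUPPORTED_OPTIONS]
    body = " ".join(f"{n}:{v};" if v is not None else f"{n};" for n, v in kept)
    return f"{header} ({body})", dropped


# The rule from the thread, verbatim (including "within :4" and "rev: 1").
THREAD_RULE = (
    'alert udp any any -> any 53 (msg:"High NULL requests - Potential DNS Tunneling"; '
    'content:"|01 00|"; offset:2; within :4; content:"|00 00 0a 00 01|"; offset:12; '
    'within:255; threshold: type threshold, track by_src, count 10, seconds 5; '
    'sid: 5700001; priority:1; rev: 1)'
)
# Constructed rule with no priority option, so severity must come from classtype.
CLASSTYPE_RULE = ('alert tcp any any -> any 22 (msg:"constructed example"; '
                  'flow:to_server; classtype:attempted-recon; sid:5700002; rev:1;)')

if __name__ == "__main__":
    for rule in (THREAD_RULE, CLASSTYPE_RULE):
        severity, source = derive_severity(parse_rule(rule)[1])
        rewritten, dropped = base_component(rule)
        print(f"{severity} (from {source}); dropped {[n for n, _ in dropped]}\n{rewritten}")
```

Running it on the rule above reports high severity taken from priority:1 and prints the rule with the threshold clause removed and a terminating semicolon on rev, which is the form you would paste as the base component attack before building the UDS Reconnaissance signature on top of it. The constructed second rule shows the fallback: with no priority option, attempted-recon (priority 2 in Snort's defaults) yields medium.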


Re: Snort Rule creation

Dear David,

I really appreciate your efforts, and thank you so much.

SA