My web/FTP/SMTP server(s) are logging attack attempts that look like they should be detected by the Snort rules, but Snort isn't seeing them. What is happening?
This is especially common when detecting HTTP traffic. With the liberal use of utf-8, Unicode, and even FrontPage HTTP extensions, it is child's play to avoid detection by some rules. For example, the evasion attack in the previous recipe would never have been detected by the default Snort rule without the http_inspect preprocessor.
The preprocessors play an important role in allowing the rules engine to correctly identify attack traffic. Another suggestion, especially for encoded traffic, is to detect variations on an attack using the new rule keyword pcre (Perl-compatible regular expressions). For more information on creating and using regular expressions, check out Mastering Regular Expressions (O'Reilly). That book not only gives you several good reference examples, but also devotes several chapters to the use of regular expressions in Perl. The following rule from Bleedingsnort.com detects most variants of Windows shell access (the backslash escapes in the pcre are easy to lose when the rule is copied, so check that every \s survives):
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL:"; pcre:"/(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*[(]))\s*['\"]*shell[:]/i"; classtype:web-application-attack; sid:2001100; rev:1;)
Even using regular expressions, an attacker could still send a packet with %115%104%101%108%108 instead of shell to get past this rule, because the pcre is applied to the raw bytes and never sees the literal string it is looking for. You can work around this by tuning the Snort sensor beyond the default http_inspect parameters so that hex-encoded characters are normalized to ASCII before the rules engine inspects the payload.
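To make the evasion and the fix concrete, here is an added Python example (not from the book, the Bleeding Edge rule set, or Snort itself) that transcribes the pcre above into Python's re module and runs it over a few constructed HTML fragments. The first pass matches the raw text, as a rule without normalization would; the second pass first decodes %XX URL escapes and HTML character entities, standing in for what http_inspect normalization gives the rules engine. The sample payloads, the normalize() helper and its decoding choices are assumptions of this example; real http_inspect normalization differs in detail.

```python
import html
import re
import urllib.parse

# Transcription of the Bleeding Edge pcre from the rule above.
# Assumption: Python's re is close enough to PCRE for this pattern; the /i
# modifier becomes re.IGNORECASE.
SHELL_PROTOCOL = re.compile(
    r"(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*[(]))\s*['\"]*shell[:]",
    re.IGNORECASE,
)


def normalize(payload: str, max_rounds: int = 3) -> str:
    """Stand-in for preprocessor normalization (not http_inspect's own code).

    Decodes %XX URL escapes and HTML numeric/named entities, repeating until the
    text stops changing so that double-encoded payloads are also unwrapped.
    The round limit keeps a pathological input from looping forever.
    """
    cur, prev = payload, None
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev = cur
        cur = html.unescape(urllib.parse.unquote(cur))
    return cur


def matches(payload: str, normalized: bool = True) -> bool:
    """True if the rule's pcre fires on the payload.

    normalized=False inspects the raw bytes, as a rule does without the
    preprocessor; normalized=True inspects the decoded form.
    """
    text = normalize(payload) if normalized else payload
    return SHELL_PROTOCOL.search(text) is not None


# Constructed sample response-body fragments; not captured traffic.
SAMPLES = [
    '<a href="shell:windows\\system32\\cmd.exe">',            # plain text
    "<img src = 'shell:foo'>",                                # odd spacing
    '<div style="background: url( shell:x )">',              # CSS url( form
    '<a href="&#115;&#104;&#101;&#108;&#108;:foo">',         # decimal entities
    '<a href="%73%68%65%6c%6c:foo">',                         # hex URL-encoding
    '<a href="%2573%2568%2565%256c%256c:foo">',               # double-encoded
    '<a href="http://example.invalid/">',                     # benign
]


def evaluate(samples=SAMPLES):
    """Return (payload, raw_hit, normalized_hit) for each sample."""
    return [(s, matches(s, normalized=False), matches(s)) for s in samples]


if __name__ == "__main__":
    for payload, raw_hit, norm_hit in evaluate():
        print(f"raw={raw_hit!s:5} normalized={norm_hit!s:5}  {payload}")
```

Run stand-alone, the table shows the three encoded fragments slipping past the raw-text match and being caught once normalized, while the benign link stays clear in both passes; that is exactly the gap the http_inspect tuning in the text is meant to close.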
Moore, H. D. The Metasploit Framework (http://www.metasploit.org), for tools to test evasion techniques.
Koziol, Jack, et al. The Shellcoder's Handbook. New York: Wiley, 2004.
The snort-sigs mailing list.
Friedl, Jeffrey E. F. Mastering Regular Expressions. Sebastopol, CA: O'Reilly, 2002.