Snort rule integration

With malicious attacks on web applications, it is important to protect your internal network. Malicious data not only affects your web applications at the interface level; malicious packets also reach the application layer. To overcome such attacks, it is important to configure an intrusion detection and prevention system that examines your internal network.

Snort rules are integrated into the appliance to examine data packets for malicious attacks at the application layer. You can download the Snort rules and convert them into WAF signature rules. The signatures have a rule-based configuration that can detect malicious activities such as DoS attacks, buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. By integrating Snort rules, you can strengthen your security solution at the interface and at the application level.

Configure snort rules

The configuration begins by first downloading the Snort rules and then importing them as WAF signature rules. Once you have converted the rules into WAF signatures, the rules can be used as WAF security checks. The Snort-based signature rules examine the incoming data packets to detect malicious attacks on your network.

A new parameter, “VendorType”, is added to the import command to convert Snort rules to WAF signatures.

The parameter “VendorType” is set to SNORT only for Snort rules.

Download snort rules by using the command interface

You can download the Snort rules as a text file from the following URL:

https://www.snort.org/downloads/community/snort3-community-rules.tar.gz

Import snort rules by using the command interface

After you download them, you can import the Snort rules into your appliance.

At the command prompt, type:

import appfw signatures <src> <name> [-xslt <string>] [-comment <string>] [-overwrite] [-merge [-preservedefactions]] [-sha1 <string>] [-VendorType Snort]

Example:

import appfw signatures http://www.example.com/ns/signatures.xml sig-snort -comment "signatures from snort rules" -VendorType snort

Arguments:

Src. URL (protocol, host, path, and file name) for the location at which to store the imported signatures object. Mandatory argument of maximum length: 2047

Note: The import fails if the object to be imported is on an HTTPS server that requires client certificate authentication for access.

Name. Name to assign to the signatures object on the Citrix ADC. Mandatory argument of maximum length: 31

Comment. Description of how to preserve information about the signatures object. Maximum length: 255

Overwrite. Overwrite any existing signatures object of the same name.

Merge. Merges the existing signatures with the new signature rules.

Preservedefactions. Preserves the default actions of the signature rules.

VendorType. Third-party vendor to generate the WAF signatures. Possible values: Snort.

Configure snort rules by using the Citrix ADC GUI

The GUI configuration for Snort rules is similar to configuring other external web application scanners such as Cenzic, Qualys, and Whitehat.

Follow these steps to configure Snort rules:

  1. Navigate to Configuration > Security > Citrix Web App Firewall > Signatures.
  2. In the Signatures page, click Add.
  3. In the Add Signatures page, set the following parameters to configure Snort rules.

    1. File format. Select the file format as external.
    2. Import from. Select the import option: a Snort file, or URL if you want to enter the URL.
    3. Snort V3 Vendor. Select the check box to import Snort rules from a file or from a URL.
  4. Click Open.

    Add signatures

    The appliance imports the Snort rules as snort-based WAF signature rules.

    As a best practice, use the filter actions to enable only the Snort rules that you want to import as WAF signature rules on the appliance.

    Imports snort based signatures

  5. To confirm, click Yes.

    Confirmation dialog box

  6. The selected rules are enabled on the appliance.

    Enabled snort-based signature rules

  7. Click OK.
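The conversion of a Snort rule into a WAF signature happens inside the appliance. The following added example (not Citrix or Snort project code) parses constructed Snort 3 rule lines into the fields such a conversion keys on (sid, rev, msg, classtype and the quoted content patterns) and applies an allow-list filter, which is the same idea as the "enable only the rules you prefer" step in the GUI procedure above and the convert-then-enable flow described at the start of this page. The sample rule lines, their SIDs and the select_rules helper are assumptions made for illustration.

```python
"""Added example (not Citrix or Snort project code): a minimal parser for the
Snort 3 rule text that the appliance converts to WAF signatures, plus an
allow-list filter that mirrors choosing which rules to enable before import.
All sample rules are constructed here; SIDs are arbitrary."""
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort 3 syntax (not from the community ruleset).
SAMPLE_RULES = r'''
# Comment lines and blank lines are ignored by the parser.
alert http any any -> any any ( msg:"WEB-ATTACK directory traversal attempt"; http_uri; content:"../",fast_pattern; classtype:web-application-attack; sid:1000001; rev:2; )
alert tcp any any -> any 445 ( msg:"SMB probe"; flow:to_server; classtype:attempted-recon; sid:1000002; rev:1; )
alert http any any -> any any ( msg:"CGI test script access"; http_uri; content:"/cgi-bin/test-cgi"; classtype:web-application-activity; sid:1000003; rev:1; )
# Snort 3 service rules may omit the address/port header entirely.
alert http ( msg:"script tag in query"; http_uri; content:"<script>",nocase; classtype:web-application-attack; sid:1000004; rev:1; )
# alert tcp any any -> any any ( msg:"disabled rule"; sid:1000005; rev:1; )
'''

# action, protocol, optional header (addresses/ports), and the parenthesised body
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)(?:\s+(?P<header>[^(]+?))?\s*\((?P<body>.*)\)\s*$'
)


@dataclass
class SnortRule:
    action: str
    proto: str
    header: str
    sid: int
    rev: int
    msg: str
    classtype: str
    contents: list = field(default_factory=list)


def split_options(body):
    """Split the rule body on ';' characters that are not inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def parse_rules(text):
    """Return a SnortRule for every active (non-commented) rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a variable definition)
        fields = {'sid': 0, 'rev': 0, 'msg': '', 'classtype': '', 'contents': []}
        for opt in split_options(m.group('body')):
            name, _, value = opt.partition(':')
            name, value = name.strip(), value.strip()
            if name == 'content' and value.startswith('"'):
                # content:"pattern",modifier... ; keep only the quoted pattern
                fields['contents'].append(value[1:value.find('"', 1)])
            elif name == 'msg':
                fields['msg'] = value.strip('"')
            elif name in ('sid', 'rev'):
                fields[name] = int(value)
            elif name == 'classtype':
                fields['classtype'] = value
        rules.append(SnortRule(m.group('action'), m.group('proto'),
                               m.group('header') or '', **fields))
    return rules


def select_rules(rules, classtypes=(), sids=()):
    """Allow-list filter: keep rules whose classtype or sid was chosen for import."""
    return [r for r in rules if r.classtype in classtypes or r.sid in sids]


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    chosen = select_rules(parsed, classtypes={'web-application-attack'})
    for r in chosen:
        print(r.sid, r.rev, r.classtype, r.msg, r.contents)
```

Running the module prints only the two web-application-attack rules, which is the kind of reduced set you would want to hand to the appliance so that the imported signature list contains only rules you have reviewed rather than the whole community set.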
