Rule options follow the rule header and are enclosed inside a pair of parentheses.
PCRE The pcre keyword allows rules to be written using perl compatible regular expressions which allows for more complex matches than simple content matches.īyte test The byte_test options allows a rule to test a number of bytes against a specific value in binary.Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID Within/depth These keywords allow the rule write to specify how far forward to search relative to the end of a previous content match and, once that content match is found, how far to search for it. The option data can contain mixed text and binary data.ĭistance/offset These keywords allow the rule writer to specify where to start searching relative to the beginning of the payload or the beginning of a content match. The example below shows use of mixed text and binary data in a Snort rule.Ĭharacters that must be escaped inside content rules: \ “Īlert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|" )Īlert tcp any any -> any 80 (content:!"GET" )Īnd trigger response based on that data. Bytecode represents binary data as hexadecimal. The binary data is generally enclosed within the pipe (|) character and represented as bytecode. metadata:key1 value1, key2 value2 Ĭontent This important feature allows the user to set rules that search for specific content in the packet payload Metadata: The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format. Priority: The priority keyword assigns a severity level to rules. >=3,000,000 Used for local rulesīinary content starts with | and ends with | and has hex values in between for example | 14 B3 4D | This information allows output plugins to identify rules easily and should be used with the rev (revision) keyword. Sid/rev used to uniquely identify Snort rules. For example gid:1 is associated with the rules subsystem and is the default. Gid: The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires. Reference The reference keyword allows rules to include links to external sources of information.Ĭlasstype The classtype keyword is how Snort shares what the effect of a successful attack would be.Ĭlasstype:attempted-recon See table below of Class types It allows rules to only apply to certain directions of the traffic flow. The flow keyword is used in conjunction with TCP stream reassembly. Message A meaningful message typically includes what the rule is detecting.įlow For the rule to fire, specifies which direction the network traffic is going. = bidirectional operator Rule Options GENERAL RULE OPTIONS The range operator may be apDirection or Flow operator Port numbers may be specified: any, static port 22, ranges 1:1000, and by negation ! 80. $EXTERNAL_NET = defaults to any, should be set to !$HOME_NET Port Numbers $HOME_NET = default is any, can be set to home networks operator tells Snort to match any IP address except the one indicated by the listed IP address. The addresses are formed by a straight numeric IP address and a address/CIDR combination 192.168.1.0/24 would signify the block of addresses from 192.168.1.1 to 192.168.1.255. There are four protocols that Snort currently analyzes for suspicious behavior
sdrop - block the packet but do not log it. reject - block packet, log it, and then send a TCP reset if the protocol is TCP or on UDP send ICMP port unreachable.Ħ. If you are running Snort in inline mode, you have additional options which include drop, reject, and sdrop.ĥ. alert - generate an alert using the selected alert method, and then log the packet The rule action tells Snort what to do when it finds a packet that matches the rule criteria. The header defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. (content:"|00 01 86 a5|" msg:"mountd access" ) Rule Actions