RULE WRITING

When creating Snort rules, keep the Snort operating mode (IDS or IPS) in mind, since it determines which rule actions make sense and therefore what the rule can do. User-created rules are stored in /etc/snort/rules/local.rules.

  • choose the rule action with the operating mode in mind (IDS or IPS)

  • identify the 5-tuple requirements: protocol, source/destination IP, source/destination port

  • determine which combination of rule options to use (general, payload and/or non-payload options)

  • apply the rule syntax

  • test the rule

RULE WRITING GUIDELINES

BASIC SYNTAX

<action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
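As an added example (it is not part of these notes and not Snort's own code), the following Python linter applies the checklist above and the syntax line to rule text: it splits the header into action, protocol, 5-tuple and direction, parses the options inside the parentheses, and enforces the sid range and the required msg/rev options described under DEFINITIONS. The accepted value sets are deliberately limited to what this page lists (Snort's full grammar allows more), and the sample rules are constructed for the example.

```python
import re

# Accepted values, taken from the DEFINITIONS section of these notes
# (Snort's full grammar allows more; this linter is deliberately strict).
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
IPS_ONLY_ACTIONS = {"drop", "reject", "sdrop"}   # only meaningful in inline (IPS) mode
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000                         # user-created rules: sid >= 1,000,000

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# any, $VAR, a.b.c.d[/n] or a [list], each optionally negated with '!'
IP_RE = re.compile(r"^!?(any|\$\w+|\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?|\[[^\]]+\])$")
# any, $VAR, 80, 1:1024, :1024, 1024: or a [list], each optionally negated with '!'
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*|\[[^\]]+\])$")
# one option: key, optional ':value' (a quoted value may contain ';'), terminating ';'
OPTION_RE = re.compile(r'\s*([A-Za-z_]\w*)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(opts):
    """Return ([(key, value_or_None), ...], fully_parsed) for the text inside ( )."""
    pairs, consumed = [], 0
    for m in OPTION_RE.finditer(opts):
        key, val = m.group(1), m.group(2)
        pairs.append((key, None if val is None else val.strip()))
        consumed += len(m.group(0))
    return pairs, consumed == len(opts.rstrip())


def required_mode(action):
    """Operating mode a rule needs for its action to have any effect."""
    return "IPS" if action in IPS_ONLY_ACTIONS else "IDS"


def lint_rule(rule):
    """Check one rule against the page's syntax; returns a list of findings
    (an empty list means the rule passed)."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["header must be: action proto src sport -> or <> dst dport (options)"]
    h = m.groupdict()
    findings = []
    if h["action"] not in ACTIONS:
        findings.append(f"unknown action {h['action']!r}")
    if h["proto"] not in PROTOCOLS:
        findings.append(f"unknown protocol {h['proto']!r}")
    for field, regex in (("src_ip", IP_RE), ("dst_ip", IP_RE),
                         ("src_port", PORT_RE), ("dst_port", PORT_RE)):
        if not regex.match(h[field]):
            findings.append(f"bad {field} {h[field]!r}")
    opts, ok = parse_options(h["opts"])
    if not ok:
        findings.append("could not parse every option (missing ';'?)")
    keys = [k for k, _ in opts]
    if "msg" not in keys:
        findings.append("missing msg")
    sid = next((v for k, v in opts if k == "sid"), None)
    if sid is None or not sid.isdigit():
        findings.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        findings.append(f"sid {sid} is below {LOCAL_SID_MIN}; that range is reserved, "
                        "local rules use sid >= 1,000,000")
    if "rev" not in keys:
        findings.append("missing rev")
    return findings


# Constructed sample rules for this example (not from the notes or any ruleset).
SAMPLE_RULES = {
    "good":    'alert tcp $HOME_NET any -> any 80 (msg:"HTTP GET seen"; content:"GET"; nocase; sid:1000001; rev:1;)',
    "low_sid": 'alert tcp any any <> any 80 (msg:"GET Request Found"; content:"|47 45 54|"; sid:100001; rev:1;)',
    "bad_dir": 'alert tcp any any <- any 80 (msg:"wrong direction operator"; sid:1000002; rev:1;)',
    "no_rev":  'drop icmp any any -> $HOME_NET any (msg:"ICMP blocked inline"; sid:1000003;)',
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        action = rule.split()[0]
        print(f"{name:8} mode={required_mode(action)} findings={lint_rule(rule) or 'OK'}")
```

Running the script prints one line per sample rule; `required_mode` reports when a rule only makes sense in IPS mode (drop, reject, sdrop), which is the first item of the checklist above, and `lint_rule` reports the sid-range, missing-option and malformed-header problems before the rule is ever loaded into Snort.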

DEFINITIONS

 * Action: Specifies what Snort should do when the rule matches. Examples: alert, log, drop.
    - alert: Generate an alert.
    - log: Log the packet.
    - pass: Ignore the packet.
    - drop: Drop the packet (IPS mode).
    - reject: Drop the packet and send a TCP RST or ICMP unreachable.
    - sdrop: Silent drop, no logging.
    
 * Protocol: Network protocol to match: tcp, udp, icmp, or ip.
 * Source IP: Source IP or range. Use any for all IPs, negate with !. Example: 192.168.1.0/24.
 * Source Port: Source port or range. Use any for all ports. Example: 80, 1:1024, !443.
 * Direction: Packet flow direction: -> (unidirectional), <> (bidirectional).
 * Destination IP: Destination IP or range. Use any for all IPs, negate with !.
 * Destination Port: Destination port or range. Use any for all ports.
 
 * Options: Detection and alert options enclosed in parentheses ( ).
    - Rule options syntax: (option1:value1; option2:value2; ...)
    - General Rule Options: Fundamental rule options for Snort.
       - msg: summarizes the triggered event
       - sid (aka Snort rule ID): unique rule identifier
          - scope:
             - <100: reserved rules
             - 100-999,999: rules that came with the build
             - >=1,000,000: rules created by the user (mandatory range for user-created rules)
       - reference: additional information explaining the purpose of the rule or the threat pattern; assists analysts during alert and incident investigation
       - rev: revision counter showing how many times the rule has been revised; used when maintaining and tuning rules
    - Payload Rule Options: Rule options that inspect the payload data; useful for detecting specific payload patterns.
       - content: matches specific payload data given as ASCII, HEX or both (case sensitive)
          - ASCII mode
             - alert tcp any any <> any 80  (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
          - HEX mode
             - alert tcp any any <> any 80  (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
       - nocase: disables case sensitivity for the preceding content match
          - alert tcp any any <> any 80  (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
       - fast_pattern: prioritizes a content match (case insensitive) to speed up the payload search; usage is mandatory when using multiple content options
          - alert tcp any any <> any 80  (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www";  sid:100001; rev:1;)
             - tells Snort to use the first content option ("GET") for the initial packet match
    - Non-Payload Rule Options: Rule options that focus on non-payload data; used to build specific patterns and identify network issues.
       - id: matches the IP header ID field
          - alert tcp any any <> any any (msg: "ID TEST"; id:123456; sid: 100001; rev:1;)
       - flags: matches TCP flags (F - FIN, S - SYN, R - RST, P - PSH, A - ACK, U - URG)
          - alert tcp any any <> any any (msg: "FLAG TEST"; flags:S;  sid: 100001; rev:1;)
       - dsize: matches the packet payload size (dsize:min<>max; dsize:>100; dsize:<100)
          - alert ip any any <> any any (msg: "SEQ TEST"; dsize:100<>300;  sid: 100001; rev:1;)
       - sameip: matches packets whose source and destination IP addresses are the same
          - alert ip any any <> any any (msg: "SAME-IP TEST";  sameip; sid: 100001; rev:1;)
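As an added example (not part of these notes and not Snort's own matching engine), the following Python code shows what the payload and size options above actually test against a packet: it decodes a content string written in ASCII, HEX (|47 45 54|) or a mix of both, applies nocase to the preceding content, evaluates dsize expressions, and runs a rule's option list in order against a constructed HTTP request payload. The range form of dsize is treated as inclusive, as Snort 2 implements it; the payload and option lists are constructed for the example.

```python
import re

# Constructed sample payload (41 bytes) used throughout the example.
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def decode_content(spec):
    """Turn a Snort content string into bytes: text outside |...| is literal
    ASCII, text inside |...| is space-separated hex, e.g. "GET |0d 0a|"."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: " + spec)
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_matches(payload, spec, nocase=False):
    """content: substring match, case sensitive unless nocase is set."""
    pattern = decode_content(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


DSIZE_RE = re.compile(r"^(?:(?P<lo>\d+)<>(?P<hi>\d+)|(?P<op>[<>])(?P<n>\d+)|(?P<eq>\d+))$")


def dsize_matches(payload, expr):
    """dsize: >N, <N, N, or min<>max on the payload length. The range form is
    treated as inclusive, as Snort 2 implements it."""
    m = DSIZE_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError("bad dsize expression: " + expr)
    size = len(payload)
    if m.group("lo") is not None:
        return int(m.group("lo")) <= size <= int(m.group("hi"))
    if m.group("op") == ">":
        return size > int(m.group("n"))
    if m.group("op") == "<":
        return size < int(m.group("n"))
    return size == int(m.group("eq"))


def payload_options_match(payload, options):
    """Evaluate a rule's (key, value) options in order for the options these
    notes cover: content, nocase, fast_pattern and dsize. nocase modifies the
    content option that precedes it; fast_pattern changes search order only."""
    checks = []                      # [content spec, nocase flag]
    for key, val in options:
        if key == "content":
            checks.append([val.strip('"'), False])
        elif key == "nocase":
            if not checks:
                raise ValueError("nocase must follow a content option")
            checks[-1][1] = True
        elif key == "fast_pattern":
            continue                 # picks which content is searched first, not the verdict
        elif key == "dsize":
            if not dsize_matches(payload, val):
                return False
    return all(content_matches(payload, spec, nc) for spec, nc in checks)


if __name__ == "__main__":
    rules = {
        "ascii":  [("content", '"GET"')],
        "hex":    [("content", '"|47 45 54|"')],
        "nocase": [("content", '"get"'), ("nocase", None)],
        "case":   [("content", '"get"')],
        "mixed":  [("content", '"GET"'), ("fast_pattern", None),
                   ("content", '"|0d 0a|Host"'), ("dsize", "30<>50")],
    }
    for name, opts in rules.items():
        print(f"{name:7} -> {payload_options_match(SAMPLE_PAYLOAD, opts)}")
```

The "case" entry is the one worth noticing: a lower-case content string does not match the upper-case method in the request until nocase is added, which is exactly the difference between the second and third example rules above.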
