Snort general rule options

From Notes_Wiki
Revision as of 07:31, 22 January 2019 by Saurabh (talk | contribs)



msg

The msg rule option tells the logging and alerting engine the message to print along with a packet dump or alert. It is a simple text string; the backslash (\) acts as an escape character for any character that would otherwise confuse Snort's rules parser, such as the semicolon (;).

Format:

msg:"<message text>";


reference

The reference keyword allows rules to include references to external attack identification systems. The plugin currently supports several specific systems as well as unique URLs. This plugin is to be used by output plugins to provide a link to additional information about the alert produced.

A few commonly used reference systems, with the URL prefix each one expands to, are:

  • bugtraq    http://www.securityfocus.com/bid/
  • cve        http://cve.mitre.org/cgi-bin/cvename.cgi?name=
  • nessus     http://cgi.nessus.org/plugins/dump.php3?id=
  • arachnids  http://www.whitehats.com/info/IDS
  • mcafee     http://vil.nai.com/vil/content/v
  • osvdb      http://osvdb.org/show/osvdb/
  • url        http://


Example:

alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; \
	flags:AP; content:"|fff4 fffd 06|"; reference:arachnids,IDS411;)
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; \
	flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; \
	reference:arachnids,IDS287; reference:bugtraq,1387; \
	reference:cve,CAN-2000-1574;)



gid

The gid (generator ID) keyword lets related rules be grouped under a common generator ID. When gid is used in self-written rules, a value over 1,000,000 is recommended.

Format:

gid:<generator id>;

Example:

alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)



sid

The sid keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily. This option should be used with the rev keyword.

The sid ranges are distributed as follows:

  • <100 Reserved for future use
  • 100-999,999 Rules included with the Snort distribution
  • >=1,000,000 Used for local rules

The mappings from sid or gid values to alert messages live in the various '*-msg.map' files, such as 'sid-msg.map' and 'gen-msg.map'.

Format:

sid:<snort rules id>;

Example:

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)



rev

The rev keyword is used to uniquely identify revisions of Snort rules. Revisions, along with Snort rule IDs, allow signatures and descriptions to be refined and replaced with updated information. This option should be used with the sid keyword.


Format:

rev:<revision integer>;

Example:

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)



classtype

The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class. Snort provides a default set of attack classes that are used by the default set of rules it provides. Defining classifications for rules provides a way to better organize the event data Snort produces.

Format:

classtype:<class name>;

Example:

alert tcp any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
	content:"expn root"; nocase; classtype:attempted-recon;)


Attack classifications defined by Snort reside in the classification.config file. The file uses the following syntax:

config classification: <class name>,<class description>,<default priority>

Classtypes are currently ordered with 4 default priorities. A priority of 1 (high) is the most severe and 4 (very low) is the least severe.



priority

The priority keyword assigns a severity level to a rule. A classtype sets a default priority (defined by the config classification option), which an explicit priority option in the rule overrides.

Format:

priority:<priority integer>;

Example:

alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; \
	content:"/cgi-bin/phf"; priority:10;)
alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; \
	dsize:>128; classtype:attempted-admin; priority:10;)


Most of these rule option descriptions are taken from the Snort manual.

