Next: 3.1 The Basics
Up: SNORT Users Manual 2.9.16
Previous: 2.11 Active Response
Contents

3. Writing Snort Rules
Subsections
3.1 The Basics
3.2 Rules Headers
  3.2.1 Rule Actions
  3.2.2 Protocols
  3.2.3 IP Addresses
  3.2.4 Port Numbers
  3.2.5 The Direction Operator
  3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 General Rule Options
  3.4.1 msg
  3.4.2 reference
  3.4.3 gid
  3.4.4 sid
  3.4.5 rev
  3.4.6 classtype
  3.4.7 priority
  3.4.8 metadata
  3.4.9 General Rule Quick Reference
3.5 Payload Detection Rule Options
  3.5.1 content
  3.5.2 protected_content
  3.5.3 hash
  3.5.4 length
  3.5.5 nocase
  3.5.6 rawbytes
  3.5.7 depth
  3.5.8 offset
  3.5.9 distance
  3.5.10 within
  3.5.11 http_client_body
  3.5.12 http_cookie
  3.5.13 http_raw_cookie
  3.5.14 http_header
  3.5.15 http_raw_header
  3.5.16 http_method
  3.5.17 http_uri
  3.5.18 http_raw_uri
  3.5.19 http_stat_code
  3.5.20 http_stat_msg
  3.5.21 http_encode
  3.5.22 fast_pattern
  3.5.23 uricontent
  3.5.24 urilen
  3.5.25 isdataat
  3.5.26 pcre
  3.5.27 pkt_data
  3.5.28 file_data
  3.5.29 base64_decode
  3.5.30 base64_data
  3.5.31 byte_test
  3.5.32 byte_jump
  3.5.33 byte_extract
  3.5.34 byte_math
  3.5.35 ftpbounce
  3.5.36 asn1
  3.5.37 cvs
  3.5.38 dce_iface
  3.5.39 dce_opnum
  3.5.40 dce_stub_data
  3.5.41 sip_method
  3.5.42 sip_stat_code
  3.5.43 sip_header
  3.5.44 sip_body
  3.5.45 gtp_type
  3.5.46 gtp_info
  3.5.47 gtp_version
  3.5.48 ssl_version
  3.5.49 ssl_state
  3.5.50 Payload Detection Quick Reference
3.6 Non-Payload Detection Rule Options
  3.6.1 fragoffset
  3.6.2 ttl
  3.6.3 tos
  3.6.4 id
  3.6.5 ipopts
  3.6.6 fragbits
  3.6.7 dsize
  3.6.8 flags
  3.6.9 flow
  3.6.10 flowbits
  3.6.11 seq
  3.6.12 ack
  3.6.13 window
  3.6.14 itype
  3.6.15 icode
  3.6.16 icmp_id
  3.6.17 icmp_seq
  3.6.18 rpc
  3.6.19 ip_proto
  3.6.20 sameip
  3.6.21 stream_reassemble
  3.6.22 stream_size
  3.6.23 Non-Payload Detection Quick Reference
3.7 Post-Detection Rule Options
  3.7.1 logto
  3.7.2 session
  3.7.3 resp
  3.7.4 react
  3.7.5 tag
  3.7.6 replace
  3.7.7 detection_filter
  3.7.8 Post-Detection Quick Reference
3.8 Rule Thresholds
3.9 Writing Good Rules
  3.9.1 Content Matching
  3.9.2 Catch the Vulnerability, Not the Exploit
  3.9.3 Catch the Oddities of the Protocol in the Rule
  3.9.4 Optimizing Rules
  3.9.5 Testing Numerical Values