3.4 General Rule Options

3.4.1 msg

The msg rule option tells the logging and alerting engine the message to print along with a packet dump or to an alert. It is a simple text string that uses the backslash (\) as an escape character to mark a discrete character that might otherwise confuse Snort's rules parser (such as the semicolon ; character, which normally terminates an option).

3.4.1.1 Format

    msg:"<message text>";

3.4.2 reference

The reference keyword allows rules to include references to external attack identification systems. The keyword currently supports the specific systems listed below as well as arbitrary URLs. Output plugins use the reference to provide a link to additional information about the alert produced.

Make sure to also take a look at http://www.snort.org/pub-bin/sigs-search.cgi/ for a system that is indexing descriptions of alerts based on the sid (See Section [*]).


Table: Supported Systems

System                      URL Prefix
bugtraq                     http://www.securityfocus.com/bid/
cve                         http://cve.mitre.org/cgi-bin/cvename.cgi?name=
nessus                      http://cgi.nessus.org/plugins/dump.php3?id=
arachnids (currently down)  http://www.whitehats.com/info/IDS
mcafee                      http://vil.nai.com/vil/content/v_
osvdb                       http://osvdb.org/show/osvdb/
msb                         http://technet.microsoft.com/en-us/security/bulletin/
url                         http://

3.4.2.1 Format

    reference:<id system>, <id>; [reference:<id system>, <id>;]

3.4.2.2 Examples

    alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; \
        flags:AP; content:"|fff4 fffd 06|"; reference:arachnids,IDS411;)
    
    alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; \
        flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; \
        reference:arachnids,IDS287; reference:bugtraq,1387; \
        reference:cve,CAN-2000-1574;)


3.4.3 gid

The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires. For example, gid 1 is associated with the rules subsystem, and various gids over 100 are designated for specific preprocessors and the decoder. See etc/generators in the source tree for the current generator ids in use. Note that the gid keyword is optional; if it is not specified in a rule, it defaults to 1 and the rule is part of the general rule subsystem. To avoid potential conflict with gids defined in Snort (that for some reason aren't noted in etc/generators), it is recommended that values starting at 1,000,000 be used. For general rule writing, it is not recommended that the gid keyword be used. This option should be used with the sid keyword. (See section [*])

The file etc/gen-msg.map contains more information on preprocessor and decoder gids.

3.4.3.1 Format

    gid:<generator id>;

3.4.3.2 Example

This example is a rule with a generator id of 1000001.

    alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)


3.4.4 sid

The sid keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily. This option should be used with the rev keyword. (See section [*])

The file sid-msg.map contains a mapping of alert messages to Snort rule IDs. This information is useful when post-processing alerts to map an ID back to an alert message.

3.4.4.1 Format

    sid:<snort rules id>;

3.4.4.2 Example

This example is a rule with the Snort Rule ID of 1000983.

    alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)


3.4.5 rev

The rev keyword is used to uniquely identify revisions of Snort rules. Revisions, along with Snort rule id's, allow signatures and descriptions to be refined and replaced with updated information. This option should be used with the sid keyword. (See section [*])

3.4.5.1 Format

    rev:<revision integer>;

3.4.5.2 Example

This example is a rule with the Snort Rule Revision of 1.

    alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

3.4.6 classtype

The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class. Snort provides a default set of attack classes that are used by the default set of rules it provides. Defining classifications for rules provides a way to better organize the event data Snort produces.

3.4.6.1 Format

    classtype:<class name>;

3.4.6.2 Example

    alert tcp any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
        content:"expn root"; nocase; classtype:attempted-recon;)

Attack classifications defined by Snort reside in the classification.config file. The file uses the following syntax:

    config classification:  <class name>,<class description>,<default priority>

These attack classifications are listed in Table [*]. They are currently ordered with 4 default priorities. A priority of 1 (high) is the most severe and 4 (very low) is the least severe.

Table: Snort Default Classifications

Classtype                       Description                                                  Priority
attempted-admin                 Attempted Administrator Privilege Gain                       high
attempted-user                  Attempted User Privilege Gain                                high
inappropriate-content           Inappropriate Content was Detected                           high
policy-violation                Potential Corporate Privacy Violation                        high
shellcode-detect                Executable code was detected                                 high
successful-admin                Successful Administrator Privilege Gain                      high
successful-user                 Successful User Privilege Gain                               high
trojan-activity                 A Network Trojan was detected                                high
unsuccessful-user               Unsuccessful User Privilege Gain                             high
web-application-attack          Web Application Attack                                       high
attempted-dos                   Attempted Denial of Service                                  medium
attempted-recon                 Attempted Information Leak                                   medium
bad-unknown                     Potentially Bad Traffic                                      medium
default-login-attempt           Attempt to login by a default username and password          medium
denial-of-service               Detection of a Denial of Service Attack                      medium
misc-attack                     Misc Attack                                                  medium
non-standard-protocol           Detection of a non-standard protocol or event                medium
rpc-portmap-decode              Decode of an RPC Query                                       medium
successful-dos                  Denial of Service                                            medium
successful-recon-largescale     Large Scale Information Leak                                 medium
successful-recon-limited        Information Leak                                             medium
suspicious-filename-detect      A suspicious filename was detected                           medium
suspicious-login                An attempted login using a suspicious username was detected  medium
system-call-detect              A system call was detected                                   medium
unusual-client-port-connection  A client was using an unusual port                           medium
web-application-activity        Access to a potentially vulnerable web application           medium
icmp-event                      Generic ICMP event                                           low
misc-activity                   Misc activity                                                low
network-scan                    Detection of a Network Scan                                  low
not-suspicious                  Not Suspicious Traffic                                       low
protocol-command-decode         Generic Protocol Command Decode                              low
string-detect                   A suspicious string was detected                             low
unknown                         Unknown Traffic                                              low
tcp-connection                  A TCP connection was detected                                very low

3.4.6.3 Warnings

The classtype option can only use classifications that have been defined in snort.conf by using the config classification option. Snort provides a default set of classifications in classification.config that are used by the rules it provides.

3.4.7 priority

The priority keyword assigns a severity level to rules. A rule that carries a classtype inherits that class's default priority (defined by the config classification option); an explicit priority option in the rule overrides that default. Examples of each case are given below.

3.4.7.1 Format

    priority:<priority integer>;

3.4.7.2 Examples

    alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; \
        content:"/cgi-bin/phf"; priority:10;)

    alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; \
        dsize:>128; classtype:attempted-admin; priority:10;)

3.4.8 metadata

The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format. Certain metadata keys and values have meaning to Snort and are listed in Table [*]. Keys other than those listed in the table are effectively ignored by Snort and can be free-form, as long as each has a key and a value. Multiple key-value pairs are separated by a comma, while a key and its value are separated by a space.


Table: Snort Metadata Keys

Key       Description                              Value Format
engine    Indicate a Shared Library Rule           "shared"
soid      Shared Library Rule Generator and SID    gid|sid
service   Target-Based Service Identifier          "http"

Note: The service metadata key is only meaningful when a Host Attribute Table is provided. See Section [*] for details on the Host Attribute Table.

3.4.8.1 Format

The metadata option can be written either as several metadata keywords, each carrying one key-value pair, or as a single metadata keyword carrying several pairs separated by commas. The examples in the next section show a stub rule from a shared library rule written both ways.

    metadata:key1 value1;
    metadata:key1 value1, key2 value2;

3.4.8.2 Examples

    alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; \
        metadata:engine shared; metadata:soid 3|12345;)

    alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; \
        metadata:engine shared, soid 3|12345;)

    alert tcp any any -> any 80 (msg:"HTTP Service Rule Example"; \
        metadata:service http;)
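The following Python script is an added example, not part of the Snort manual or the Snort code base, that ties together the general options of 3.4.1 through 3.4.8 the way an output plugin would see them: it splits a rule's options while honouring the backslash escape from 3.4.1, expands reference values through the URL prefixes of the 3.4.2 table, applies the gid default of 1 from 3.4.3, resolves classtype against a constructed classification.config excerpt in the syntax of 3.4.6 (and rejects an undefined class, per 3.4.6.3), lets an explicit priority override the class default as 3.4.7 describes, parses comma-separated metadata pairs as in 3.4.8, and emits a "sid || msg || references" line in the layout of the sid-msg.map file mentioned in 3.4.4. The two rules and the classification excerpt are constructed for this example, and the option splitting is a simplified reading of the manual rather than Snort's own parser.

```python
import re

# Reference systems and URL prefixes from the "Supported Systems" table in 3.4.2.
REFERENCE_SYSTEMS = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/content/v_",
    "osvdb": "http://osvdb.org/show/osvdb/",
    "msb": "http://technet.microsoft.com/en-us/security/bulletin/",
    "url": "http://",
}

# Constructed excerpt in the classification.config syntax of 3.4.6:
#   config classification: <class name>,<class description>,<default priority>
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""

# Constructed rules: the wu-ftpd example from 3.4.2 with classtype/sid/rev added,
# and a rule that escapes ';' in msg, overrides the class priority and carries metadata.
RULES = [
    'alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; \\\n'
    '    flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; \\\n'
    '    reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574; \\\n'
    '    classtype:attempted-admin; sid:1000001; rev:2;)',
    'alert tcp any any -> any 25 (msg:"SMTP expn root\\; recon"; flags:A+; '
    'content:"expn root"; nocase; classtype:attempted-recon; priority:10; '
    'metadata:service smtp, policy balanced-ips drop; sid:1000002; rev:1;)',
]

def load_classifications(text):
    """Map class name -> (description, default priority) from classification.config."""
    classes = {}
    for line in text.splitlines():
        if line.startswith("config classification:"):
            name, desc, prio = [f.strip() for f in line.split(":", 1)[1].split(",", 2)]
            classes[name] = (desc, int(prio))
    return classes

def split_options(rule):
    """Return (keyword, value) pairs from the rule body; options end at an unescaped
    ';' and a backslash makes the next character literal (how msg carries ';', 3.4.1)."""
    body = re.sub(r"\\\n\s*", " ", rule)            # fold '\'-continued lines
    body = body[body.index("(") + 1:body.rindex(")")]
    options, current, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):   # escaped character, e.g. \;
            current.append(body[i + 1])
            i += 2
            continue
        if body[i] == ";":                          # end of one option
            key, _, value = "".join(current).strip().partition(":")
            if key:
                options.append((key.strip(), value.strip().strip('"')))
            current = []
        else:
            current.append(body[i])
        i += 1
    return options

def describe_rule(rule, classes):
    """Build the event attributes an output plugin would see for one rule."""
    ev = {"gid": 1, "sid": None, "rev": None, "msg": "", "references": [],
          "classtype": None, "priority": None, "metadata": {}}  # gid defaults to 1 (3.4.3)
    for key, value in split_options(rule):
        if key == "msg":
            ev["msg"] = value
        elif key in ("gid", "sid", "rev", "priority"):
            ev[key] = int(value)
        elif key == "reference":                    # system,id -> prefix + id (3.4.2)
            system, _, ident = value.partition(",")
            system, ident = system.strip().lower(), ident.strip()
            if system not in REFERENCE_SYSTEMS:
                raise ValueError(f"unknown reference system {system!r}")
            ev["references"].append((system, ident, REFERENCE_SYSTEMS[system] + ident))
        elif key == "classtype":                    # must be defined (3.4.6.3)
            if value not in classes:
                raise ValueError(f"classtype {value!r} is not defined")
            ev["classtype"] = value
        elif key == "metadata":                     # "key value, key value" (3.4.8)
            for item in value.split(","):
                mkey, _, mval = item.strip().partition(" ")
                ev["metadata"][mkey] = mval.strip()
    if ev["priority"] is None and ev["classtype"]:  # explicit priority wins over the class default (3.4.7)
        ev["priority"] = classes[ev["classtype"]][1]
    return ev

def sid_msg_map_line(ev):
    """Emit the rule in the 'sid || msg || system,id ...' layout of sid-msg.map (3.4.4)."""
    return " || ".join([str(ev["sid"]), ev["msg"]] + [f"{s},{i}" for s, i, _ in ev["references"]])
```

Running describe_rule over RULES with the loaded classes gives the first rule priority 1 (inherited from attempted-admin) and the second priority 10 (its explicit option, not attempted-recon's 2); the second rule's msg comes back with a literal semicolon, and a classtype absent from the classification excerpt raises instead of silently producing an event without a priority.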

3.4.9 General Rule Quick Reference

Table: General rule option keywords

Keyword     Description
msg         The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert.
reference   The reference keyword allows rules to include references to external attack identification systems.
gid         The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.
sid         The sid keyword is used to uniquely identify Snort rules.
rev         The rev keyword is used to uniquely identify revisions of Snort rules.
classtype   The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class.
priority    The priority keyword assigns a severity level to rules.
metadata    The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.