Next: 3.7 Post-Detection Rule Options Up: 3. Writing Snort Rules Previous: 3.5 Payload Detection Rule Contents
The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. To catch all the first fragments of an IP session, you could use the fragbits keyword and look for the More fragments option in conjunction with a fragoffset of 0.
fragoffset:[!|<|>]<number>;
alert ip any any -> any any \
(msg:"First Fragment"; fragbits:M; fragoffset:0;)
The ttl keyword is used to check the IP time-to-live value. This option keyword was intended for use in the detection of traceroute attempts. This keyword takes numbers from 0 to 255.
ttl:[<, >, =, <=, >=]<number>;
ttl:[<number>]-[<number>];
This example checks for a time-to-live value that is less than 3.
ttl:<3;
This example checks for a time-to-live value that between 3 and 5.
ttl:3-5;
This example checks for a time-to-live value that between 0 and 5.
ttl:-5;
This example checks for a time-to-live value that between 5 and 255.
ttl:5-;
Few other examples are as follows:
ttl:<=5;
ttl:>=5;
ttl:=5;
The following examples are NOT allowed by ttl keyword:
ttl:=>5;
ttl:=<5;
ttl:5-3;
The tos keyword is used to check the IP TOS field for a specific value.
tos:[!]<number>;
This example looks for a tos value that is not 4
tos:!4;
The id keyword is used to check the IP ID field for a specific value. Some tools (exploits, scanners and other odd programs) set this field specifically for various purposes, for example, the value 31337 is very popular with some hackers.
id:<number>;
This example looks for the IP ID of 31337.
id:31337;
The ipopts keyword is used to check if a specific IP option is present.
The following options may be checked:
The most frequently watched for IP options are strict and loose source routing which aren't used in any widespread internet applications.
ipopts:<rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any>;
This example looks for the IP Option of Loose Source Routing.
ipopts:lsrr;
Only a single ipopts keyword may be specified per rule.
The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header.
The following bits may be checked:
The following modifiers can be set to change the match criteria:
fragbits:[+*!]<[MDR]>;
This example checks if the More Fragments bit and the Do not Fragment bit are set.
fragbits:MD+;
The dsize keyword is used to test the packet payload size. This may be used to check for abnormally sized packets that might cause buffer overflows.
dsize:min<>max;
dsize:[<|>]<number>;
This example looks for a dsize that is between 300 and 400 bytes (inclusive).
dsize:300<>400;
Note that segmentation makes dsize less reliable for TCP based protocols such as HTTP. Furthermore, dsize will fail on stream rebuilt packets, regardless of the size of the payload, unless protocol aware flushing (PAF) marks this packet as the start of a message.
The flags keyword is used to check if specific TCP flag bits are present.
The following bits may be checked:
The following modifiers can be set to change the match criteria:
To handle writing rules for session initiation packets such as ECN where a SYN packet is sent with CWR and ECE set, an option mask may be specified by preceding the mask with a comma. A rule could check for a flags value of S,CE if one wishes to find packets with just the syn bit, regardless of the values of the reserved bits.
flags:[!|*|+]<FSRPAUCE0>[,<FSRPAUCE>];
This example checks if just the SYN and the FIN bits are set, ignoring CWR (reserved bit 1) and ECN (reserved bit 2).
alert tcp any any -> any any (flags:SF,CE;)
|
Note:
The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". The old values of '1' and '2' are still valid for the flag keyword, but are now deprecated.
|
The flow keyword is used in conjunction with session tracking (see Section
![[*]](crossref.png)
). It allows rules to only apply to certain directions of
the traffic flow.
This allows rules to only apply to clients or servers. This allows packets related to $HOME_NET clients viewing web pages to be distinguished from servers running in the $HOME_NET.
The established keyword will replace the flags:+A used in many places to show established TCP connections.
| Option | Description |
| to_client | Trigger on server responses from A to B |
| to_server | Trigger on client requests from A to B |
| from_client | Trigger on client requests from A to B |
| from_server | Trigger on server responses from A to B |
| established | Trigger only on established TCP connections |
| not_established | Trigger only when no TCP connection is established |
| stateless | Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash) |
| no_stream | Do not trigger on rebuilt stream packets (useful for dsize and stream5) |
| only_stream | Only trigger on rebuilt stream packets |
| no_frag | Do not trigger on rebuilt frag packets |
| only_frag | Only trigger on rebuilt frag packets |
flow:[(established|not_established|stateless)]
[,(to_client|to_server|from_client|from_server)]
[,(no_stream|only_stream)]
[,(no_frag|only_frag)];
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"cd incoming detected"; \
flow:from_client; content:"CWD incoming"; nocase;)
alert tcp !$HOME_NET 0 -> $HOME_NET 0 (msg:"Port 0 TCP traffic"; \
flow:stateless;)
The flowbits keyword is used in conjunction with conversation tracking
from the Session preprocessor (see Section). It allows
rules to track states during a transport protocol session. The flowbits option
is most useful for TCP sessions, as it allows rules to generically track the
state of an application protocol.
There are several keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. Some keyword uses group name. When no group name is specified the flowbits will belong to a default group. A particular flowbit can belong to more than one group. Flowbit name and group name should be limited to any alphanumeric string including periods, dashes, and underscores.
flowbits:[set|setx|unset|toggle|isset|isnotset|noalert|reset][, <bits/bats>][, <GROUP_NAME>];
bits ::= bit[|bits]
bats ::= bit[&bats]
| Option | Description |
| set | Sets the specified states for the current flow and assign them to a group when a GROUP_NAME is specified. |
| setx | Sets the specified states for the current flow and clear other states in the group |
| unset | Unsets the specified states for the current flow. |
| toggle | For every state specified, sets the specified state if the state is unset and unsets it if the state is set. |
| isset | Checks if the specified states are set. |
| isnotset | Checks if the specified states are not set. |
| noalert | Cause the rule to not generate an alert, regardless of the rest of the detection options. |
| reset | Reset all states on a given flow. |
Syntax:
flowbits:set,bats[,group]
Usage:
flowbits:set,bit1,doc;
flowbits:set,bit2&bit3,doc;
First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group.
So doc group has bit 1, bit2 and bit3 set
Syntax:
flowbits:setx,bats,group
Usage:
flowbits: setx, bit1, doc
flowbits: setx, bit2&bit3, doc
First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group.
So doc group has bit2 and bit3 set, because bit1 is cleared by rule 2.
Syntax: flowbits:unset,bats flowbits:unset,all,group Usage: flowbits: unset, bit1 Clear bit1. flowbits: unset, bit1&bit2 Clear bit1 and bit2 flowbits: unset, all, doc This clears all bits in the doc group.
Syntax: flowbits:toggle,bats flowbits:toggle,all,group Usage: flowbits: toggle, bit1&bit2 If bit1 is 0 and bit2 is 1 before, after this rule, bit1 is 1 and bit2 is 0. flowbits:toggle,all,doc Toggle all the bits in group doc as described above.
Syntax: flowbits:isset, bits => Check whether any bit is set flowbits:isset, bats => Check whether all bits are set flowbits:isset, any, group => Check whether any bit in the group is set. flowbits:isset, all, group => Check whether all bits in the group are set. Usage flowbits:isset, bit1|bit2 => If either bit1 or bit2 is set, return true flowbits:isset, bit1&bit2 => If both bit1 and bit2 are set, return true, otherwise false flowbits:isset, any, doc => If any bit in group doc is set, return true flowbits:isset, all, doc => If all the bits in doc group are set, return true
Syntax: flowbits:isnotset, bits => Check whether not any bit is set flowbits:isnotset, bats => Check whether not all bits are set flowbits:isnotset, any, group => Check whether not bit in the group is set. flowbits:isnotset, all, group => Check whether not all bits in the group are set. Usage flowbits:isnotset, bit1|bit2 => If either bit1 or bit2 is set, return true flowbits:isnotset, bit1&bit2 => If both bit1 and bit2 are set, return true, otherwise false flowbits:isnotset, any, doc => If any bit in group doc is set, return true flowbits:isnotset, all, doc => If all the bits in doc group are set, return true
flowbits:noalert;
This keyword resets all of the states on a given flow if no group specified, otherwise, reset all the bits in a group. This always returns true. There is no bit specified with this keyword.
Syntax: flowbits:reset[,group] Usage: flowbits:reset => reset all the bits in the flow flowbits: reset, doc => reset all the bits in the doc group
alert tcp any 143 -> any any (msg:"IMAP login";
content:"OK LOGIN"; flowbits:set,logged_in;
flowbits:noalert;)
alert tcp any any -> any 143 (msg:"IMAP LIST"; content:"LIST";
flowbits:isset,logged_in;)
The seq keyword is used to check for a specific TCP sequence number.
seq:<number>;
This example looks for a TCP sequence number of 0.
seq:0;
The ack keyword is used to check for a specific TCP acknowledge number.
ack:<number>;
This example looks for a TCP acknowledge number of 0.
ack:0;
The window keyword is used to check for a specific TCP window size.
window:[!]<number>;
This example looks for a TCP window size of 55808.
window:55808;
The itype keyword is used to check for a specific ICMP type value.
itype:min<>max;
itype:[<|>]<number>;
This example looks for an ICMP type greater than 30.
itype:>30;
The icode keyword is used to check for a specific ICMP code value.
icode:min<>max;
icode:[<|>]<number>;
The <> operator in the first format checks for an ICMP code within a specified range (exclusive). That is, strictly greater than the min value and strictly less than the max value. Note that the min value can a -1 allowing an ICMP code of zero to be included in the range.
Numerical values are validated with respect to permissible ICMP code values between 0 and 255 and other criteria.
icode:min<>max
-1 <= min <= 254
1 <= max <= 256
(max - min) > 1
icode:number
0 <= number <= 255
icode:<number
1 <= number <= 256
icode:>number
0 <= number <= 254
This example looks for an ICMP code greater than 30.
icode:>30;
This example looks for an ICMP code greater than zero and less than 30.
icode:-1<>30;
The icmp_id keyword is used to check for a specific ICMP ID value.
This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.
icmp_id:<number>;
This example looks for an ICMP ID of 0.
icmp_id:0;
The icmp_seq keyword is used to check for a specific ICMP sequence value.
This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.
icmp_seq:<number>;
This example looks for an ICMP Sequence of 0.
icmp_seq:0;
The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests.
Wildcards are valid for both version and procedure numbers by using '*';
rpc:<application number>, [<version number>|*], [<procedure number>|*]>;
The following example looks for an RPC portmap GETPORT request.
alert tcp any any -> any 111 (rpc:100000, *, 3;);
Because of the fast pattern matching engine, the RPC keyword is slower than looking for the RPC values by using normal content matching.
The ip_proto keyword allows checks against the IP protocol header. For a list of protocols that may be specified by name, see /etc/protocols.
ip_proto:[!|>|<] <name or number>;
This example looks for IGMP traffic.
alert ip any any -> any any (ip_proto:igmp;)
The sameip keyword allows rules to check if the source ip is the same as the destination IP.
sameip;
This example looks for any traffic where the Source IP and the Destination IP is the same.
alert ip any any -> any any (sameip;)
The stream_reassemble keyword allows a rule to enable or disable TCP stream reassembly on matching traffic.
|
Note:
The stream_reassemble option is only available when the Stream preprocessor is enabled.
|
stream_reassemble:<enable|disable>, <server|client|both>[, noalert][, fastpath];
For example, to disable TCP reassembly for client traffic when we see a HTTP 200 Ok Response message, use:
alert tcp any 80 -> any any (flow:to_client, established; content:"200 OK";
stream_reassemble:disable,client,noalert;)
The stream_size keyword allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers.
|
Note:
The stream_size option is only available when the Stream preprocessor is enabled.
|
stream_size:<server|client|both|either>, <operator>, <number>;
Where the operator is one of the following:
- less than
- greater than
= - less than or equal
= - greater than or equal
For example, to look for a session that is less that 6 bytes from the client side, use:
alert tcp any any -> any any (stream_size:client,<,6;)
| Keyword | Description |
| fragoffset | The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. |
| ttl | The ttl keyword is used to check the IP time-to-live value. |
| tos | The tos keyword is used to check the IP TOS field for a specific value. |
| id | The id keyword is used to check the IP ID field for a specific value. |
| ipopts | The ipopts keyword is used to check if a specific IP option is present. |
| fragbits | The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header. |
| dsize | The dsize keyword is used to test the packet payload size. |
| flags | The flags keyword is used to check if specific TCP flag bits are present. |
| flow | The flow keyword allows rules to only apply to certain directions of the traffic flow. |
| flowbits | The flowbits keyword allows rules to track states during a transport protocol session. |
| seq | The seq keyword is used to check for a specific TCP sequence number. |
| ack | The ack keyword is used to check for a specific TCP acknowledge number. |
| window | The window keyword is used to check for a specific TCP window size. |
| itype | The itype keyword is used to check for a specific ICMP type value. |
| icode | The icode keyword is used to check for a specific ICMP code value. |
| icmp_id | The icmp_id keyword is used to check for a specific ICMP ID value. |
| icmp_seq | The icmp_seq keyword is used to check for a specific ICMP sequence value. |
| rpc | The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests. |
| ip_proto | The ip_proto keyword allows checks against the IP protocol header. |
| sameip | The sameip keyword allows rules to check if the source ip is the same as the destination IP. |