Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Appendix B, Snort Keywords, ack number, dsize number number

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 119

Appendix B

Appendix B	Snort Keywords

Table 28 describes briefly the valid Snort keywords supported on the P-Series. For a more detailed explanation for these keywords, see the Snort website at http://www.snort.org/docs/snort_manual/ node17.html.

Table 28 Description of P-Series Snort Keywords

Keyword	Description		Rule Syntax

ack	Checks for a specific TCP acknowledgment number.		ack: number;
	number is a reference to a previously transmitted
	sequence number that is being acknowleged.
content	Specifies the content within the packet payload for which		content: [!] "data_string";
	the rule is to search.
	data_string can contain mixed text and binary data.
	Binary data is enclosed within pipe characters and is
	written in hexadecimal form.

dsize	Inspects the packet payload size.		dsize: [><] number [><number];
	number is the payload size in bytes.

flags	Checks for the presence of the specified TCP flag bits.		flags:[!*+] {FSRPAU120}
	Valid flag bits include:		[,{FSRPAU120}];
	• F: FIN (Least Significant Bit (LSB) in the TCP Flags
		byte)
	•	S: SYN
	•	R: RST
	•	P: PSH
	•	A: ACK
	•	U: URG
	• 1: Reserved bit 1 (Most Significant Bit (MSB) in TCP
		Flags byte)
	•	2: Reserved bit 2
	• 0: No TCP Flags Set

The following modifiers change the match criteria:

•+: Match on the specified bits, plus any others.

•*: Match if any of the specified bits are set.

•!: Match if the specified bits are not set.

P-Series Installation and Operation Guide, version 2.3.1.2

119

Image 119

Force10 Networks 100-00055-01 manual Appendix B, Snort Keywords, ack number, dsize number number

Contents

May 27 P-Series Installation and Operation GuideVersion USA Federal Communications Commission FCC Statement Copyright 2008 Force10 NetworksTrademarks Statement of ConditionsPreface ContentsContents InstallationWeb-based Management Command Line InterfaceGraphical User Interface ChapterWriting Rules Command Line ReferenceBasic Unix Commands Compiling RulesTechnical Support Appendix EGlossary Appendix FAudience PrefaceAbout this Guide ObjectivesP-Series Release Notes Information SymbolsRelated Documents Additional ResourcesChapter InstallationPB-10GE-2P System SpecificationsPhysical Connections Step Task Upgrading Software BootingConfiguration Security Checkscp username@serverabsolutepath mkdir ~/upgradedirectoryfilename ~/upgradedirectory cd upgradedirectorygmake install Commandcd upgradedirectory/pnic-compiler cd upgradedirectory/firmwareTo begin inspecting and filtering traffic you must Returning to the Default ConfigurationGetting Started ChapterGetting Started Chapter IntroductionHardware Architecture Overview Sample Rules and Firmware Types of RulesFirewall Deployment” on page Rule ManagementDeploying the P-Series Optical Bypass 10-Gigabit Inline DeploymentFail-safe Deployment 10-Gigabit10-Gigabit Highly-available DeploymentPassive Deployment P1P0P-Series P10 Capturing Matched TrafficNetwork Switch with SPAN port Network Tap 10-Gigabit 10-GigabitCapturing to a Host CPU Traffic to Monitor Mirroring to Another DevicePB-10GE-2P M1 P1 P0 M0Chapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and FirmwareTo manage firmware, see “Selecting Firmware with the GUI” on page Editing Dynamic Rules with the GUIdirectory see “Editing Dynamic Rules with the GUI” on page GUI” on pageTo change capture/forward policies Managing Capture/Forward Policies with the GUITo modify dynamic rules fn9000014 Selecting Firmware with the GUIfn9000013 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface To launch the P-Series Node Manager Chapter 5 Web-based ManagementLaunching the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerManaging Firmware Images on page Managing the P-Series using Node ManagerWeb-browser Security Certificates Monitoring System Performance on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelSguil Client Chapter 6 Network Security MonitoringP-Series Sensors Sguil ServerHardware and Software Requirements Installing the Sguil SystemInstalling the Sguil Sensor Installing the Sguil ServerWireshark Installing the Sguil ClientUninstalling the Sguil Server # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesWriting New Rules Running the Sguil SystemRunning the Sguil Sensor Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpEditing Dynamic Rules with the CLI Chapter 7 Command Line InterfaceCLI Commands CLI commands are given in Command Line Reference on pageTo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Compiling Rules Compiling RulesCreating Rules Files Rules Capacity3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Options Target DeviceMatch non-IP Traffic pagesee Figure 37 on page Segmentation Evasion Rulessee Figure 36 on page Maximum StringEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationto which the .mapping files in /usr/local/pnic Configuration and Generated Fileswhich the .bit files in /usr/local/pnic/0 are Firmware Filenames Compiler ErrorsAction Writing RulesSnort Rule Syntax Snort Rule HeadersSource Addresses ProtocolDirection Operator PortsDestination Address and Port P-Series Rule SyntaxP-Series Supported Snort Keywords Snort Rule Optionsprotocol KeywordStatic DynamicStateful Matching Writing Stateful Rulesthen cpi Equation∧ si = si ⎬In Table Stateful Rule ExamplesThe meta.rules File Support for Snorts flow KeywordHandling Segmentation Evasion Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Chapter FirewallDeploying the P-Series as a Firewall Figure 39 Enabling and Disabling Drop Mode Enabling the FirewallDrop mode Disabled Drop mode Enabled Verify Drop mode is EnabledWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic default-drop-disable on page pnic default-drop-enable on page Appendix A Command Line Referencepnic aggregate-mode-disable on page pnic aggregate-mode-enable on page pnic apply-firmware on pagepnic vlan-remove-enable on page pnic web-gui-start on page pnic aggregate-mode-disablepnic temp-mem-disable on page pnic temp-mem-enable on page pnic updatemacvalue on page pnic vlan-remove-disable on pagepnic apply-firmware pnic aggregate-mode-enableDisplay the available firmware Parameters Command History ExampleCommands pnic show-firmwaresSyntax Parameters Command History Example pnic capture-offpnic capture-on Enable the capturing of packets via direct memory accessCommands pnic cardstatusCommands Syntax Parameters Command History Examplepnic compilerules pnic default-drop-disableParameters Command History Example pnic default-drop-enableTemporary memory is disabled while the firewall is enabled pnic diagVersion PMAIN2.3.0.014 root@localhost SW# Parameters Command History ExampleUsage Information pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-enable pnic flow-teardown-disablevalue for an IP address pairs pnic getmachashindexpnic updatemacvalue pnic guiEnable MAC rewriting Disable MAC rewritingExample pnic gui Command ExampleP-Series Installation and Operation Guide, version output omitted pnic helpSyntax Command History Example pnic helpCommands pnic linkdownpnic linkup Syntax Parameters Command History ExampleSyntax Parameters Command History pnic loadconfParameters Command History Example CommandsCorresponding Parameter Addresspnic loadparams number pnic loadepromspnic loadparams deprecated pnic loadeproms numberCorresponding Parameter AddressSyntax Parameters pnic loadrulesCommand History Example Usage Information pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedpnic on deprecated pnic on deprecatedUsage Information Related Commands Syntax Parameters Command History Examplepnic params pnic passive-mode-disableCommands pnic passive-mode-enablepnic passive-mode-enable CommandStop capturing and matching pnic resetconfpnic restart Syntax Parameters Command History ExampleSyntax Command History Example pnic sguil-sensor-startDisable the network interface Enable the network interfacepnic sguil-sensor-start -f Stop the Sguil sensor using the command pnic sguil-sensor-stopSyntax Parameters Command History Example Commandspnic sguil-sensor-start Start the Sguil sensor pnic sguil-sensor-stopSyntax Parameters Command History Example CommandsCommands pnic showconfpnic show-firmwares Syntax Parameters Command History ExampleSyntax Parameters Command History pnic showtechCommand History Example CommandsDisable the network interface using the command pnic stop pnic startLoad the capture/block configuration Load the runtime parameters Enable the network interfaceSyntax Parameters Command History Example pnic stopEnable the network interface Commandspnic temp-mem-enable pnic temp-mem-disableEnable MAC rewriting pnic updatemacvalueUse this command with the MAC rewrite feature pnic temp-mem-disablepnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-enable pnic vlan-remove-disableDisplay the driver version pnic versionpnic web-gui-start Disable the web server using the command pnic web-gui-stopCommand Enable the web server using the command pnic web-gui-startpnic web-gui-stop CommandsRelated Commandspnic web-gui-start ExampleAppendix A dsize number number Appendix BSnort Keywords ack numberKeyword Rule Syntax uricontent ! “datastring”Keyword DescriptionAppendix B Evasion Rules Appendix C Meta and Evasion Rulesmeta Rules Appendix C Description Appendix D Basic Unix CommandsUnix Commands Command? text vi CommandsCommand DescriptionGlossary Appendix EStatic Rules SnortSPAN Port StateManual Pages Accessing iSupport ServicesAppendix F Technical SupportSerial Number see Locating P-Series Serial Numbers on page Contacting the Technical Assistance CenterLocating P-Series Serial Numbers To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support