Keyword Description Rule Syntax | Force10 Networks 100-00055-01

Appendix B	Snort Keywords

Table 28 describes briefly the valid Snort keywords supported on the P-Series. For a more detailed explanation for these keywords, see the Snort website at http://www.snort.org/docs/snort_manual/ node17.html.

Table 28 Description of P-Series Snort Keywords

Keyword	Description		Rule Syntax

ack	Checks for a specific TCP acknowledgment number.		ack: number;
	number is a reference to a previously transmitted
	sequence number that is being acknowleged.
content	Specifies the content within the packet payload for which		content: [!] "data_string";
	the rule is to search.
	data_string can contain mixed text and binary data.
	Binary data is enclosed within pipe characters and is
	written in hexadecimal form.

dsize	Inspects the packet payload size.		dsize: [><] number [><number];
	number is the payload size in bytes.

flags	Checks for the presence of the specified TCP flag bits.		flags:[!*+] {FSRPAU120}
	Valid flag bits include:		[,{FSRPAU120}];
	• F: FIN (Least Significant Bit (LSB) in the TCP Flags
		byte)
	•	S: SYN
	•	R: RST
	•	P: PSH
	•	A: ACK
	•	U: URG
	• 1: Reserved bit 1 (Most Significant Bit (MSB) in TCP
		Flags byte)
	•	2: Reserved bit 2
	• 0: No TCP Flags Set

The following modifiers change the match criteria:

•+: Match on the specified bits, plus any others.

•*: Match if any of the specified bits are set.

•!: Match if the specified bits are not set.

P-Series Installation and Operation Guide, version 2.3.1.2

119

Image 119

Force10 Networks 100-00055-01 Description of P-Series Snort Keywords, Keyword Description Rule Syntax, Flags!*+ FSRPAU120

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Convention Description Keyword ObjectivesAudience Conventions Additional Resources Information SymbolsSymbol Warning Description Related Documents This LED is not used This LED is blue when the hard disk is accessedThis LED is green when the power is on Label Description PB-10GE-2P System SpecificationsPhysical Connections Step Task Security Check BootingConfiguration Once the appliance is booted Cd SW Gmake installCp -Rf /usr/local/pnic/ /home Tar xvzf PTPS-PMAIN Located in the directory pnic-compiler Cd upgradedirectory/pnic-compilerInstall pre-compiled firmware if needed Re-compile all rules firmware with the new compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Introduction Types of RulesSample Rules and Firmware Rx1 Tx1 Mirror Rule Set Description Rule ManagementDeploying the P-Series Sample Rules Files Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui Command Description GUI CommandsGUI Commands Rule Management GUI Managing Rules, Policies, and Firmware Permit Deny Editing Dynamic Rules with the GUIOption Description Policy Capture To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI Select Manage Firmware see Figure Runtime StatisticsTo select firmware Runtime Statistics for Channel 0 and 1-FPGA Loaded Statistic Description Reloading FirmwareRuntime Statistics Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Series Node Manager has four major management capabilities Managing the P-Series using Node ManagerWeb-browser Security Certificates Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil Server Installing the Sguil SystemInstalling the Sguil Sensor Wish Installing the Sguil ClientTo uninstall the server Source the server configuration file. The default Server Installation FilesSguil Files and Directories File Location Sensor Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Change directories to /usr/local/pnic/0 CLI CommandsEditing Dynamic Rules with the CLI MAC Rewriting Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface To complile rules Creating Rules FilesRules Capacity Compiling Rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration File Description Location Configuration and Generated FilesConfiguration and Generated Files Firmware Filename Description Compiler ErrorsFirmware Filenames Describes each of the elements in this format Snort Rule Syntax Snort Rule SyntaxSnort Rule Headers Protocol Ports Keyword Static Dynamic Series Rule SyntaxSeries Supported Snort Keywords Snort Rule Options Yes Yes, no ranges Seq YesYes Only /8/16/24/32 masks Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Appendix a Pnic aggregate-mode-disablePnic aggregate-mode-disable number Pnic apply-firmware Pnic aggregate-mode-enablePnic aggregate-mode-enable number Different ports. This is the default behavior Display the available firmware Pnic apply-firmware Command Example Syntax pnic capture-on Pnic capture-offPnic capture-on Pnic capture-off Display the driver version Display the configuration parameters of the systemPnic cardstatus Pnic cardstatus number Pnic compilerules number Pnic default-drop-disablePnic default-drop-disable number Pnic compilerules Pnic diag Pnic default-drop-enableEnable firewall functionality Run diagnostic tests on the card Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-enable Pnic flow-teardown-disable Pnic getmachashindex number Example pnic flow-teardown-enable Command ExamplePnic getmachashindex Syntax pnic gui Pnic guiLaunch the graphical user interface Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadeproms number Pnic loadepromsPnic loadparams deprecated Load the PCI-X and front-end EEPROMs Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Pnic macrewrite-off Disable MAC rewriting. This is the default behaviorEnable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting using the command pnic macrewrite-off 100 Appendix a Pnic off deprecatedSyntax pnic off Pnic on Example pnic off Command ExampleEnable the capturing of packets via direct memory access Pnic on deprecated Pnic params number Pnic passive-mode-disableSyntax pnic passive-mode-disable number Pnic params Configure the ports to only receive traffic Pnic passive-mode-enableConfigure the ports to only receive traffic Example pnic passive-mode-disable Command Example Stop capturing and matching Pnic resetconfPnic resetconf number Pnic restart Pnic restart Series Installation and Operation Guide, version 105Pnic sguil-sensor-start Start the Sguil sensor Pnic sguil-sensor-start -f Pnic sguil-sensor-stop -f Series Installation and Operation Guide, version 107Pnic sguil-sensor-stop Stop the Sguil sensor List the available firmware images Display configuration parameters of the cardPnic showconf Pnic show-firmwares Pnic showtech number filename.dat Series Installation and Operation Guide, version 109Pnic showtech Apply a specific firmware to the card Pnic start number Disable the network interface using the command pnic stopExample pnic showtech Command Example Pnic start Pnic stop Turn off capture and disable the network interfaceEnable the network interface using the command pnic start Disable the network interface Enable temporary memory. This is the default behavior Pnic temp-mem-disablePnic temp-mem-enable Disable temporary memory Specifies an LSB value for a particular hash index Pnic updatemacvalueDisable temporary memory Pnic updatemacvalue number Vlan Tag Remove feature is disabled by default Pnic vlan-remove-disablePnic vlan-remove-enable Disable the Vlan Tag Remove feature Display the driver version Disable the web server using the command pnic web-gui-stopPnic version Pnic web-gui-start Pnic web-gui-stop -f Pnic web-gui-stopStop the web server Stop the web server Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Flags!*+ FSRPAU120 Description of P-Series Snort KeywordsKeyword Description Rule Syntax Ack Checks for a specific TCP acknowledgment number Ipproto ! name number Flow establishedstatelessIcmp idnumber Icmp seq number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Evasion Rules Meta Rules for Channel 0 and ChannelMeta Rules 124 Appendix C Pwd Unix CommandsLogout Passwd Number Vi Commands? text Set number no Collection Dynamic RulesFlow Garbage Static Rules SnortSpan Port State ISupport Website Accessing iSupport ServicesSeries Installation and Operation Guide, version 129 Manual Pages Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support