Snort Rule Syntax | Force10 Networks 100-00055-01 specs

Chapter 9	Writing Rules

P-Series rule syntax is based on Snort. Both rule structures are described in this chapter.

•Snort Rule Syntax on page 63

•P-Series Rule Syntax on page 66

Snort Rule Syntax

Snort rules are descriptions of traffic plus a prescribed action that is taken if a packet matches that description. Rules are divided into two sections:

•Header: The header contains the action, protocol, source and destination IP addresses (with subnet masks), and the source and destination ports.

•Options: The options section contains alert messages, and specifies values to search for inside the packet.

Table 11 shows the syntax for Snort rules, and Table 12 shows an example. The text preceding parenthesis is the header, and the section enclosed in parenthesis contains the rule options. The words before the colons in the rule options section are option keywords. Rules that span multiple lines must have a backslash at the end of the line. All rules and options must be punctuated with a semicolon.

Table 11 Snort Rule Syntax

action protocol source_address source_port ->destination_address destination_port\ (content:”data_string”; msg:”message”);

Table 12 Snort Rule Example

alert tcp any any -> 192.168.1.0/24 111 (content:” 00 01 86 a5 ”; msg:”mounted access”);

Snort Rule Headers

Action

The first item in a rule is the action keyword. It dictates how Snort is to handle a packet that matches the rule. All of the elements in a rule must be true for Snort to execute the action. There are five actions keywords in Snort:

•alert directs Snort to generate an alert and log the packet.

•log directs Snort to log the packet.

P-Series Installation and Operation Guide, version 2.3.1.2

63

Image 63

Force10 Networks 100-00055-01 manual Snort Rule Syntax, Snort Rule Headers

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Convention Description Keyword ObjectivesAudience Conventions Additional Resources Information SymbolsSymbol Warning Description Related Documents This LED is not used This LED is blue when the hard disk is accessedThis LED is green when the power is on Label Description System Specifications Physical ConnectionsPB-10GE-2P Step Task Security Check BootingConfiguration Once the appliance is booted Cd SW Gmake installCp -Rf /usr/local/pnic/ /home Tar xvzf PTPS-PMAIN Located in the directory pnic-compiler Cd upgradedirectory/pnic-compilerInstall pre-compiled firmware if needed Re-compile all rules firmware with the new compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Introduction Types of RulesSample Rules and Firmware Rx1 Tx1 Mirror Rule Set Description Rule ManagementDeploying the P-Series Sample Rules Files Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui GUI Commands GUI CommandsCommand Description Rule Management GUI Managing Rules, Policies, and Firmware Permit Deny Editing Dynamic Rules with the GUIOption Description Policy Capture To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI Runtime Statistics To select firmwareSelect Manage Firmware see Figure Runtime Statistics for Channel 0 and 1-FPGA Loaded Reloading Firmware Runtime Statistics DescriptionStatistic Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Managing the P-Series using Node Manager Web-browser Security CertificatesSeries Node Manager has four major management capabilities Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil System Installing the Sguil SensorInstalling the Sguil Server Wish Installing the Sguil ClientTo uninstall the server Source the server configuration file. The default Server Installation FilesSguil Files and Directories File Location Sensor Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Change directories to /usr/local/pnic/0 CLI CommandsEditing Dynamic Rules with the CLI MAC Rewriting Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface To complile rules Creating Rules FilesRules Capacity Compiling Rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration Configuration and Generated Files Configuration and Generated FilesFile Description Location Firmware Filename Description Compiler ErrorsFirmware Filenames Describes each of the elements in this format Snort Rule Syntax Snort Rule HeadersSnort Rule Syntax Protocol Ports Keyword Static Dynamic Series Rule SyntaxSeries Supported Snort Keywords Snort Rule Options Seq Yes Yes Only /8/16/24/32 masksYes Yes, no ranges Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Pnic aggregate-mode-disable Pnic aggregate-mode-disable numberAppendix a Pnic apply-firmware Pnic aggregate-mode-enablePnic aggregate-mode-enable number Different ports. This is the default behavior Display the available firmware Pnic apply-firmware Command Example Syntax pnic capture-on Pnic capture-offPnic capture-on Pnic capture-off Display the driver version Display the configuration parameters of the systemPnic cardstatus Pnic cardstatus number Pnic compilerules number Pnic default-drop-disablePnic default-drop-disable number Pnic compilerules Pnic diag Pnic default-drop-enableEnable firewall functionality Run diagnostic tests on the card Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-enable Pnic flow-teardown-disable Example pnic flow-teardown-enable Command Example Pnic getmachashindexPnic getmachashindex number Pnic gui Launch the graphical user interfaceSyntax pnic gui Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadeproms number Pnic loadepromsPnic loadparams deprecated Load the PCI-X and front-end EEPROMs Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Pnic macrewrite-off Disable MAC rewriting. This is the default behaviorEnable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting using the command pnic macrewrite-off Pnic off deprecated Syntax pnic off100 Appendix a Pnic on Example pnic off Command ExampleEnable the capturing of packets via direct memory access Pnic on deprecated Pnic params number Pnic passive-mode-disableSyntax pnic passive-mode-disable number Pnic params Configure the ports to only receive traffic Pnic passive-mode-enableConfigure the ports to only receive traffic Example pnic passive-mode-disable Command Example Stop capturing and matching Pnic resetconfPnic resetconf number Pnic restart Pnic restart Series Installation and Operation Guide, version 105Pnic sguil-sensor-start Start the Sguil sensor Pnic sguil-sensor-start -f Pnic sguil-sensor-stop -f Series Installation and Operation Guide, version 107Pnic sguil-sensor-stop Stop the Sguil sensor List the available firmware images Display configuration parameters of the cardPnic showconf Pnic show-firmwares Pnic showtech number filename.dat Series Installation and Operation Guide, version 109Pnic showtech Apply a specific firmware to the card Pnic start number Disable the network interface using the command pnic stopExample pnic showtech Command Example Pnic start Pnic stop Turn off capture and disable the network interfaceEnable the network interface using the command pnic start Disable the network interface Enable temporary memory. This is the default behavior Pnic temp-mem-disablePnic temp-mem-enable Disable temporary memory Specifies an LSB value for a particular hash index Pnic updatemacvalueDisable temporary memory Pnic updatemacvalue number Vlan Tag Remove feature is disabled by default Pnic vlan-remove-disablePnic vlan-remove-enable Disable the Vlan Tag Remove feature Display the driver version Disable the web server using the command pnic web-gui-stopPnic version Pnic web-gui-start Pnic web-gui-stop -f Pnic web-gui-stopStop the web server Stop the web server Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Flags!*+ FSRPAU120 Description of P-Series Snort KeywordsKeyword Description Rule Syntax Ack Checks for a specific TCP acknowledgment number Ipproto ! name number Flow establishedstatelessIcmp idnumber Icmp seq number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Meta Rules for Channel 0 and Channel Meta RulesEvasion Rules 124 Appendix C Pwd Unix CommandsLogout Passwd Number Vi Commands? text Set number no Collection Dynamic RulesFlow Garbage Static Rules SnortSpan Port State ISupport Website Accessing iSupport ServicesSeries Installation and Operation Guide, version 129 Manual Pages Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support