Force10 Networks 100-00055-01 manual Writing Rules, Snort Rule Syntax, Snort Rule Headers, Action

Chapter 9

Writing Rules

P-Series rule syntax is based on Snort. Both rule structures are described in this chapter.

Snort Rule Syntax on page 63

P-Series Rule Syntax on page 66

Snort Rule Syntax

Snort rules are descriptions of traffic plus a prescribed action that is taken if a packet matches that description. Rules are divided into two sections:

Header: The header contains the action, protocol, source and destination IP addresses (with subnet masks), and the source and destination ports.

Options: The options section contains alert messages, and specifies values to search for inside the packet.

Table 11 shows the syntax for Snort rules, and Table 12 shows an example. The text preceding the parentheses is the header, and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are option keywords, and each option is terminated with a semicolon. A rule that spans multiple lines must end each continued line with a backslash.

Table 11 Snort Rule Syntax

action protocol source_address source_port -> destination_address destination_port \
(content:"data_string"; msg:"message";)

Table 12 Snort Rule Example

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

The pipe characters in the content option mark the enclosed text as hexadecimal bytes rather than a literal ASCII string; here they match the RPC program number of mountd in a portmapper (port 111) request.

Snort Rule Headers

Action

The first item in a rule is the action keyword. It dictates how Snort is to handle a packet that matches the rule. All of the elements in a rule must be true for Snort to execute the action. There are five action keywords in Snort:

alert directs Snort to generate an alert and log the packet.

log directs Snort to log the packet.

P-Series Installation and Operation Guide, version 2.3.1.2
