Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual P-Series Rule Syntax, P-Series Supported Snort Keywords

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 66

Destination Address and Port

Destination Address and Port

The destination address and port follow the direction operator. The syntax of these parameters are the same as the source address and port. See “Source Addresses” on page 64, and “Ports” on page 65.

Snort Rule Options

Options are made of a keyword and an argument. An argument is the packet data against which the rule is matched. Option keywords are followed by a colon, and each option is puncutated with a semi-colon. Table 19 lists the option keywords that the P-Series supports.

P-Series Rule Syntax

P-Series rules have a syntax that is slightly different from Snort rules. P-Series rules have the following syntax:

capture/forward_policy on channel Snort_rule

•capture/forward policy can have four values: alert, permit, divert, or deny. These settings are described in Table 5 on page 28.

•channel can be c0 for Channel 0, c1 for Channel 1, or all for both channels.

•Snort_rule is a rule written in Snort syntax.

Table 18 shows an example P-Series rule.

Table 18 P-Series Rule Example

alert on c1 any any -> any any (msg:"Z Default rule fragmented ip";)

Note: P-Series does not support the Snort action keywords log, pass, activate, and dynamic. P-Series supports the action keywords alert, permit, divert, and deny.

P-Series Supported Snort Keywords

Table 19 lists Snort keywords that the P-Series supports for both dynamic and static rules.

Table 19 Supported Snort Keywords for Static and Dynamic Rules

	Keyword	Static	Dynamic

	ack	Yes	Yes

	content	Yes, no negative.	No

66	Writing Rules

Image 66

Force10 Networks 100-00055-01 manual P-Series Rule Syntax, P-Series Supported Snort Keywords, Snort Rule Options

Contents

P-Series Installation and Operation Guide VersionMay 27 Statement of Conditions Copyright 2008 Force10 NetworksTrademarks USA Federal Communications Commission FCC StatementInstallation ContentsContents PrefaceChapter Command Line InterfaceGraphical User Interface Web-based ManagementCompiling Rules Command Line ReferenceBasic Unix Commands Writing RulesAppendix F Appendix EGlossary Technical SupportObjectives PrefaceAbout this Guide AudienceAdditional Resources Information SymbolsRelated Documents P-Series Release NotesInstallation ChapterSystem Specifications Physical ConnectionsPB-10GE-2P Step Task Security Check BootingConfiguration Upgrading Softwarecd upgradedirectory mkdir ~/upgradedirectoryfilename ~/upgradedirectory scp username@serverabsolutepathcd upgradedirectory/firmware Commandcd upgradedirectory/pnic-compiler gmake installChapter Returning to the Default ConfigurationGetting Started To begin inspecting and filtering traffic you mustGetting Started Introduction Hardware Architecture OverviewChapter Types of Rules Sample Rules and FirmwareRule Management Deploying the P-SeriesFirewall Deployment” on page 10-Gigabit Inline DeploymentFail-safe Deployment Optical Bypass 10-GigabitP1P0 Highly-available DeploymentPassive Deployment 10-GigabitNetwork Tap 10-Gigabit 10-Gigabit Capturing Matched TrafficNetwork Switch with SPAN port P-Series P10Capturing to a Host CPU M1 P1 P0 M0 Mirroring to Another DevicePB-10GE-2P Traffic to MonitorChapter 4 Graphical User Interface GUI Commands Command DescriptionManaging Rules, Policies, and Firmware PNIC0 Not ActiveGUI” on page Editing Dynamic Rules with the GUIdirectory see “Editing Dynamic Rules with the GUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageManaging Capture/Forward Policies with the GUI To modify dynamic rulesTo change capture/forward policies Selecting Firmware with the GUI fn9000013fn9000014 Runtime Statistics Figure 19 Runtime Statistics for Channel 0 and 1-FPGA Loaded Graphical User InterfaceReloading Firmware Graphical User Interface Chapter 5 Web-based Management Launching the P-Series Node ManagerTo launch the P-Series Node Manager Figure 21 Lauching the P-Series Node Manager Web-based ManagementMonitoring System Performance on page Managing the P-Series using Node ManagerWeb-browser Security Certificates Managing Firmware Images on pageMonitoring System Performance Managing Firmware Images Managing the Network Interface CardFigure 25 P-Series Node Manager Card Management Panel Web-based ManagementManaging Policies Figure 26 P-Series Node Manager Policy Managment Panel Web-based ManagementSguil Server Chapter 6 Network Security MonitoringP-Series Sensors Sguil ClientInstalling the Sguil Server Installing the Sguil SystemInstalling the Sguil Sensor Hardware and Software RequirementsInstalling the Sguil Client Uninstalling the Sguil ServerWireshark Installation Files # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dllRunning the Sguil System Running the Sguil SensorWriting New Rules Running the Sguil Server Running the Sguil Client To run the Sguil Clientfn90028mp fn90027mpCLI commands are given in Command Line Reference on page Chapter 7 Command Line InterfaceCLI Commands Editing Dynamic Rules with the CLIIn Figure To enable MAC rewritingRemoving VLAN Tags Command Line Interface Rules Capacity Compiling RulesCreating Rules Files Compiling Rulespage Target DeviceMatch non-IP Traffic 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ OptionsMaximum String Segmentation Evasion Rulessee Figure 36 on page see Figure 37 on pageEnter command gmake from pnic-compiler directory P-Series Installation and Operation Guide, version Figure 36 pnic-Compiler OptionSummary of configuration Starting and Stopping the pnic-CompilerConfiguration and Generated Files which the .bit files in /usr/local/pnic/0 areto which the .mapping files in /usr/local/pnic Compiler Errors Firmware FilenamesSnort Rule Headers Writing RulesSnort Rule Syntax ActionProtocol Source AddressesPorts Direction OperatorSnort Rule Options P-Series Rule SyntaxP-Series Supported Snort Keywords Destination Address and PortDynamic KeywordStatic protocolWriting Stateful Rules Stateful Matching= si ⎬ Equation∧ si then cpiStateful Rule Examples In TableSupport for Snorts flow Keyword Handling Segmentation EvasionThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Firewall Deploying the P-Series as a FirewallChapter Verify Drop mode is Enabled Enabling the FirewallDrop mode Disabled Drop mode Enabled Figure 39 Enabling and Disabling Drop ModeAllowing Traffic through the Firewall Writing Rules for a Firewall Deployment#permit let through and do not log to the host pnic aggregate-mode-enable on page pnic apply-firmware on page Appendix A Command Line Referencepnic aggregate-mode-disable on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic updatemacvalue on page pnic vlan-remove-disable on page pnic aggregate-mode-disablepnic temp-mem-disable on page pnic temp-mem-enable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic aggregate-mode-enable pnic apply-firmwarepnic show-firmwares Parameters Command History ExampleCommands Display the available firmwareEnable the capturing of packets via direct memory access pnic capture-offpnic capture-on Syntax Parameters Command History ExampleSyntax Parameters Command History Example pnic cardstatusCommands Commandspnic default-drop-disable pnic compilerulespnic diag pnic default-drop-enableTemporary memory is disabled while the firewall is enabled Parameters Command History ExampleParameters Command History Example Usage InformationVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-disable pnic flow-teardown-disablepnic flow-teardown-enable pnic flow-teardown-enablepnic getmachashindex value for an IP address pairsDisable MAC rewriting pnic guiEnable MAC rewriting pnic updatemacvaluepnic gui Command Example P-Series Installation and Operation Guide, versionExample pnic help pnic helpSyntax Command History Example output omittedSyntax Parameters Command History Example pnic linkdownpnic linkup CommandsCommands pnic loadconfParameters Command History Example Syntax Parameters Command HistoryAddress Corresponding Parameterpnic loadeproms number pnic loadepromspnic loadparams deprecated pnic loadparams numberAddress Corresponding Parameterpnic loadrules Command History Example Usage InformationSyntax Parameters pnic macrewrite-off pnic macrewrite-onpnic off deprecated Syntax pnic offSyntax Parameters Command History Example pnic on deprecatedUsage Information Related Commands pnic on deprecatedpnic passive-mode-disable pnic paramsCommand pnic passive-mode-enablepnic passive-mode-enable CommandsSyntax Parameters Command History Example pnic resetconfpnic restart Stop capturing and matchingEnable the network interface pnic sguil-sensor-startDisable the network interface Syntax Command History ExampleCommands Stop the Sguil sensor using the command pnic sguil-sensor-stopSyntax Parameters Command History Example pnic sguil-sensor-start -fCommands pnic sguil-sensor-stopSyntax Parameters Command History Example pnic sguil-sensor-start Start the Sguil sensorSyntax Parameters Command History Example pnic showconfpnic show-firmwares CommandsCommands pnic showtechCommand History Example Syntax Parameters Command HistoryEnable the network interface pnic startLoad the capture/block configuration Load the runtime parameters Disable the network interface using the command pnic stopCommands pnic stopEnable the network interface Syntax Parameters Command History Examplepnic temp-mem-disable pnic temp-mem-enablepnic temp-mem-disable pnic updatemacvalueUse this command with the MAC rewrite feature Enable MAC rewritingpnic vlan-remove-disable pnic vlan-remove-disablepnic vlan-remove-enable pnic vlan-remove-enableDisable the web server using the command pnic web-gui-stop pnic versionpnic web-gui-start Display the driver versionCommands Enable the web server using the command pnic web-gui-startpnic web-gui-stop CommandExample Commandspnic web-gui-start RelatedAppendix A ack number Appendix BSnort Keywords dsize number numberKeyword Description uricontent ! “datastring”Keyword Rule SyntaxAppendix B Appendix C Meta and Evasion Rules meta RulesEvasion Rules Appendix C Command Appendix D Basic Unix CommandsUnix Commands DescriptionDescription vi CommandsCommand ? textAppendix E GlossaryState SnortSPAN Port Static RulesTechnical Support Accessing iSupport ServicesAppendix F Manual PagesContacting the Technical Assistance Center Locating P-Series Serial NumbersSerial Number see Locating P-Series Serial Numbers on page Requesting a Hardware Replacement To request replacement hardware, follow these stepsTechnical Support