Stateful Rule Examples | Force10 Networks 100-00055-01 manual

When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored packet in the same flow (contained in a portion of the flow register Cf) is also stored. Thus a packet stored in Match Memory may reference another packet stored in Temporary Memory, which in turn may reference more packets, thus forming a linked list of partial matches, starting with a packet stored in Match Memory.

The values for ri have the following meanings:

1:store the packet in Temporary Memory

2:store the packet in Match Memory and notify host software

Note: If the Hash key option is selected, the R=2 flag no longer causes the packet to be stored in Temporary Memory.

Stateful Rule Examples

Table 20 Stateful Matching Signatures

Signature 1: alert on c0 tcp any any -> any any (msg:"SYN"; flags:S; S:1; R:0; C:3;)

Signature 2: alert on c0 tcp any any -> any any (msg:"ack"; flags:A+; S:2; R:1; C:4;)

Signature 3: alert on c0 tcp any any -> any any (msg:"ack"; flags:A+; S:4; R:2; C:4;)

Signature 4: alert on c0 tcp any any -> any any (msg:"frag"; dsize: 0 <> 100; S:1; R:1; C:9;)

Signature 5: alert on c0 tcp any any -> any any (msg:"frag"; dsize: 0 <> 100; S:8; R:1; C:16;)

Signature 6: alert on c0 tcp any any -> any any (msg:"frag"; dsize: 0 <> 100; S:16; R:2; C:16;)

In Table 20:

•Signature 1 matches any TCP SYN packet, erasing any expired Cf register; if this signatures triggers - meaning a SYN is present — it sets bits 0 and 1 (value 3) in the Cf register. The SYN packets is discarded (R=0).

•Signature 2 triggers if Signature 1 has triggered (the Cf register having bit 1 set) and a TCP packet contains an ACK bit. The result for this match is that bit 2 (value 4) is set in the Cf register. The packet is stored in Temporary Memory (R=1).

•Signature 3 triggers if Signature 2 has triggered (the Cf register having bit 2 (value 4) set) and another later TCP packet contains an ACK bit. The result for this match does not modify the existing content of the Cf register. The packet is stored in Match Memory, referencing the packet of Signature 2. The DPI driver then presents to the host the packet matched by 2, followed by the packet matched by 3, through the DPI network interface.

70	Writing Rules

Image 70

Force10 Networks 100-00055-01 manual Stateful Rule Examples

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Contents Graphical User Interface Command Line Reference Glossary Conventions ObjectivesAudience Convention Description Keyword Related Documents Information SymbolsSymbol Warning Description Additional Resources Label Description This LED is blue when the hard disk is accessedThis LED is green when the power is on This LED is not used Physical Connections System SpecificationsPB-10GE-2P Step Task Once the appliance is booted BootingConfiguration Security Check Tar xvzf PTPS-PMAIN Gmake installCp -Rf /usr/local/pnic/ /home Cd SW Re-compile all rules firmware with the new compiler Cd upgradedirectory/pnic-compilerInstall pre-compiled firmware if needed Located in the directory pnic-compiler Returning to the Default Configuration Chapter Getting Started Getting Started Chapter Introduction Hardware Architecture Overview Rx1 Tx1 Mirror Types of RulesSample Rules and Firmware Introduction Sample Rules Files Rule ManagementDeploying the P-Series Rule Set Description Inline Deployment Fail-safe Deployment Highly-available Deployment Passive Deployment Capturing Matched Traffic Series supports capturing matched traffic for analysis Capturing to a Host CPU Capturing Matched Traffic via the libpcap Interface Mirroring to Another Device Creating an IDS Accelerator with the P-Series Invoke the GUI by entering the command pnic gui Graphical User Interface GUI Commands GUI CommandsCommand Description Managing Rules, Policies, and Firmware Rule Management GUI Policy Capture Editing Dynamic Rules with the GUIOption Description Permit Deny Managing Capture/Forward Policies with the GUI To modify dynamic rules Selecting Firmware with the GUI Managing Capture/Forward Policies GUI To select firmware Runtime StatisticsSelect Manage Firmware see Figure Runtime Statistics for Channel 0 and 1-FPGA Loaded Runtime Statistics Description Reloading FirmwareStatistic Description Graphical User Interface Web-based Management Launching the P-Series Node Manager Lauching the P-Series Node Manager Web-based Management Web-browser Security Certificates Managing the P-Series using Node ManagerSeries Node Manager has four major management capabilities Monitoring System Performance Series Node Manager Home Panel Web-based Management Managing Firmware Images Managing the Network Interface CardPage Managing Policies Page Network Security Monitoring Installing the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server Source the server configuration file. The default Installing the Sguil ClientTo uninstall the server Wish File Location Sensor Installation FilesSguil Files and Directories Server Running the Sguil System Running the Sguil Sensor Running the Sguil Server Task Script Running the Sguil Client To run the Sguil Client Selecting the Sensor to Monitor MAC Rewriting CLI CommandsEditing Dynamic Rules with the CLI Change directories to /usr/local/pnic/0 Command Line Interface Rewriting Destination MAC Addresses to Load Balance Removing Vlan Tags Command Line Interface Compiling Rules Creating Rules FilesRules Capacity To complile rules Compilation Option Description Content matching Positives Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Summary of configuration Starting and Stopping the pnic-Compiler Configuration and Generated Files Configuration and Generated FilesFile Description Location Describes each of the elements in this format Compiler ErrorsFirmware Filenames Firmware Filename Description Snort Rule Headers Snort Rule SyntaxSnort Rule Syntax Protocol Ports Snort Rule Options Series Rule SyntaxSeries Supported Snort Keywords Keyword Static Dynamic Yes Only /8/16/24/32 masks Seq YesYes Yes, no ranges Writing Stateful Rules Stateful Matching Pre-match Condition the S Value Stateful Rule Examples Support for Snorts flow Keyword Handling Segmentation Evasion Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Chapter Firewall Deploying the P-Series as a Firewall Enabling the Firewall Firewall Allowing Traffic through the Firewall Writing Rules for a Firewall Deployment Sample Firewall Rules Appendix a Command Line Reference Pnic aggregate-mode-disable number Pnic aggregate-mode-disableAppendix a Different ports. This is the default behavior Pnic aggregate-mode-enablePnic aggregate-mode-enable number Pnic apply-firmware Pnic apply-firmware Command Example Display the available firmware Pnic capture-off Pnic capture-offPnic capture-on Syntax pnic capture-on Pnic cardstatus number Display the configuration parameters of the systemPnic cardstatus Display the driver version Pnic compilerules Pnic default-drop-disablePnic default-drop-disable number Pnic compilerules number Run diagnostic tests on the card Pnic default-drop-enableEnable firewall functionality Pnic diag Pnic diag Command Example Example pnic diag Command Example Pnic flow-teardown-disable Pnic flow-teardown-disablePnic flow-teardown-enable Pnic flow-teardown-enable Pnic getmachashindex Example pnic flow-teardown-enable Command ExamplePnic getmachashindex number Launch the graphical user interface Pnic guiSyntax pnic gui Pnic gui Command Example Pnic help Pnic help Pnic linkdown Pnic linkup Pnic loadconf Pnic loadconf number Pnic loadconf Address Mapping Address Corresponding Parameter Load the PCI-X and front-end EEPROMs Pnic loadepromsPnic loadparams deprecated Pnic loadeproms number Pnic loadparams Command Example Loadparams Address Mapping Pnic loadrules Pnic loadrules channel Disable MAC rewriting using the command pnic macrewrite-off Disable MAC rewriting. This is the default behaviorEnable MAC rewriting using the command pnic macrewrite-on Pnic macrewrite-off Syntax pnic off Pnic off deprecated100 Appendix a Pnic on deprecated Example pnic off Command ExampleEnable the capturing of packets via direct memory access Pnic on Pnic params Pnic passive-mode-disableSyntax pnic passive-mode-disable number Pnic params number Example pnic passive-mode-disable Command Example Pnic passive-mode-enableConfigure the ports to only receive traffic Configure the ports to only receive traffic Pnic restart Pnic resetconfPnic resetconf number Stop capturing and matching Start the Sguil sensor Series Installation and Operation Guide, version 105Pnic sguil-sensor-start Pnic restart Pnic sguil-sensor-start -f Stop the Sguil sensor Series Installation and Operation Guide, version 107Pnic sguil-sensor-stop Pnic sguil-sensor-stop -f Pnic show-firmwares Display configuration parameters of the cardPnic showconf List the available firmware images Apply a specific firmware to the card Series Installation and Operation Guide, version 109Pnic showtech Pnic showtech number filename.dat Pnic start Disable the network interface using the command pnic stopExample pnic showtech Command Example Pnic start number Disable the network interface Turn off capture and disable the network interfaceEnable the network interface using the command pnic start Pnic stop Disable temporary memory Pnic temp-mem-disablePnic temp-mem-enable Enable temporary memory. This is the default behavior Pnic updatemacvalue number Pnic updatemacvalueDisable temporary memory Specifies an LSB value for a particular hash index Disable the Vlan Tag Remove feature Pnic vlan-remove-disablePnic vlan-remove-enable Vlan Tag Remove feature is disabled by default Pnic web-gui-start Disable the web server using the command pnic web-gui-stopPnic version Display the driver version Stop the web server Pnic web-gui-stopStop the web server Pnic web-gui-stop -f Series Installation and Operation Guide, version 117 Start the web server 118 Appendix a Ack Checks for a specific TCP acknowledgment number Description of P-Series Snort KeywordsKeyword Description Rule Syntax Flags!*+ FSRPAU120 Icmp seq number Flow establishedstatelessIcmp idnumber Ipproto ! name number Uricontent ! datastring Ttl This keyword checks for the specified IP time-to-live 122 Appendix B Meta Rules Meta Rules for Channel 0 and ChannelEvasion Rules 124 Appendix C Passwd Unix CommandsLogout Pwd Set number no Vi Commands? text Number Garbage Dynamic RulesFlow Collection State SnortSpan Port Static Rules Manual Pages Accessing iSupport ServicesSeries Installation and Operation Guide, version 129 ISupport Website Contacting the Technical Assistance Center Locating P-Series Serial Numbers Requesting a Hardware Replacement To request replacement hardware, follow these steps 132 Technical Support