Snort Rule Infographic

Official Documentation

-----------------------------------------------------------

SNORTOLOGY 101

THE ANATOMY OF A SNORT RULE

WHAT IS SNORT?

Snort is an open source network intrusion prevention system (IPS) by Cisco. It is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching and matching, and detect a variety of attacks and probes. Snort can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging), or as a full-blown network intrusion prevention system.

LET’S BREAK IT DOWN

BASIC OUTLINE OF A SNORT RULE
[action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )
|___________________ Rule Header _________________|

RULE HEADER
The rule header contains the rule's action, protocol,
source and destination IP addresses and netmasks,
and the source and destination ports information.

alert Action to take (option) The first item in a rule
is the rule action. The rule action tells Snort what to do
when it finds a packet that matches the rule criteria
(usually alert).

tcp Type of traffic (protocol) The next field in a rule
is the protocol. There are four protocols that Snort
currently analyzes for suspicious behavior
- TCP, UDP, ICMP, and IP.

$EXTERNAL_NET Source address(es) variable or literal

$HTTP_PORTS Source port(s) variable or literal

-> Direction operator The direction operator ->
indicates the orientation of the traffic to which
the rule applies.

$HOME_NET Destination address(es) variable or literal

any Destination port(s) variable or literal

RULE OPTIONS
Rule options form the heart of Snort’s intrusion detection engine combining ease of use with power and flexibility. All Snort rule options are separated from each other using a semicolon (;). Rule option keywords are separated from their arguments with a colon (:).

GENERAL RULE OPTIONS

Message A meaningful message typically includes what the rule is detecting.
The msg rule option tells Snort what to output when the rule matches.
It is a simple text string.

Flow For the rule to fire, specifies which direction the network traffic is going.
The flow keyword is used in conjunction with TCP stream reassembly.
It allows rules to only apply to certain directions of the traffic flow.

Reference The reference keyword allows rules to include references
to external sources of information.

Classtype The classtype keyword is how Snort shares what the effect
of a successful attack would be.

sid/rev The snort id is a unique identifier for each rule. This information
allows output plugins to identify rules easily and should be used with
the rev (revision) keyword.

DETECTION OPTIONS

Content This important feature allows the user to set rules that search for
specific content in the packet payload and trigger response based on that
data. The option data can contain mixed text and binary data.

distance/offset These keywords allow the rule writer to specify where
to start searching relative to the beginning of the payload or the
beginning of a content match.

within/depth These keywords allow the rule write to specify how far
forward to search relative to the end of a previous content match and,
once that content match is found, how far to search for it.

PCRE The pcre keyword allows rules to be written using perl compatible
regular expressions which allows for more complex matches than simple
content matches.

Byte test The byte_test options allows a rule to test a number of bytes
against a specific value in binary.

EXAMPLE

Rule Header      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any

Message          msg: “BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt”;

Flow             flow: to_client,established;

Detection        file_data;

                         content:"recordset"; offset:14; depth:9;

                         content:".CacheSize"; distance:0; within:100;

                         pcre:"/CacheSize\s*=\s*/";

                         byte_test:10,>,0x3ffffffe,0,relative,string;

Metadata          policy max-detect-ips drop, service http;

References        reference:cve,2016-8077;

Classification    classtype: attempted-user;

Signature ID      sid:65535;rev:1;

例如:alert tcp any any -> any 80 (msg:"http critical file type(sh) Blocked"; content:".sh"; sid:10101; rev:1;)

=================== End

Snort Rule Infographic的更多相关文章

  1. SNORT入侵检测系统

    SNORT入侵检测系统 YxWa · 2015/10/09 10:38 0x00 一条简单的规则 alert tcp 202.110.8.1 any -> 122.111.90.8 80 (ms ...

  2. How to compile and install Snort from source code on Ubuntu

    http://www.tuicool.com/articles/v6j2Ab Snort is by far the most popular open-source network intrusio ...

  3. 如何编写snort的检测规则

    如何编写snort的检测规则 2013年09月08日 ⁄ 综合 ⁄ 共 16976字 前言 snort是一个强大的轻量级的网络入侵检测系统.它具有实时数据流量分析和日志IP网络数据包的能力,能够进行协 ...

  4. Snort Inline IPS Mode

    Snort Inline IPS Mode https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-intro ...

  5. snort_inline

    snort_inline Link   http://snort-inline.sourceforge.net/oldhome.html What is snort_inline? snort_inl ...

  6. BlackArch-Tools

    BlackArch-Tools 简介 安装在ArchLinux之上添加存储库从blackarch存储库安装工具替代安装方法BlackArch Linux Complete Tools List 简介 ...

  7. snort installation, configuration and test

    snort installation: https://www.snort.org/#get-started wget https://www.snort.org/rules/snortrules-s ...

  8. Snort - 配置文件

    Snort.conf 版本 2.9.8.3 编译可用选项: --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable- ...

  9. Snort - manual 笔记(一)

    Chapter 1 Snort Overview This manual is based on Writing Snort Rules by Martin Roesch and further wo ...

随机推荐

  1. 小D课堂 - 零基础入门SpringBoot2.X到实战_第6节 SpringBoot拦截器实战和 Servlet3.0自定义Filter、Listener_24、深入SpringBoot过滤器和Servlet配置过滤器

    笔记 1.深入SpringBoot2.x过滤器Filter和使用Servlet3.0配置自定义Filter实战(核心知识)     简介:讲解SpringBoot里面Filter讲解和使用Servle ...

  2. flutter PopupMenuButton弹出式菜单列表

    import 'package:flutter/material.dart'; class PopupMenuButtonDemo extends StatefulWidget { @override ...

  3. WebSocket始终保持连接的办法

    在项目中,后台为了其实把处理结果主动推送个前端,因此使用了WebSocket. 但是问题来了,页面每跳转一次,socket都要重新关闭建立连接.这个资源消耗是很大的,而且线上环境随着并发量的增加会报错 ...

  4. c# list 使用Where()方法过滤数据

    //根据任务id过滤数据 Func<RfidCodeResultDto, bool> expression = c => c.lineTaskId == _lineTaskId; r ...

  5. ES6深入浅出-3 三个点运算 & 新版字符串-1.函数与对象的语法糖

    主要讲的内容 时间充裕的话就讲,模板字面量 默认参数值 首先讲es6之前,我们是怎么做的.例如我们要写一个求和的函数, 请两个参数的和,但是如果有的人就是穿一个参数呢? 那么b没有传值,b的值是多少呢 ...

  6. LeetCode_219. Contains Duplicate II

    219. Contains Duplicate II Easy Given an array of integers and an integer k, find out whether there ...

  7. 抓取二维数组某值出来,到一维数组---array_column

    /*** * '抓取二维数组某值出来,到一维数组' * @param $arr * @param $item * @return array */ function get_arr_item_val( ...

  8. 汉字转拼音插件:LM-PinYin.js

    CDN:http://dtdxrk.github.io/jsPlug/pinyin/LM-PinYin.js demo演示地址:http://dtdxrk.github.io/jsPlug/pinyi ...

  9. shell脚本通过子网掩码计算出掩码位数

    子网掩码格式为255.255.255.0可以通过以下脚本计算掩码位数 #!/bin/sh #maskdigits.sh mask maskdigits () { a=$(echo "$1&q ...

  10. Keras代码超详细讲解LSTM实现细节

    1.首先我们了解一下keras中的Embedding层:from keras.layers.embeddings import Embedding: Embedding参数如下: 输入尺寸:(batc ...