Writing rules, Snort rule syntax, Snort rule headers – Force10 Networks PSeries 100-00055-01 User Manual
Chapter 9: Writing Rules

P-Series Installation and Operation Guide, version 2.3.1.2
P-Series rule syntax is based on Snort. Both rule structures are described in this chapter.
• Snort Rule Syntax
• P-Series Rule Syntax on page 66
Snort Rule Syntax
Snort rules are descriptions of traffic plus a prescribed action that is taken if a packet matches that
description. Rules are divided into two sections:
• Header: The header contains the action, protocol, source and destination IP addresses (with subnet masks), and the source and destination ports.
• Options: The options section contains alert messages, and specifies values to search for inside the packet.
Table 11 shows the syntax for Snort rules, and Table 12 shows an example. The text preceding the parentheses is the header, and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are option keywords. Rules that span multiple lines must have a backslash at the end of each continued line. All rules and options must be punctuated with a semicolon.
Snort Rule Headers
Action
The first item in a rule is the action keyword. It dictates how Snort is to handle a packet that matches the rule. All of the elements in a rule must be true for Snort to execute the action. There are five action keywords in Snort:
• alert: directs Snort to generate an alert and log the packet.
• log: directs Snort to log the packet.
Table 11 Snort Rule Syntax
action protocol source_address source_port -> destination_address destination_port \
(content:"data_string"; msg:"message");
Table 12 Snort Rule Example
alert tcp any any -> 192.168.1.0/24 111 (content:"| 00 01 86 a5 |"; msg:"mounted access");
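As an added example (not code from the manual or from Snort itself), the following Python parser splits a rule written in the Table 11 layout into its header fields and its option list, joining backslash-continued lines first and rejecting a rule whose header or option punctuation does not follow the rules above. It assumes only the two action keywords listed on this page; the sample rule is the Table 12 example, constructed here across two lines.

```python
import re

# Action keywords named on this page (Snort defines more; only these two are listed here).
ACTIONS = {"alert", "log"}

# Header layout from Table 11:
#   action protocol source_address source_port -> destination_address destination_port
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)$"
)

def split_options(body):
    """Split 'key:"value"; key2:value2;' into (key, value) pairs; a ';' inside quotes is data."""
    options, start, in_quote = [], 0, False
    for i, ch in enumerate(body):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            key, sep, value = body[start:i].strip().partition(":")
            options.append((key.strip(), value.strip().strip('"') if sep else None))
            start = i + 1
    if body[start:].strip():
        raise ValueError("option not terminated by a semicolon: " + body[start:].strip())
    return options

def parse_rule(text):
    """Parse one Snort rule (possibly backslash-continued) into header fields and options."""
    rule = re.sub(r"\\\s*\n\s*", " ", text.strip())  # join backslash-continued lines
    lparen, rparen = rule.find("("), rule.rfind(")")
    if lparen == -1 or rparen < lparen:
        raise ValueError("rule options must be enclosed in parentheses")
    match = HEADER_RE.match(rule[:lparen].strip())
    if match is None:
        raise ValueError("malformed header: " + rule[:lparen].strip())
    fields = match.groupdict()
    if fields["action"] not in ACTIONS:
        raise ValueError("unsupported action keyword: " + fields["action"])
    # Table 12 writes the final semicolon after ")"; accept it on either side.
    body = rule[lparen + 1:rparen]
    fields["options"] = split_options(body if body.rstrip().endswith(";") else body + ";")
    return fields

# Constructed input: the Table 12 rule, split over two lines with a backslash continuation.
TABLE_12_RULE = 'alert tcp any any -> 192.168.1.0/24 111 \\\n    (content:"| 00 01 86 a5 |"; msg:"mounted access");'

if __name__ == "__main__":
    print(parse_rule(TABLE_12_RULE))
```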