Snort rule options, P-series rule syntax, P-series supported snort keywords – Force10 Networks PSeries 100-00055-01 User Manual

Page 66: Destination address and port

Writing Rules

Destination Address and Port

The destination address and port follow the direction operator. The syntax of these parameters is the same as that of the source address and port. See “Source Addresses” on page 64, and “Ports” on page 65.

Snort Rule Options

Options are made of a keyword and an argument. An argument is the packet data against which the rule is matched. Option keywords are followed by a colon, and each option is punctuated with a semicolon. Table 19 lists the option keywords that the P-Series supports.

P-Series Rule Syntax

P-Series rules have a syntax that is slightly different from Snort rules. P-Series rules have the following
syntax:

capture/forward_policy on channel Snort_rule

capture/forward policy can have four values: alert, permit, divert, or deny. These settings are described in Table 5 on page 28.

channel can be c0 for Channel 0, c1 for Channel 1, or all for both channels.

Snort_rule is a rule written in Snort syntax.

Table 18 shows an example P-Series rule.

P-Series Supported Snort Keywords

Table 19 lists Snort keywords that the P-Series supports for both dynamic and static rules.

Table 18 P-Series Rule Example

alert on c1 any any -> any any (msg:"Z Default rule fragmented ip";)

Note: P-Series does not support the Snort action keywords log, pass, activate, and dynamic. P-Series
supports the action keywords alert, permit, divert, and deny.
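
The following Python linter for the P-Series rule form described above is an added example, not code from the Force10 manual. It assumes "->" is the only direction operator (the only one this page shows), keeps any tokens ahead of the source address untouched in a hypothetical "lead" field, and reads "no negative" in the content row of Table 19 as "negated content is not accepted in static rules"; all function and field names are illustrative.

```python
import re

POLICIES = {"alert", "permit", "divert", "deny"}      # actions the P-Series supports
UNSUPPORTED = {"log", "pass", "activate", "dynamic"}  # Snort actions it does not
CHANNELS = {"c0", "c1", "all"}
RULE_RE = re.compile(r"^(\S+)\s+on\s+(\S+)\s+(.*?)\s*\((.*)\)\s*$", re.S)
SAMPLE = 'alert on c1 any any -> any any (msg:"Z Default rule fragmented ip";)'  # Table 18

def split_options(body):
    """Split 'keyword:argument;' options; ';' inside quotes or after '\\' is data."""
    opts, buf, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not esc:
            key, _, arg = buf.strip().partition(":")
            if key:
                opts.append((key.strip(), arg.strip()))
            buf = ""
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = ch == "\\" and not esc
        buf += ch
    if buf.strip():
        raise ValueError("option not closed with ';': " + buf.strip())
    return opts

def parse_pseries_rule(line, dynamic=False):
    """Validate '<policy> on <channel> <Snort header> (<options>)' and return its parts."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("expected: policy on channel header (options)")
    policy, channel, header, body = m.groups()
    if policy in UNSUPPORTED:
        raise ValueError(f"Snort action '{policy}' is not supported on the P-Series")
    if policy not in POLICIES or channel not in CHANNELS:
        raise ValueError(f"bad policy/channel: {policy} on {channel}")
    fields = header.split()
    # Assumption: '->' is the only direction operator (the only one the page shows).
    i = fields.index("->") if "->" in fields else -1
    if i < 2 or len(fields) - i != 3:
        raise ValueError("need address and port on each side of '->'")
    opts = split_options(body)
    for key, arg in opts:
        # Reading of Table 19: content is static-only and may not be negated ('!').
        if key == "content" and (dynamic or arg.startswith("!")):
            raise ValueError("content: no negation in static rules, unsupported in dynamic")
    return {"policy": policy, "channel": channel, "lead": fields[:i - 2],
            "src": tuple(fields[i - 2:i]), "dst": tuple(fields[i + 1:]), "options": opts}
```

Running a converted Snort rule set through such a check before loading it catches rules that still carry the log, pass, activate, or dynamic actions.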

Table 19 Supported Snort Keywords for Static and Dynamic Rules

Keyword   Static              Dynamic
ack       Yes                 Yes
content   Yes, no negative.   No
