Reproduced from: "IPs analysis" Snort grammar rules and examples explained
Direction operator:
The direction operator "->" gives the direction of the traffic the rule applies to. The IP address and port on the left of the operator are the source host the traffic comes from; the IP address and port on the right are the destination host. There is also a bidirectional operator, "<>", which tells Snort to treat each address/port pair as both source and destination. This is handy for recording or analyzing both halves of a conversation, such as a Telnet or POP3 session. The Snort manual's example of logging both sides of a telnet session is (the network masks and the telnet port are not legible in the source and are restored from the manual):
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
Activate and dynamic rules:
Note: activate and dynamic rules are being phased out in favor of tagging. In a future version of Snort they will be replaced entirely by enhanced tagging.
Activate and dynamic rules give Snort more power: one rule can switch on another rule when it fires on some packet. This is very useful when you want Snort to perform follow-on recording once a particular rule "goes off". An activate rule is written like an alert rule but has one extra option field, activates. A dynamic rule is written like a log rule but has a different option field, activated_by, and a second required field, count.
Put differently: an activate rule is an alert rule that additionally tells Snort to load another rule when a given network event occurs; a dynamic rule is a log rule that is loaded dynamically when its activate rule fires, and it then logs the next count packets matching its header. The two are used together as in the Snort manual's example (garbled in the source; restored from the manual). When the activate rule sees the shellcode pattern on IMAP port 143 it alerts and turns on dynamic rule 1, which logs the next 50 packets headed for port 143:
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags:PA; content:"|E8C0FFFFFF|/bin"; activates:1; msg:"IMAP buffer overflow!";)
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50;)
Rule options
Rule options form the core of Snort's intrusion detection engine, combining ease of use with power and flexibility. All Snort rule options are separated by a semicolon ";". A rule option keyword and its argument are separated by a colon ":". In this notation Snort has 42 rule option keywords:
msg - print a message in alerts and packet logs.
logto - log the packet to a user-specified file instead of the standard output file.
ttl - test the TTL value of the IP header.
tos - test the TOS field of the IP header.
id - test the fragment ID field of the IP header for a specific value.
ipoption - watch the IP option fields for specific codes.
fragbits - test the fragmentation bits of the IP header.
dsize - test the packet's payload size against a value.
flags - test the TCP flags for certain values.
seq - test the TCP sequence number field for a specific value.
ack - test the TCP acknowledgement field for a specific value.
window - test the TCP window field for a specific value.
itype - test the ICMP type field.
icode - test the ICMP code field.
icmp_id - test the ICMP ECHO ID field.
icmp_seq - test the ICMP ECHO sequence number.
content - search for a pattern in the packet's payload.
content-list - search for a set of patterns in the packet's payload.
offset - modifier for content; sets the offset at which the search starts.
depth - modifier for content; sets the maximum search depth.
nocase - match the preceding content string case-insensitively.
session - dump the application-layer information for a given session.
rpc - watch RPC services for specific application/procedure calls.
resp - active response (tear down connections, etc.).
react - active response (block web sites).
reference - external attack reference IDs.
sid - Snort rule ID.
rev - rule revision number.
classtype - rule classification identifier.
priority - rule severity identifier.
uricontent - search for a pattern in the URI portion of the packet.
tag - advanced logging actions for the rule.
ip_proto - the protocol field value of the IP header.
sameip - test whether the source IP equals the destination IP.
stateless - match regardless of stream state.
regex - wildcard pattern matching.
distance - force relative pattern matching to skip a given number of bytes after the previous match.
within - force relative pattern matching to occur within a given number of bytes.
byte_test - numerical pattern testing.
byte_jump - numerical pattern testing and offset adjustment.
flow - used together with TCP stream reassembly; restricts the rule to one direction of the flow, so it applies only to the client side or only to the server side.
To illustrate:
Example 1:
alert tcp any any -> any 3306 (msg:"MySQL Server Geometry Query integer overflow attack"; flow:to_server,established; dsize:<N; flags:A; content:"|03|"; nocase; offset:4; depth:1; content:"select|20|geometryn|28|0x00000000000700000001"; distance:10; within:50; reference:cve,2013-1861; reference:bugtraq,58511; sid:20141107; rev:1;)
Rule header: alert tcp any any -> any 3306 // match TCP packets from any source IP and port to any destination IP on port 3306 and raise an alert.
Rule options:
msg:"MySQL Server Geometry Query integer overflow attack"; // the message printed in the alert and packet logs.
flow:to_server,established; // only inspect packets travelling towards the server on an established TCP session.
dsize:<N; // application-layer payload shorter than N bytes (the value of N is lost in the source).
flags:A; // TCP flags: only ACK set.
content:"|03|"; nocase; offset:4; depth:1; // the single byte at payload offset 4 must be 0x03. In the MySQL protocol the first four bytes are the packet header (3-byte length, 1-byte sequence number) and byte 4 is the command code; 0x03 is COM_QUERY. nocase is meaningless here: it only matters for text that has upper and lower case, and a hex byte has none.
content:"select|20|geometryn|28|0x00000000000700000001"; distance:10; within:50; // skip 10 bytes past the end of the previous (0x03) match, then search the next 50 bytes for "select GeometryN(0x00000000000700000001" (|20| is a space, |28| an opening parenthesis). This content has no nocase, so only the lower-case spelling matches.
reference:cve,2013-1861; reference:bugtraq,58511; // external references to CVE and Bugtraq (the CVE year was garbled in the source and is restored from the Bugtraq ID).
classtype: // the class name is garbled in the source and omitted from the rule above; the page only records that the severity was medium.
sid:20141107; // rule ID.
rev:1; // revision 1, the first version.
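To make the window arithmetic of offset/depth and distance/within concrete, here is a small Python model of those four content modifiers, driven with the two content options of Example 1 over MySQL COM_QUERY packets constructed for the purpose. This is an added example, not code from the original page or from the Snort project. The MySQL framing it uses (3-byte little-endian length, 1-byte sequence id, then a command byte where 0x03 is COM_QUERY) is the real protocol layout; the query strings are constructed test data. It treats within as the length of the search window that opens distance bytes after the previous match ends, which is how the page's own annotation reads the rule (skip 10, take 50).

```python
# Added example (not from the original page): a model of how Snort's
# content / offset / depth / distance / within modifiers carve search windows
# out of a payload, driven with the options of Example 1 above.
# The MySQL packets below are constructed here for the demonstration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_snort_pattern(pat: str) -> bytes:
    """Decode a Snort content string: text between '|' pairs is hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(pat.split("|")):
        if i % 2:  # odd chunks sit between pipes -> hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


@dataclass
class Content:
    pattern: str
    nocase: bool = False
    offset: int = 0         # absolute: where the search window starts
    depth: int = 0          # absolute: window length (0 = rest of payload)
    distance: int = 0       # relative: bytes skipped after the previous match ends
    within: int = 0         # relative: window length after that skip (0 = rest of payload)
    relative: bool = False  # set when distance/within are in use


def match_contents(payload: bytes, contents: List[Content]) -> Optional[List[Tuple[int, int]]]:
    """Apply the contents in order, tracking the end of the previous match
    (Snort's 'detect offset end').  Returns (start, end) of every match, or
    None as soon as one content fails.  A match must lie wholly inside its window."""
    doe = 0
    found = []
    for c in contents:
        needle = parse_snort_pattern(c.pattern)
        start = doe + c.distance if c.relative else c.offset
        length = c.within if c.relative else c.depth
        end = start + length if length else len(payload)
        window = payload[start:end]
        if c.nocase:
            window, needle = window.lower(), needle.lower()
        idx = window.find(needle)
        if idx < 0:
            return None
        doe = start + idx + len(needle)
        found.append((start + idx, doe))
    return found


def mysql_com_query(sql: bytes, seq: int = 0) -> bytes:
    """Constructed MySQL client packet: 3-byte LE length, 1-byte sequence id,
    then the payload whose first byte is the command (0x03 = COM_QUERY)."""
    body = b"\x03" + sql
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


# The content options of Example 1, as the page gives them.
EXAMPLE1_CONTENTS = [
    Content("|03|", nocase=True, offset=4, depth=1),  # command byte == COM_QUERY
    Content("select|20|geometryn|28|0x00000000000700000001",
            relative=True, distance=10, within=50),
]

# Constructed test payloads.
HIT = mysql_com_query(b"/* probe */ select geometryn(0x00000000000700000001,1)")
# Same query with nothing in front of it: 'select' starts at payload offset 5,
# but the second window only opens at 5 + 10 = 15, so distance:10 misses it.
MISS_TOO_EARLY = mysql_com_query(b"select geometryn(0x00000000000700000001,1)")
# Upper-case spelling: MySQL accepts it, but the second content has no nocase.
MISS_CASE = mysql_com_query(b"/* probe */ SELECT GeometryN(0x00000000000700000001,1)")


def rule_fires(payload: bytes) -> bool:
    """True when every content option of Example 1 matches the payload."""
    return match_contents(payload, EXAMPLE1_CONTENTS) is not None


if __name__ == "__main__":
    for name, p in [("HIT", HIT), ("MISS_TOO_EARLY", MISS_TOO_EARLY), ("MISS_CASE", MISS_CASE)]:
        print(name, rule_fires(p), match_contents(p, EXAMPLE1_CONTENTS))
```

Running it shows three things the rule text alone does not: the second content is only searched from byte 15 on, so a query whose "select geometryn(" begins directly after the command byte (payload offset 5) is never seen; the second content has no nocase, so "SELECT GeometryN(" evades it although MySQL treats both spellings alike; and the match positions returned for the hit, (4, 5) and (17, 56), show exactly where the detect offset end lands after each content.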
Example 2:
Heartbleed vulnerability detection rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"OpenSSL Heartbleed attack"; flow:to_server,established; content:"|18 03|"; depth:3; byte_test:2,>,N,3,big; byte_test:2,<,16385,3,big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid:20140160; rev:2;)
Rule header: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 // $EXTERNAL_NET and $HOME_NET are variables configured in /etc/snort/snort.conf.
Rule options:
msg:"OpenSSL Heartbleed attack"; // alert message.
flow:to_server,established; // only request packets sent to the server on an established session are inspected.
content:"|18 03|"; depth:3; // the bytes 0x18 0x03 must appear within the first 3 bytes of the payload: 0x18 is the TLS heartbeat content type and 0x03 the first byte of the SSL 3.0/TLS 1.x version field.
byte_test:2,>,N,3,big; // read 2 bytes starting at offset 3 as a big-endian integer (the TLS record length) and require it to be greater than N (the value of N is lost in the source).
byte_test:2,<,16385,3,big; // the same 2-byte big-endian record length must be less than 16385.
threshold:type limit, track by_src, count 1, seconds 600; // rate limit: log at most once per source address every 600 seconds.
reference:cve,2014-0160; // CVE reference (the year was garbled in the source and is restored from the vulnerability name and the rule's sid).
classtype:bad-unknown; // classification.
sid:20140160; // rule ID.
rev:2; // revision 2.
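The two byte_test options and the threshold in Example 2 are easiest to understand by running them. The Python below is an added example, not code from the original page or from Snort: it models byte_test (read n bytes at an offset, convert with the stated endianness, compare) and threshold type limit, and applies the rule's option chain to TLS heartbeat records constructed here. Because the lower bound of the first byte_test did not survive in the source, LOWER_BOUND is an assumed value. It also adds a check the page's rule does not make: the length-consistency condition that patched OpenSSL enforces on heartbeat requests (1 + 2 + payload_length + 16 must fit inside the record).

```python
# Added example (not from the original page): a model of Snort's byte_test and
# 'threshold: type limit' as used by the Heartbleed rule in Example 2, run over
# TLS heartbeat records constructed here.  The page's lower bound for the first
# byte_test did not survive extraction, so LOWER_BOUND below is an assumed value.
import operator
from typing import Dict, Tuple

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
       "!=": operator.ne, "<=": operator.le, ">=": operator.ge}


def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int,
              big: bool = True, relative_to: int = 0) -> bool:
    """byte_test:<nbytes>,<op>,<value>,<offset>[,big|little]: read nbytes at
    offset (counted from relative_to when 'relative' is in effect), convert
    with the given endianness and compare against value.  Fails if bytes are missing."""
    start = relative_to + offset
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:
        return False
    return OPS[op](int.from_bytes(chunk, "big" if big else "little"), value)


class LimitThreshold:
    """threshold: type limit, track by_src, count N, seconds S: pass the first
    N events from a source in each S-second window (the window starts at the
    first event) and suppress the rest until the window expires."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[float, int]] = {}

    def allow(self, src: str, now: float) -> bool:
        start, n = self.state.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            start, n = now, 0
        n += 1
        self.state[src] = (start, n)
        return n <= self.count


# ---- constructed TLS records --------------------------------------------------
def tls_record(content_type: int, version: int, body: bytes) -> bytes:
    """TLS record: type(1) version(2) length(2) body."""
    return bytes([content_type]) + version.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body


def heartbeat_request(claimed_len: int, payload: bytes, padding: int = 16) -> bytes:
    """Heartbeat message: type 0x01 (request), payload_length(2), payload, padding."""
    return b"\x01" + claimed_len.to_bytes(2, "big") + payload + b"\x00" * padding


LOWER_BOUND = 64  # assumption: the page's value for byte_test:2,>,N,3,big is lost


def example2_matches(payload: bytes, lower_bound: int = LOWER_BOUND) -> bool:
    """The option chain of Example 2: |18 03| in the first 3 bytes, then the
    record length (2 bytes at offset 3, big-endian) between lower_bound and 16385."""
    if payload[:3].find(b"\x18\x03") < 0:                   # content:"|18 03|"; depth:3;
        return False
    return (byte_test(payload, 2, ">", lower_bound, 3)      # byte_test:2,>,N,3,big
            and byte_test(payload, 2, "<", 16385, 3))       # byte_test:2,<,16385,3,big


def heartbleed_length_mismatch(payload: bytes) -> bool:
    """The condition patched OpenSSL enforces: 1 + 2 + payload_length + 16 must
    fit in the record; a request violating it is a Heartbleed read-overrun attempt."""
    if len(payload) < 8 or payload[0] != 0x18:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    claimed = int.from_bytes(payload[6:8], "big")
    return 1 + 2 + claimed + 16 > record_len


# Constructed samples.
TLS1_1 = 0x0302
CLASSIC_PROBE = tls_record(0x18, TLS1_1, b"\x01\x40\x00")  # record length 3, claims 16384 bytes
PADDED_PROBE = tls_record(0x18, TLS1_1, heartbeat_request(0x4000, b"A" * 200))
BENIGN_HB = tls_record(0x18, TLS1_1, heartbeat_request(200, b"A" * 200))
APP_DATA = tls_record(0x17, TLS1_1, b"\x00" * 300)


if __name__ == "__main__":
    for name, p in [("CLASSIC_PROBE", CLASSIC_PROBE), ("PADDED_PROBE", PADDED_PROBE),
                    ("BENIGN_HB", BENIGN_HB), ("APP_DATA", APP_DATA)]:
        print(f"{name:14s} rule={example2_matches(p)!s:5s} mismatch={heartbleed_length_mismatch(p)}")
    th = LimitThreshold(count=1, seconds=600)
    print([th.allow("10.0.0.5", t) for t in (0, 1, 599, 600)])
```

The output shows why record-length bounds alone are a weak Heartbleed signature: the classic 8-byte probe (record length 3, claimed payload 16384) falls below the assumed lower bound and is missed, while a benign 219-byte heartbeat passes both byte_tests and fires. The length-mismatch check separates the two; in Snort it can be approximated with byte_extract pulling the record length into a variable that byte_test then compares the claimed payload length against. The threshold object returns [True, False, False, True] for events at 0, 1, 599 and 600 seconds from one source: the first event in each 600-second window alerts and the rest are suppressed.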
References:
bugtraq:http://www.securityfocus.com/
Cve:http://cve.mitre.org/compatible/product_type.html
cnvd:http://www.cnvd.org.cn/
To generate alert records, scan the monitored system with Nmap, Nessus, CIS or X-Scan from a Kali virtual machine.