
Action      Function
alert       alerts and logs event
log         logs event
pass        ignores event
drop        drops packet and logs event
reject      TCP reset of session, or ICMP Type 3 Code 3 for UDP traffic, and logs event
sdrop       drops packet without logging
activate    alerts and activates a dynamic rule
dynamic     stays idle until turned on by an activate rule, then logs like a log rule
Source/Destination Port          Meaning
A.B.C.D                          single IP
A.B.C.D/xx                       CIDR block
[A.B.C.D, A.B.C.E, A.B.C.C]      match any one of the list, not all

Proto
IP (covers all)
TCP
UDP
ICMP

Direction    Meaning
->           from SRC to DEST
<>           in either direction

Header Format
Action  Proto  SRC  SRC Port  Direction  DST  DST Port
Modifier     Function
nocase;      makes the previous content match case insensitive; should be used in most cases to allow for vendor
             implementation variations. Should NOT be used when trying to match Base64 or URL encoding.
rawbytes;    ignores pre-processor interpretation of payload contents and looks for a raw packet payload match
offset:      advances the pointer to after a number of bytes from the beginning of the PAYLOAD. Example offset:3;
depth:       will only look for the content match from the beginning of the PAYLOAD up to the specified byte number.
distance:    advances the pointer to after the number of bytes from the end of the last CONTENT MATCH. Example
             distance:12;
within:      will only look for the content match from the end of the last CONTENT MATCH through the specified
             number of bytes
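The four position modifiers above are easiest to understand as a window over the payload plus a pointer that each content match leaves behind. The following is an added example, not code from the cheat sheet: a small Python model of that window, with offset/depth counted from the start of the PAYLOAD and distance/within counted from the end of the last CONTENT MATCH (when offset and depth are both given, depth is counted from the offset point, which is how Snort applies it). The function names and the sample request payload are this example's own.

```python
"""Added example, not from the cheat sheet: a small model of how the content
modifiers offset, depth, distance, within and nocase constrain where a
content match may land in the PAYLOAD. Function names and the sample
payload are this example's own; the semantics follow the definitions above."""

from typing import Optional


def find_content(payload: bytes, pattern: bytes, cursor: int = 0, *,
                 nocase: bool = False, offset: int = 0,
                 depth: Optional[int] = None, distance: Optional[int] = None,
                 within: Optional[int] = None) -> Optional[int]:
    """Return the index just past the match, or None when it fails.

    cursor is the pointer left by the previous content match (0 for the
    first content in a rule). offset/depth count from the start of the
    payload; distance/within count from the cursor, i.e. from the end of
    the last CONTENT MATCH. The pattern must fit entirely inside the window.
    """
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)

    if distance is not None or within is not None:
        start = cursor + (distance or 0)                    # relative to the previous match
        end = len(hay) if within is None else start + within
    else:
        start = offset                                      # absolute, from payload start
        end = len(hay) if depth is None else start + depth  # depth counts from the offset point

    idx = hay[start:end].find(needle)
    if idx < 0:
        return None
    return start + idx + len(needle)                        # new pointer: end of this match


def run_chain(payload: bytes, contents: list) -> bool:
    """Evaluate a list of (pattern, modifier dict) pairs in rule order, each
    one relative to the pointer left by the previous match."""
    cursor = 0
    for pattern, mods in contents:
        cursor = find_content(payload, pattern, cursor, **mods)
        if cursor is None:
            return False
    return True


# Constructed sample payload (not captured traffic): a plain HTTP request line.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"

if __name__ == "__main__":
    print(find_content(SAMPLE, b"get", nocase=True))     # 3: nocase lets "get" match "GET"
    print(find_content(SAMPLE, b"index", depth=3))        # None: only the first 3 bytes are searched
    # "index" starts 2 bytes after the end of "GET" and is 5 bytes long, so
    # distance:2 within:5 matches while distance:1 within:5 does not
    print(run_chain(SAMPLE, [(b"GET", {}), (b"index", {"distance": 2, "within": 5})]))
    print(run_chain(SAMPLE, [(b"GET", {}), (b"index", {"distance": 1, "within": 5})]))
```

Running the chain form is the useful part: a rule with several content options is a sequence of these windows, and a rule that "should" fire but does not is very often a within value one byte too small for the pattern to fit.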
Snort Rule Cheat Sheet
Created by Dave Werden, 2/8/2013

Format of Snort rules:
header (body;)

Example:
alert udp 10.10.10.10 any -> 10.10.10.11 53 (msg:"We got the DNS traffic"; content:"|07|foundit|03|com"; nocase; reference:url,someintel.google.com; classtype:attempted_recon; sid:3000000; rev:1;)
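To make the header table and the example rule concrete, here is an added example (not the cheat sheet's own code) in Python: a parser for the header (body;) format that checks the action, protocol and direction against the tables above, expands the address forms (single IP, CIDR, bracketed list), splits the body into options without breaking on a ';' inside a quoted msg, decodes |hex| escapes in content, and classifies a sid by the ranges the sheet gives. The |07|foundit|03|com content is the DNS wire encoding of foundit.com (each label prefixed by its length), which is why a binary match rather than an ASCII one is needed. Class and function names are this example's own; SAMPLE_RULE is the sheet's example.

```python
"""Added example (not the cheat sheet's own code): a parser for the rule
format header (body;) that checks header fields against the sheet's tables,
expands address forms, decodes |hex| escapes in content and classifies the
sid range. Function and class names are this example's own."""

import ipaddress
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOS = {"ip", "tcp", "udp", "icmp"}
DIRECTIONS = {"->", "<>"}

# The sheet's own example rule.
SAMPLE_RULE = ('alert udp 10.10.10.10 any -> 10.10.10.11 53 (msg:"We got the DNS traffic"; '
               'content:"|07|foundit|03|com"; nocase; reference:url,someintel.google.com; '
               'classtype:attempted_recon; sid:3000000; rev:1;)')


@dataclass
class Rule:
    action: str
    proto: str
    src: list
    src_port: str
    direction: str
    dst: list
    dst_port: str
    options: list = field(default_factory=list)   # (name, value) pairs in rule order


def parse_address(text: str) -> list:
    """'any', a single IP, A.B.C.D/xx CIDR, or [a,b,c] (match any one, not all).
    Lists are written without spaces so the header still splits on whitespace."""
    if text == "any":
        return ["any"]
    items = text[1:-1].split(",") if text.startswith("[") else [text]
    return [str(ipaddress.ip_network(i.strip(), strict=False)) for i in items]


def decode_content(value: str) -> bytes:
    """Turn "|07|foundit|03|com" into bytes: |..| runs are hex, the rest ASCII.
    For the sample rule that is the DNS wire form of foundit.com."""
    out = b""
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return out


def sid_class(sid: int) -> str:
    """Ranges from the sheet: <100 reserved, up to 2,000,000 packaged, above that custom."""
    if sid < 100:
        return "reserved"
    return "packaged" if sid <= 2_000_000 else "custom"


def parse_rule(text: str) -> Rule:
    header, _, body = text.partition("(")
    parts = header.split()
    if len(parts) != 7:
        raise ValueError("header must be: action proto src src_port direction dst dst_port")
    action, proto, src, sport, direction, dst, dport = parts
    if action not in ACTIONS or proto not in PROTOS or direction not in DIRECTIONS:
        raise ValueError(f"unknown action, proto or direction in {header!r}")
    rule = Rule(action, proto, parse_address(src), sport, direction, parse_address(dst), dport)
    # split the body on ';' but never inside a quoted msg/content value
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body.rstrip().rstrip(")")):
        name, _, value = opt.strip().partition(":")
        if name:
            rule.options.append((name, value.strip('"')))
    return rule


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    opts = dict(r.options)
    print(r.action, r.proto, r.src, r.src_port, r.direction, r.dst, r.dst_port)
    print(decode_content(opts["content"]), sid_class(int(opts["sid"])))
```

Flag options such as nocase come back with an empty value, which is how the parser tells a modifier from an operator with an argument. Single IPs are normalised to /32 so that a single host and a CIDR block can be compared the same way.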
Basic Body Options

Operator      Options
msg:          ASCII text to be printed in the alert or log; must be in quotes, e.g. msg:"Yet another Scan";
reference:    will call a link to specific documentation of rules included in the Snort rule set (100-999,999). Example using a
              CVE as a reference: reference:cve,CVE-1999-0105; an example for a URL reference: reference:url,someintel.google.com;
sid:          Snort ID number; <100 reserved, 100-1,000,000 (now 2,000,000) used for packaged rules, above that are custom
rev:          revision of the Snort rule (or set)
classtype:    a named class of attack; built-in ones are associated with a certain priority. Example classtype:attempted_recon;
priority:     level of concern; 1 is really bad, 2 not so bad, 3 informational, etc.
content:      searches the entire packet payload for either an ASCII string or a binary match
isdataat:     verifies that a certain number of bytes is present; can be made relative to the previous content by adding
              relative to the end
uricontent:   same as content, but applies specifically to URIs
urilen:       specifies a particular length of URI, or a range of lengths. Requires the HTTP pre-processor
flow:         describes state of session and directionality. Includes options: to_server, from_server, to_client, from_client,
              only_stream, no_stream, stateless, established
ipopts:       indicates the presence of options fields in the IP header. Includes: eol - End of List; lsrr - Loose Source
              Routing; rr - Record Route; satid - Stream ID; sec - Security; ssrr - Strict Source Routing; ts - Time Stamp
dsize:        indicates a size, or size range, of the entire packet (includes headers)
flags:        indicates the presence of TCP flags. Includes: A - Ack; F - Fin; P - Push; R - Reset; S - Syn; U - Urgent Data;
              0 - no flags (used in the nmap null scan); 1 - Reserved bit 1 (ECN); 2 - Reserved bit 2 (CWR); + - multiple
              flags; * - any flag; ! - not that flag
ttl:          specifies a particular time-to-live value in the IP header, some decimal number between 0-255
tag:          used to log a series of packets rather than just one. Think of it as a trigger. tag largely replaces the
              activate:/dynamic: pair. Parameters: session - logs all packets in the session that triggered the rule;
              host - logs all packets to/from the host whose IP triggered the rule (this will capture all traffic, not just
              that particular session; good for capturing botnet activity); count - how much to log, a decimal number;
              packets - logs that many packets; seconds - logs all packets for the session or host for a specified number
              of seconds; src - only logs packets from source; dst - only logs packets from destination
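The flags operator is the body option whose modifiers are most often misread: flags:S matches only a bare SYN, flags:S+ matches SYN plus anything else, flags:S* matches if any listed flag is set, and flags:!S matches when none of the listed flags are set. The following is an added example, not code from the cheat sheet: a Python evaluator for that option applied to constructed TCP flag bytes, including the optional ",12" mask that tells Snort to ignore the two reserved bits. The bit values are the standard TCP flag bits; the function names and the sample packets are this example's own.

```python
"""Added example, not part of the cheat sheet: an evaluator for the flags
option above applied to TCP flag bytes, so the difference between flags:S,
flags:S+, flags:S*, flags:!S and flags:0 can be checked on constructed
packets. Function names are this example's own."""

# Standard TCP flag bits; the sheet's "1" and "2" are the two reserved bits (ECN, CWR).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def parse_flags(spec: str) -> tuple:
    """Split flags text such as '!SA,12' into (mode, wanted_bits, mask_bits).
    mode is exact, plus (+), any (*) or not (!); the part after ',' lists
    flags to ignore before comparing."""
    spec, _, mask_txt = spec.partition(",")
    if not spec:
        raise ValueError("empty flags specification")
    mode = "exact"
    if spec[0] == "!":
        mode, spec = "not", spec[1:]
    elif spec[-1] == "+":
        mode, spec = "plus", spec[:-1]
    elif spec[-1] == "*":
        mode, spec = "any", spec[:-1]
    wanted = 0 if spec == "0" else sum(FLAG_BITS[c] for c in spec)   # "0" means no flags at all
    mask = sum(FLAG_BITS[c] for c in mask_txt)
    return mode, wanted, mask


def flags_match(spec: str, tcp_flags: int) -> bool:
    """Apply a flags option to the flag byte of one TCP segment."""
    mode, wanted, mask = parse_flags(spec)
    seen = tcp_flags & ~mask & 0xFF          # masked bits are dropped, e.g. flags:S,12
    if mode == "exact":
        return seen == wanted                # exactly these flags, no others
    if mode == "plus":
        return seen & wanted == wanted       # these flags plus any others
    if mode == "any":
        return seen & wanted != 0            # at least one of these flags
    return seen & wanted == 0                # "not": none of these flags set


# Constructed flag bytes for a few segment types (not captured traffic).
PACKETS = {"syn": 0x02, "syn_ack": 0x12, "psh_ack": 0x18, "null_scan": 0x00,
           "syn_with_ecn_bits": 0x02 | 0x40 | 0x80}

if __name__ == "__main__":
    for spec in ("S", "S+", "S*", "!S", "0", "S,12"):
        hits = [name for name, bits in PACKETS.items() if flags_match(spec, bits)]
        print(f"flags:{spec:<5} matches {hits}")
```

The null-scan case is the one the sheet calls out: flags:0 fires only on a segment with every flag clear, which no legitimate TCP stack sends, so it is a low-noise detection. The ",12" mask matters for the exact mode, since a SYN from a host negotiating ECN carries the reserved bits and would otherwise fail flags:S.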
