Snort Rules and Configuration
Snort® rules and configuration are added to the parsers/snort directory for Investigator and Decoder. Decoder supports the payload detection capabilities of Snort rules. The rules files must have the extension `.rules` and the configuration files must have the extension `.conf`. The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token. Once a token is matched, the rule header and additional rule options can be evaluated. Currently, rules that do not define any content (via `content` or `uricontent` rule options) are not supported.
Configuration
The configuration files are loaded prior to loading rules.
Variable Definitions | Description |
---|---|
`ipvar` | The full language for defining IP address variables is supported, including lists, CIDR, and negation. |
`portvar` | The full language for defining port variables is supported, including lists, ranges, and negation. |
`var` | Not supported; use `ipvar` or `portvar`. |

Action Definitions | Description |
---|---|
`ruletype` | The definition of additional `ruletype`s is supported. However, only rules that have a base rule type of `alert` are supported. |

General Configuration | Description |
---|---|
`nopcre` | This configuration option disables all rules that contain PCREs. |
Meta key usage
Starting with the 11.3 release, the Snort parser's meta key usage has been brought closer into line with that of other parsers. As of the 11.3 release, the default mode of operation continues to write to the legacy key set (consistent with previous releases). To use the aligned key set, set the `udm` option to `true` for the Snort parser in the `parser.options` configuration node. Refer to the General options section, below, for a description of how the two modes differ.
Rules
- Any rule that does not properly parse is ignored.
- Any valid Snort rule should successfully parse; however, rule options that Decoder does not support are not fully parsed.
Snort rules are parsed and loaded when PCS is loaded (any import/capture in Investigator, initial capture start and parser reload in Decoder).
Section | Description |
---|---|
Header | The header conditions are evaluated when a rule receives the first token callback for a stream. The header is evaluated once per stream, and prevents any further consideration of a rule against a specific stream if the conditions are not met. |
Actions | The specified action of a rule must be defined (either one of the native Snort actions or one defined in the configuration using the `ruletype` statement) for the rule to be considered valid. Decoder only utilizes rules with alert actions. |
Protocols | Decoder supports the current Snort protocol keywords (`tcp`, `udp`, `icmp`, `ip`). |
IP Addresses | The full language for defining IP addresses is supported, including lists, CIDR, and negation. |
Port Numbers | The full language for defining port numbers is supported, including lists, ranges, and negation. |
Direction Operator | The directional operator supports the from-to (`->`) and bidirectional (`<>`) values. The to-from (`<-`) value is invalid and will cause the rule to fail to load. |
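A pre-flight check for the constraints stated in this section and in the Configuration section (alert-only actions, `ruletype` base type, `ipvar`/`portvar` only, supported protocols, no `<-` direction, and the content token requirement from the introduction), written here as an added Python example. It is not Decoder code; the rule and option grammar it accepts is a simplified assumption, and the `.conf` text in the test is constructed.

```python
import re

# Constraints taken from the page: supported protocol keywords, the direction
# operators the Decoder accepts, alert-only actions, and the 3-byte token minimum.
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?P<dir>->|<>|<-)\s+"
    r"\S+\s+\S+\s*\((?P<opts>.*)\)\s*$", re.S)
OPT_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?;')

def load_conf(text):
    """Return (names of alert-based ruletypes, problems) for a .conf file."""
    alert_types, problems = set(), []
    for name, base in re.findall(r"ruletype\s+(\w+)\s*\{[^}]*?\btype\s+(\w+)", text):
        if base == "alert":
            alert_types.add(name)
        else:
            problems.append(f"ruletype {name}: base type '{base}' is not alert")
    for line in text.splitlines():
        if re.match(r"\s*var\s", line):
            problems.append(f"'var' is not supported; use ipvar/portvar: {line.strip()}")
    return alert_types, problems

def content_len(value):
    """Byte length of a content string, honouring |hex| sections and backslash escapes."""
    parts = value.lstrip("!").strip('"').split("|")
    return sum(len(bytes.fromhex(p)) if i % 2 else len(re.findall(r"\\.|.", p))
               for i, p in enumerate(parts))

def check_rule(rule, alert_types=frozenset()):
    """Return the reasons the Decoder would reject or ignore this rule (empty = OK)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not parse"]
    reasons = []
    if m["action"] != "alert" and m["action"] not in alert_types:
        reasons.append(f"action '{m['action']}' is not alert or an alert-based ruletype")
    if m["proto"] not in PROTOCOLS:
        reasons.append(f"protocol '{m['proto']}' is not supported")
    if m["dir"] == "<-":
        reasons.append("direction '<-' is invalid; use '->' or '<>'")
    opts = OPT_RE.findall(m["opts"])
    tokens = [v for k, v in opts if k in ("content", "uricontent")]
    if not tokens:
        reasons.append("no content/uricontent option: the rule has no token and is unsupported")
    for v in tokens:
        if content_len(v) < 3:
            reasons.append(f"content {v} is shorter than the 3-byte token minimum")
    return reasons
```

Run `check_rule` over each line of a `.rules` file, passing the ruletype names from `load_conf`, to list the rules the Decoder will silently drop before deploying them.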
General options
Snort rule general options can result in different meta keys being written depending on whether the Snort parser is in legacy mode or not.
Aligned key mode:

Option | Description |
---|---|
`msg` | If the rule matches, the `msg` value is added as `sig.name` meta. |
`sid` | If the rule matches, the `sid` value is added as `sig.id` meta. |
`classtype` | If the rule matches, the `classtype` name is added as `threat.cat` meta. |
`priority` | If the rule matches and it has a `priority` option, it is used for the value of the `risk.num` meta. |

Legacy key mode:

Option | Description |
---|---|
`msg` | If the rule matches, the `msg` value is added as `risk.info`, `risk.warning`, or `risk.suspicious` meta, depending on rule priority. |
`sid` | If the rule matches, the `sid` value is added as meta. |
`classtype` | If the rule matches, the `classtype` name is added as `threat.cat` meta. |
`priority` | If the rule matches and it has a `priority` option, it is used to determine the type of risk meta associated with the `msg` value. |
Payload options
Decoder supports the following payload rule options:
Option | Description |
---|---|
`content` | The `content` option creates a token for Decoder to match. Only tokens of three or more bytes are accepted. It is also important to note that Decoder differs from Snort in that rules are evaluated across the payload of the reconstructed stream and not just a single packet. This can result in differences in rule matches between Snort and Decoder, especially when considering positional options. |
`nocase` | Currently not supported. This option is ignored and case-sensitive matching is used. |
`depth` | This option is applied to the distance of the token from the beginning of the stream. If the token position is greater than this value, it is not a match. |
`offset` | This option is applied to the distance of the token from the beginning of the stream. If the token position is less than this value, it is not a match. |
`distance` | This option is applied to the distance of the token from the end of the previous token match. If the relative token position is less than this value, it is not a match. |
`within` | This option is applied to the distance of the token from the end of the previous token match. If the relative token position is greater than this value, it is not a match. |
`http_uri` | Any token that hits is verified to fall within an `http_uri` as indicated by the HTTP parser. No URI normalization is applied. |
`uricontent` | No URI normalization is applied. Otherwise, this is equivalent to the `content` option with the `http_uri` modifier. |
`pcre` | Currently, PCREs are only applied to URIs and must specify the U option. |
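The stream-versus-packet difference noted under `content` is easiest to see by evaluating the positional options both ways. The following is an added Python illustration of the semantics as this table states them (`offset`/`depth` from the start of the reconstructed stream, `distance`/`within` from the end of the previous token); it is not Decoder code, rules are modelled as `(token, modifiers)` tuples, and the packet captures are constructed.

```python
# Added illustration of the page's positional semantics; not the Decoder's code.
# A rule is a list of (token, modifiers) tuples evaluated in order.

def match_stream(data, contents):
    """Evaluate the content tokens over one buffer.
    Returns the match position of each token, or None if any token fails."""
    positions, prev_end = [], 0
    for token, mods in contents:
        # Skip occurrences that sit before the offset/distance minimum.
        search_from = max(mods.get("offset", 0), prev_end + mods.get("distance", 0))
        pos = data.find(token, search_from)
        if pos < 0:
            return None
        if "depth" in mods and pos > mods["depth"]:
            return None
        if "within" in mods and pos - prev_end > mods["within"]:
            return None
        positions.append(pos)
        prev_end = pos + len(token)
    return positions

def match_packets(packets, contents):
    """Per-packet reference model: each packet is evaluated on its own.
    Returns the indices of the packets that match."""
    return [i for i, pkt in enumerate(packets) if match_stream(pkt, contents) is not None]

# Constructed case 1: the token "badbot" straddles a segment boundary, so it is
# found in the reassembled stream but in neither packet on its own.
SPLIT_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Ag",
    b"ent: badbot\r\n\r\n",
]
SPLIT_RULE = [(b"GET /", {"depth": 5}), (b"badbot", {"distance": 0, "within": 200})]

# Constructed case 2: a keep-alive connection carries two requests. Per packet,
# the second request starts at position 0 and satisfies depth:10; measured from
# the start of the stream it sits at byte 44, so stream-wide evaluation fails.
KEEPALIVE_PACKETS = [
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
KEEPALIVE_RULE = [(b"GET /status", {"depth": 10})]

def compare(packets, contents):
    """Side-by-side result for the two evaluation models."""
    return {"stream": match_stream(b"".join(packets), contents),
            "packets": match_packets(packets, contents)}
```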
Non-payload options
Option | Description |
---|---|
`flow` | Verifies that the rule is only applied to the client or server stream. |
`flow:to_client` | Limits the rule to only matching on a stream that Decoder has defined as Server. |
`flow:from_server` | Synonym for `to_client`. |
`flow:from_client` | Limits the rule to only matching on a stream that Decoder has defined as Client. |
`flowbits` | Maintains state per session; flowbits are reset at the end of each session. |
`flowbits:set` | When the rule matches, the specified flowbit is set. |
`flowbits:unset` | When the rule matches, the specified flowbit is cleared. |
`flowbits:toggle` | When the rule matches, the specified flowbit is flipped. |
`flowbits:isset` | When the rule is evaluated, the specified flowbit must be set for the rule to match. |
`flowbits:isnotset` | When the rule is evaluated, the specified flowbit must not be set for the rule to match. |
`flowbits:noalert` | Prevents the rule from generating metadata if it matches. |
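How `flow` and the `flowbits` operations combine into per-session state, shown as an added Python illustration rather than Decoder code: rules are plain dicts, the order in which streams and rules are walked is an assumption, the flow side names are the ones this table lists, and the sessions are constructed. The two-stage pair below marks a session silently on the client request and only produces meta when the server answers a marked session.

```python
# Added illustration of flow/flowbits semantics; not the Decoder's own logic.
FLOW_SIDE = {"from_client": "client", "to_client": "server", "from_server": "server"}

def rule_fires(rule, side, payload, bits):
    """True if a rule's flow, content token and flowbits conditions all hold."""
    if "flow" in rule and FLOW_SIDE[rule["flow"]] != side:
        return False
    if rule["content"] not in payload:
        return False
    for op, name in rule.get("flowbits", []):
        if (op == "isset" and name not in bits) or (op == "isnotset" and name in bits):
            return False
    return True

def eval_session(rules, session):
    """Walk a session's streams ((side, payload) pairs) in order and return the
    sids that produce meta. Flowbits live only for this call, mirroring the
    per-session reset the page describes."""
    bits, alerts = set(), []
    for side, payload in session:
        for rule in rules:
            if not rule_fires(rule, side, payload, bits):
                continue
            for op, name in rule.get("flowbits", []):
                if op == "set":
                    bits.add(name)
                elif op == "unset":
                    bits.discard(name)
                elif op == "toggle":
                    bits ^= {name}
            if not rule.get("noalert"):
                alerts.append(rule["sid"])
    return alerts

# Constructed two-stage rule pair (sids are placeholders).
RULES = [
    {"sid": 1000001, "flow": "from_client", "content": b"/setup.cgi",
     "flowbits": [("set", "setup.req")], "noalert": True},
    {"sid": 1000002, "flow": "to_client", "content": b"200 OK",
     "flowbits": [("isset", "setup.req")]},
]
MARKED_SESSION = [("client", b"GET /setup.cgi HTTP/1.1\r\n\r\n"),
                  ("server", b"HTTP/1.1 200 OK\r\n\r\n")]
PLAIN_SESSION = [("client", b"GET /index.html HTTP/1.1\r\n\r\n"),
                 ("server", b"HTTP/1.1 200 OK\r\n\r\n")]
```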