Snort Rules and Configuration
Snort® rules and configuration are added to the parsers/snort directory for Investigator and Decoder. Decoder supports the payload detection capabilities of Snort rules. The rules files must have the extension .rules and the configuration files must have the extension .conf . The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token. Once a token is matched, the rule header and additional rule options can be evaluated. Currently, rules that do not define any content (via content or uricontent rule options) are not supported.
Configuration
The configuration files are loaded prior to loading rules.
| Variable Definitions | Description |
|---|---|
ipvar |
The full language for defining IP Address variables is supported, including lists, CIDR, and negation. |
portvar |
The full language for defining IP Address variables is supported, including lists, ranges, and negation. |
var |
Not supported; use ipvar or portvar . |
| Action Definitions | Description |
|---|---|
ruletype |
The definition of additional ruletype s is supported. However, only rules that have a base rule type of alert are supported. |
| General Configuration | Description |
|---|---|
nopcre |
This configuration option disables all rules with pcres. |
Meta key usage
In earlier versions, an attempt has been made to align better the Snort parser's meta key usage with that of other parsers. As of the current version, the default mode operation continues to write to the legacy key set (consistent with previous releases). To use the aligned key set, set the udm option to true for the Snort parser in the parser.options configuration node. Refer to the General options section, below, for a description of how the two modes differ.
Rules
- Any rule that does not properly parse is ignored.
- Any valid Snort rule should successfully parse; however,there are rule options that are not supported by Decoder that are not fully parsed.
Snort rules are parsed and loaded when PCS is loaded (any import/capture in Investigator, initial capture start and parser reload in Decoder).
| Section | Description |
|---|---|
| Header | The header conditions are evaluated when a rule receives the first token callback for a stream. The header is evaluated once per stream, and prevents any further consideration of a rule against a specific stream if the conditions are not met. |
| Actions | The specified action or a rule must be defined (either one of the native Snort actions or defined in the configuration using the ruletype statement) for the rule to be considered valid. Decoder only utilizes rules with alert actions. |
| Protocols | Decoder supports the current Snort protocol keywords ( tcp , udp , icmp , ip ). |
| IP Addresses | The full language for defining IP addresses is supported, including lists, CIDR, and negation. |
| Port Numbers | The full language for defining port numbers is supported, including lists, ranges and negation. |
| Direction Operator | The directional operator supports the from-to ( -> ) and bidirectional ( <> ) values. The to-from ( <- ) value is invalid and will cause the rule to fail to load. |
General options
Snort rule general options can result in different meta keys being written depending on whether the Snort parser is in legacy mode or not.
Aligned key mode:
| Option | Description |
|---|---|
msg |
If the rule matches, the msg value is added as sig.name meta. |
sid |
If the rule matches, the sig.id value is added as meta. |
classtype |
If the rule matches, the classtype name is added as threat.cat meta. |
priority |
If the rule matches and it has a priority option, it is used for the value of the risk.num meta. |
Legacy key mode:
| Option | Description |
|---|---|
msg |
If the rule matches, the msg value is added as risk.info , risk.warning , or risk.suspicious meta, depending on rule priority. |
sid |
If the rule matches, the sid value is added as meta. |
classtype |
If the rule matches, the classtype name is added as threat.cat meta. |
priority |
If the rule matches and it has a priority option, it is used to determine the type of risk meta associated with the msg value. |
Payload options
Decoder supports the following payload rule options:
| Option | Description |
|---|---|
content |
The content option creates a token for Decoder to match. Only tokens of three or more bytes are accepted. It is also important to note that Decoder differs from Snort in that rules are evaluated across the payload of the reconstructed stream and not just a single packet. This can result in differences in rules matches between Snort and Decoder, especially when considering positional options. |
nocase |
Currently not supported. This option is ignored and case-sensitive matching is used. |
depth |
This option is applied to the distance of the token from the beginning of the stream. If the token position is greater than this value, it is not a match. |
offset |
This option is applied to the distance of the token from the beginning of the stream. If the token position is less than this value, it is not a match. |
distance |
This option is applied to the distance of the token from the end of the previous token match. If the relative token position is less than this value, it is not a match. |
within |
This option is applied to the distance of the token from the end of the previous token match. If the relative token position is greater than this value, it is not a match. |
http_uri |
Any token that hits is verified to fall within an http_uri as indicated by the HTTP parser. No URI normalization is applied. |
uricontent |
There is no URI normalization applied. Otherwise, this is equivalent to the content option with the http_uri modifier. |
pcre |
Currently, PCREs are only applied to URIs and must specify the U option. |
Non-payload options
| Option | Description |
|---|---|
flow |
Verifies that the rule is only applied to the client or server stream. |
to_client |
Limits the rule to only matching on a stream that Decoder has defined as Server. |
from_server |
Synonym for to_client . |
from_client |
Limits the rule to only matching on a stream that Decoder has defined as Client. |
flowbits |
Maintains state per session and are reset at the end of each session. |
set |
When the rule matches, the specified flowbit is set. |
unset |
When the rule matches, the specified flowbit is cleared. |
toggle |
When the rule matches, the specified flowbit is flipped. |
isset |
When the rule is evaluated, the specified flowbit state must be set for the rule to match. |
isnotset |
When the rule is evaluated, the specified flowbit state must not be set for the rule to match. |
noalert |
Prevents the rule from generating meta data if it matches. |
