Snort Rules and Configuration

Snort® rules and configuration are added to the parsers/snort directory for Investigator and Decoder. Decoder supports the payload detection capabilities of Snort rules. The rules files must have the extension .rules and the configuration files must have the extension .conf . The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token. Once a token is matched, the rule header and additional rule options can be evaluated. Currently, rules that do not define any content (via content or uricontent rule options) are not supported.

Configuration

The configuration files are loaded prior to loading rules.

Variable Definitions Description
ipvar The full language for defining IP Address variables is supported, including lists, CIDR, and negation.
portvar The full language for defining IP Address variables is supported, including lists, ranges, and negation.
var Not supported; use ipvar or portvar .

Action Definitions Description
ruletype The definition of additional ruletype s is supported. However, only rules that have a base rule type of alert are supported.

General Configuration Description
nopcre This configuration option disables all rules with pcres.

Meta key usage

Starting with the 11.3 release, an attempt has been made to align better the Snort parser's meta key usage with that of other parsers. As of the 11.3 release, the default mode operation continues to write to the legacy key set (consistent with previous releases). To use the aligned key set, set the udm option to true for the Snort parser in the parser.options configuration node. Refer to the General options section, below, for a description of how the two modes differ.

Rules

  • Any rule that does not properly parse is ignored.
  • Any valid Snort rule should successfully parse; however,there are rule options that are not supported by Decoder that are not fully parsed.

Snort rules are parsed and loaded when PCS is loaded (any import/capture in Investigator, initial capture start and parser reload in Decoder).

Section Description
Header The header conditions are evaluated when a rule receives the first token callback for a stream. The header is evaluated once per stream, and prevents any further consideration of a rule against a specific stream if the conditions are not met.
Actions The specified action or a rule must be defined (either one of the native Snort actions or defined in the configuration using the ruletype statement) for the rule to be considered valid. Decoder only utilizes rules with alert actions.
Protocols Decoder supports the current Snort protocol keywords ( tcp , udp , icmp , ip ).
IP Addresses The full language for defining IP addresses is supported, including lists, CIDR, and negation.
Port Numbers The full language for defining port numbers is supported, including lists, ranges and negation.
Direction Operator The directional operator supports the from-to ( -> ) and bidirectional ( <> ) values. The to-from ( <- ) value is invalid and will cause the rule to fail to load.

General options

Snort rule general options can result in different meta keys being written depending on whether the Snort parser is in legacy mode or not.

Aligned key mode:

Option Description
msg If the rule matches, the msg value is added as sig.name meta.
sid If the rule matches, the sig.id value is added as meta.
classtype If the rule matches, the classtype name is added as threat.cat meta.
priority If the rule matches and it has a priority option, it is used for the value of the risk.num meta.

Legacy key mode:

Option Description
msg If the rule matches, the msg value is added as risk.info , risk.warning , or risk.suspicious meta, depending on rule priority.
sid If the rule matches, the sid value is added as meta.
classtype If the rule matches, the classtype name is added as threat.cat meta.
priority If the rule matches and it has a priority option, it is used to determine the type of risk meta associated with the msg value.

Payload options

Decoder supports the following payload rule options:

Option Description
content The content option creates a token for Decoder to match. Only tokens of three or more bytes are accepted. It is also important to note that Decoder differs from Snort in that rules are evaluated across the payload of the reconstructed stream and not just a single packet. This can result in differences in rules matches between Snort and Decoder, especially when considering positional options.
nocase Currently not supported. This option is ignored and case-sensitive matching is used.
depth This option is applied to the distance of the token from the beginning of the stream. If the token position is greater than this value, it is not a match.
offset This option is applied to the distance of the token from the beginning of the stream. If the token position is less than this value, it is not a match.
distance This option is applied to the distance of the token from the end of the previous token match. If the relative token position is less than this value, it is not a match.
within This option is applied to the distance of the token from the end of the previous token match. If the relative token position is greater than this value, it is not a match.
http_uri Any token that hits is verified to fall within an http_uri as indicated by the HTTP parser. No URI normalization is applied.
uricontent There is no URI normalization applied. Otherwise, this is equivalent to the content option with the http_uri modifier.
pcre Currently, PCREs are only applied to URIs and must specify the U option.

Non-payload options

Option Description
flow Verifies that the rule is only applied to the client or server stream.
to_client Limits the rule to only matching on a stream that Decoder has defined as Server.
from_server Synonym for to_client .
from_client Limits the rule to only matching on a stream that Decoder has defined as Client.
flowbits Maintains state per session and are reset at the end of each session.
set When the rule matches, the specified flowbit is set.
unset When the rule matches, the specified flowbit is cleared.
toggle When the rule matches, the specified flowbit is flipped.
isset When the rule is evaluated, the specified flowbit state must be set for the rule to match.
isnotset When the rule is evaluated, the specified flowbit state must not be set for the rule to match.
noalert Prevents the rule from generating meta data if it matches.