Application Rules Cheat Sheet

Application rules compare fields to values or to other fields.

This is an example of a simple expression with a meta key on the left side of the operator and a value on the right side:

ip.dst=192.168.1.1

This is an example of a simple expression with a meta key on the left side of the operator and a meta key on the right side:

ip.src=ip.dst

EXAMPLE 1

To truncate packets carried via Server Message Block protocol (SMB), create a rule as follows:

  • Rule Name: Truncate SMB
  • Condition: service = 139
  • Rule Action: Truncate All

EXAMPLE 2

To alert when a configuration change is detected for a router, create a rule as follows:

  • Rule Name: config:router-change
  • Condition: event.cat.name='config.changes' && device.class='router'
  • Session Options: Alert on alert.id

Rule Elements

LITERALS

All string literals and time stamps must be quoted. Do not quote numbers, MAC, or IP addresses.

Examples:

  • extension = 'torrent'

  • time='2015-jan-01 00:00:00'

  • service=80

  • ip.src = 192.168.0.1

Notes:

  • Quotes can be single or double, but they must match
  • If the literal value itself has a quote, escape it by using a backslash: username = 'User\'s'

DATES

  • All time values should use quotes for dates in this form: time = 'YYYY-MM-DD HH:MM:SS'
  • All time values that are the number of seconds since the epoch (Jan 1, 1970) should not be quoted. Example: time = 1448034064

VALUES

Values can be expressed as discrete values, a range of values, an upper or lower bound, or a combination of these three. You can create a greater than or less than comparison, and test equality or inequality against a range of values or an upper or lower bound.

  • key = 0-5 (a range of values)
  • key = 0-u is the same as key >= 0 (upper bound, greater than or equal to)

SYNTAX ELEMENT

*

Default rule. A rule whose sole character is an asterisk (*) selects all traffic.

u

Upper bound of a range of times, IP addresses, or numeric values. For example, to select all TCP ports above 40000, the syntax would be:

tcp.port = 40000-u

l

Lower bound of a range of times, IP addresses, or numeric values. For example, to select all TCP ports below 40000, the syntax would be:

tcp.port = l-40000

-

A dash (-) denotes a range. This is only applicable to time values, IP or MAC addresses, or numeric values. Separate the lower and upper bounds of the range with a dash character. For example, to select TCP ports between 25 and 443, the syntax would be:

tcp.port = 25-443

,

A comma (,) denotes a list of ranges, values, or meta keys. Single values may be used, as well as any combination of ranges and upper or lower bounds. Single meta keys may be used in a list. Meta keys and literal values cannot both appear on the right-hand side of an operator. For example, the following is valid syntax:

tcp.port = 1-10,25,110,143-225,40000-u
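The following Python is an added illustration, not code from the original cheat sheet or from the product it documents. It evaluates the list-and-range syntax described above (dash ranges, the l and u open bounds, comma-separated lists) against a candidate number or IP address. It assumes every bound is inclusive, which is what the stated equivalence of key = 0-u with key >= 0 implies, and it compares IP addresses by their integer form.

```python
import ipaddress

# Added example (not from the cheat sheet or the product it documents):
# evaluates a right-hand-side list such as "1-10,25,110,143-225,40000-u"
# against a value.  Assumption: all bounds are inclusive, as the cheat sheet's
# "key = 0-u is the same as key >= 0" suggests.

def _to_int(token):
    """Decimal tokens compare as integers; IPv4/IPv6 literals as their integer form."""
    if token.isdigit():
        return int(token)
    return int(ipaddress.ip_address(token))

def parse_ranges(rhs):
    """Parse 'a-b,c,l-d,e-u' into inclusive (low, high) pairs; None = open bound."""
    bounds = []
    for item in rhs.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty element in list %r" % rhs)
        lo, sep, hi = item.partition("-")
        if not sep:                                  # single value = degenerate range
            v = _to_int(item)
            bounds.append((v, v))
            continue
        low = None if lo == "l" else _to_int(lo)     # 'l': no lower limit
        high = None if hi == "u" else _to_int(hi)    # 'u': no upper limit
        if low is not None and high is not None and low > high:
            raise ValueError("inverted range %r" % item)
        bounds.append((low, high))
    return bounds

def matches(rhs, value):
    """True if value falls inside any element of the comma-separated list."""
    v = _to_int(str(value))
    return any((low is None or low <= v) and (high is None or v <= high)
               for low, high in parse_ranges(rhs))

if __name__ == "__main__":
    rule = "1-10,25,110,143-225,40000-u"             # the list example above
    for port in (5, 11, 25, 226, 40000, 65535):
        print(port, matches(rule, port))
    print(matches("192.168.1.0-192.168.1.255", "192.168.1.77"))  # IP range
```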

( )

Grouping operator. An expression can be enclosed in parentheses to create a new logical expression. For example, the following would select traffic on port 80 to/from 192.168.1.1 OR traffic on port 443 to/from 10.10.10.1:

(ip.addr=192.168.1.1 && tcp.port=80) || (ip.addr=10.10.10.1 && tcp.port=443)

~, not

Logical NOT operator. You can use either ~ or not; they are equivalent:

~category = 'dll'

or

not(category = 'dll')

Both of these match when the category value is anything other than dll.

&&

Logical AND operator.

||

Logical OR operator.

Session Data Actions

Action

Description

Stop Rule Processing

If checked, further rule evaluation ends if the rule is matched, and the session is saved in accordance with the session action. If not checked, rule evaluation continues until all rules are evaluated.

Keep

The packet payload and associated metadata are saved when they match the rule.

Filter

The packet is not saved when it matches the rule.

Truncate

Truncate All – truncates all session payload bytes. The packet payload is not saved when it matches the rule, but packet headers and associated metadata are retained. This is the default truncation option.

Truncate After First <n> Bytes – truncates the session payload bytes after the specified first <n> bytes, where <n> is an integer. The packet payload is not saved after <n> bytes when it matches the rule, but packet headers and associated metadata are retained.

Truncate SSL/TLS After Handshake – truncates the payload for all sessions except in the case of an SSL/TLS session, where the SSL exchange is preserved, but the rest of the payload is not saved. This option is for use with SSL parsers.

Alert, Alert On

If Alert is checked, the packet generates a custom alert when metadata matches the rule. You can select the name of the alert in the Alert On field.

Forward

Enables syslog forwarding when the log matches the rule.

Transient

Prevents the alert metadata that is created from being written to disk.

Operators

Each operator is listed with the types of its left and right operands, followed by a description.

=

Left operand: any. Right operand: compatible with left operand.

Equality operator. You can use values or meta keys on the right side of the equality operator.

!=

Left operand: any. Right operand: compatible with left operand.

Inequality operator. You can use values or meta keys on the right side of the inequality operator.

<

Left operand: any. Right operand: compatible with left operand.

Less than operator. You can use values or meta keys on the right side of this operator.

<=

Left operand: any. Right operand: compatible with left operand.

Less than or equal to operator. You can use values or meta keys on the right side of this operator.

>

Left operand: any. Right operand: compatible with left operand.

Greater than operator. You can use values or meta keys on the right side of this operator.

>=

Left operand: any. Right operand: compatible with left operand.

Greater than or equal to operator. You can use values or meta keys on the right side of this operator.

contains

Left operand: text. Right operand: text.

Find values that contain the right operand. You can use meta keys or values on the right side of this operator.

begins

Left operand: text. Right operand: text.

Find values that begin with the right operand. You can use meta keys or values on the right side of this operator.

ends

Left operand: text. Right operand: text.

Find values that end with the right operand. You can use meta keys or values on the right side of this operator.

length

Left operand: text. Right operand: integer.

Find strings of a certain length. You can use meta keys or values on the right side of this operator.

count

Left operand: any. Right operand: integer.

Find values with a specific number of occurrences within the session. You can use meta keys or values on the right side of this operator.

ucount, unique

Left operand: any. Right operand: integer.

Finds a number of uniquely occurring values. You can use meta keys or values on the right side of this operator. For example, if the results include instances of a meta key with five unique values and three of the same value, the ucount is six.

exists

Left operand: N/A. Right operand: any.

Finds any values for the meta key. You can use meta keys or values on the right side of this operator.

!exists

Left operand: N/A. Right operand: any.

Finds any sessions in which the meta key does not occur. You can use meta keys or values on the right side of this operator.

regex

Left operand: text. Right operand: text.

Finds values matching a regular expression. You can use values on the right side of this operator.
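As an added example, not code from the cheat sheet or from the product it documents, the following Python applies the text and counting operators in the table above to one session, modelled as a dictionary from meta key to the list of values observed in that session. The sample metadata is constructed; it reproduces the ucount case in the table (five distinct values plus three copies of a sixth gives a ucount of six, while count gives eight). The regex operator is assumed to use a search rather than a full-string match.

```python
import re

# Added example (not from the cheat sheet or the product it documents):
# evaluates a single operator from the Operators table against one session.
# A session is modelled as {meta_key: [values...]} (assumption).

SESSION = {                      # constructed sample metadata for one session
    "alias.host": ["a.example", "b.example", "c.example", "d.example",
                   "e.example", "cdn.example", "cdn.example", "cdn.example"],
    "service": [80],
    "filename": ["setup.exe"],
}

def evaluate(session, key, op, rhs=None):
    """Apply one table operator to the values of `key`; returns True/False."""
    values = session.get(key, [])
    if op == "exists":                 # key occurs at least once in the session
        return bool(values)
    if op == "!exists":                # key never occurs in the session
        return not values
    if op == "count":                  # total occurrences, duplicates included
        return len(values) == rhs
    if op in ("ucount", "unique"):     # distinct values only
        return len(set(values)) == rhs
    text = [str(v) for v in values]    # remaining operators work on text
    if op == "contains":
        return any(rhs in v for v in text)
    if op == "begins":
        return any(v.startswith(rhs) for v in text)
    if op == "ends":
        return any(v.endswith(rhs) for v in text)
    if op == "length":
        return any(len(v) == rhs for v in text)
    if op == "regex":                  # assumption: search semantics
        return any(re.search(rhs, v) for v in text)
    raise ValueError("unknown operator %r" % op)

if __name__ == "__main__":
    print(evaluate(SESSION, "alias.host", "ucount", 6))   # five unique + cdn
    print(evaluate(SESSION, "alias.host", "count", 8))
    print(evaluate(SESSION, "filename", "ends", ".exe"))
    print(evaluate(SESSION, "ip.dst", "!exists"))
```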