Snort™ Users Manual 2.3.3
3. Writing Snort Rules
How to Write Snort Rules and Keep Your Sanity
Subsections
3.1 The Basics
3.2 Rules Headers
3.2.1 Rule Actions
3.2.2 Protocols
3.2.3 IP Addresses
3.2.4 Port Numbers
3.2.5 The Direction Operator
3.2.6 Activate/Dynamic Rules
3.3 Rule Options
3.4 Meta-Data Rule Options
3.4.1 msg
3.4.2 reference
3.4.3 sid
3.4.4 rev
3.4.5 classtype
3.4.6 priority
3.5 Payload Detection Rule Options
3.5.1 content
3.5.2 nocase
3.5.3 rawbytes
3.5.4 depth
3.5.5 offset
3.5.6 distance
3.5.7 within
3.5.8 uricontent
3.5.9 isdataat
3.5.10 pcre
3.5.11 byte_test
3.5.12 byte_jump
3.5.13 regex
3.5.14 content-list
3.6 Non-payload Detection Rule Options
3.6.1 fragoffset
3.6.2 ttl
3.6.3 tos
3.6.4 id
3.6.5 ipopts
3.6.6 fragbits
3.6.7 dsize
3.6.8 flags
3.6.9 flow
3.6.10 flowbits
3.6.11 seq
3.6.12 ack
3.6.13 window
3.6.14 itype
3.6.15 icode
3.6.16 icmp_id
3.6.17 icmp_seq
3.6.18 rpc
3.6.19 ip_proto
3.6.20 sameip
3.7 Post-Detection Rule Options
3.7.1 logto
3.7.2 session
3.7.3 resp
3.7.4 react
3.7.5 tag
3.8 Writing Good Rules
3.8.1 Content Matching
3.8.2 Catch the Vulnerability, Not the Exploit
3.8.3 Catch the Oddities of the Protocol in the Rule
3.8.4 Optimizing Rules
3.8.5 Testing Numerical Values