
3.4 Meta-Data Rule Options

3.4.1 msg

The msg rule option tells the logging and alerting engine the message to print along with a packet dump or to an alert. It is a simple text string that uses \ as an escape character to indicate a discrete character that might otherwise confuse Snort's rule parser (such as the semicolon ; character).

3.4.1.1 Format

msg: "<message text>";

3.4.2 reference

The reference keyword allows rules to include references to external attack identification systems. The plugin currently supports several specific systems as well as unique URLs. This plugin is to be used by output plugins to provide a link to additional information about the alert produced.

Make sure to also take a look at http://www.snort.org/snort-db/ for a system that indexes descriptions of alerts based on the sid (see Section [*]).

Table: Supported Systems

System      URL Prefix
bugtraq     http://www.securityfocus.com/bid/
cve         http://cve.mitre.org/cgi-bin/cvename.cgi?name=
nessus      http://cgi.nessus.org/plugins/dump.php3?id=
arachnids   http://www.whitehats.com/info/IDS   (currently down)
mcafee      http://vil.nai.com/vil/dispVirus.asp?virus_k=
url         http://

3.4.2.1 Format

reference: <id system>,<id>; [reference: <id system>,<id>;]

Figure: Reference Usage Examples

alert tcp any any -> any 7070 (msg:"IDS411/dos-...
...:bugtraq,1387; \
reference:cve,CAN-2000-1574;)


3.4.3 sid

The sid keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily. This option should be used with the rev keyword. (See section [*])

The file sid-msg.map contains a mapping of alert messages to Snort rule IDs. This information is useful when post-processing alerts to map an ID back to an alert message.

3.4.3.1 Format

sid: <snort rules id>;

3.4.3.2 Example

This example is a rule with the Snort Rule ID of 1000983.
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)


3.4.4 rev

The rev keyword is used to uniquely identify revisions of Snort rules. Revisions, along with Snort rule IDs, allow signatures and descriptions to be refined and replaced with updated information. This option should be used with the sid keyword. (See section [*])

3.4.4.1 Format

rev: <revision integer>;

3.4.4.2 Example

This example is a rule with the Snort Rule Revision of 1.
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

3.4.5 classtype

The classtype keyword categorizes alerts into attack classes. By using the classtype keyword, rules can be grouped and prioritized. The user can specify what priority each type of rule classification has. Rules that have a classification will have a default priority set.

3.4.5.1 Format

classtype: <class name>;
Rule classifications are defined in the classification.config file. The config file uses the following syntax:

config classification:  <class name>,<class description>,<default priority>
The standard classifications included with Snort are listed in Table [*]. The standard classifications are ordered with 3 default priorities currently. A priority 1 is the most severe priority level of the default rule set and 4 is the least severe.

Table: Snort Default Classifications

Classtype                       Description                                                  Priority
attempted-admin                 Attempted Administrator Privilege Gain                       high
attempted-user                  Attempted User Privilege Gain                                high
shellcode-detect                Executable code was detected                                 high
successful-admin                Successful Administrator Privilege Gain                      high
successful-user                 Successful User Privilege Gain                               high
trojan-activity                 A Network Trojan was detected                                high
unsuccessful-user               Unsuccessful User Privilege Gain                             high
web-application-attack          Web Application Attack                                       high
attempted-dos                   Attempted Denial of Service                                  medium
attempted-recon                 Attempted Information Leak                                   medium
bad-unknown                     Potentially Bad Traffic                                      medium
denial-of-service               Detection of a Denial of Service Attack                      medium
misc-attack                     Misc Attack                                                  medium
non-standard-protocol           Detection of a non-standard protocol or event                medium
rpc-portmap-decode              Decode of an RPC Query                                       medium
successful-dos                  Denial of Service                                            medium
successful-recon-largescale     Large Scale Information Leak                                 medium
successful-recon-limited        Information Leak                                             medium
suspicious-filename-detect      A suspicious filename was detected                           medium
suspicious-login                An attempted login using a suspicious username was detected  medium
system-call-detect              A system call was detected                                   medium
unusual-client-port-connection  A client was using an unusual port                           medium
web-application-activity        Access to a potentially vulnerable web application           medium
icmp-event                      Generic ICMP event                                           low
misc-activity                   Misc activity                                                low
network-scan                    Detection of a Network Scan                                  low
not-suspicious                  Not Suspicious Traffic                                       low
protocol-command-decode         Generic Protocol Command Decode                              low
string-detect                   A suspicious string was detected                             low
unknown                         Unknown Traffic                                              low

Figure: Example Classtype Rules

alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx...
...nt:"expn root"; nocase; classtype:attempted-recon;)

3.4.5.2 Warnings

classtype uses classifications defined by the classification config option. The classifications used by the rules provided with Snort are defined in etc/classification.config.

3.4.6 Priority

The priority keyword assigns a severity level to rules. A classtype option assigns a default priority that may be overridden with an explicit priority option. For an example in conjunction with a classification rule, refer to Figure [*]. For use by itself, see Figure [*].

3.4.6.1 Format

priority: <priority integer>;

Figure: Example Priority Rule

alert TCP any any -> any 80 (msg: "WEB-MISC phf...
...A+; \
content: "/cgi-bin/phf"; priority:10;)
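As an added example that is not part of the Snort manual or the Snort source, a small Python resolver that ties the meta-data options of this section together: it splits a rule's option body (honouring the \; escape described under msg), expands each reference to a URL using the supported-systems table, reads default priorities from classification.config syntax, and lets an explicit priority override the classtype default. The classification lines and the rules it is run on are constructed samples, and the function names are the example's own.

```python
import re
# URL prefixes from the reference-system table in this section.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}
# Constructed classification.config lines in the documented syntax:
#   config classification: <class name>,<class description>,<default priority>
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""
def load_classifications(text):
    """Map class name -> default priority by parsing classification.config syntax."""
    pat = re.compile(r"^\s*config classification:\s*([^,]+),[^,]*,(\d+)\s*$")
    return {m.group(1).strip(): int(m.group(2))
            for m in map(pat.match, text.splitlines()) if m}

def parse_options(rule):
    """Yield (keyword, value) pairs from the rule's (...) body; '\\;' is an escaped ';'."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for field in re.split(r"(?<!\\);", body):
        if field.strip():
            key, _, val = field.partition(":")
            yield key.strip(), val.strip().strip('"').replace("\\;", ";")

def alert_metadata(rule, classes):
    """Resolve msg, sid/rev, reference URLs and the effective priority of one rule."""
    opts = list(parse_options(rule))
    single = dict(opts)                   # last value wins for single-valued keywords
    refs = []
    for key, val in opts:                 # reference may repeat, so walk the full list
        if key == "reference":
            system, _, ident = (s.strip() for s in val.partition(","))
            if system not in REFERENCE_PREFIXES:
                raise ValueError("unknown reference system: " + system)
            refs.append(REFERENCE_PREFIXES[system] + ident)
    if "priority" in single:              # an explicit priority overrides ...
        priority = int(single["priority"])
    else:                                 # ... the default supplied by classtype
        priority = classes.get(single.get("classtype"))
    ints = {k: int(single[k]) for k in ("sid", "rev") if k in single}
    return {"msg": single.get("msg"), "sid": ints.get("sid"), "rev": ints.get("rev"),
            "classtype": single.get("classtype"), "references": refs, "priority": priority}
```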

