Snort Rules: A Comprehensive Guide
Snort's intrusion detection and prevention system relies on the presence of Snort rules to protect networks. These rules consist of two main sections:
- Rule Header: Defines the action to take upon any matching traffic, as well as the protocols, network addresses, port numbers, and direction of traffic that the rule should apply to.
- Rule Body: Defines the message associated with a given rule, and the payload and non-payload criteria that need to be met for a rule to match.
A fully-formed Snort 3 rule example:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (
msg:"Attack attempt!";
flow:to_client,established;
file_data;
content:"1337 hackz 1337",fast_pattern,nocase;
service:http;
sid:1;
)
- Rule Header: Includes all the text up to the first parenthesis.
- Rule Body: Includes everything between the parentheses.
- The action defined in a Snort rule's header is not taken unless all of the rule's individual options evaluate to true.
Note: Snort 3 ignores extra whitespace in rules, so there's no need to escape newlines with backslashes like in Snort 2 rules.
Comments can be added to provide additional context or information about a rule or rule option. Snort accepts both `#` hash comments and C-style `/* */` block comments:
# hash comment here
/* these can be used to create
multi-line comments
*/
content:"ABCD"; /* or they can be used like this */
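To make the header/body split and the comment rules concrete, here is an added Python example (not code from the Snort project) that strips both comment styles and splits a multi-line Snort 3 rule into its header string and a list of (option, value) pairs. The sample rule, `SAMPLE_RULE`, is constructed for the example; quoted option values that themselves contain `;` or `)` are kept intact.

```python
"""Split a Snort 3 rule into its header and body options.

Added example, not from the Snort project: handles '#' and /* */
comments, multi-line rules (Snort 3 ignores extra whitespace), and
option values that contain ';' or ')' inside quoted strings."""

# Constructed sample rule in Snort 3 syntax, using both comment styles.
SAMPLE_RULE = '''
# hash comment here
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (
    msg:"Attack; attempt)";   /* the value contains ; and ) on purpose */
    flow:to_client,established;
    file_data;
    content:"1337 hackz 1337",fast_pattern,nocase;
    service:http;
    sid:1;
)
'''


def strip_comments(text):
    """Remove /* ... */ blocks and '#' line comments, leaving quoted strings intact."""
    out = []
    i, n = 0, len(text)
    in_quote = False
    while i < n:
        c = text[i]
        if in_quote:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep an escaped character such as \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_quote = False
            i += 1
        elif c == '"':
            in_quote = True
            out.append(c)
            i += 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2      # skip past the closing */
        elif c == "#":
            end = text.find("\n", i)
            i = n if end < 0 else end          # drop to end of line, keep the newline
        else:
            out.append(c)
            i += 1
    return "".join(out)


def split_rule(rule_text):
    """Return (header, [(option, value_or_None), ...]) for one rule."""
    text = strip_comments(rule_text).strip()
    open_idx = text.find("(")
    if open_idx < 0 or not text.endswith(")"):
        raise ValueError("rule body must be enclosed in parentheses")
    header = " ".join(text[:open_idx].split())   # collapse whitespace in the header
    body = text[open_idx + 1:-1]
    options, cur, in_quote = [], [], False
    i = 0
    while i < len(body):                         # split on ';' only outside quotes
        c = body[i]
        if in_quote:
            cur.append(c)
            if c == "\\" and i + 1 < len(body):
                cur.append(body[i + 1])
                i += 1
            elif c == '"':
                in_quote = False
        elif c == '"':
            in_quote = True
            cur.append(c)
        elif c == ";":
            options.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        raise ValueError('option is missing its terminating ";"')
    parsed = []
    for opt in options:
        name, sep, value = opt.partition(":")    # file_data; has no value part
        parsed.append((name.strip(), value.strip() if sep else None))
    return header, parsed


if __name__ == "__main__":
    hdr, opts = split_rule(SAMPLE_RULE)
    print(hdr)            # alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
    for name, value in opts:
        print(f"  {name} = {value}")
```

The option list keeps values as raw text (quotes and modifiers included), which is enough to pull out `sid`, `msg` or `content` for inventory or linting scripts; interpreting modifiers such as `fast_pattern` is left to a second stage.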
- Snort rules start with a rule header that filters the traffic the rule's body will evaluate.
Rule actions tell Snort what to do when a rule "fires":
- alert -> generate an alert on the current packet
- block -> block the current packet and all subsequent packets in this flow
- drop -> drop the current packet
- log -> log the current packet
- pass -> mark the current packet as passed
- react -> send response to client and terminate session
- reject -> terminate session with TCP reset or ICMP unreachable
- rewrite -> overwrite packet contents based on a "replace" option in the rules
alert http (msg:"Generate an alert"; sid:1;)
drop http (msg:"Drop this packet"; sid:2;)
block http (msg:"Block this packet and subsequent ones"; sid:3;)
Supported protocols include:
- ip
- icmp
- tcp
- udp
Only one protocol can be set per rule.
alert udp $EXTERNAL_NET any -> $HOME_NET 53
alert tcp $EXTERNAL_NET any -> $HOME_NET 80
alert ip any any -> $HOME_NET any
Services in Place of Protocols: Rule writers can specify application layer services to match traffic of a specified service.
alert http $EXTERNAL_NET any -> $HOME_NET 8000
alert smtp $EXTERNAL_NET any -> $HOME_NET 5300
Define source and destination IP addresses a rule should apply to.
alert tcp 192.168.1.0/24 any -> 192.168.5.0/24 any
alert tcp $EXTERNAL_NET any -> $HOME_NET 80
alert tcp any any -> 192.168.1.3 445
alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 23
alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.168.1.0/24,10.1.1.0/24] 80
Define source and destination ports a rule should apply to.
log udp any any -> 192.168.1.0/24 1:1024
log tcp any any -> 192.168.1.0/24 :6000
log tcp any :1024 -> 192.168.1.0/24 500
Indicate the direction of traffic the rule should apply to.
- -> (Unidirectional) This operator indicates that the rule should apply to traffic flowing in one specific direction, from the source IP/port to the destination IP/port. It is the most common operator used in Snort rules.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
This rule applies to TCP traffic coming from any IP in the $EXTERNAL_NET with source port 80 and going to any IP in the $HOME_NET on any port.
- <> (Bidirectional) This operator indicates that the rule should apply to traffic flowing in both directions between the specified IP addresses and ports. It allows the rule to trigger on traffic in either direction.
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
- This rule applies to TCP traffic between any IP outside of 192.168.1.0/24 and any IP within 192.168.1.0/24, specifically on port 23, regardless of which IP is the source and which is the destination.
Practical Example of Direction Operators
alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"Outgoing HTTPS traffic"; sid:1001;)
- This rule triggers on any outbound HTTPS traffic from the $HOME_NET to any IP in the $EXTERNAL_NET.
alert tcp any any <> 192.168.1.100 22 (msg:"SSH traffic involving specific host"; sid:1002;)
- This rule triggers on any SSH traffic (port 22) involving the host 192.168.1.100, whether it is incoming or outgoing.
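The address, port and direction semantics described above can be checked mechanically. The following Python is an added example, not Snort's own matching code: it compiles a rule header into predicates and tests a packet 5-tuple against it, covering the page's cases together (negated lists, open-ended port ranges, `ip` as the catch-all protocol, and the swapped-endpoint match that `<>` implies). The `VARIABLES` table is a constructed stand-in for the variables a real deployment defines in its Snort configuration, and service names such as `http` in the protocol field are deliberately not handled.

```python
"""Match a Snort rule header against a connection 5-tuple.

Added example, not Snort's own code: it implements the header grammar
shown in this guide (action, protocol, addresses, ports, direction),
including $VARIABLES, '!' negation, [a,b] lists, 'any', port ranges such
as 1:1024 / :6000 / 1024:, and both the '->' and '<>' operators."""
import ipaddress

ACTIONS = {"alert", "block", "drop", "log", "pass", "react", "reject", "rewrite"}
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}   # service names (http, smtp) are not handled here

# Constructed variable table; a real deployment defines these in its Snort configuration.
VARIABLES = {
    "$HOME_NET": "[192.168.1.0/24,10.1.1.0/24]",
    "$EXTERNAL_NET": "!$HOME_NET",
}


def _resolve(spec):
    """Substitute $VARIABLES, following references such as !$HOME_NET."""
    for _ in range(10):                      # bound guards against self-referencing variables
        if "$" not in spec:
            return spec
        for name, value in VARIABLES.items():
            spec = spec.replace(name, value)
    raise ValueError(f"unresolvable variable in {spec!r}")


def parse_addresses(spec):
    """Return a predicate ip_str -> bool for an address field (flat lists only, no nesting)."""
    spec = _resolve(spec).strip()
    if spec.startswith("!"):
        inner = parse_addresses(spec[1:])
        return lambda ip: not inner(ip)
    if spec == "any":
        return lambda ip: True
    if spec.startswith("[") and spec.endswith("]"):
        members = [parse_addresses(p) for p in spec[1:-1].split(",") if p.strip()]
        return lambda ip: any(m(ip) for m in members)
    net = ipaddress.ip_network(spec, strict=False)   # a bare host like 192.168.1.3 becomes a /32
    return lambda ip: ipaddress.ip_address(ip) in net


def parse_ports(spec):
    """Return a predicate int -> bool for a port field."""
    spec = _resolve(spec).strip()
    if spec.startswith("!"):
        inner = parse_ports(spec[1:])
        return lambda port: not inner(port)
    if spec == "any":
        return lambda port: True
    if spec.startswith("[") and spec.endswith("]"):
        members = [parse_ports(p) for p in spec[1:-1].split(",") if p.strip()]
        return lambda port: any(m(port) for m in members)
    if ":" in spec:                            # 1:1024, :6000 (up to 6000), 1024: (1024 and above)
        lo, hi = spec.split(":", 1)
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 65535)
        return lambda port: lo <= port <= hi
    exact = int(spec)
    return lambda port: port == exact


def parse_header(header):
    """Validate the seven header fields and compile the address/port matchers."""
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {header!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"unknown direction operator {direction!r}")
    return {
        "action": action, "proto": proto, "direction": direction,
        "src": parse_addresses(src), "sport": parse_ports(sport),
        "dst": parse_addresses(dst), "dport": parse_ports(dport),
    }


def header_matches(header, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the packet tuple falls within the header's filter."""
    h = parse_header(header)
    if h["proto"] != "ip" and h["proto"] != proto:   # 'ip' covers every IP protocol
        return False
    forward = (h["src"](src_ip) and h["sport"](src_port)
               and h["dst"](dst_ip) and h["dport"](dst_port))
    if forward or h["direction"] == "->":
        return forward
    # '<>' also matches when the packet flows the other way
    return (h["src"](dst_ip) and h["sport"](dst_port)
            and h["dst"](src_ip) and h["dport"](src_port))


if __name__ == "__main__":
    # Constructed packets: an HTTP response entering $HOME_NET, a telnet reply leaving it.
    print(header_matches("alert tcp $EXTERNAL_NET 80 -> $HOME_NET any",
                         "tcp", "203.0.113.5", 80, "192.168.1.10", 51000))      # True
    print(header_matches("log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23",
                         "tcp", "192.168.1.7", 23, "203.0.113.9", 40000))       # True
```

The bidirectional case is the one worth studying: the telnet reply above comes from port 23 inside 192.168.1.0/24, so it fails the forward check and only matches because `<>` re-evaluates the header with source and destination swapped. Running headers from a ruleset through this matcher with a handful of representative tuples is a quick way to catch variable definitions or negations that silently exclude the traffic a rule was meant to cover.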