Low priority numbers show high priority alerts. This feature is very useful when you want to escalate high-risk alerts or want to pay attention to them first.
Using classifications and priorities for rules and alerts, you can distinguish between high- and low-risk alerts. The following is the same rule but we override the default priority used for the classification.Īlert udp any any -> 192.168.1.0/24 6838 (msg:"DoS" content: "server" classtype:DoS priority:1) The following rule uses default priority with the classification DoS:Īlert udp any any -> 192.168.1.0/24 6838 (msg:"DoS" content: "server" classtype:DoS ) Now let us use this classification in a rule. In Chapter 6, you will see that classifications are used in ACID,2 which is a web-based tool to analyze Snort alert data. In the above line the classification is DoS and the priority is 2. An example of this configuration parameter is as follows:Ĭonfig classification: DoS,Denial of Service Attack,2 You can also place these lines in nf file as well.
Priority is a number that shows the default priority of the classification, which can be modified using a priority keyword inside the rule options. The description is a short description of the class type. The name is used with the classtype keyword in Snort rules. The name is a name used for the classification. Each line in the nfig file has the following syntax:Ĭonfig classification: name,description,priority To fully understand the classtype keyword, first look at the file nfig which is included in the nf file using the include keyword. Rules can be assigned classifications and priority numbers to group and distinguish them. Generally when the A flag is set, the ACK value is not zero. You can use any value with the ACK keyword in a rule, however it is added to Snort only to detect this type of attack. The destination of this packet must be a host in network 192.168.1.0/24. This rule shows that an alert message will be generated when you receive a TCP packet with the A flag set and the acknowledgement contains a value of 0. To detect this type of TCP ping, you can have a rule like the following that sends an alert message:Īlert tcp any any -> 192.168.1.0/24 any (flags: A ack: 0 msg: "TCP ping detected" ) This method works on hosts that don't respond to ICMP ECHO REQUEST ping packets. When nmap receives this RST packet, it learns that the host is alive. Since this packet is not acceptable by the receiving side according to TCP rules, it sends back a RST packet. For example, among other techniques used by nmap, it can send a TCP packet to port 80 with ACK flag set and sequence number 0. Tools like nmap ( ) use this feature of the TCP header to ping a machine. Refer to Appendix C and RFC 793 for more information about the TCP header.
This field is significant only when the ACK flag in the TCP header is set. The field shows the next sequence number the sender of the TCP packet is expecting to receive.
The TCP header contains an Acknowledgement Number field which is 32 bits long. The remainder of this section describes keywords used in the options part of Snort rules. In this option msg is the keyword and “Detected confidential” is the argument to this keyword. Consider the following rule options that you have already seen: Arguments are separated from the option keyword by a colon. In general, an option may have two parts: a keyword and an argument. Some rule options also contain arguments. You have already used options like msg and ttl in previous rule examples. The action in the rule header is invoked only when all criteria in the options are true. If you use multiple options, these options form a logical AND. There may be one option or many and the options are separated with a semicolon. 9.Rule options follow the rule header and are enclosed inside a pair of parentheses. 2 Catch the Vulnerability, Not the Exploit
Snort rules manual#
Next: 3.1 The Basics Up: SNORTUsers Manual 2.9.16 Previous: 2.11 Active Response Contents