Sophie

Sophie

distrib > Mandriva > 2006.0 > x86_64 > by-pkgid > 56c5837d9d111437878acba01e4df73e > files > 3065

snort-2.3.3-2.3.20060mdk.x86_64.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2002-2-1 (1.71)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>3.1 The Basics</TITLE>
<META NAME="description" CONTENT="3.1 The Basics">
<META NAME="keywords" CONTENT="snort_manual">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="snort_manual.css">

<LINK REL="next" HREF="node18.html">
<LINK REL="previous" HREF="node16.html">
<LINK REL="up" HREF="node16.html">
<LINK REL="next" HREF="node18.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html635"
  HREF="node18.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html631"
  HREF="node16.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html625"
  HREF="node16.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html633"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html636"
  HREF="node18.html">3.2 Rules Headers</A>
<B> Up:</B> <A NAME="tex2html632"
  HREF="node16.html">3. Writing Snort Rules</A>
<B> Previous:</B> <A NAME="tex2html626"
  HREF="node16.html">3. Writing Snort Rules</A>
 &nbsp; <B>  <A NAME="tex2html634"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->

<H1><A NAME="SECTION00410000000000000000">
3.1 The Basics</A>
</H1>

<P>
Snort uses a simple, lightweight rules description language that is flexible
and quite powerful. There are a number of simple guidelines to remember when
developing Snort rules.

<P>
Most Snort rules are written in a single line. This was required in versions
prior to 1.8. In current versions of Snort, rules may span multiple lines by
adding a backslash &#92; to the end of the line. 

<P>
Snort rules are divided into two logical sections, the rule header and the rule
options. The rule header contains the rule's action, protocol, source and
destination IP addresses and netmasks, and the source and destination ports
information. The rule option section contains alert messages and information on
which parts of the packet should be inspected to determine if the rule action
should be taken.

<P>
Figure <A HREF="#Sample_Snort_Rule"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> illustrates a sample Snort rule.

<P>
<DIV ALIGN="CENTER">
</DIV>
<DIV ALIGN="CENTER"><A NAME="Sample_Snort_Rule"></A><A NAME="2179"></A>
<TABLE>
<CAPTION ALIGN="BOTTOM"><STRONG>Figure:</STRONG>
Sample Snort Rule</CAPTION>
<TR><TD><IMG
 WIDTH="723" HEIGHT="15" BORDER="0"
 SRC="img31.png"
 ALT="\begin{figure}\begin{verbatim}alert tcp any any -&gt; 192.168.1.0/24 111 (content:''\vert0 01 86 a5\vert''; msg:''mountd access'';)\end{verbatim}
\par\end{figure}"></TD></TR>
</TABLE>
</DIV>
<DIV ALIGN="CENTER">
</DIV>

<P>
The text up to the first parenthesis is the rule header and the section
enclosed in parenthesis contains the rule options. The words before the
colons in the rule options section are called option <I>keywords</I>.

    <BR>
<BR><I>
         <FONT SIZE="+4"><IMG
 WIDTH="18" HEIGHT="30" ALIGN="MIDDLE" BORDER="0"
 SRC="img3.png"
 ALT="$\triangle$"> <FONT SIZE="+2"><IMG
 WIDTH="8" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
 SRC="img4.png"
 ALT="$^!$"></FONT></FONT> 
        <FONT SIZE="+2">NOTE</FONT>
    </I>
    
   <DIV ALIGN="CENTER">
</DIV>
<P>
<DIV ALIGN="CENTER">
<BR>
</DIV>
<P>
<DIV ALIGN="CENTER">
    <!-- MATH
 $\fbox{
        \usebox{
            \savepar
        }
    }$
 -->
<IMG
 WIDTH="714" HEIGHT="76" ALIGN="MIDDLE" BORDER="0"
 SRC="img5.png"
 ALT="\fbox{
\usebox{
\savepar
}
}">
    </DIV>
<P>
<DIV ALIGN="CENTER">
</DIV>
All of the elements in that make up a rule must be true for the indicated
rule action to be taken. When taken together, the elements can be
considered to form a logical <SMALL>AND</SMALL> statement. At the same time,
the various rules in a Snort rules library file can be considered
to form a large logical <SMALL>OR</SMALL> statement. 

<P>
<HR>
<!--Navigation Panel-->
<A NAME="tex2html635"
  HREF="node18.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html631"
  HREF="node16.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html625"
  HREF="node16.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html633"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html636"
  HREF="node18.html">3.2 Rules Headers</A>
<B> Up:</B> <A NAME="tex2html632"
  HREF="node16.html">3. Writing Snort Rules</A>
<B> Previous:</B> <A NAME="tex2html626"
  HREF="node16.html">3. Writing Snort Rules</A>
 &nbsp; <B>  <A NAME="tex2html634"
  HREF="node1.html">Contents</A></B> 
<!--End of Navigation Panel-->

</BODY>
</HTML>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional