80
Chapter 3     Working with Snort Rules
The protocol part restricts the rule to packets of one particular protocol. It is the first criterion mentioned in the rule. Examples of protocols used are IP, ICMP, UDP, etc.
The address parts define source and destination addresses. Addresses may be a single host, multiple hosts, or network addresses. You can also use these parts to exclude some addresses from a complete network. More about addresses will be discussed later. Note that there are two address fields in the rule. Which one is the source and which is the destination is determined by the direction field. As an example, if the direction field is ->, the address on the left side is the source and the address on the right side is the destination.
In the case of the TCP or UDP protocol, the port parts determine the source and destination ports of a packet on which the rule is applied. In the case of network layer protocols like IP and ICMP, port numbers have no significance.
The direction part of the rule actually determines which address and port number is used as source and which as destination.
For example, consider the following rule that generates an alert message whenever it detects an ICMP[1] ping packet (ICMP ECHO REQUEST) with TTL equal to 100, as you have seen in Chapter 2.
alert icmp any any -> any any (msg: "Ping with TTL=100"; \
 ttl: 100;)
The part of the rule before the starting parenthesis is called the rule header. The part of the rule that is enclosed by the parentheses is the options part. The header contains the following parts, in order:
• A rule action. In this rule the action is alert, which means that an alert will be generated when conditions are met. Remember that packets are logged by default when an alert is generated. Depending on the action field, the rule options part may contain additional criteria for the rules.
• Protocol. In this rule the protocol is ICMP, which means that the rule will be applied only to ICMP type packets. In the Snort detection engine, if the protocol of a packet is not ICMP, the rest of the rule is not considered, in order to save CPU time. The protocol part plays an important role when you want to apply Snort rules only to packets of a particular type.
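The header layout described above (action, protocol, source address and port, direction, destination address and port, followed by the parenthesised options) can be checked mechanically. The following parser is an added example, not code from the book or from the Snort project: it folds backslash-continued lines, splits a rule into header and options, resolves which endpoint is source and which is destination from the direction field (one flow for ->, both flows for <>), and warns when port fields are given for IP or ICMP, where the text says they have no significance. The set of known actions beyond alert is assumed from Snort 2.x and is not on this page; the sample rules other than the TTL=100 rule are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule actions of Snort 2.x (assumption from general Snort knowledge; the text shows only "alert").
KNOWN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Header order from the text: action, protocol, src addr, src port, direction, dst addr, dst port.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src_addr>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_addr>\S+)\s+(?P<dst_port>\S+)$"
)

@dataclass
class RuleHeader:
    action: str
    protocol: str
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str

@dataclass
class SnortRule:
    header: RuleHeader
    options: Dict[str, Optional[str]]

# The rule from the text, split over two lines with a trailing backslash as in the book.
PING_RULE = '''alert icmp any any -> any any (msg: "Ping with TTL=100"; \\
 ttl: 100;)'''

def _join_continuations(text: str) -> str:
    """Fold backslash-continued lines into one logical rule line."""
    pieces = [line.rstrip().rstrip("\\") for line in text.strip().splitlines()]
    return " ".join(pieces).strip()

def _split_options(body: str) -> List[str]:
    """Split the options body on ';' while ignoring semicolons inside double quotes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escaped characters (e.g. \" or \;) intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts

def parse_rule(text: str) -> SnortRule:
    """Split a rule into its header (before '(') and its options (inside the parentheses)."""
    line = _join_continuations(text)
    head, paren, rest = line.partition("(")
    if not paren or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    m = HEADER_RE.match(head.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % head.strip())
    header = RuleHeader(**m.groupdict())
    options: Dict[str, Optional[str]] = {}
    for opt in _split_options(rest.rstrip()[:-1]):
        key, colon, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote string options such as msg
        options[key.strip()] = value if colon else None  # bare keywords (nocase) carry no value
    return SnortRule(header, options)

def endpoints(h: RuleHeader) -> List[Tuple[str, str, str, str]]:
    """(src_addr, src_port, dst_addr, dst_port) flows the header applies to:
    '->' yields one flow, '<>' matches both directions and yields two."""
    flows = [(h.src_addr, h.src_port, h.dst_addr, h.dst_port)]
    if h.direction == "<>":
        flows.append((h.dst_addr, h.dst_port, h.src_addr, h.src_port))
    return flows

def lint(rule: SnortRule) -> List[str]:
    """Warnings for an unknown action or for port fields on IP/ICMP, where ports have no meaning."""
    h, warnings = rule.header, []
    if h.action not in KNOWN_ACTIONS:
        warnings.append("unknown action %r" % h.action)
    if h.protocol.lower() in ("ip", "icmp") and (h.src_port, h.dst_port) != ("any", "any"):
        warnings.append("port fields are ignored for protocol %s" % h.protocol)
    return warnings

if __name__ == "__main__":
    rule = parse_rule(PING_RULE)
    print(rule.header, rule.options, endpoints(rule.header), lint(rule), sep="\n")
```

Running the file prints the parsed header and options of the TTL=100 rule, its single any-to-any flow, and an empty warning list. Feeding it a rule such as alert icmp any 8 -> any any (msg: "x";) produces a warning, since the port field is meaningless for ICMP, which is exactly the kind of mistake the header description is meant to prevent.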
1. ICMP or Internet Control Message Protocol is defined in RFC 792. ICMP packets are used to convey different types of information in the network. ICMP ECHO REQUEST is one type of ICMP packet. There are many other types of ICMP packets, as defined in RFC 792. The references at the end of this chapter contain a URL to download the RFC document.