Rule Headers
81
  Source address and source port. In this example both of them are set to any,
which means that the rule will be applied to all packets coming from any
source. Of course, port numbers have no relevance to ICMP packets. Port
numbers are relevant only when the protocol is either TCP or UDP.
  Direction. In this case the direction is set from left to right using the -> symbol.
This shows that the address and port number on the left-hand side of the symbol
are the source and those on the right-hand side are the destination. It also means that
the rule will be applied to packets traveling from source to destination. You can
also use a <- symbol to reverse the meaning of source and destination address
of the packet. Note that the symbol <> can also be used to apply the rule to
packets going in either direction.
  Destination address and destination port. In this example both are set to any,
meaning the rule will be applied to all packets irrespective of their destination
address. The direction in this rule does not play any role because the rule is
applied to all ICMP packets moving in either direction, due to the use of the
keyword any in both the source and destination address parts.
The options part enclosed in parentheses shows that an alert message will be
generated containing the text string "Ping with TTL=100" whenever the condition
TTL=100 is met. Note that TTL, or Time To Live, is a field in the IP packet header. Refer
to RFC 791 at http://www.rfc-editor.org/rfc/rfc791.txt or Appendix C for information
on IP packet headers.
3.5 Rule Headers
As mentioned earlier, a rule header consists of the section of the rule before starting
parentheses and has many parts. Let us take a detailed look at different parts used in the
rule header, starting with rule actions.
3.5.1 Rule Actions
The action is the first part of a Snort rule. It shows what action will be taken when
the rule conditions are met. An action is taken only when all of the conditions mentioned in
a rule are true. There are five predefined actions. However, you can also define your
own actions as needed. As a precaution, keep in mind that Snort versions 1.x and 2.x
apply rules in different ways. In Snort 1.x, if multiple rules match a given packet, only
the first one is applied. After applying the first rule, no further action is taken on the
packet. However, in Snort version 2, all rules are applied before generating an alert
message. The most severe alert message is then generated.
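As an added illustration (not code from the book or from Snort itself), the following Python parser splits a rule of the form discussed above into its header fields and options, then applies it to constructed packet records to show why direction is irrelevant when both addresses are any, why ports are ignored for ICMP, and how <> matches either direction. The packet dictionary layout, the exact-or-any address matching (no CIDR or lists) and the handling of only the ttl option are simplifications assumed for this example.

```python
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}  # Snort's five predefined actions

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str  # "->" (left side is source) or "<>" (either direction)
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

# header: action proto src sport direction dst dport, then options in parentheses
HEADER = re.compile(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*")

def parse_rule(text):
    """Split a rule into its seven header fields and its parenthesised options."""
    m = HEADER.fullmatch(text)
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action: " + action)
    options = {}
    for item in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, value = item.partition(":")  # e.g. 'msg: "Ping with TTL=100"'
        options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, options)

def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, dst, ttl, plus sport/dport for tcp/udp."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    ports_matter = pkt["proto"] in ("tcp", "udp")  # ports are meaningless for ICMP

    def endpoint(pat_addr, pat_port, addr, port):
        addr_ok = pat_addr == "any" or pat_addr == addr
        port_ok = not ports_matter or pat_port == "any" or pat_port == str(port)
        return addr_ok and port_ok

    forward = (endpoint(rule.src, rule.sport, pkt["src"], pkt.get("sport"))
               and endpoint(rule.dst, rule.dport, pkt["dst"], pkt.get("dport")))
    reverse = (endpoint(rule.src, rule.sport, pkt["dst"], pkt.get("dport"))
               and endpoint(rule.dst, rule.dport, pkt["src"], pkt.get("sport")))
    if not (forward or (rule.direction == "<>" and reverse)):
        return False
    # Only the ttl option from the page's example rule is evaluated here.
    return "ttl" not in rule.options or int(rule.options["ttl"]) == pkt["ttl"]
```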