Chapter 3     Working with Snort Rules
  Procedure number
  Version number
These arguments are separated by a comma. You can also use an asterisk to match
all numbers in a particular location of the arguments. The following rule detects RPC
requests for RPC number 10000, all procedures, and version number 3.
alert ip any any -> 192.168.1.0/24 any (rpc: 10000,*,3; \
   msg: "RPC request to local network";)
3.6.26 The sameip Keyword
The sameip keyword is used to check if source and destination IP addresses are
the same in an IP packet. It has no arguments. Some people try to spoof IP packets to
get information or attack a server. The following rule can be used to detect these
attempts.
alert ip any any -> 192.168.1.0/24 any (msg: "Same IP"; \
   sameip;)
3.6.27 The seq Keyword
The seq keyword in Snort rule options can be used to test the sequence number of
a TCP packet. The argument to this keyword is a sequence number. The general format
is as follows:
seq: "sequence_number";
Sequence numbers are a part of the TCP header. More explanation of sequence
numbers is found in Appendix C where the TCP header is discussed.
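To make the rpc, sameip and seq options concrete, here is an added example (not code from the book or from Snort itself) that evaluates just those options of a rule against constructed packet records. Only the option part in parentheses is evaluated; the rule header (action, protocol, addresses, ports) is ignored, and the packet field names src, dst, rpc and seq are assumptions of this example.

```python
# Added example, not code from the book or from Snort: a small evaluator for the
# rpc, sameip and seq rule options. Only the option part of a rule is evaluated;
# the header (action, protocol, addresses, ports) is ignored. Packet records are
# constructed dictionaries whose field names (src, dst, rpc, seq) are assumed.

def parse_options(rule):
    """Split the parenthesised option part of a rule into (keyword, argument) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for part in body.split(";"):
        if part.strip():
            key, _, arg = part.partition(":")          # keywords without ':' get arg ''
            opts.append((key.strip(), arg.strip().strip('"')))
    return opts

def rpc_matches(spec, pkt):
    """rpc: program,procedure,version where '*' matches any value in that position."""
    if pkt.get("rpc") is None:                         # not an RPC request at all
        return False
    fields = [f.strip() for f in spec.split(",")]
    return all(f == "*" or int(f) == got for f, got in zip(fields, pkt["rpc"]))

def packet_matches(rule, pkt):
    """True when every detection option of the rule holds for the packet."""
    for key, arg in parse_options(rule):
        if key == "rpc" and not rpc_matches(arg, pkt):
            return False
        if key == "sameip" and pkt["src"] != pkt["dst"]:   # sameip takes no argument
            return False
        if key == "seq" and pkt.get("seq") != int(arg):    # TCP sequence number check
            return False
    return True

def alert_messages(rules, pkt):
    """Return the msg text of every rule that fires on the packet."""
    return [dict(parse_options(r))["msg"] for r in rules if packet_matches(r, pkt)]

RULES = [
    'alert ip any any -> 192.168.1.0/24 any (rpc: 10000,*,3; msg: "RPC request to local network";)',
    'alert ip any any -> 192.168.1.0/24 any (msg: "Same IP"; sameip;)',
    'alert tcp any any -> 192.168.1.0/24 any (msg: "Fixed TCP seq"; seq: 12345;)',
]
# Constructed packets: rpc holds (program, procedure, version); seq is the TCP sequence number.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "rpc": (10000, 4, 3)},   # rpc rule fires
    {"src": "192.168.1.10", "dst": "192.168.1.10", "rpc": None},        # sameip fires
    {"src": "10.0.0.5", "dst": "192.168.1.10", "rpc": (10000, 4, 2)},   # version 2: no alert
    {"src": "10.0.0.6", "dst": "192.168.1.11", "seq": 12345},           # seq rule fires
]

if __name__ == "__main__":
    for i, pkt in enumerate(PACKETS):
        print(i, alert_messages(RULES, pkt))
```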
3.6.28 The flow⁴ Keyword
The flow keyword is used to apply a rule on TCP sessions to packets flowing in a
particular direction. You can use options with the keyword to determine direction. The
following options can be used with this keyword to determine direction:
  to_client
  to_server
  from_client
  from_server
4. This is available in Snort 1.9 and above.