Chapter 3     Working with Snort Rules
3.6.30 The sid Keyword
The sid keyword is used to add a Snort ID to rules. Output modules or log scanners
can use the SID to identify rules. The authors have reserved SID ranges for rules as
shown below:
  - Range 0 to 99 is reserved for future use.
  - Range 100 to 1,000,000 is reserved for rules that come with the Snort distribution.
  - All numbers above 1,000,000 can be used for local rules.
Refer to the list of rules that came with your Snort distribution for examples. The
only argument to this keyword is a number. The following rule adds a SID equal to
1000001:
alert ip any any -> any any (ipopts: lsrr; \
   msg: "Loose source routing attempt"; sid: 1000001;)
Using the SID, tools like ACID can display the actual rule that generated a particular
alert.
3.6.31 The tag Keyword
The tag keyword is another very important keyword that can be used for logging
additional data from/to the intruder host when a rule is triggered. The additional data
can then be analyzed later on for a detailed picture of the intruder's activity. The
general syntax of the keyword is as follows:
tag: <type>, <count>, <metric>[, direction]
The arguments are explained in Table 3-5.
Table 3-5 Arguments used with the tag keyword

  Argument   Description

  Type       You can use either "session" or "host" as the type argument. Using
             session, packets are logged from the particular session that
             triggered the rule. Using host, all packets from the host are logged.

  Count      This indicates either the number of packets logged or the number of
             seconds during which packets will be logged. The distinction between
             the two is made by the metric argument.

  Metric     You can use either "packets" or "seconds", as mentioned above.

  Direction  This argument is optional. You can use either "src" to log packets
             from the source or "dst" to log packets from the destination.
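As an added example (not from the book or the Snort project), the following Python checks a locally written rule against the two conventions described above: the SID must lie above the 1,000,000 range reserved for Snort's own rules, and a tag option must follow the type, count, metric[, direction] form of Table 3-5. The option splitter is a simple one that assumes no semicolons inside quoted strings; the sample rules are constructed here.

```python
# Reserved SID ranges from the text: 0-99 future use, 100-1,000,000 shipped
# with the Snort distribution, anything above 1,000,000 free for local rules.
LOCAL_SID_MIN = 1_000_001


def parse_options(rule):
    """Return the rule's option section as a list of (keyword, value) pairs.
    Value is None for flag-style options that carry no argument."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    body = body.replace("\\\n", " ")  # join backslash line continuations
    opts = []
    for part in filter(None, (p.strip() for p in body.split(";"))):
        key, _, val = part.partition(":")
        opts.append((key.strip(), val.strip().strip('"') or None))
    return opts


def check_tag(value):
    """Validate a tag value 'type, count, metric[, direction]' per Table 3-5."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) not in (3, 4):
        return False
    typ, count, metric = fields[:3]
    if typ not in ("session", "host"):
        return False
    if not count.isdigit() or int(count) <= 0:
        return False
    if metric not in ("packets", "seconds"):
        return False
    # The fourth argument, when present, must be src or dst.
    return len(fields) == 3 or fields[3] in ("src", "dst")


def check_local_rule(rule):
    """Return a list of problems found in a local rule; empty means clean."""
    opts = dict(parse_options(rule))
    problems = []
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} lies in a range reserved for Snort's own rules")
    if "tag" in opts and not check_tag(opts["tag"]):
        problems.append(f"malformed tag option: {opts['tag']}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the loose-source-routing rule from the text, tagged.
    sample = ('alert ip any any -> any any (ipopts: lsrr; msg: "Loose source '
              'routing attempt"; tag: host, 60, seconds, src; sid: 1000001;)')
    print(check_local_rule(sample) or "rule OK")
```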