Rule Options
89
and an argument. Arguments are separated from the option keyword by a colon. Consider the following rule options that you have already seen:
msg: "Detected confidential";
In this option, msg is the keyword and "Detected confidential" is the argument to this keyword.
The remainder of this section describes keywords used in the options part of Snort
rules.
3.6.1 The ack Keyword
The TCP header contains an Acknowledgement Number field which is 32 bits long. The field shows the next sequence number the sender of the TCP packet is expecting to receive. This field is significant only when the ACK flag in the TCP header is set. Refer to Appendix C and RFC 793 for more information about the TCP header.
Tools like nmap (http://www.nmap.org) use this feature of the TCP header to ping
a machine. For example, among other techniques used by nmap, it can send a TCP
packet to port 80 with ACK flag set and sequence number 0. Since this packet is not
acceptable by the receiving side according to TCP rules, it sends back a RST packet.
When nmap receives this RST packet, it learns that the host is alive. This method works
on hosts that don't respond to ICMP ECHO REQUEST ping packets.
To detect this type of TCP ping, you can have a rule like the following that sends
an alert message:
alert tcp any any -> 192.168.1.0/24 any (flags: A; \
   ack: 0; msg: "TCP ping detected";)
This rule shows that an alert message will be generated when you receive a TCP packet with the A flag set and the acknowledgement number contains a value of 0. Other TCP flags are listed in Table 3-2. The destination of this packet must be a host in network 192.168.1.0/24. You can use any value with the ack keyword in a rule; however, it is added to Snort only to detect this type of attack. Generally, when the A flag is set, the ACK value is not zero.
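To make the three conditions of the rule above concrete, the following added Python example (not from the book and not Snort code) builds a constructed IPv4/TCP packet in memory and applies the same checks a rule engine would: only the ACK flag set (flags: A), acknowledgement number zero (ack: 0), and a destination inside 192.168.1.0/24. The packet builder, field names and the home network value are assumptions for the example.

```python
import ipaddress
import struct

TCP_ACK_FLAG = 0x10  # ACK bit in the TCP flags byte

def build_packet(src, dst, dport, flags, ack_num):
    """Constructed test data: minimal IPv4 + TCP headers (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    # src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, ack_num,
                          5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def parse_packet(pkt):
    """Extract the fields the rule tests: destination address, TCP flags, ack number."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:                    # protocol field: 6 = TCP
        return None
    dst = ipaddress.ip_address(pkt[16:20])
    _, _, _, ack_num, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH",
                                                        pkt[ihl:ihl + 20])
    return {"dst": dst, "flags": flags, "ack": ack_num}

def tcp_ping_alert(pkt, home_net="192.168.1.0/24"):
    """Mirror of: alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; ...)"""
    fields = parse_packet(pkt)
    if fields is None:
        return None
    # flags: A  means exactly the ACK flag; any additional flag bit is a miss
    if fields["flags"] != TCP_ACK_FLAG:
        return None
    if fields["ack"] != 0:             # ack: 0
        return None
    if fields["dst"] not in ipaddress.ip_network(home_net):
        return None
    return "TCP ping detected"

if __name__ == "__main__":
    probe = build_packet("10.0.0.9", "192.168.1.5", 80, TCP_ACK_FLAG, 0)
    print(tcp_ping_alert(probe))       # TCP ping detected
```

A normal ACK segment carries a non-zero acknowledgement number, so the same function returns None for ordinary traffic to the home network.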
3.6.2 The classtype Keyword
Rules can be assigned classifications and priority numbers to group and distinguish them. To fully understand the classtype keyword, first look at the file classification.config, which is included in the snort.conf file using the include keyword. Each line in the classification.config file has the following syntax:
config classification: name,description,priority