>> Snort rules have two parts, rule header and rule options. The rule header, which appears before the parentheses, contains the rule action, very commonly alert, protocol, source IP address and source port, destination IP address and destination port. The header answers the question, who, in relation to analyzed packets? This rule starts with alert, which is the action to take if the criteria is met. IP that follows means all IP packets! The first any refers to any source IP address. The second any refers to any source port. Then, we have the directional operator, in this case, indicating to match traffic from the source on the left of the arrow to the destination on the right of the arrow. Followed by a third any, which refers to any destination IP address. Followed by a fourth any, which refers to any destination port. All that is considered the Snort rule header.

Now for the rule option. The message which will be displayed in the alert is IP packet detected. The rule option section found inside the parentheses has parameters that determine if the rules should match. Although we don't have any in this case, we'll see a rule with one such parameter shortly. If there are multiple parameters, the elements are generally evaluated in order, and every single one of them must be true for the rule to match and take action. In addition, the rule option section contains a message to use for alerts and logs, which we see here. Finally, the rule options section can have metadata classification of the rule itself, and we'll see an example of this shortly, as well. If the rule header answers the question who, then the rule option answers the question, what?

That's just a getting-our-feet-wet rule. Take a look at this one. This time, instead of alert, the action is log. We're going for anything encapsulated inside a TCP header here. The source IP to trigger this criteria will be any host not on 192.168.1.0/24 using any source port. The direction is towards an inside host, 192.168.1.73, with a destination port of 22. If that happens, the Snort rule option kicks in and puts this message in the log file. We're going to log all remote SSH attempts to 192.168.1.73. You could have multiple rule options, which are separated by a semicolon. As opposed to alert rules and log rules, pass rules will match benign traffic that doesn't need to generate alerts or logs. For example, a vulnerability scanner on a network, that should be ignored by Snort.

Snort rules can use variables. For example, home underscore net and external underscore net can be used to specify internal and external network IP address ranges, and web underscore ports defines the ports that should be interpreted as HTTP or SSL TLS traffic. You'd specify the variables and give them values in the Snort configuration file. In this rule, we're going to match outbound traffic from our internal network destined for ports that web servers will be listening on. The only other directional symbol used by Snort, which is the less-than symbol followed by the greater-than symbol, represents bidirectional traffic. Now, we're going to also match traffic that comes back to our network from an external web server.

Here is a rule that looks for a FIN scan attempt from an external network with any port to our internal network on any port. The rule option section contains what we're looking for, a TCP header with just the FIN flag raised. It also contains a message to be displayed with an alert or log entry, as well as metadata, a general category for the rule, a unique identifier for the rule, a revision number for the rule, and even a URL for future reference regarding something we might be trying to protect against. You can even match on content in the payload, both in text and binary form, and take action based on a match.

Here's some examples of the different Snort rulesets, consisting of thousands of individual rules located in multiple repositories. Snort rules could be highly specialized and granular. For example, generate an alert if a user tries to su to root through an SSH session, or generate an alert for an incorrect login to an SSH session.
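The rules the lecture walks through, written out and checked by a toy matcher, as an added example that is not part of the lecture or of Snort's own code. The rule texts are reconstructed from the narration (the slides themselves are not in the transcript); the variable values, the sid, classtype and reference URL, and the packets are constructed placeholders; and the matcher covers only what the lecture mentions: header fields, negation, configuration variables, the bidirectional operator, the FIN flag, and text content.

```python
"""Toy Snort-style rule parser/matcher: header = "who", options = "what".
Added example, not Snort's own code; rule texts, variable values and packets
are reconstructed or constructed for illustration."""
import ipaddress
import re

# Variables normally set in snort.conf (constructed values).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24",
        "HTTP_PORTS": "[80,443]"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and a dict of option lists."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    opts = {}
    # Options are "key:value;" pairs; a key such as reference may repeat.
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    rule["options"] = opts
    return rule


def _expand(spec):
    # Resolve a $VARIABLE reference to its configured value.
    return VARS[spec[1:]] if spec.startswith("$") else spec


def ip_matches(spec, ip):
    spec = _expand(spec)
    if spec.startswith("!"):  # negation: "any host not on ..."
        return not ip_matches(spec[1:], ip)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    spec = _expand(spec)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    for part in spec.strip("[]").split(","):  # single ports or lo:hi ranges
        lo, sep, hi = part.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535) if sep else int(lo) == port
        if hit:
            return True
    return False


def match_rule(rule, pkt):
    """True when the header ("who") and every detection option ("what") hold."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def ends(src, sport, dst, dport):
        return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

    who = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":  # bidirectional: the reverse direction also matches
        who = who or ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not who:
        return False
    # msg, sid, rev, classtype and reference are metadata; flags and content constrain.
    for val in rule["options"].get("flags", []):
        if set(val) != set(pkt.get("flags", "")):  # flags:F alone means exactly FIN set
            return False
    for val in rule["options"].get("content", []):
        if val not in pkt.get("payload", ""):
            return False
    return True


RULES = [parse_rule(r) for r in (
    'alert ip any any -> any any (msg:"IP packet detected";)',
    'log tcp !192.168.1.0/24 any -> 192.168.1.73 22 (msg:"Remote SSH attempt to 192.168.1.73";)',
    'alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"Web traffic";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FIN scan"; flags:F; classtype:attempted-recon;'
    ' sid:1000001; rev:1; reference:url,example.invalid/fin-scan;)',  # placeholder sid and URL
)]


def evaluate(pkt, rules=RULES):
    """Return (action, msg) for every rule the packet triggers, in rule order."""
    return [(r["action"], r["options"]["msg"][0]) for r in rules if match_rule(r, pkt)]


if __name__ == "__main__":
    # Constructed packets: an inbound SSH connection attempt and an inbound FIN probe.
    for p in ({"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.73", "dport": 22, "flags": "S"},
              {"proto": "tcp", "src": "203.0.113.9", "sport": 54321, "dst": "192.168.1.20", "dport": 445, "flags": "F"}):
        print(p["src"], "->", p["dst"], evaluate(p))
```

The first rule fires on every packet because its protocol is ip, which is why a rule that broad is only useful for getting our feet wet; the bidirectional rule matches both the outbound request and the reply because the reverse endpoints are tried when the operator is the less-than followed by greater-than symbol.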
Reposted from: https://www.cnblogs.com/sec875/articles/10028737.html