
Building IDS Rules

Setting Network Variables

You must change the following variables to reflect your local network. You can specify the network explicitly, as in var HOME_NET 10.1.1.0/24, or use "any". You can specify a list of networks for HOME_NET by separating them with commas, like this: var HOME_NET [10.1.1.0/24,192.168.1.0/24].

MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!

The default value for HOME_NET is:

var HOME_NET any

Set up the external network addresses as well. A good start may be "any":

var EXTERNAL_NET any

Set up your SMTP, web, SQL and DNS servers, or simply set them to HOME_NET:

var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

You need not use the SMTP, web, SQL and DNS server rules if there aren't such servers installed on the client computers, since these rules target attacks against those servers and are meaningful only for IDS implementations on an internet gateway.

Customize your rule set

Up-to-date Snort rules are available at http://www.snort.org. The Snort web site has documentation on how to write your own custom Snort rules.

The rules included with the default IDS blackbox generate alerts based on suspicious activity. Depending on your network environment, your security policies, and what you consider to be suspicious, some of these rules may either generate false positives or may be detecting activity you consider acceptable; therefore, you are encouraged to comment out rules that are not applicable in your environment.

Note that using all of the rules at the same time may lead to a performance decrease on slower machines.

Shellcode, policy, info, backdoor, and virus rule sets should be disabled by default. These require tuning and maintenance. For example, the shellcode rules require detailed inspection of each packet, thus increasing the demands on the computer's processing power.

The following rule set files are included by default:

bad-traffic.rules
exploit.rules
scan.rules
finger.rules
ftp.rules
telnet.rules
smtp.rules
rpc.rules
rservices.rules
dos.rules
ddos.rules
dns.rules
tftp.rules
web-cgi.rules
web-coldfusion.rules
web-iis.rules
web-frontpage.rules
web-misc.rules
web-attacks.rules
sql.rules
x11.rules
icmp.rules
netbios.rules
misc.rules
attack-responses.rules
backdoor.rules
shellcode.rules
policy.rules
porn.rules
info.rules
icmp-info.rules
virus.rules
local.rules

We recommend commenting out (using #) all unnecessary rule sets at the end of the snort.conf file before building the SNORT configuration blackbox, to avoid false positives and increase performance. Please see the appropriate *.rules file for a detailed description of each rule set.

Creating or Modifying Single SNORT Rules

Example:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; content:"login\: root"; flags: A+; classtype:suspicious-login; sid:719; rev:2;)

The above rule issues monitoring (here named alert) of any packet that the telnet application on a DSE client computer (local port 23) sends with the TCP ACK bit set (flags:A+) and the string "login\: root" contained in the payload. "sid" is the unique id of this IDS rule; you must take care of that in your own rules, otherwise an error will be issued while building the IDS blackbox. "TELNET root login" will be the message shown in the event reporting. The "classtype" and "rev" fields are ignored. For further details on how to write single SNORT rules, see the rule options details below.

Rule Options Details

1) COMMENTS
syntax:
#comment to end of line

2) PREPROCESSOR
syntax:
preprocessor name[:options]

- defines a plug-in running between packet decoding and the detection engine
- ignored!

3) INCLUDE

syntax:
include [path\]file_name

- includes given file

4) VARIABLES
syntax:
var name value

- defines the variable "name" and sets it to the given value

$name, $(name) is replaced with the variable content
$(name:-default) if the variable is undefined, is replaced with "default"
$(name:?message) if the variable is undefined, prints out "message" and exits

5) CONFIG
syntax:
config directive[:value]

- ignored; the "classification" directive only temporarily

6) RULETYPE
syntax:
ruletype action { ... }

- defines user action
- ignored!

7) RULES
syntax:
action protocol Src_Address Src_Port -> Dst_Address Dst_Port [options]
action protocol Dst_Address Dst_Port <- Src_Address Src_Port [options]
action protocol Address_1 Port_1 <> Address_2 Port_2 [options]

actions:

alert, log, pass ignored!
activate alerts and turns on the given dynamic rules
dynamic alerts only if it was activated by an activate rule

protocol:

ip, tcp, udp, icmp IP protocols
gre, ipx, arp, igrp, etc. temporarily ignored!
ospf, rip, etc. ignored!

addresses:

any all IP addresses
192.168.1.0/24 IP address with mask 255.255.255.0
!192.168.1.0/24 all IP addresses excluding 192.168.1.0/24
[192.168.1.0/24,10.1.1.0/24] list of IP addresses
![192.168.1.0/24,10.1.1.0/24] all IP addresses excluding the given list

port numbers:

any all port numbers
5190 port number 5190
!5190 all port numbers excluding 5190
:5190 all port numbers equal to or less than 5190
!:5190 all port numbers greater than 5190
5190: all port numbers equal to or greater than 5190
!5190: all port numbers less than 5190
5180:5190 all port numbers from given range 5180...5190
!5180:5190 all port numbers excluding given range
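An added Python example, not part of the original manual, that evaluates the address and port syntax above and the four variable forms from the VARIABLES section; the variable names and sample networks used when calling it are constructed:

```python
import ipaddress
import re

# $name, $(name), $(name:-default) and $(name:?message), as in the VARIABLES section
VAR_RE = re.compile(r"\$(\w+)|\$\((\w+)(?::([-?])([^)]*))?\)")

def expand_vars(text, variables):
    """Replace variable references in a rule field using the four forms above."""
    def repl(m):
        name = m.group(1) or m.group(2)
        if name in variables:
            return variables[name]
        if m.group(3) == "-":          # undefined: use the default
            return m.group(4)
        if m.group(3) == "?":          # undefined: fail with the given message
            raise ValueError(m.group(4))
        raise KeyError(name)
    return VAR_RE.sub(repl, text)

def match_port(spec, port):
    """Port syntax: any, N, :N, N:, A:B, each optionally negated with !."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    body = spec.lstrip("!")
    if ":" in body:
        lo, _, hi = body.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(body)
    return hit != negate

def match_address(spec, addr):
    """Address syntax: any, CIDR, [list,of,CIDRs], each optionally negated with !."""
    if spec == "any":
        return True
    if " " in spec:                     # the list form must not contain spaces
        raise ValueError("spaces are not allowed in address lists: " + spec)
    negate = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(n, strict=False) for n in body.split(","))
    return hit != negate
```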

8) RULE OPTIONS
syntax:
(opt_1[:val_1];opt_2[:val_2]; ... opt_N[:val_N];)

sid:number

- SNORT rule id
- throws a warning if not present

msg:"message"

- prints given message in case of alert

ttl:[>|<]number

- checks IP time-to-live value

tos:[>|<]number

- checks IP type-of-service value

id:[>|<]number

- checks IP id field

ipopts:ipopt
ipoption:ipopt

- checks presence of given IP option in packet
- ipopt can be one of:

rr record route
eol end of list
nop no operation
ts time stamp
sec security option
lsrr loose source routing
ssrr strict source routing
satid stream id

fragbits:[!][R][D][M][+|*]

- checks fragmentation control bits in IP packet

! negation
R "reserved" bit is set
D "don't fragment" bit is set
M "more fragments" bit is set
+ all specified bits must be set
* any of the specified bits must be set

ip_proto:[!]name|number

- checks protocol number in IP packet

sameip

- checks if source IP is equal to the destination IP

dsize:[>|<]number

- checks packet payload size

content:[!]"content_string"
uricontent:[!]"content_string"

- finds given string in payload or URI portion of request
- a rule can contain multiple "content" options

! negation

- special characters in content_string:
: must be escaped as \: (as in "login\: root" in the example above)
| delimits the beginning and end of hexadecimal-coded parts of the string

offset:number

- modifies starting content search position from the beginning of packet payload

depth:number

- modifies length of the scanned payload region

nocase

- deactivates case-sensitivity in a content rule

regex

- turns on wildcard resolution in the content string
* any number of characters
? any single character

flags:[!]<[F][S][R][P][A][U][2][1]>|0[+|*]

- checks TCP packet flags

! negation
F fin bit is set
S syn bit is set
R rst bit is set
P push bit is set
A ack bit is set
U urgent bit is set
1 reserved bit 1 is set
2 reserved bit 2 is set
0 no flags are set
+ all specified bits must be set
* any of the specified bits must be set

seq:[>|<]number

- checks TCP sequence number

ack:[>|<]number

- checks TCP acknowledge number

itype:[>|<]number

- checks ICMP type number

icode:[>|<]number

- checks ICMP code number

icmp_id:[>|<]number

- checks ICMP ECHO identifier

icmp_seq:[>|<]number

- checks ICMP ECHO sequence number

rpc:[>|<]app_num,[proc_num|*],[ver_num|*]

- looks at RPC requests, decodes and checks the application, procedure and program version
* wildcard

temporarily ignored options:

content-list:[!]"file_name"
classtype:name
priority:number

ignored options:

logto:"file_name"
session:[printable|all]
resp:resp_1[,resp_2 ...]
react:react_1[,react_2 ...]
reference:id_system,id
rev:number
tag:type,count,metric[,direction]
stateless
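An added Python example, not part of the original manual, that parses rules of the shape given in the RULES and RULE OPTIONS sections and checks the sid requirement from the single-rule section (a sid must be present and unique across the rule set); the sample rules are constructed for this example:

```python
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<a1>\S+)\s+(?P<p1>\S+)\s+"
    r"(?P<dir>->|<-|<>)\s+(?P<a2>\S+)\s+(?P<p2>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(line):
    """Split one rule into its header fields plus an ordered list of (option, value) pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule header: " + line)
    opts = []
    # options are ';'-terminated; a ';' inside a content string is escaped as '\;'
    for item in re.split(r"(?<!\\);", m.group("opts")):
        if item.strip():
            key, _, val = item.partition(":")
            opts.append((key.strip(), val.strip()))
    rule = {k: m.group(k) for k in ("action", "proto", "a1", "p1", "dir", "a2", "p2")}
    rule["options"] = opts
    return rule

def check_rules(text):
    """Return problems found: malformed headers, rules without a sid, and duplicate sids."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # skip blank lines and comments
            continue
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append(f"line {n}: {err}")
            continue
        sids = [v for k, v in rule["options"] if k == "sid"]
        if not sids:
            problems.append(f"line {n}: no sid")
        elif sids[0] in seen:
            problems.append(f"line {n}: sid {sids[0]} already used on line {seen[sids[0]]}")
        else:
            seen[sids[0]] = n
    return problems

# Constructed sample (not a shipped rule set): the telnet rule from above, a duplicated sid, a rule with no sid, a broken header
SAMPLE_RULES = """\
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; content:"login\\: root"; flags:A+; classtype:suspicious-login; sid:719; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"same sid again"; sid:719;)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"forgot the sid";)
alert tcp $HOME_NET any (msg:"broken header"; sid:1000001;)
"""
```

Running check_rules(SAMPLE_RULES) reports the duplicate sid on the second line, the missing sid on the third, and the malformed header on the fourth.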

See Also

IDS Policies

Building IDS Policies

Applying IDS Policy