Snort RuleStruct

This document discusses the Snort intrusion detection and prevention system. It provides an introduction to Snort and describes its operation modes and basic rule structure, including common actions, protocols, and ways of filtering by IP addresses and port numbers.

Uploaded by zacktoby74

TryHackMe | Snort https://tryhackme.com/room/snort

Snort

Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies.


Difficulty: Medium


Task 1  Introduction 

Task 2  Interactive Material and VM  

Task 3  Introduction to IDS/IPS 

Task 4  First Interaction with Snort 

Task 5  Operation Mode 1: Sniffer Mode 

Task 6  Operation Mode 2: Packet Logger Mode 

Task 7  Operation Mode 3: IDS/IPS 

1 of 5 2/18/24, 18:18

Task 8  Operation Mode 4: PCAP Investigation 

Task 9  Snort Rule Structure 

Let's Learn Snort Rules!


Understanding the Snort rule format is essential for any blue and purple teamer. The primary structure of a Snort rule is:

action protocol source_ip source_port direction destination_ip destination_port (options)

Everything before the parentheses is the rule header; everything inside the parentheses is the list of rule options.

Each rule must have an action, a protocol, source and destination IP addresses, source and destination ports, and options. Remember, Snort is in passive mode by default, so most of the time you will use Snort as an IDS. You need to start Snort in "inline mode" to turn on IPS mode, where the "drop" and "reject" actions actually block traffic. But before you start playing with inline mode, you should be familiar with Snort features and rules.

The Snort rule structure is easy to understand but difficult to get right. You should be familiar with the rule options and related details to create efficient rules. It is recommended to practise Snort rules and option details for different use cases.

We will cover the basic rule structure in this room and help you take a first step into Snort rules. You can always advance your rule creation skills by practising different use cases and studying the rule options in depth. We will focus on two actions: "alert" for IDS mode and "reject" for IPS mode.

Rules cannot be processed without a header. Rule options are technically optional, but it is almost impossible to detect sophisticated attacks without using them.

Action There are several actions for rules. Make sure you understand the functionality and test it before creating rules for live systems. The most common actions are listed below.

• alert: Generate an alert and log the packet.
• log: Log the packet.
• drop: Block and log the packet.
• reject: Block the packet, log it and terminate the session (Snort sends a TCP reset for TCP traffic and an ICMP port unreachable for UDP traffic).

Note that "drop" and "reject" only block traffic when Snort runs inline (IPS mode).

Protocol The protocol parameter identifies the protocol the rule filters on.

Note that Snort2 supports only four protocol filters in the rules (ip, tcp, udp and icmp). However, you can detect application-layer flows using port numbers and options. For instance, if you want to detect FTP traffic, you cannot use an FTP keyword in the protocol field; instead you filter FTP traffic by inspecting TCP traffic on port 21.

IP and Port Numbers

These parameters identify the source and destination IP addresses and the associated port numbers filtered by the rule. All of the examples below use the bidirectional operator "<>", so Snort evaluates each rule in both orientations: a rule that names 192.168.1.56 in the source position also matches packets sent to 192.168.1.56. Use "->" (see Direction below) when you only want one direction.

IP Filtering
alert icmp 192.168.1.56 any <> any any (msg: "ICMP Packet From "; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet originating from (or, because of "<>", sent to) the 192.168.1.56 IP address.

Filter an IP range
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet originating from (or sent to) the 192.168.1.0/24 subnet.

Filter multiple IP ranges
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet originating from (or sent to) the 192.168.1.0/24 or 10.1.1.0/24 subnets.

Exclude IP addresses/ranges
The negation operator "!" is used for excluding specific addresses and ports.
alert icmp !192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create an alert for each ICMP packet not originating from the 192.168.1.0/24 subnet (with "<>", it fires whenever either endpoint of the packet is outside that subnet).

Port Filtering
alert tcp any any <> any 21 (msg: "FTP Port 21 Command Activity Detected"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to (or, with "<>", sent from) port 21.

Exclude a specific port
alert tcp any any <> any !21 (msg: "Traffic Activity Without FTP Port 21 Command Channel"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet not sent to port 21. Be careful: with "<>" the reverse orientation is also checked, so a packet from a high source port to port 21 still matches; use "->" if you mean "destination port is not 21".

Filter a port range (Type 1)
alert tcp any any <> any 1:1024 (msg: "TCP 1-1024 System Port Activity"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to a port between 1 and 1024 (inclusive).

Filter a port range (Type 2)
alert tcp any any <> any :1024 (msg: "TCP 0-1024 System Port Activity"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to a port less than or equal to 1024.

Filter a port range (Type 3)
alert tcp any any <> any 1025: (msg: "TCP Non-System Port Activity"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to a port higher than or equal to 1025.

Filter a port range (Type 4)
alert tcp any any <> any [21,23] (msg: "FTP and Telnet Port 21-23 Activity Detected"; sid: 100001; rev:1;)
This rule will create an alert for each TCP packet sent to port 21 or port 23.

Direction
The direction operator indicates the traffic flow to be filtered by Snort. The left side of the rule shows the source, and the right side
shows the destination.

• -> Source to destination flow.


• <> Bidirectional flow

Note that there is no "<-" operator in Snort.
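The address, port and direction semantics described above, as an added example (this is not code from the TryHackMe room or from Snort): a small Python matcher for the header part of a Snort 2 rule, run over a handful of constructed packets. It assumes simplified packet dictionaries, that ICMP packets carry no ports, and that "<>" means "the header matches in either orientation", which is how Snort treats the bidirectional operator. The counts show the practical effect of "<>" on the page's own rules, for instance that "any any <> any !21" still fires on a packet sent to port 21 because the reverse orientation matches.

```python
"""Added example: a matcher for the *header* of a Snort 2 rule, used to show
which constructed packets the IP/port/direction filters on this page select.
Illustrative code, not part of Snort or the TryHackMe room."""
import ipaddress
import re

# action proto src sport dir dst dport (options); a field may be a [list] and may be !negated
_FIELD = r"!?\[[^\]]*\]|\S+"
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|drop|reject)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    rf"(?P<src>{_FIELD})\s+(?P<sport>{_FIELD})\s+(?P<dir>->|<>)\s+"
    rf"(?P<dst>{_FIELD})\s+(?P<dport>{_FIELD})\s*(?:\(.*\))?$"
)

# Constructed sample traffic (not a real capture): an ICMP echo pair, an FTP
# control-channel packet and its reply, and an unrelated connection to 8080.
PACKETS = [
    {"proto": "icmp", "src": "192.168.1.56", "sport": None, "dst": "10.1.1.9", "dport": None},
    {"proto": "icmp", "src": "10.1.1.9", "sport": None, "dst": "192.168.1.56", "dport": None},
    {"proto": "tcp", "src": "10.1.1.9", "sport": 40000, "dst": "192.168.1.20", "dport": 21},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 21, "dst": "10.1.1.9", "dport": 40000},
    {"proto": "tcp", "src": "172.16.0.5", "sport": 51000, "dst": "192.168.1.20", "dport": 8080},
]


def _split_list(field):
    """'[a, b]' -> ['a', 'b']; a plain field -> [field]."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        return [x.strip() for x in field[1:-1].split(",") if x.strip()]
    return [field]


def ip_matches(field, addr):
    """Snort IP field: 'any', an address, a CIDR block, a [list], or '!' + any of those."""
    if field.startswith("!"):
        return not ip_matches(field[1:], addr)
    if field == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in _split_list(field))


def port_matches(field, port):
    """Snort port field: 'any', 21, [21,23], 1:1024, :1024, 1025:, or '!' + any of those."""
    if field.startswith("!"):
        return not port_matches(field[1:], port)
    if field == "any":
        return True
    if port is None:  # ICMP carries no ports; only 'any' can match
        return False
    for item in _split_list(field):
        if ":" in item:  # range; an empty side means unbounded
            lo, hi = item.split(":", 1)
            if (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi)):
                return True
        elif int(item) == port:
            return True
    return False


def rule_matches(rule, pkt):
    """True if the rule header selects this packet."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    h = m.groupdict()
    if h["proto"] != "ip" and h["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (ip_matches(h["src"], src) and port_matches(h["sport"], sport)
                and ip_matches(h["dst"], dst) and port_matches(h["dport"], dport))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if h["dir"] == "->":
        return forward
    # '<>' is bidirectional: the header is also evaluated with src/dst swapped
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def count_matches(rule, packets=PACKETS):
    """How many of the sample packets the rule header would fire on."""
    return sum(rule_matches(rule, p) for p in packets)


if __name__ == "__main__":
    for rule in [
        'alert icmp 192.168.1.56 any <> any any (msg: "ICMP Packet From "; sid: 1000001; rev:1;)',
        'alert icmp 192.168.1.56 any -> any any (msg: "ICMP Packet From "; sid: 1000002; rev:1;)',
        'alert tcp any any <> any !21 (msg: "Not FTP command channel"; sid: 1000003; rev:1;)',
        'alert tcp any any -> any !21 (msg: "Not FTP command channel"; sid: 1000004; rev:1;)',
        'alert tcp any any -> any 1:1024 (msg: "TCP 1-1024 System Port Activity"; sid: 1000005; rev:1;)',
    ]:
        print(f"{count_matches(rule)} packet(s): {rule}")
```

Swap "<>" for "->" in any of the rules above and compare the counts; the difference is exactly the packets matched only in the reverse orientation.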

There are three main categories of rule options in Snort:

• General Rule Options - Fundamental rule options for Snort (msg, sid, rev, reference).
• Payload Rule Options - Rule options that inspect the payload data. These options are helpful for detecting specific payload patterns.
• Non-Payload Rule Options - Rule options that focus on non-payload data such as IP and TCP header fields. These options help create specific patterns and identify network issues.

General Rule Options

Msg The message field is a basic prompt and quick identifier of the rule. Once the rule is triggered, the message field will appear in the console or log. Usually, the message part is a one-liner that summarises the event.

Sid Snort rule IDs (SID) come with a pre-defined scope, and each rule must have a SID in a proper format. There are three different scopes for SIDs, shown below.

• <100: Reserved rules.
• 100-999,999: Rules that ship with the build.
• >=1,000,000: Rules created by users.

Briefly, the rules we will create should have a SID of 1,000,000 or greater. The examples on this page use sid:100001 for readability; in a real local.rules file, choose SIDs at or above 1,000,000 so they cannot collide with vendor rules. Another important point is that SIDs should not overlap; each id must be unique.

Reference Each rule can have additional information or a reference that explains the purpose of the rule or the threat pattern. That could be a Common Vulnerabilities and Exposures (CVE) id or external information. Having references for the rules will always help analysts during alert and incident investigation.

Rev Snort rules can be modified and updated for performance and efficiency reasons. The rev option helps analysts keep revision information for each rule, so rule improvements are easy to follow. Each rule carries its own rev number, and there is no automatic backup of the rule history; analysts should keep the rule history themselves. The rev option is only an indicator of how many times the rule has been revised, and it should be incremented every time the rule is changed.

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; reference:cve,CVE-XXXX; rev:1;)

Payload Detection Rule Options

Content Matches specific payload data, given as ASCII, as hex between "|" pipe characters, or as a mix of both. It is possible to use this option multiple times in a single rule; every content option must then match for the rule to fire. However, each additional content match adds processing time for every packet the rule has to inspect.

The following rules will create an alert for each TCP packet to or from port 80 whose payload contains the string "GET". Note that the content option is case sensitive!

• ASCII mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
• HEX mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)

Nocase Disables case sensitivity for the content option it follows. Used for enhancing the content searches.
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)

Fast_pattern Prioritises one content option to speed up the payload search. Snort first runs a single "fast pattern" from each rule through its multi-pattern matcher and only evaluates the rest of the rule on packets where that pattern is found. By default, Snort picks the longest content in the rule as the fast pattern; "fast_pattern" lets you choose a different one, for example a shorter but rarer string. The fast pattern match is always case insensitive (the content option itself is still evaluated with its own case setting), and the option can be used once per rule. It is optional even when a rule has several content options.

The following rule has two content options, and the fast_pattern option tells Snort to use the first content option (in this case, "GET") for the initial packet match.

alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
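How the content, nocase and fast_pattern options above are interpreted, as an added example (this is not code from the room or from Snort): a Python function that turns a content string into bytes the way Snort reads it (text between pipes is hex, everything else is literal), a nocase-aware search, and the default fast-pattern choice (the longest content unless one is flagged). The HTTP payloads are constructed for the example, and nocase is applied to every content in the list here, whereas in a real rule it modifies only the content it follows.

```python
"""Added example: interpreting Snort's content:, nocase and fast_pattern
options.  Illustrative code, not Snort's own implementation."""


def parse_content(spec):
    """Convert a content: string to bytes.  Text between '|' pairs is hex
    ('|47 45 54|' -> b'GET'); text outside pipes is literal, so
    'GET |0d 0a|' -> b'GET ' followed by CR LF.  Mixed forms are allowed."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content: {spec!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:  # odd-numbered parts are inside a |...| pair
            out += bytes.fromhex(part)  # fromhex ignores the spaces between bytes
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, nocase=False):
    """Does the payload contain the content pattern?  nocase lowers both sides."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def rule_hits(payloads, contents, nocase=False):
    """Number of payloads on which a rule with *all* of these content: options fires."""
    return sum(all(content_matches(p, c, nocase) for c in contents) for p in payloads)


def choose_fast_pattern(contents, flagged=None):
    """Which content goes to the fast pattern matcher: the one marked
    fast_pattern if any, otherwise (Snort's default) the longest content."""
    if flagged is not None:
        return flagged
    return max(contents, key=lambda c: len(parse_content(c)))


# Constructed HTTP payloads (not from a capture) for the rules on this page.
PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"get /robots.txt HTTP/1.1\r\nHost: example.com\r\n\r\n",  # lower-case method
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href=\"http://www.example.com/\">",
]


if __name__ == "__main__":
    print('content:"GET"                 ->', rule_hits(PAYLOADS, ["GET"]), "hit(s)")
    print('content:"|47 45 54|"          ->', rule_hits(PAYLOADS, ["|47 45 54|"]), "hit(s)")
    print('content:"GET"; nocase         ->', rule_hits(PAYLOADS, ["GET"], nocase=True), "hit(s)")
    print('content:"GET"; content:"www"  ->', rule_hits(PAYLOADS, ["GET", "www"]), "hit(s)")
    print("fast pattern by default:", choose_fast_pattern(["GET", "www.example"]))
```

The ASCII and hex forms of "GET" produce identical bytes, which is why the two rules on the page are equivalent; only nocase changes which payloads match.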

Non-Payload Detection Rule Options

There are rule options that focus on non-payload data. These options help create specific patterns and identify network issues.

ID Filtering on the IP identification field. This is a 16-bit header field, so valid values are 0-65535.

alert tcp any any <> any any (msg: "ID TEST"; id:12345; sid: 100001; rev:1;)


Flags Filtering on the TCP flags.

• F - FIN
• S - SYN
• R - RST
• P - PSH
• A - ACK
• U - URG

Without a modifier the match is exact: "flags:S" only matches packets with just the SYN bit set, and "flags:PA" only packets with exactly PSH and ACK. Snort also accepts "+" (the listed bits plus any others, e.g. "flags:+A"), "*" (any of the listed bits), "!" (none of the listed bits) and a mask after a comma for bits to ignore (e.g. "flags:S,12" ignores the two reserved ECN bits).

alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)

Dsize Filtering on the packet payload size.

• dsize:min<>max;
• dsize:>100
• dsize:<100

alert ip any any <> any any (msg: "DSIZE TEST"; dsize:100<>300; sid: 100001; rev:1;)

Sameip Filtering for packets whose source and destination IP addresses are identical (as in the classic "land" attack).

alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
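The non-payload options above (id, flags, dsize, sameip), as an added example (this is not code from the room or from Snort): a Python evaluator for those four options, including the flags modifiers Snort documents ("+" for the listed bits plus any others, "*" for any of them, "!" for none of them, and an optional ",mask" of bits to ignore such as "S,12" for ECN SYNs), run over constructed packet summaries. The dsize min<>max range is treated as inclusive here; msg, sid and rev are parsed but ignored.

```python
"""Added example: evaluating Snort's non-payload options id:, flags:, dsize:
and sameip; against simplified packets.  Illustrative code, not Snort's."""

# TCP flag letters as Snort names them; '1' and '2' are the reserved bits
# (CWR/ECE) and '0' means "no flags set".
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def flag_bits(letters):
    """'PA' -> 0x18; '0' -> 0."""
    return sum(TCP_FLAG_BITS[ch] for ch in letters if ch != "0")


# Constructed packet summaries (not a capture): a handshake, a PSH/ACK data
# exchange, a land-style packet with identical source and destination, and
# an ECN-setup SYN with both reserved bits set.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "flags": "S",   "dsize": 0,   "id": 35369},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "flags": "SA",  "dsize": 0,   "id": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "flags": "A",   "dsize": 0,   "id": 35370},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "flags": "PA",  "dsize": 142, "id": 35371},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "flags": "PA",  "dsize": 620, "id": 1},
    {"src": "10.0.0.5", "dst": "10.0.0.5", "flags": "S",   "dsize": 0,   "id": 7},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "flags": "S12", "dsize": 0,   "id": 8},
]


def flags_match(spec, pkt_flags):
    """flags:[!|*|+]<FSRPAU120>[,<mask>]; no modifier means an exact match."""
    spec, _, mask = spec.partition(",")
    mod = ""
    if spec and spec[0] in "!*+":
        mod, spec = spec[0], spec[1:]
    want = flag_bits(spec)
    have = pkt_flags & ~flag_bits(mask) & 0xFF  # masked bits are ignored
    if mod == "+":
        return have & want == want  # these bits set, others do not matter
    if mod == "*":
        return have & want != 0     # any of these bits set
    if mod == "!":
        return have & want == 0     # none of these bits set
    return have == want             # exactly these bits


def dsize_match(spec, size):
    """dsize:>n, dsize:<n, dsize:n or dsize:min<>max (range taken as inclusive)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) <= size <= int(hi)
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def options_match(options, pkt):
    """Evaluate an option string such as 'msg:"x"; flags:PA; sid:1000001;'.
    Only id, flags, dsize and sameip are checked; other options are ignored."""
    for opt in (o.strip() for o in options.strip("() ").split(";") if o.strip()):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "id" and int(value) != pkt["id"]:
            return False
        if key == "flags" and not flags_match(value, flag_bits(pkt["flags"])):
            return False
        if key == "dsize" and not dsize_match(value, pkt["dsize"]):
            return False
        if key == "sameip" and pkt["src"] != pkt["dst"]:
            return False
    return True


def count_hits(options, packets=PACKETS):
    """How many sample packets a rule with these options would alert on."""
    return sum(options_match(options, p) for p in packets)


if __name__ == "__main__":
    for opts in ["id:35369;", "flags:S;", "flags:S,12;", "flags:PA;", "flags:+A;",
                 "flags:!A;", "dsize:100<>300;", "dsize:>100;", "sameip;"]:
        print(f"{count_hits(opts)} packet(s) match {opts}")
```

Note the difference between "flags:S" and "flags:S,12" on the ECN SYN: an exact "flags:S" rule misses SYNs that carry the reserved bits, which matters when counting handshake attempts.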

Remember, once you create a rule, it is a local rule and should be in your "local.rules" file. This file is located under "/etc/snort/rules/local.rules". A quick reminder on how to edit your local rules is shown below.

modifying the local rules

user@ubuntu$ sudo gedit /etc/snort/rules/local.rules

That is your "local.rules" file.

Note that a Snort installation comes with a set of default rules activated. In this room's VM those default rules have been deactivated so that only your own rules run, which keeps the output manageable and improves your exercise experience. For further information, please refer to Task 10 or the Snort manual.

Answer the questions below

Use "task9.pcap". Run each rule against the pcap with:

snort -c local.rules -A full -l . -r task9.pcap

Write a rule to filter IP ID "35369" and run it against the given pcap file. What is the request name of the detected packet?
Answer format: ********* *******

Create a rule to filter packets with the Syn flag and run it against the given pcap file. What is the number of detected packets?
Correct answer: 1

Clear the previous log and alarm files and deactivate/comment out the old rule.

Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
Answer format: ***

Clear the previous log and alarm files and deactivate/comment out the old rule.

Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of packets that show the same source and destination address?
Correct answer: 7

Case Example - An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?
Answer format: ***

Task 10  Snort2 Operation Logic: Points to Remember 

Task 11  Conclusion  

Created by tryhackme and ujohn

This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 40480 users are in
here and this room is 706 days old.

