Snort Cookbook

by Angela Orebaugh, Simon Biles, Jacob Babbin
March 2005
Content level: Intermediate to advanced
288 pages
7h 30m
English
O'Reilly Media, Inc.
Content preview from Snort Cookbook

Chapter 3. Rules and Signatures

Introduction

The ability to customize Snort through the use of rules is one of the program’s greatest advantages. This chapter will show you how to build rules that aid Snort in seeking out things specific to your needs. The chapter includes some examples of specific uses of the rules language. The trick to writing effective rules lies in a few tips:

  1. Look for something that is repeated every time the condition occurs, such as GET / or POST / in a web connection.

  2. Try not to make your trigger so general that it fires on every connection. The following rule, for example, alerts on every TCP connection to port 80 regardless of payload:

    alert tcp any any -> any 80 (msg:"port 80 connection!!!"; flow: stateless; rev:1;)
  3. You can use multiple conditions in a single rule for more accurate detection. For example, the following rule looks for a successful compromise of a wu-ftpd server (one of the most common Unix FTP servers, and one that has historically been plagued by exploits). The rule looks for the client sending the command uname together with some reference to a /bin directory, on an established connection:

    alert tcp $HOME_NET any -> any 21 (msg:"FTP compromise - success w00t"; content:"uname"; content:"\/bin"; flow:from_client, established; rev:1;)
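To make the three tips concrete, here is an added example (not code from the book or from the Snort project) that parses the two rules above into their header fields and option list, then checks them against the tips: a rule with no content or pcre match fires on every session to its port (tip 2), while the wu-ftpd rule carries two payload conditions (tip 3). The header layout and option splitting follow the Snort rule syntax shown on this page; the review messages and the function names parse_rule and review_rule are my own, and the sid check reflects that current Snort releases require a sid on each rule.

```python
import re

# The two rules from the chapter, each joined onto a single line.
WEB_RULE = 'alert tcp any any -> any 80 (msg:"port 80 connection!!!"; flow: stateless; rev:1;)'
FTP_RULE = (r'alert tcp $HOME_NET any -> any 21 (msg:"FTP compromise - success w00t"; '
            r'content:"uname"; content:"\/bin"; flow:from_client, established; rev:1;)')

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(body):
    """Split the option body on ';' outside double quotes; a backslash escapes the next character."""
    options, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep the escape intact (e.g. \/ in content)
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            options.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = ''.join(current).strip()
    if tail:
        options.append(tail)
    return [o for o in options if o]


def parse_option(option):
    """Return (keyword, value); flag-style options such as 'nocase' get value None."""
    if ':' not in option:
        return option.strip(), None
    key, value = option.split(':', 1)
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]            # drop the surrounding quotes of msg/content strings
    return key.strip(), value


def parse_rule(text):
    """Parse one single-line Snort rule into a dict of header fields plus an ordered option list."""
    match = HEADER_RE.match(text.strip())
    if not match:
        raise ValueError('not a Snort rule header: ' + text)
    rule = {k: v for k, v in match.groupdict().items() if k != 'opts'}
    rule['options'] = [parse_option(o) for o in split_options(match.group('opts'))]
    return rule


def review_rule(rule):
    """Apply the chapter's tips and return a list of findings (empty list means nothing to flag)."""
    findings = []
    keys = [k for k, _ in rule['options']]
    payload = [v for k, v in rule['options'] if k in ('content', 'pcre')]
    if not payload:
        findings.append('tip 2: no content/pcre match, so the rule fires on every %s session to port %s'
                        % (rule['proto'], rule['dport']))
    if 'msg' not in keys:
        findings.append('missing msg: alerts will carry no description')
    if 'sid' not in keys:
        findings.append('missing sid: current Snort releases require a unique rule id')
    return findings


if __name__ == '__main__':
    for text in (WEB_RULE, FTP_RULE):
        rule = parse_rule(text)
        print(rule['action'], rule['proto'], '->', rule['dst'], rule['dport'])
        print('  payload conditions:', [v for k, v in rule['options'] if k == 'content'])
        for finding in review_rule(rule):
            print('  !', finding)
```

Running the script reports the port 80 rule as a tip 2 violation (it has no payload condition at all) and shows the FTP rule's two content strings, which is what tip 3 means by combining conditions; both rules from the book are also flagged for lacking a sid, which is worth adding before loading them into a modern Snort.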

Now let’s look at some specific examples of the rules engine and its power in helping defend your network.

3.1. How to Build Rules

Problem

I see all these examples. Now, how do I create my own rules?

Solution

This is a rough example of the Snort rule language and its capabilities. We’ll take some generic rules from the official Snort rules so that you can look ...

ISBN: 0596007914