Chapter 3. Rules and Signatures

Introduction

The ability to customize Snort through the use of rules is one of the program’s greatest advantages. This chapter will show you how to build rules that aid Snort in seeking out things specific to your needs. The chapter includes some examples of specific uses of the rules language. The trick to writing effective rules lies in a few tips:

  1. Look for something that’s repeated every time the condition occurs. Like GET / or POST / in a web connection.

  2. Try not to make your trigger so general that it fires on every connection.

    alert tcp any any -> any 80 (msg:"port 80 connection!!!"; 
    flow: stateless; rev:1;)
  3. You can use multiple conditions in a single rule for more accurate detection. For example, the following rule looks for a successful compromise of a wu-ftpd server (one of the most common Unix FTP servers that has been known to be plagued by exploits). The rule looks for the client sending the command uname, along with some reference to a /bin directory.

    alert tcp $HOME_NET any -> any 21 (msg:"FTP compromise - success 
    w00t"; content:"uname"; content:"\/bin"; flow:from_client, 
    established; rev:1;)

Now let’s look at some specific examples of the rules engine and its power in helping defend your network.

3.1. How to Build Rules

Problem

I see all these examples. Now, how do I create my own rules?

Solution

This is a rough example of the Snort rule language and its capabilities. We’ll take some generic rules from the official Snort rules so that you can look ...

Get Snort Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.