Chapter 3. Rules and Signatures
The ability to customize Snort through the use of rules is one of the program’s greatest advantages. This chapter will show you how to build rules that aid Snort in seeking out things specific to your needs. The chapter includes some examples of specific uses of the rules language. The trick to writing effective rules lies in a few tips:
Look for something that’s repeated every time the condition occurs. Like
POST /in a web connection.
Try not to make your trigger so general that it fires on every connection.
alert tcp any any -> any 80 (msg:"port 80 connection!!!"; flow: stateless; rev:1;)
You can use multiple conditions in a single rule for more accurate detection. For example, the following rule looks for a successful compromise of a wu-ftpd server (one of the most common Unix FTP servers that has been known to be plagued by exploits). The rule looks for the client sending the command
uname, along with some reference to a /bin directory.
alert tcp $HOME_NET any -> any 21 (msg:"FTP compromise - success w00t"; content:"uname"; content:"\/bin"; flow:from_client, established; rev:1;)
Now let’s look at some specific examples of the rules engine and its power in helping defend your network.
3.1. How to Build Rules
I see all these examples. Now, how do I create my own rules?
This is a rough example of the Snort rule language and its capabilities. We’ll take some generic rules from the official Snort rules so that you can look ...