Network Intrusion Detection, Third Edition.pdf

the application payload if the command-line option to decode the application (-d) is used.

Pass. When a rule is triggered that has pass specified as the action, Snort does no further packet inspection—essentially dropping the packet from the detection engine. This is useful, for example, if you want to monitor anonymous ftp attempts on your network to non-anonymous ftp servers. You would write a pass rule to ignore anonymous ftp attempts to your valid anonymous ftp server. You would then use a second, normal, alert rule to log all other anonymous ftp attempts.

Activate. These rules, when triggered, not only alert, but are also used to turn on other rules (dynamic) that remain idle until turned on.

Dynamic. These remain idle (do not trigger) until turned on by an activate rule. After they are turned on, their behavior is the same as log rules.

Note that the activate and dynamic actions are being replaced by the tag option, which is found in the rule options. The tag option allows dynamic capture of packets for a given amount of time or a specified number of packets after the rule triggers.

It's also possible to define your own action types, which can be used to route rule output to various destinations. This sophisticated usage is not covered here, but can be explored at Snort's web site (www.snort.org). As briefly mentioned, the default order in which rules are processed is alert rules first, pass rules second, and log rules last. To change this default behavior, you must specify the -o command-line option when running Snort, which changes the order the rules are processed. Using the -o option changes the rule processing order to pass rules first, alert rules second, and log rules last. This was done when Snort was developed for public use to avoid having an errant pass rule accidentally disable every alert and log rule in the system. The -o option was developed as an expert mode for people after they understood how the rules system worked.

The Protocol Field

The protocol field in the rule header tells Snort which protocol to examine. Snort currently supports four different types of network traffic: TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), and IP (Internet Protocol). Additional protocols may be added in the future such as ARP, RARP, GRE, OSPF, RIP, and IPX. Snort understands only IP version 4, though it will note that it has seen an IP version 6 packet. And, Snort is not IPSec aware, so it cannot decode unencrypted fields of those packets.

The Source and Destination IP Address Fields

The source and destination IP address fields identify where the hostile traffic is coming from and where it is going. It is possible to specify the IP addresses as a host, a subnet, or multiple hosts or subnets. The IP addresses are specified in classless inter-domain routing (CIDR) notation, an easy to write and understand format. This format includes as much of the address as needed, along with the number of bits in the network mask. Let's examine the format and some examples of IP addresses.

Format:

Address/netmask or any or [address/netmask,address/netmask…]

Address = x.x.x.x
Netmask = bits of network mask

24.0.0.0/8 = Class A
135.1.0.0/16 = Class B
192.168.5.0/24 = Class C
192.168.5.5/32 = Host address

Special keywords:

any - match all addresses
! - negate address
$HOME_NET - variable defined elsewhere in rules file

CIDR notation details the base address and the number of bits of the base address that are associated with the network. For instance, the representation 24.0.0.0/8 means that this is a Class A address that has the first octet (24) allocated to the network and all the remaining octets associated with hosts on the network. Although the standard Class A, B, and C CIDR notations are seen in the previous examples, the beauty of CIDR notation is that the network bits don't have to fall on byte boundaries, so they might represent all network masks.

You can specify an IP address list by enclosing all IP addresses or networks between brackets ([ ]) and delimiting each of the list values by commas (but no spaces in between—the Snort rule parser doesn't allow spaces in the comma delimited list). If you want to examine traffic to destination host 1.2.3.4 or subnet 2.3.4.x, the following IP address list could be used:

[1.2.3.4,2.3.4.0/24]

A special keyword any can be used when any IP address is the matching criteria. And, as you've seen, the exclamation point (!) can be used to negate the IP address value when all IP addresses but the specified one are to be considered. Finally, to add more flexibility and portability to the rules, a variable can be used to indicate the IP address. The $HOME_NET variable is one that is used in many of the rules included with Snort to indicate the user's/analyst's home network. You can assign your internal network any variable name you want, but because many of the rules already reference $HOME_NET, it is best to use it. This variable must be defined in a rules file, the configuration file, or on the command line (-S) before it is referenced. Variables can be used in other fields in the rules as well.

The Source and Destination Port Field

The port fields are used to detail the source and destination ports of the traffic. The ports can be listed as a specific number, range of numbers, or the keyword any, which represents all possible source ports. Here are some possible port representations:

static port:            111
all ports:              any
range:                  33000:34000
negation:               !80
less than or equal:     :1023
greater than or equal:  1024:

The first and most common port value is a static one, such as port 111, to represent the port associated with the Remote Procedure Call (RPC) portmapper. As with IP addresses, a generic port value can be supplied using the keyword any. A range of port numbers can be specified, such as ports 33000 through 34000 inclusive (33000:34000), which might represent UNIX traceroute UDP ports. Negation is also supported with ports as we are looking for any port but port 80 (!80) above. Ports can be indicated as a less than or equal to condition or a greater than or equal to condition. The ":1023" identifies that we want to look for all ports less than or equal to 1023 or the reserved port range. Finally, the "1024:" is used to say that all ports greater than or equal to 1024 should be considered—the ports typically found in the ephemeral source port range. You could also specify a port as a variable so long as you assigned a value to the variable before referencing it.
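The address and port notations described in the two sections above, worked through as a small matcher. This is an added example, not code from the book or from Snort; the $HOME_NET value, the rule and the packet fields are constructed, and only the -> direction of a rule header is handled.

```python
import ipaddress

# Constructed variable table; the $HOME_NET value is an assumed example network.
VARS = {"HOME_NET": "192.168.5.0/24"}

def match_addr(spec, ip, variables=VARS):
    """True if ip satisfies a Snort address spec: any, CIDR, !spec, $VAR or [a,b,...]."""
    spec = spec.strip()
    if spec.startswith("!"):                      # negation applies to everything after it
        return not match_addr(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):                      # variable must be defined before use
        return match_addr(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        # Snort's parser accepts no spaces inside the comma-delimited list
        return any(match_addr(s, ip, variables) for s in spec[1:-1].split(","))
    # Plain CIDR; a bare host address such as 1.2.3.4 is treated as /32
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):
    """True if port satisfies a Snort port spec: any, N, lo:hi, :hi, lo: or !spec."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                               # ranges are inclusive at both ends
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)

def match_header(header, proto, src, sport, dst, dport, variables=VARS):
    """Match a packet against 'proto src_addr src_port -> dst_addr dst_port'."""
    h_proto, sa, sp, arrow, da, dp = header.split()
    if arrow != "->":
        raise ValueError("only the -> direction is handled in this example")
    return (h_proto == proto and match_addr(sa, src, variables) and match_port(sp, sport)
            and match_addr(da, dst, variables) and match_port(dp, dport))

if __name__ == "__main__":
    # Constructed rule header: portmapper traffic from an ephemeral port outside the home net
    rule = "tcp !$HOME_NET 1024: -> [1.2.3.4,2.3.4.0/24] 111"
    print(match_header(rule, "tcp", "10.9.8.7", 40000, "2.3.4.20", 111))     # True
    print(match_header(rule, "tcp", "192.168.5.9", 40000, "2.3.4.20", 111))  # False: source is inside $HOME_NET
```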

You might be wondering if you have to indicate a port for the ICMP protocol because it
