Mobile Information Systems / 2017 / Article / Tab 3

Research Article

An Enhancement of Optimized Detection Rule of Security Monitoring and Control for Detection of Cyberthreat in Location-Based Mobile System

Table 3

Definition of Snort option detection rules [4].

Snort instruction formatDefinition

Option
 General
  msgMessage to record when Alert or logging
  referenceReferences to additional information
  gidAlert generation module id
  sidUse to distinguish snort detection rules
  revDisplay information about revision of rule with sid
  classtypeInformation that can classify an attack
  priorityShow the importance (priority) of detection rules
 Payload
Detection
  contentSpecific content looking for in the payload of a packet
  content modifier
   nocaseNot classifying capital and small letter
   rawbytesIgnore the decoding process and check the raw packet data
   offsetSpecify whether to start pattern search after the first few bytes of the packet
   depthSpecify how to compare pattern search from offset to how many bytes
   distanceSpecify whether to start pattern after how many bytes from previous pattern matching.
   withinSpecify how to compare pattern searches from distance to how many bytes
   http_client_bodySearch in body part of HTTP request
   http_cookieSearch in the cookie portion of the HTTP header
   http_headerSearch in the HTTP header section
   http_methodSearch in the HTTP methods section
   http_uriSearch in the HTTP URI section
   fast_patternSpecify the pattern to search first
  uricontentRetrieve patterns from URI information in HTTP
  urilenCheck HTTP URI length
  isdataatChecks if the payload has a certain number of bytes
  pcreSearch by regular expression
  byte_testCompare with specific value after specific byte operation
  byte_jumpJump as much as the operation result value after a certain byte operation
  ftpbounceFTP bounce attack detection
  asn1Detect malicious encoding
  cvsDetect invalid Entry string in CVS
  dce_ifaceDetect traffic pattern requesting DCE/RPC
  dce_opnum
  dce_stup_data
 Non-Payload
Detection
  IP
   fragoffsetIP fragment offset field check
   fragbitsIP fragment offset field check
   tosIP Service type field check
   idIP identification field check
   ttlIP Time To Live field check
   ip_protoIP protocol inspection
   ipoptsIP Options field check
  TCP
   seqTCP sequence number check
   ackTCP acknowledge number check
   flagsTCP flag bit field check
   windowTCP window size check
  ICMP
   itypeICMP type check
   icodeICMP code check
   icmp_idICMP identification check
   icmp_seqICMP sequence number check
  dsizeDetect the payload size of packets to detect abnormal size packets
  flowDefines the direction of the packet in relation to the client-server communication stream
  flowbitsOptions to support session-based detection
  rpcrpc service identification
  sameipCheck if origin and destination IP are the same
  stream_sizeCheck the size of the session according to the TCP sequence number
 Thresholding
  limitOnly the first warning occurs when multiple identical events occur within a certain time
  thresholdAlert when the number of the same events that occur within a certain time is exceeded

Article of the Year Award: Outstanding research contributions of 2020, as selected by our Chief Editors. Read the winning articles.