| Option | Definition |
|---|---|
| General | |
| msg | Message recorded with the alert or log entry |
| reference | References to external information about the attack (e.g. a CVE id or URL) |
| gid | Generator ID: identifies the Snort component that raised the event (1 for the rules engine) |
| sid | Signature ID: uniquely identifies the rule |
| rev | Revision number of the rule with the given sid |
| classtype | Category of the attack; each class also carries a default priority |
| priority | Severity (priority) of the rule; overrides the default taken from classtype |
| Payload Detection | |
| content | Byte pattern (text or hex) to search for in the packet payload |
| content modifiers | |
| nocase | Match the preceding content case-insensitively |
| rawbytes | Match against the raw packet data, ignoring preprocessor decoding |
| offset | Start the search this many bytes into the payload |
| depth | Search only this many bytes from the offset (or from the start of the payload) |
| distance | Start the search this many bytes after the end of the previous match |
| within | Require the pattern to lie within this many bytes after the end of the previous match |
| http_client_body | Search the body of an HTTP client request |
| http_cookie | Search the Cookie header of the HTTP request |
| http_header | Search the HTTP headers |
| http_method | Search the HTTP request method (GET, POST, ...) |
| http_uri | Search the normalized HTTP request URI |
| fast_pattern | Use this content in the fast pattern matcher, i.e. search it first |
| uricontent | Search the normalized HTTP URI (equivalent to content with http_uri) |
| urilen | Check the length of the HTTP URI |
| isdataat | Check that the payload has data at a given position, absolute or relative to the previous match |
| pcre | Search with a Perl-compatible regular expression |
| byte_test | Extract bytes from the payload, convert them to a number and compare it with a value using an operator |
| byte_jump | Extract bytes from the payload, convert them to a number and move the detection cursor forward by that many bytes |
| ftpbounce | Detect FTP bounce attacks (PORT command naming a third-party address) |
| asn1 | Detect malformed or malicious ASN.1 encodings |
| cvs | Detect an invalid Entry string in the CVS protocol |
| dce_iface | Match the DCE/RPC interface (UUID) being requested |
| dce_opnum | Match the DCE/RPC operation number |
| dce_stub_data | Set the detection cursor to the start of the DCE/RPC stub data |
| Non-Payload Detection | |
| IP | |
| fragoffset | Check the IP fragment offset field |
| fragbits | Check the IP fragmentation bits (Reserved, DF, MF) |
| tos | Check the IP Type of Service field |
| id | Check the IP identification field |
| ttl | Check the IP Time To Live field |
| ip_proto | Check the IP protocol number |
| ipopts | Check the IP options field |
| TCP | |
| seq | Check the TCP sequence number |
| ack | Check the TCP acknowledgment number |
| flags | Check the TCP flag bits |
| window | Check the TCP window size |
| ICMP | |
| itype | Check the ICMP type |
| icode | Check the ICMP code |
| icmp_id | Check the ICMP echo identifier |
| icmp_seq | Check the ICMP echo sequence number |
| Other | |
| dsize | Check the payload size, e.g. to catch abnormally sized packets |
| flow | Match the packet's direction and state within the client-server session (e.g. to_server,established) |
| flowbits | Set and test state flags across the packets of a session (session-based detection) |
| rpc | Match the application, version and procedure number of SUNRPC requests |
| sameip | Check whether the source and destination IP addresses are the same |
| stream_size | Check the size of the stream, derived from the TCP sequence numbers |
| Thresholding | |
| limit | Alert on the first N matching events within the time interval and ignore the rest of that interval |
| threshold | Alert every N times the event occurs within the time interval |
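The positional content modifiers in the table (offset/depth are absolute, distance/within are relative to the end of the previous match) and the cursor options byte_test, byte_jump and isdataat are easiest to understand by emulating Snort's detection cursor. The following Python is an added example written for this page, not Snort's own code: the payloads are constructed, the function names are my own, and the semantics follow the Snort 2 manual (byte_jump lands just past the extracted bytes plus the extracted value; isdataat:n,relative requires at least n bytes after the previous match).

```python
"""Emulation of Snort 2 content-modifier and cursor semantics (added example)."""

# Constructed sample payloads, not captured traffic.
HTTP_PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLV_PAYLOAD = b"\x00\x04ABCD\x00\x02EF\xff"  # [len=4][4 bytes][len=2][2 bytes][1 byte]

OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "&": lambda a, b: (a & b) != 0, "^": lambda a, b: (a ^ b) != 0,
}


def content_match(payload, pattern, cursor=0, *, offset=0, depth=None,
                  distance=None, within=None, nocase=False):
    """Emulate `content` with its positional modifiers.

    offset/depth are measured from byte 0 of the payload; distance/within are
    measured from `cursor`, the byte just past the previous match. Returns the
    new cursor (just past this match) or None if the pattern is not in the window.
    """
    if distance is not None or within is not None:
        start = cursor + (distance or 0)
        end = len(payload) if within is None else start + within
    else:
        start = offset
        end = len(payload) if depth is None else start + depth
    if start < 0 or start > len(payload):
        return None
    window = payload[start:end]          # pattern must fit entirely in the window
    idx = window.lower().find(pattern.lower()) if nocase else window.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def isdataat(payload, n, cursor=0, relative=False):
    """`isdataat:n[,relative]`: at least n bytes of payload from the base position."""
    base = cursor if relative else 0
    return len(payload) - base >= n


def _extract(payload, nbytes, pos, big_endian=True):
    chunk = payload[pos:pos + nbytes]
    if pos < 0 or len(chunk) != nbytes:
        return None                      # not enough data to read the field
    return int.from_bytes(chunk, "big" if big_endian else "little")


def byte_test(payload, nbytes, op, value, offset, cursor=0, relative=False, big_endian=True):
    """`byte_test:nbytes,op,value,offset[,relative]`: compare an extracted integer."""
    base = cursor if relative else 0
    extracted = _extract(payload, nbytes, base + offset, big_endian)
    return extracted is not None and OPS[op](extracted, value)


def byte_jump(payload, nbytes, offset, cursor=0, relative=False, multiplier=1, big_endian=True):
    """`byte_jump:nbytes,offset[,relative][,multiplier]`: returns the new cursor,
    which is just past the extracted bytes plus value*multiplier, or None."""
    base = cursor if relative else 0
    pos = base + offset
    value = _extract(payload, nbytes, pos, big_endian)
    if value is None:
        return None
    new_cursor = pos + nbytes + value * multiplier
    return new_cursor if new_cursor <= len(payload) else None


def traversal_rule(payload):
    """Equivalent of: content:"GET "; depth:4; content:"/../"; distance:0;
    content:"passwd"; within:20;  (hypothetical rule body)"""
    c = content_match(payload, b"GET ", depth=4)
    if c is None:
        return False
    c = content_match(payload, b"/../", c, distance=0)
    if c is None:
        return False
    return content_match(payload, b"passwd", c, within=20) is not None


def tlv_rule(payload):
    """Equivalent of: byte_jump:2,0; byte_test:2,=,2,0,relative;
    byte_jump:2,0,relative; isdataat:1,relative;  (hypothetical rule body)"""
    c = byte_jump(payload, 2, 0)                       # skip first length-prefixed field
    if c is None or not byte_test(payload, 2, "=", 2, 0, c, relative=True):
        return False
    c = byte_jump(payload, 2, 0, c, relative=True)     # skip second field
    return c is not None and isdataat(payload, 1, c, relative=True)


if __name__ == "__main__":
    print("traversal:", traversal_rule(HTTP_PAYLOAD))        # True
    print("tlv:", tlv_rule(TLV_PAYLOAD), tlv_rule(TLV_PAYLOAD[:-1]))  # True False
```

The point the table alone does not show: `content:"passwd"; within:5;` after the `/../` match fails on the same payload (the 5-byte window holds only `../et`), while `within:20` succeeds, and a `byte_jump` that would land past the end of the payload fails the rule rather than wrapping.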
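The difference between the two thresholding types (limit fires on the first N events in an interval, threshold fires on every N-th) matters for alert volume, and Snort also offers a third type, both, which fires once per interval after N events. The Python below is an added example for this page, not Snort's code; it emulates `threshold: type <limit|threshold|both>, track by_src, count N, seconds S` (the same semantics Snort 2.9 exposes as event_filter in snort.conf) over a constructed event list.

```python
"""Emulation of Snort event thresholding (added example, not Snort code)."""

# Constructed events for one rule: (timestamp in seconds, source IP), sorted by time.
# 10.0.0.1 fires ten times at t=0..9; 10.0.0.2 fires once at t=3.
EVENTS = sorted([(t, "10.0.0.1") for t in range(10)] + [(3, "10.0.0.2")])


class EventFilter:
    """One threshold entry tracked per key (by_src -> source IP)."""

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self.windows = {}  # key -> (interval start, events seen in this interval)

    def should_alert(self, key, ts):
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # open a new time interval
        seen += 1
        self.windows[key] = (start, seen)
        if self.kind == "limit":         # first `count` events per interval
            return seen <= self.count
        if self.kind == "threshold":     # every `count`-th event
            return seen % self.count == 0
        return seen == self.count        # both: once per interval, on the count-th event


def run_filter(kind, count, seconds, events):
    """Return the subset of (ts, src) events that would produce an alert."""
    f = EventFilter(kind, count, seconds)
    return [ev for ev in events if f.should_alert(ev[1], ev[0])]


if __name__ == "__main__":
    for kind, count in (("limit", 3), ("threshold", 5), ("both", 5)):
        print(kind, run_filter(kind, count, 60, EVENTS))
```

With a 60-second interval, limit/count 3 yields four alerts (three for 10.0.0.1, one for 10.0.0.2), threshold/count 5 yields two (the 5th and 10th events from 10.0.0.1), and both/count 5 yields one. Shortening the interval to 5 seconds lets limit fire again once a new interval opens.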