|
| Snort instruction format | Definition |
|
| Option | |
| General | |
| msg | Message to record when Alert or logging |
| reference | References to additional information |
| gid | Alert generation module id |
| sid | Use to distinguish snort detection rules |
| rev | Display information about revision of rule with sid |
| classtype | Information that can classify an attack |
| priority | Show the importance (priority) of detection rules |
Payload
Detection | |
| content | Specific content looking for in the payload of a packet |
| content modifier | |
| nocase | Not classifying capital and small letter |
| rawbytes | Ignore the decoding process and check the raw packet data |
| offset | Specify whether to start pattern search after the first few bytes of the packet |
| depth | Specify how to compare pattern search from offset to how many bytes |
| distance | Specify whether to start pattern after how many bytes from previous pattern matching. |
| within | Specify how to compare pattern searches from distance to how many bytes |
| http_client_body | Search in body part of HTTP request |
| http_cookie | Search in the cookie portion of the HTTP header |
| http_header | Search in the HTTP header section |
| http_method | Search in the HTTP methods section |
| http_uri | Search in the HTTP URI section |
| fast_pattern | Specify the pattern to search first |
| uricontent | Retrieve patterns from URI information in HTTP |
| urilen | Check HTTP URI length |
| isdataat | Checks if the payload has a certain number of bytes |
| pcre | Search by regular expression |
| byte_test | Compare with specific value after specific byte operation |
| byte_jump | Jump as much as the operation result value after a certain byte operation |
| ftpbounce | FTP bounce attack detection |
| asn1 | Detect malicious encoding |
| cvs | Detect invalid Entry string in CVS |
| dce_iface | Detect traffic pattern requesting DCE/RPC |
| dce_opnum |
| dce_stup_data |
Non-Payload
Detection | |
| IP | |
| fragoffset | IP fragment offset field check |
| fragbits | IP fragment offset field check |
| tos | IP Service type field check |
| id | IP identification field check |
| ttl | IP Time To Live field check |
| ip_proto | IP protocol inspection |
| ipopts | IP Options field check |
| TCP | |
| seq | TCP sequence number check |
| ack | TCP acknowledge number check |
| flags | TCP flag bit field check |
| window | TCP window size check |
| ICMP | |
| itype | ICMP type check |
| icode | ICMP code check |
| icmp_id | ICMP identification check |
| icmp_seq | ICMP sequence number check |
| dsize | Detect the payload size of packets to detect abnormal size packets |
| flow | Defines the direction of the packet in relation to the client-server communication stream |
| flowbits | Options to support session-based detection |
| rpc | rpc service identification |
| sameip | Check if origin and destination IP are the same |
| stream_size | Check the size of the session according to the TCP sequence number |
| Thresholding | |
| limit | Only the first warning occurs when multiple identical events occur within a certain time |
| threshold | Alert when the number of the same events that occur within a certain time is exceeded |
|
