Rules

Rules header
[  Rule action  |  protocol  |  source  |  sport  |  direction  |  destination  |  dport  ]
      alert          tcp          any        any         <>            any            any
Alert and log: protocol tcp, from any source on any port to any destination on any port.

      alert          tcp       10.10.1.1    12345       <>         10.10.1.2         80
Alert and log: protocol tcp, from source 10.10.1.1 port 12345 to destination 10.10.1.2 port 80.

There are two directions:
<> : traffic flowing both ways between the two ends
-> : the source end accessing the destination end
 
Rules body
msg states what this rule means; remember the trailing semicolon after each option.

   alert tcp any any -> any any (msg: "log tcp any"; )

Alert and log when the source sends a packet whose content is 123:
   alert tcp any any -> any any (msg:"log package content"; content:"123";)
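The header and body layout described above can be checked mechanically. The following is an added example, not code from the original post or from the Snort project: a small parser for the classic Snort rule syntax shown here (action, protocol, source, sport, direction, destination, dport, then an optional parenthesised body of `keyword:value;` options). It rejects an unknown direction or port and, in particular, a body whose last option is missing its terminating semicolon, which is the mistake the text warns about. The accepted action and protocol sets are assumptions kept to the common values; real Snort accepts more.

```python
import re
from dataclasses import dataclass

# Added example (not from the original post): minimal parser for the
# classic Snort rule syntax -- header fields, then an optional body of
# "keyword:value;" options inside parentheses.

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}   # assumption: common subset
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<protocol>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*"
    r"(?:\((?P<body>.*)\))?\s*$"
)


@dataclass
class SnortRule:
    action: str
    protocol: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def _valid_port(p: str) -> bool:
    """'any', a $VARIABLE, a single port, or a low:high range."""
    if p == "any" or p.startswith("$"):
        return True
    parts = p.split(":")
    if len(parts) > 2:
        return False
    nums = [x for x in parts if x != ""]
    return bool(nums) and all(x.isdigit() and int(x) <= 65535 for x in nums)


def split_options(body: str) -> list:
    """Split the body on ';' outside double quotes.

    Raises ValueError when the last option lacks its trailing ';'.
    """
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    tail = "".join(cur).strip()
    if tail:
        raise ValueError(f"option is missing its trailing ';': {tail!r}")
    return [p for p in parts if p]


def parse_options(body: str) -> dict:
    options = {}
    for part in split_options(body):
        keyword, sep, value = part.partition(":")
        keyword = keyword.strip()
        if not sep:
            options[keyword] = None        # flag-style keyword such as "nocase"
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]            # drop the surrounding quotes
        options[keyword] = value
    return options


def parse_rule(text: str) -> SnortRule:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a Snort rule header: {text!r}")
    f = m.groupdict()
    if f["action"] not in ACTIONS:
        raise ValueError(f"unknown rule action {f['action']!r}")
    if f["protocol"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {f['protocol']!r}")
    for name in ("sport", "dport"):
        if not _valid_port(f[name]):
            raise ValueError(f"bad {name} {f[name]!r}")
    options = parse_options(f["body"]) if f["body"] is not None else {}
    return SnortRule(f["action"], f["protocol"], f["src"], f["sport"],
                     f["direction"], f["dst"], f["dport"], options)


def is_valid_rule(text: str) -> bool:
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def describe(rule: SnortRule) -> str:
    """Render a rule the way the annotations above do."""
    arrow = "<->" if rule.direction == "<>" else "->"
    what = f"{rule.action} {rule.protocol} {rule.src}:{rule.sport} {arrow} {rule.dst}:{rule.dport}"
    if "content" in rule.options:
        what += f", payload contains {rule.options['content']!r}"
    return what


if __name__ == "__main__":
    for line in ('alert tcp any any -> any any (msg: "log tcp any"; )',
                 'alert tcp 10.10.1.1 12345 <> 10.10.1.2 80',
                 'alert tcp any any -> any any (msg:"log package content"; content:"123";)'):
        print(describe(parse_rule(line)))
```

The quote-aware split matters because a `content` value may itself contain a semicolon; splitting naively on `;` would break such rules.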
  
Comparing the rules files included by default
snort-inline.conf enables 41 rules files; compared with the snort tarball it lacks
attack-responses.rules, bad-traffic.rules, deleted.rules, experimental.rules, local.rules, misc.rules, scan.rules

snort.conf enables 47 rules files; compared with the tarball it lacks deleted.rules

The tarball ships 48 rules files by default

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

### Disabled
include $RULE_PATH/other-ids.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules

### Not included by default
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/deleted.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/scan.rules

### Not included by default, and empty
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

### New rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules

xxxx-xx-xx
include $RULE_PATH/spyware-put.rules

2007-03-09
specific-threats.rules
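The counts above (41, 47 and 48) come from comparing the active `include $RULE_PATH/...` lines of each configuration with the rules files in the tarball. The following is an added example, not code from the original post or from the Snort project, that performs that audit: it extracts only uncommented include lines, so a `# include` line counts as disabled, and reports which shipped files a configuration does not load and which includes point at files the tarball does not ship. The tarball file list and the configuration fragment are constructed samples, not the real 48-file set.

```python
import re

# Added example (not from the original post): audit which rule files a
# snort.conf-style configuration actually enables and compare that with
# the rule files shipped in the tarball.

INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+\.rules)\s*$")

# Constructed sample: a short stand-in for the tarball's rules directory.
TARBALL_RULES = {
    "exploit.rules", "ftp.rules", "web-cgi.rules",
    "deleted.rules", "scan.rules", "local.rules",
}

# Constructed sample: a configuration fragment with two includes commented out.
SNORT_CONF = """\
### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/local.rules
### Not included by default
# include $RULE_PATH/deleted.rules
#include $RULE_PATH/scan.rules
"""


def enabled_rule_files(conf_text: str) -> set:
    """Rule files on active include lines; commented-out includes do not count."""
    enabled = set()
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)      # a leading '#' makes the match fail
        if m:
            enabled.add(m.group(1))
    return enabled


def compare_with_tarball(conf_text: str, tarball_files: set) -> dict:
    """Summarise enabled vs shipped rule files, as the post does by hand."""
    enabled = enabled_rule_files(conf_text)
    return {
        "enabled": len(enabled),
        "shipped": len(tarball_files),
        "not_included": sorted(tarball_files - enabled),
        "unknown": sorted(enabled - tarball_files),   # includes with no shipped file
    }


if __name__ == "__main__":
    report = compare_with_tarball(SNORT_CONF, TARBALL_RULES)
    print(f"{report['enabled']} of {report['shipped']} shipped rules files enabled")
    print("not included:", ", ".join(report["not_included"]))
    print("unknown includes:", ", ".join(report["unknown"]) or "none")
```

The `unknown` list is the useful one when new rules files are added (as with spyware-put.rules and specific-threats.rules above): an include that names a file the rules directory does not contain will make Snort fail to start.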
