Difference between revisions of "SNORT-RULES: The Basics"
Onnowpurbo (talk | contribs) (Created page with " Snort uses a simple, lightweight rules description language that is flexible and quite powerful. There are a number of simple guidelines to remember when developing Snort rul...") |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | + | Snort menggunakan description language yang sederhana tapi flexible dan sangat power full. Ada beberapa aturan yang mudah di ingat. | |
| − | + | * Sebagian besar snort rules adalah single line. Di versi snort yang baru, kita bisa membuat rules dalam beberapa line dengan menambahkan backslash \ di akhir kalimat. | |
| − | Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. | + | * Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. |
Figure [*] illustrates a sample Snort rule. | Figure [*] illustrates a sample Snort rule. | ||
| − | + | alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";) | |
The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options. The words before the colons in the rule options section are called option keywords. | The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options. The words before the colons in the rule options section are called option keywords. | ||
Latest revision as of 05:30, 6 December 2018
Snort menggunakan description language yang sederhana tapi flexible dan sangat power full. Ada beberapa aturan yang mudah di ingat.
- Sebagian besar snort rules adalah single line. Di versi snort yang baru, kita bisa membuat rules dalam beberapa line dengan menambahkan backslash \ di akhir kalimat.
- Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.
Figure [*] illustrates a sample Snort rule.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options. The words before the colons in the rule options section are called option keywords.
Note:
Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on (or drop, for that matter).
All of the elements in that make up a rule must be true for the indicated rule action to be taken. When taken together, the elements can be considered to form a logical AND statement. At the same time, the various rules in a Snort rules library file can be considered to form a large logical OR statement.