Snort#

Snort is the long-running open-source network intrusion detection and prevention system. It reads packets off a span port (IDS) or sits inline (IPS), matches them against a rule set, and fires alerts or drops. Snort 3 is the current major version; many production deployments still run Snort 2, and the rule syntax between them differs in small but breaking ways.

Rule anatomy#

A rule is a header plus options. The header names the action, protocol, and direction; the options carry the detection logic.

action  proto  src_ip src_port  ->  dst_ip dst_port  (option_list)

action     alert | log | pass | drop | reject | sdrop
proto      tcp | udp | icmp | ip
directions ->  (one way)   <>  (bidirectional)

The option list carries the detection. The operator builds it from content matches, pcre regex, byte tests, flow state, and reference / metadata tags that downstream tooling reads.

Worked rule#

A detection for CVE-2016-8077 (IE CacheSize exploit), showing how flow, content distance, regex, and byte test compose.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
    msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
    flow:to_client,established;
    file_data;
    content:"recordset"; offset:14; depth:9;
    content:".CacheSize"; distance:0; within:100;
    pcre:"/CacheSize\s*=\s*/";
    byte_test:10,>,0x3fffffe,0,relative,string;
    metadata:policy max-detect-ips drop, service http;
    reference:cve,2016-8077;
    classtype:attempted-user;
    sid:65535; rev:1;
)

References#