Snort#
Snort is the long-running open-source network intrusion detection and prevention system. It reads packets off a span port (IDS) or sits inline (IPS), matches them against a rule set, and fires alerts or drops. Snort 3 is the current major version; many production deployments still run Snort 2, and the rule syntax between them differs in small but breaking ways.
Rule anatomy#
A rule is a header plus options. The header names the action, protocol, and direction; the options carry the detection logic.
action proto src_ip src_port -> dst_ip dst_port (option_list)
action alert | log | pass | drop | reject | sdrop
proto tcp | udp | icmp | ip
directions -> (one way) <> (bidirectional)
The option list carries the detection. The operator builds it
from content matches, pcre regex, byte tests, flow state,
and reference / metadata tags that downstream tooling reads.
Worked rule#
A detection for CVE-2016-8077 (IE CacheSize exploit), showing
how flow, content distance, regex, and byte test compose.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
flow:to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s*=\s*/";
byte_test:10,>,0x3fffffe,0,relative,string;
metadata:policy max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype:attempted-user;
sid:65535; rev:1;
)
References#
YARA for the host-side classification equivalent.