C

H A P T E R

3

Working with

Snort Rules

ike viruses, most intruder activity has some sort of signature. Infor 

L

mation about these signatures is used to create Snort rules. As men 

tioned in Chapter 1, you can use honey pots to find out what intruders are

doing and information about their tools and techniques. In addition to

that, there are databases of known vulnerabilities that intruders want to

exploit. These known attacks are also used as signatures to find out if

someone is trying to exploit them. These signatures may be present in the

header parts of a packet or in the payload. Snort's detection system is

based on rules. These rules in turn are based on intruder signatures. Snort

rules can be used to check various parts of a data packet. Snort 1.x ver 

sions can analyze layer 3 and 4 headers but are not able to analyze appli 

cation layer protocols. Upcoming Snort version 2 is expected to add

support of application layer headers as well. Rules are applied in an

orderly fashion to all packets depending on their types.

A rule may be used to generate an alert message, log a message, or, in

terms of Snort, pass the data packet, i.e., drop it silently. The word pass

here is not equivalent to the traditional meaning of pass as used in fire 

walls and routers. In firewalls and routers, pass and drop are opposite to

each other. Snort rules are written in an easy to understand syntax. Most

of the rules are written in a single line. However you can also extend rules

to multiple lines by using a backslash character at the end of lines. Rules

75