Structure of a Rule
79
equal to 255.255.255.0. An individual host can be written using all of the netmask bits,
i.e., 32. The following rule shows that only those packets that go to a single host with IP
address 192.168.2.113 will generate an alert:
alert icmp any any -> 192.168.1.113/32 any \
(msg: "Ping with TTL=100"; ttl:100;)
All addresses in Snort are written using the CIDR notation, which makes it very
convenient to monitor any subset of hosts.
3.4 Structure of a Rule
Now that you have seen some rules which are not so good but helpful in a way, let us
see the structure of a Snort rule. All Snort rules have two logical parts: rule header and
rule options. This is shown in Figure 3-1.
Figure 3-1 Basic structure of Snort rules.
The rule header contains information about what action a rule takes. It also contains
criteria for matching a rule against data packets. The options part usually contains
an alert message and information about which part of the packet should be used to
generate the alert message. The options part contains additional criteria for matching a rule
against data packets. A rule may detect one type or multiple types of intrusion activity.
Intelligent rules should be able to apply to multiple intrusion signatures.
The general structure of a Snort rule header is shown in Figure 3-2.
Figure 3-2 Structure of Snort rule header.
The action part of the rule determines the type of action taken when criteria are
met and a rule is exactly matched against a data packet. Typical actions are generating
an alert or log message or invoking another rule. You will learn more about actions later
in this chapter.
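The split between rule header and rule options described above, worked through in code. This is an added example and not code from the book or from the Snort project: a small parser that breaks a rule line into its header fields (action, protocol, source address and port, direction, destination address and port) and its option list, plus a minimal matcher that evaluates the CIDR address fields and the ttl option against a constructed packet record. The sample rules and the packet dictionaries are constructed for the example; only the ttl option is evaluated, and the protocol check is plain equality (the real Snort engine handles many more options and the ip wildcard protocol).

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample rules. The first mirrors the TTL rule shown in the text.
SAMPLE_RULES = [
    'alert icmp any any -> 192.168.1.113/32 any (msg: "Ping with TTL=100"; ttl:100;)',
    'log tcp 10.0.0.0/8 any -> any 80 (msg: "HTTP from internal net";)',
]

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    protocol: str
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str
    options: dict = field(default_factory=dict)


def split_options(opts):
    """Split the options string on ';' but not inside a quoted msg value."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        items.append(''.join(buf).strip())
    return items


def parse_rule(text):
    """Parse one Snort rule line into a Rule (header fields + option dict)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: " + text)
    options = {}
    for item in split_options(m.group("opts")):
        key, _, val = item.partition(":")          # keyword-only options get ""
        options[key.strip()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), options)


def addr_matches(rule_addr, ip):
    """'any' matches everything; otherwise CIDR containment. A leading '!' negates."""
    negate = rule_addr.startswith("!")
    spec = rule_addr.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(rule_port, port):
    """'any', a single port, or a lo:hi range; a leading '!' negates."""
    negate = rule_port.startswith("!")
    spec = rule_port.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport, ttl.
    Header is checked first, then the ttl option (the only option evaluated here)."""
    if rule.protocol != pkt["proto"]:
        return False
    forward = (addr_matches(rule.src_addr, pkt["src"]) and port_matches(rule.src_port, pkt["sport"])
               and addr_matches(rule.dst_addr, pkt["dst"]) and port_matches(rule.dst_port, pkt["dport"]))
    if rule.direction == "<>":  # bidirectional: also try the swapped endpoints
        reverse = (addr_matches(rule.src_addr, pkt["dst"]) and port_matches(rule.src_port, pkt["dport"])
                   and addr_matches(rule.dst_addr, pkt["src"]) and port_matches(rule.dst_port, pkt["sport"]))
        forward = forward or reverse
    if not forward:
        return False
    if "ttl" in rule.options and int(rule.options["ttl"]) != pkt["ttl"]:
        return False
    return True


if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    ping = {"proto": "icmp", "src": "10.9.9.9", "sport": 0, "dst": "192.168.1.113", "dport": 0, "ttl": 100}
    for r in rules:
        print(r.action, r.protocol, r.dst_addr, "->", rule_matches(r, ping), r.options.get("msg"))
```

Running the block prints, for each sample rule, its action, protocol and destination field followed by whether the constructed ping packet matches it; the TTL rule fires only when both the /32 destination and the ttl value agree.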