Rule Headers
Source address and source port. In this example both of them are set to any,
which means that the rule will be applied on all packets coming from any
source. Of course port numbers have no relevance to ICMP packets. Port
numbers are relevant only when protocol is either TCP or UDP.
Direction. In this case the direction is set from left to right using the -> symbol.
This shows that the address and port number on the left hand side of the symbol
are source and those on the right hand side are destination. It also means that
the rule will be applied on packets traveling from source to destination. You can
also use a <- symbol to reverse the meaning of source and destination address
of the packet. Note that a symbol <> can also be used to apply the rule on
packets going in either direction.
Destination address and destination port. In this example both are set to any,
meaning the rule will be applied to all packets irrespective of their destination
address. The direction in this rule does not play any role because the rule is
applied to all ICMP packets moving in either direction, due to the use of the
keyword any in both source and destination address parts.
The options part enclosed in parentheses shows that an alert message will be
generated containing the text string Ping with TTL=100 whenever the condition of
TTL=100 is met. Note that TTL or Time To Live is a field in the IP packet header. Refer
to RFC 791 at http://www.rfc-editor.org/rfc/rfc791.txt or Appendix C for information
on IP packet headers.
3.5 Rule Headers
As mentioned earlier, a rule header consists of the section of the rule before starting
parentheses and has many parts. Let us take a detailed look at different parts used in the
rule header, starting with rule actions.
3.5.1 Rule Actions
The action is the first part of a Snort rule. It shows what action will be taken when
rule conditions are met. An action is taken only when all of the conditions mentioned in
a rule are true. There are five predefined actions. However, you can also define your
own actions as needed. As a precaution, keep in mind that Snort versions 1.x and 2.x
apply rules in different ways. In Snort 1.x, if multiple rules match a given packet, only
the first one is applied. After applying the first rule, no further action is taken on the
packet. However, in Snort version 2, all rules are applied before generating an alert
message. The most severe alert message is then generated.
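The header layout described above (action, protocol, source address and port, direction operator, destination address and port, then the parenthesised options) and the checks this section calls for are easy to make concrete with a small parser. The following Python is an added example and is not code from the book or from Snort; the ping rule it parses is reconstructed from the text's description (msg "Ping with TTL=100", ttl 100) rather than quoted from the page, and the other sample rules are constructed. Snort itself accepts only -> and <> as direction operators; the parser also accepts <- and normalises it by swapping the two sides, which is the reversal the text describes. It warns, rather than fails, when the action is not one of the five predefined ones, since the text says user-defined actions are allowed, and it flags port numbers on protocols where they have no meaning.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The five predefined rule actions the text refers to. Anything else must be a
# user-defined action, so it is flagged rather than rejected.
PREDEFINED_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Port numbers are meaningful only for TCP and UDP, as the text notes.
PORT_PROTOCOLS = {"tcp", "udp"}


@dataclass
class RuleHeader:
    action: str
    protocol: str
    src_addr: str
    src_port: str
    direction: str           # normalised to "->" or "<>"
    dst_addr: str
    dst_port: str
    options: Optional[str]   # raw text between the parentheses, if any
    warnings: List[str] = field(default_factory=list)


# action proto src_addr src_port direction dst_addr dst_port [(options)]
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<saddr>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<-|<>)\s+"
    r"(?P<daddr>\S+)\s+(?P<dport>\S+)\s*"
    r"(?:\((?P<opts>.*)\))?\s*$"
)


def parse_rule(rule: str) -> RuleHeader:
    """Split one Snort rule into its header fields and sanity-check them."""
    m = HEADER_RE.match(rule)
    if m is None:
        raise ValueError(f"not a well-formed rule: {rule!r}")

    action = m.group("action").lower()
    proto = m.group("proto").lower()
    saddr, sport = m.group("saddr"), m.group("sport")
    daddr, dport = m.group("daddr"), m.group("dport")
    direction = m.group("dir")
    warnings: List[str] = []

    if action not in PREDEFINED_ACTIONS:
        warnings.append(
            f"action {action!r} is not one of the five predefined actions; "
            "it must be declared as a user-defined action"
        )

    # "<-" reverses the meaning of the two sides, so swap them and keep the
    # canonical left-to-right form. "<>" keeps both sides and both directions.
    if direction == "<-":
        saddr, sport, daddr, dport = daddr, dport, saddr, sport
        direction = "->"

    # Ports only mean something for TCP/UDP; anything else (icmp, ip) gets a warning.
    if proto not in PORT_PROTOCOLS and (sport != "any" or dport != "any"):
        warnings.append(
            f"port numbers have no relevance to {proto} packets; "
            f"got source port {sport!r} and destination port {dport!r}"
        )

    return RuleHeader(action, proto, saddr, sport, direction, daddr, dport,
                      m.group("opts"), warnings)


def direction_irrelevant(header: RuleHeader) -> bool:
    """True when the direction operator cannot narrow the match: either the
    rule is bidirectional or both sides are 'any', as in the ICMP example."""
    return header.direction == "<>" or (
        header.src_addr == "any" and header.dst_addr == "any"
        and header.src_port == "any" and header.dst_port == "any")


if __name__ == "__main__":
    # The rule the text describes, reconstructed here rather than quoted from the page.
    PING_RULE = 'alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)'
    h = parse_rule(PING_RULE)
    print(h)
    print("direction irrelevant:", direction_irrelevant(h))
```

Running the script parses the ping rule with no warnings and reports that its direction operator is irrelevant, which is exactly the point the text makes about a rule with any on both sides. Feeding it a rule such as a TCP rule written with <- shows the source and destination fields swapped into the left-to-right form.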