84
Chapter 3     Working with Snort Rules
- TCP
- UDP
If the protocol is IP, Snort checks the link layer header to determine the packet
type. If any other type of protocol is used, Snort uses the IP header to determine the
protocol type. Different packet headers are discussed in Appendix C.
The protocols only play a role in specifying criteria in the header part of the rule.
The options part of the rule can have additional criteria unrelated to the specified
protocol. For example, consider the following rule where the protocol is ICMP.
alert icmp any any -> any any (msg: "Ping with TTL=100"; \
 ttl: 100;)
The options part checks the TTL (Time To Live) value, which is not part of the
ICMP header. TTL is part of the IP header instead. This means that the options part can
check parameters in other protocol fields as well. Header fields for common protocols
and their explanations are found in Appendix C.
3.5.3 Address
There are two address parts in a Snort rule. These addresses are used to check the
source from which the packet originated and the destination of the packet. The address
may be a single IP address or a network address. You can use the any keyword to apply a
rule to all addresses. The address is followed by a slash character and the number of bits in
the netmask. For example, the address 192.168.2.0/24 represents the class C network
192.168.2.0 with 24 bits in the network mask. A network mask with 24 bits is
255.255.255.0. Keep the following in mind about the number of bits in the netmask:
- If the netmask consists of 24 bits, it is a class C network.
- If the netmask consists of 16 bits, it is a class B network.
- If the netmask consists of 8 bits, it is a class A network.
- For a single host, use 32 bits in the netmask field.
You can also use any number of bits in the address part allowed by Classless Inter-Domain
Routing or CIDR. Refer to RFC 791 at http://www.rfc-editor.org/rfc/rfc791.txt
for the structure of IP addresses and netmasks and to RFC 1519 at
http://www.rfc-editor.org/rfc/rfc1519.txt for more information on CIDR.
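As an added example, not code from the book or from Snort itself, the following Python checker models what this section describes: the header part selects the protocol and the source/destination addresses (with any or a /bits netmask, CIDR style), while the options part can test a field from another header, here the IP TTL on an ICMP rule. The rule text, the packet dictionary and all function names are constructed for this illustration.

```python
import ipaddress

# Constructed sample rule: the ICMP/TTL rule from the text, narrowed to the
# class C network 192.168.2.0/24 on the destination side.
SAMPLE_RULE = ('alert icmp any any -> 192.168.2.0/24 any '
               '(msg: "Ping with TTL=100"; ttl: 100;)')

def parse_rule(rule):
    """Split a rule into its seven header fields and an options dict."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for opt in options.rstrip(")").split(";"):   # assumes no ';' inside msg text
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": opts}

def address_matches(spec, ip):
    """'any' matches everything; otherwise apply the /bits netmask.
    A bare address with no slash is treated as a single host (/32)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """'any' or an exact port number; ICMP packets carry no port (None)."""
    return spec == "any" or (port is not None and int(spec) == port)

def rule_matches(rule, pkt):
    """pkt is a constructed dict of decoded header fields; only '->' is handled."""
    r = parse_rule(rule)
    if r["proto"] not in ("ip", pkt["proto"]):      # 'ip' matches any IP packet
        return False
    if not (address_matches(r["src"], pkt["src"]) and port_matches(r["sport"], pkt["sport"])
            and address_matches(r["dst"], pkt["dst"]) and port_matches(r["dport"], pkt["dport"])):
        return False
    # Options may test fields outside the named protocol: TTL lives in the IP
    # header, yet this ICMP rule checks it.
    ttl = r["options"].get("ttl")
    return ttl is None or int(ttl) == pkt["ttl"]

if __name__ == "__main__":
    ping = {"proto": "icmp", "src": "10.0.0.5", "sport": None,
            "dst": "192.168.2.9", "dport": None, "ttl": 100}
    print(rule_matches(SAMPLE_RULE, ping))  # True
```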
As mentioned earlier, there are two address fields in the Snort rule. One of them is
the source address and the other one is the destination address. The direction part of the