Rule Options
89
and an argument. Arguments are separated from the option keyword by a colon. Consider the following rule option that you have already seen:
msg: "Detected confidential";
In this option msg is the keyword and Detected confidential is the argument to this keyword.
The remainder of this section describes keywords used in the options part of Snort
rules.
3.6.1 The ack Keyword
The TCP header contains an Acknowledgement Number field which is 32 bits long. The field shows the next sequence number the sender of the TCP packet is expecting to receive. This field is significant only when the ACK flag in the TCP header is set. Refer to Appendix C and RFC 793 for more information about the TCP header.
Tools like nmap (http://www.nmap.org) use this feature of the TCP header to ping
a machine. For example, among other techniques used by nmap, it can send a TCP
packet to port 80 with ACK flag set and sequence number 0. Since this packet is not
acceptable by the receiving side according to TCP rules, it sends back a RST packet.
When nmap receives this RST packet, it learns that the host is alive. This method works
on hosts that don't respond to ICMP ECHO REQUEST ping packets.
To detect this type of TCP ping, you can have a rule like the following that sends
an alert message:
alert tcp any any -> 192.168.1.0/24 any (flags: A; \
ack: 0; msg: "TCP ping detected";)
This rule shows that an alert message will be generated when you receive a TCP packet with the A flag set and the acknowledgement number field contains a value of 0. Other TCP flags are listed in Table 3-2. The destination of this packet must be a host in network 192.168.1.0/24. You can use any value with the ack keyword in a rule; however, it was added to Snort only to detect this type of probe. Generally, when the A flag is set, the ACK value is not zero.
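To make the matching behaviour of the rule concrete, the following added example (not code from the book or from Snort itself) parses a raw IPv4/TCP packet and applies the same three conditions the rule above expresses: destination inside 192.168.1.0/24, the flag byte equal to exactly ACK (Snort's `flags: A` without a modifier is an exact match), and an acknowledgement number of zero. The packet builder and the addresses used are constructed test input; checksums are left at zero because the matcher never looks at them.

```python
# Added example: emulate `alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0;)`
# on raw IPv4+TCP packets. Not Snort's own code; a minimal stand-in for illustration.
import ipaddress
import struct

TCP_FLAG_ACK = 0x10          # ACK bit in the TCP flags field
TCP_FLAG_PSH = 0x08          # used only to build a negative test packet
DEST_NET = ipaddress.ip_network("192.168.1.0/24")  # destination from the rule


def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, dst_ip, tcp_fields) for a raw IPv4 packet carrying TCP.

    Raises ValueError for non-IPv4, non-TCP or truncated input so a caller
    can treat anything it cannot parse as a non-match."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if packet[9] != 6:                   # protocol field: 6 = TCP
        raise ValueError("not TCP")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    # ports, sequence number, acknowledgement number, data-offset/flags word
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x1FF            # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    return src, dst, {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def matches_tcp_ping_rule(packet: bytes) -> bool:
    """True when the packet satisfies the rule's header tests.

    `flags: A` means the flag field must be exactly ACK, so the whole field is
    compared rather than just testing the ACK bit (a PSH+ACK segment must not match)."""
    try:
        _src, dst, tcp = parse_ipv4_tcp(packet)
    except ValueError:
        return False
    return dst in DEST_NET and tcp["flags"] == TCP_FLAG_ACK and tcp["ack"] == 0


def build_packet(src: str, dst: str, dport: int, flags: int, ack: int, seq: int = 0) -> bytes:
    """Constructed IPv4+TCP packet for testing (no options, checksums zero)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, seq, ack, (5 << 12) | flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    probe = build_packet("10.0.0.5", "192.168.1.20", 80, TCP_FLAG_ACK, ack=0)
    normal = build_packet("10.0.0.5", "192.168.1.20", 80, TCP_FLAG_ACK, ack=123456)
    print("probe matches:", matches_tcp_ping_rule(probe))     # True
    print("normal matches:", matches_tcp_ping_rule(normal))   # False
```

The last sentence of the book's explanation is what makes the rule useful: in an established connection the acknowledgement number is practically never zero once the ACK flag is set, so a bare ACK with `ack: 0` stands out from legitimate traffic and the rule produces few false positives.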
3.6.2 The classtype Keyword
Rules can be assigned classifications and priority numbers to group and distinguish them. To fully understand the classtype keyword, first look at the file classification.config, which is included in the snort.conf file using the include keyword. Each line in the classification.config file has the following syntax:
config classification: name,description,priority
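As an added example (not code from the book or from Snort), the following parser reads lines in the syntax just shown and builds a table from classification name to its description and priority, so that the priority a rule inherits through its classtype can be looked up. The sample configuration is constructed for the example; it follows the real file's syntax and assumes, as the real file does, that a description contains no commas. Comment lines beginning with `#`, blank lines and malformed entries are skipped rather than aborting the load.

```python
# Added example: parse `config classification: name,description,priority` lines
# and resolve the priority behind a rule's classtype. Not Snort's own parser.
import re
from typing import Dict, Optional, Tuple

CLASSIFICATION_RE = re.compile(r"^config\s+classification\s*:\s*(.+)$")

# Constructed sample in the syntax of classification.config.
SAMPLE_CONFIG = """\
# comment lines and blank lines are ignored
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1

config classification: bad-entry,missing the priority field
config classification: bad-priority,Priority is not a number,high
"""


def parse_classification_config(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {name: (description, priority)} for every well-formed line.

    A line is well-formed when it has exactly three comma-separated fields
    and the third is an integer; anything else is skipped with a note."""
    table: Dict[str, Tuple[str, int]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        m = CLASSIFICATION_RE.match(line)
        if not m:
            continue                              # some other config directive
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 3 or not fields[2].isdigit():
            print(f"line {lineno}: skipping malformed classification: {line!r}")
            continue
        name, description, priority = fields
        table[name] = (description, int(priority))
    return table


def priority_for(classtype: str, table: Dict[str, Tuple[str, int]]) -> Optional[int]:
    """Priority a rule with `classtype: <classtype>;` would take, or None if unknown."""
    entry = table.get(classtype)
    return entry[1] if entry else None


if __name__ == "__main__":
    classes = parse_classification_config(SAMPLE_CONFIG)
    for name, (desc, prio) in sorted(classes.items(), key=lambda kv: kv[1][1]):
        print(f"{prio}  {name:26} {desc}")
    print("attempted-admin ->", priority_for("attempted-admin", classes))   # 1
```

Keying the table by name mirrors how the classtype argument in a rule refers back to this file: the rule carries only the name, and the description and priority are taken from the matching classification line.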