Rule Options
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected,1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
3.6.3 The content Keyword
One important feature of Snort is its ability to find a data pattern inside a packet. The pattern may be given as an ASCII string or as binary data written as hexadecimal characters. Like viruses, intruders also have signatures, and the content keyword is used to find these signatures in the packet. Since Snort version 1.x does not support application layer protocols, this keyword, in conjunction with the offset keyword, can also be used to look into the application layer header.
The following rule detects the pattern GET in the data part of all TCP packets that are leaving the 192.168.1.0 network and going to an address that is not part of that network. The GET keyword is used in many HTTP related attacks; however, this rule only uses it to help you understand how the content keyword works.
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
    (content: "GET"; msg: "GET matched";)
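To make content and offset matching concrete, the following is an added Python example (not from the book and not Snort's own code) that turns a content value, written in plain ASCII or in Snort's |..| hex notation, into bytes and applies it, together with an optional offset, to a constructed TCP payload; the option parser and the function names are my own.

```python
import re
from typing import Dict

# Matches one "keyword: value;" pair inside a rule's option block.
# Values may be double-quoted (content, msg) or bare (offset).
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

# The rule options from the book's example rule above.
RULE = '(content: "GET"; msg: "GET matched";)'

def parse_content(value: str) -> bytes:
    """Convert a content value into raw bytes to search for.
    Text between | pipes | is hex; everything else is literal ASCII,
    so "GET", "|47 45 54|" and "|47|ET" all produce the same bytes."""
    parts = value.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content value: %r" % value)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(part)      # hex bytes
    return bytes(out)

def parse_options(option_text: str) -> Dict[str, str]:
    """Parse the parenthesised option block of a rule into a dict,
    stripping the surrounding quotes from quoted values."""
    body = option_text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    opts = {}
    for key, raw in OPTION_RE.findall(body):
        raw = raw.strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        opts[key] = raw
    return opts

def rule_matches(option_text: str, payload: bytes) -> bool:
    """Apply a rule's content (and optional offset) to a packet payload.
    offset makes the search start that many bytes into the payload."""
    opts = parse_options(option_text)
    if "content" not in opts:
        return False
    pattern = parse_content(opts["content"])
    offset = int(opts.get("offset", "0"))
    return payload.find(pattern, offset) != -1

# Constructed sample payloads, as they might appear in a TCP data part.
HTTP_GET = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
HTTP_POST = b"POST /login HTTP/1.0\r\nHost: example.com\r\n\r\n"
```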