Rule Options
configure script. The following rule will send a TCP Reset packet to the sender whenever
an attempt to reach TCP port 8080 on the local network is made.
alert tcp any any -> 192.168.1.0/24 8080 (resp: rst_snd;)
You can send multiple response packets to either sender or receiver by specifying
multiple responses to the resp keyword. The arguments are separated by a comma. The
list of arguments that can be used with this keyword is found in Table 3-4.
Table 3-4 Arguments to resp keyword

Argument     Description
rst_snd      Sends a TCP Reset packet to the sender of the packet
rst_rcv      Sends a TCP Reset packet to the receiver of the packet
rst_all      Sends a TCP Reset packet to both sender and receiver
icmp_net     Sends an ICMP Network Unreachable packet to sender
icmp_host    Sends an ICMP Host Unreachable packet to sender
icmp_port    Sends an ICMP Port Unreachable packet to sender
icmp_all     Sends all of the above mentioned packets to sender

3.6.24 The rev Keyword
The rev keyword is added to Snort rule options to show a revision number for the
rule. If you are updating rules, you can use this keyword to distinguish among different
revisions. Output modules can also use this number to identify the revision. The
following rule shows that the revision number is 2 for this rule:
alert ip any any -> any any (ipopts: lsrr; \
msg: "Loose source routing attempt"; rev: 2;)
For more information, refer to the sid keyword, which is related to the rev keyword.
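The following checker is an added example, not code from the book or from Snort: it parses a rule's option block, validates every resp argument against Table 3-4, and reports the rev number. The function names, the sample rules, and the choice to flag a rule without rev are assumptions made for illustration.

```python
import re

# Arguments accepted by the resp keyword, taken from Table 3-4.
RESP_ARGS = {"rst_snd", "rst_rcv", "rst_all",
             "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

def parse_options(rule):
    """Return the rule's options as a list of (keyword, value) pairs."""
    # Join lines that end in a backslash continuation, as in the rev example.
    rule = re.sub(r"\\\s*\n\s*", " ", rule.strip())
    match = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not match:
        raise ValueError("rule has no option block in parentheses")
    options = []
    # Split on ';' only outside double quotes so a msg string may contain ';'.
    for item in re.findall(r'(?:[^;"]|"[^"]*")+', match.group(1)):
        keyword, _, value = item.strip().partition(":")
        if keyword.strip():
            options.append((keyword.strip(), value.strip()))
    return options

def lint_rule(rule):
    """Check resp arguments against Table 3-4 and report the rev number."""
    problems, responses, rev, saw_rev = [], [], None, False
    for keyword, value in parse_options(rule):
        if keyword == "resp":
            for arg in (a.strip() for a in value.split(",")):
                if arg not in RESP_ARGS:
                    problems.append(f"unknown resp argument: {arg!r}")
                elif arg in responses:
                    problems.append(f"duplicate resp argument: {arg}")
                else:
                    responses.append(arg)
        elif keyword == "rev":
            saw_rev = True
            if value.isdigit():
                rev = int(value)
            else:
                problems.append(f"rev is not a number: {value!r}")
    if not saw_rev:  # assumption of this example: every rule should carry rev
        problems.append("no rev option, revisions cannot be told apart")
    return {"resp": responses, "rev": rev, "problems": problems}

# Constructed sample rules (not from the book), modelled on the two rules above.
SAMPLES = [
    'alert tcp any any -> 192.168.1.0/24 8080 (msg: "proxy; blocked"; \\\n'
    '    resp: rst_snd, icmp_port; rev: 3;)',
    'alert tcp any any -> 192.168.1.0/24 8080 (resp: rst_snd, rst_both;)',
]
```

Calling lint_rule on each entry of SAMPLES returns a clean result for the first rule and two problems for the second, whose rst_both argument is not in Table 3-4.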
3.6.25 The rpc Keyword
The rpc keyword is used to detect RPC-based requests. The keyword accepts three
numbers as arguments:
Application number