108
Chapter 3 Working with Snort Rules
Procedure number
Version number
These arguments are separated by a comma. You can also use an asterisk to match
all numbers in a particular location of the arguments. The following rule detects RPC
requests for RPC number 10000, all procedures and version number 3.
alert ip any any -> 192.168.1.0/24 any (rpc: 10000,*,3; \
msg: "RPC request to local network";)
3.6.26 The sameip Keyword
The sameip keyword is used to check if source and destination IP addresses are
the same in an IP packet. It has no arguments. Some people try to spoof IP packets to
get information or attack a server. The following rule can be used to detect these
attempts.
alert ip any any -> 192.168.1.0/24 any (msg: "Same IP"; \
sameip;)
3.6.27 The seq Keyword
The seq keyword in Snort rule options can be used to test the sequence number of
a TCP packet. The argument to this keyword is a sequence number. The general format
is as follows:
seq: "sequence_number";
Sequence numbers are a part of the TCP header. More explanation of sequence
numbers is found in Appendix C, where the TCP header is discussed.
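As an added example (not code from the book), the following Python evaluates the three conditions described above, rpc, sameip and seq, against raw packet bytes in the way the keywords do. The sample packets, the RPC program number and the header builders are constructed for this illustration, and the rpc matcher assumes an ONC RPC CALL carried in a UDP payload with no record-marking prefix.

```python
import struct

def parse_ipv4(pkt):
    """Return (src, dst, header_len, protocol) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, ihl, pkt[9]

def check_sameip(pkt):
    """Snort's sameip: match when the IP source equals the IP destination."""
    src, dst, _, _ = parse_ipv4(pkt)
    return src == dst

def check_seq(pkt, wanted):
    """Snort's seq: match when the TCP sequence number equals the argument."""
    _, _, ihl, proto = parse_ipv4(pkt)
    if proto != 6:                      # not TCP, so the keyword cannot match
        return False
    seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    return seq == wanted

def check_rpc(payload, spec):
    """Snort's rpc: compare an ONC RPC CALL header (RFC 1831 layout, assumed to be a
    UDP payload without record mark) against 'program,procedure,version'; '*' matches any."""
    if len(payload) < 24:
        return False
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if mtype != 0:                      # only CALL messages carry these fields
        return False
    want = spec.replace(" ", "").split(",")
    actual = (prog, proc, vers)         # argument order as given on this page
    return all(w == "*" or int(w) == a for w, a in zip(want, actual))

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options, checksum left zero) for the samples below."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    return hdr + payload

def build_tcp(seq):
    """Constructed minimal TCP header carrying the given sequence number."""
    return struct.pack("!HHIIBBHHH", 1234, 80, seq, 0, 5 << 4, 0x02, 8192, 0, 0)

# Constructed samples: a packet whose source equals its destination, and an RPC CALL
# for program 10000, version 3, procedure 0 (the RPC number is a made-up value).
LAND_PKT = build_ipv4("192.168.1.5", "192.168.1.5", 6, build_tcp(1))
RPC_CALL = struct.pack("!6I", 0x1234, 0, 2, 10000, 3, 0)
```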
3.6.28 The flow Keyword [4]
The flow keyword is used to apply a rule on TCP sessions to packets flowing in a
particular direction. You can use options with the keyword to determine direction. The
following options can be used with this keyword to determine direction:
to_client
to_server
from_client
from_server
4. This is available in Snort 1.9 and above.