110
Chapter 3 Working with Snort Rules
3.6.30 The sid Keyword
The sid keyword is used to add a Snort ID to rules. Output modules or log scanners
can use the SID to identify rules. The authors have reserved SID ranges for rules as shown
below:
Range 0 to 99 is reserved for future use.
Range 100 to 1,000,000 is reserved for rules that come with the Snort distribution.
All numbers above 1,000,000 can be used for local rules.
Refer to the list of rules that came with your Snort distribution for examples. The
only argument to this keyword is a number. The following rule adds SID equal to
1000001.
alert ip any any -> any any (ipopts: lsrr; \
msg: "Loose source routing attempt"; sid: 1000001;)
Using SID, tools like ACID can display the actual rule that generated a particular
alert.
3.6.31 The tag Keyword
The tag keyword is another very important keyword that can be used for logging
additional data from/to the intruder host when a rule is triggered. The additional data
can then be analyzed later on for detailed intruder activity. The general syntax of the
keyword is as follows:
tag: <type>, <count>, <metric> [, direction]
The arguments are explained in Table 3-5.
Table 3-5 Arguments used with tag keyword
Argument   Description
Type       You can use either session or host as the type argument. Using session, packets
           are logged from the particular session that triggered the rule. Using host, all
           packets from the host are logged.
Count      This indicates either the number of packets logged or the number of seconds
           during which packets will be logged. The distinction between the two is made by
           the metric argument.
Metric     You can use either packets or seconds as mentioned above.
Direction  This argument is optional. You can use either src to log packets from the
           source or dst to log packets from the destination.
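As an added example (not code from the book), the checks a rule author can run over local rules before loading them: it classifies a rule's SID against the ranges listed above and validates the tag arguments of Table 3-5. The first rule is the one from the text; the second, with a host tag, is constructed for the example, and the parser assumes the "keyword: value;" option layout shown in this chapter.

```python
import re
SID_RESERVED_MAX = 99               # 0-99: reserved for future use
SID_DISTRIBUTION_MAX = 1_000_000    # 100-1,000,000: rules shipped with Snort
# One "keyword: value;" or bare "keyword;" option; quoted values may contain ';'.
_OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def classify_sid(sid: int) -> str:
    """Return which reserved range a Snort ID falls into."""
    if sid <= SID_RESERVED_MAX:
        return "reserved"
    if sid <= SID_DISTRIBUTION_MAX:
        return "distribution"
    return "local"

def parse_options(rule: str) -> dict:
    """Map each option keyword inside the rule's parentheses to its raw value."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return {key: value.strip() for key, value in _OPTION_RE.findall(body)}

def parse_tag(value: str) -> dict:
    """Validate 'tag: <type>, <count>, <metric>[, direction]' per Table 3-5."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError(f"tag takes 3 or 4 arguments, got {len(parts)}")
    tag_type, count, metric = parts[:3]
    direction = parts[3] if len(parts) == 4 else None
    if tag_type not in ("session", "host"):
        raise ValueError(f"tag type must be session or host, got {tag_type!r}")
    if not count.isdigit():
        raise ValueError(f"tag count must be an integer, got {count!r}")
    if metric not in ("packets", "seconds"):
        raise ValueError(f"tag metric must be packets or seconds, got {metric!r}")
    if direction not in (None, "src", "dst"):
        raise ValueError(f"tag direction must be src or dst, got {direction!r}")
    return {"type": tag_type, "count": int(count), "metric": metric, "direction": direction}

def lint_rule(rule: str) -> dict:
    """Report the SID class and, when present, the parsed tag arguments of one rule."""
    opts = parse_options(rule.replace("\\\n", " "))  # join backslash-continued lines
    if "sid" not in opts:
        raise ValueError("rule has no sid; ACID and log scanners cannot identify it")
    sid = int(opts["sid"])
    report = {"sid": sid, "sid_class": classify_sid(sid)}
    if "tag" in opts:
        report["tag"] = parse_tag(opts["tag"])
    return report

# The rule from the text, and a constructed variant that also tags the source host for 300 seconds.
RULE_FROM_TEXT = 'alert ip any any -> any any (ipopts: lsrr; \\\nmsg: "Loose source routing attempt"; sid: 1000001;)'
RULE_WITH_TAG = 'alert ip any any -> any any (ipopts: lsrr; msg: "LSRR tagged"; sid: 1000002; tag: host, 300, seconds, src;)'
```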