Snort Rules Rule Options Msg Option
Allows the user to assign an appropriate message to the output of a triggered rule. Without msg, alert or log entries only give the packet, not the rule that was triggered.
Rule:
alert udp any any -> 126.96.36.199/24 31337 \
  (msg:"Back Orifice";)
Log:
[**] Back Orifice [**]
05/10-08:44:26.398345 188.8.131.52:60256 -> 184.108.40.206:31337
UDP TTL:41 TOS:0x0 ID:49951 Len: 8
Snort Rules Rule Options Logto Option
Specifies the filename (in the Snort log directory) to which packets triggering this rule are logged. Allows the annoyances to be kept separate from the truly dangerous.
alert udp any any -> 220.127.116.11/24 31335 \
  (msg:"trinoo port"; logto:"DDoS";)
Snort Rules Rule Options TTL Option
Matches the time-to-live field in the IP header. Format: ttl:number
Port ranges in the rule header are written low:high (with a colon).
alert udp any any -> 18.104.22.168/24 33000:34000 \
  (msg:"Unix traceroute"; ttl:1;)
Snort Rules Rule Options ID Option
Matches the 16-bit identification value found in the IP header of each datagram. Format: id:number
alert udp any any -> 22.214.171.124/24 33000:34000 \
  (msg:"Suspicious IP Identification"; id:0;)
Snort Rules Rule Options Dsize Option
Matches the size of the packet payload. Format: dsize:number, dsize:>number or dsize:<number
alert icmp any any -> 126.96.36.199/24 any \
  (msg:"Large ICMP payload"; dsize:>1024;)
Snort Rules Rule Options Seq and Ack Options
Seq option: matches the value of the TCP sequence number. Ack option: matches the value of the TCP acknowledgement number. Both are exact comparisons; hex values are accepted.
alert tcp any any -> any any \
  (msg:"Possible Shaft DDoS"; seq:0x28374839;)
alert tcp any any -> any any \
  (msg:"nmap tcp ping"; flags:A; ack:0;)
Snort Rules Rule Options Itype and Icode Options
Select the ICMP message type and code (type 3, code 3 is "destination unreachable: port unreachable").
alert icmp 188.8.131.52/24 any -> 184.108.40.206/24 any \
  (msg:"port unreachable"; itype:3; icode:3;)
Snort Rules Rule Options Flags Option
Matches the set of TCP flag bits in the segment; flags:0 matches a segment with no flags set, which is what a null scan sends.
alert tcp any any -> any any \
  (msg:"null scan"; flags:0;)
Snort Rules Rule Options Content Option
Searches the packet payload for a byte string; text between pipe characters is written as hex bytes. A rule may carry several content options, and all of them must be found in the payload for the rule to fire.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 \
  (msg:"Exploit bind tsig Overflow attempt"; \
  content:"|00 FA 00 FF|"; content:"/bin/sh";)
Snort Rules Rule Options Offset, Depth, Nocase and Regex Options
These modify the content option that precedes them.
Offset option: specifies the offset into the payload at which the content search starts.
Depth option: specifies how far into the packet (from the offset) to search for the content.
Nocase option: makes the content search case insensitive.
Regex option: allows wildcards in content searches (Snort 1.x; later versions dropped it in favour of the pcre option).
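To make the option semantics of the preceding slides concrete (header protocol and destination port, the numeric ttl/id/seq/ack/itype/icode checks, dsize, flags, content with |hex| escapes, and the offset/depth/nocase modifiers), here is an added Python evaluator written for this page. It is not Snort code and not part of the lecture notes: it parses rules written in the slides' own syntax and runs them over constructed packets. The rules are the slides' examples with their headers reduced to protocol and port; the "cmd.exe in URI" rule, the packet() helper and all sample packets are constructed for illustration only, and the cmd.exe rule exists solely to exercise offset, depth and nocase. Snort's real engine supports far more options and modifiers than this toy.

```python
"""Toy evaluator for the Snort rule options on these slides (added example, not Snort code)."""
import re

# Constructed rules in the slides' syntax. Only the header's protocol and destination port are
# honoured; the "cmd.exe in URI" rule is hypothetical, added to exercise offset/depth/nocase.
RULES = [
    'alert udp any any -> any 33000:34000 (msg:"Unix traceroute"; ttl:1;)',
    'alert udp any any -> any 33000:34000 (msg:"Suspicious IP Identification"; id:0;)',
    'alert icmp any any -> any any (msg:"Large ICMP payload"; dsize:>1024;)',
    'alert tcp any any -> any any (msg:"Possible Shaft DDoS"; seq:0x28374839;)',
    'alert tcp any any -> any any (msg:"nmap tcp ping"; flags:A; ack:0;)',
    'alert icmp any any -> any any (msg:"port unreachable"; itype:3; icode:3;)',
    'alert tcp any any -> any any (msg:"null scan"; flags:0;)',
    'alert udp any any -> any 53 (msg:"Exploit bind tsig Overflow attempt"; '
    'content:"|00 FA 00 FF|"; content:"/bin/sh";)',
    'alert tcp any any -> any 80 (msg:"cmd.exe in URI"; content:"cmd.exe"; offset:4; depth:20; nocase;)',
]
# One option: keyword, optional ":value" (quoted or bare), terminated by ";".
OPTION_RE = re.compile(r'\s*([a-z]+)\s*(?::\s*("[^"]*"|[^;]*))?;')
NUMERIC = ("ttl", "id", "seq", "ack", "itype", "icode")  # exact integer comparisons

def parse_rule(rule):
    """'alert proto src sport -> dst dport (options)' -> proto, dport and [(key, value)]."""
    header, _, body = rule.partition("(")
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    options = [(k, (v or "").strip()) for k, v in OPTION_RE.findall(body.rstrip(")"))]
    return {"proto": proto, "dport": dport, "options": options}

def decode_content(value):
    """'"|00 FA 00 FF|/bin/sh"' -> bytes: text between pipes is hex, the rest is literal."""
    parts = value.strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(parts))

def port_match(spec, port):
    """'any', a single port, or a 'low:high' range (a colon, not a semicolon)."""
    low, _, high = spec.partition(":")
    return spec == "any" or int(low) <= port <= int(high or low)

def dsize_match(spec, size):
    """dsize:N (exact), dsize:>N or dsize:<N, compared against the payload length."""
    op, num = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return size > num if op == ">" else size < num if op == "<" else size == num

def flags_match(spec, have):
    """Exact match of the flag set: flags:A means ACK and nothing else, flags:0 means none set."""
    return set(spec) - {"0"} == set(have)

def content_match(c, payload):
    """Search payload[offset:offset+depth] for the content bytes, case-folded if nocase."""
    end = len(payload) if c["depth"] is None else c["offset"] + c["depth"]
    window, needle = payload[c["offset"]:end], c["bytes"]
    return (needle.lower() in window.lower()) if c["nocase"] else (needle in window)

def matches(rule, pkt):
    """True if the header (proto, dport) and every option match the packet."""
    r = parse_rule(rule)
    if r["proto"] != pkt["proto"] or not port_match(r["dport"], pkt["dport"]):
        return False
    pending = None  # most recent content option; offset/depth/nocase modify it
    for key, val in r["options"]:
        if key in ("msg", "logto"):
            continue  # output options: no effect on whether the rule matches
        if key == "content":
            if pending is not None and not content_match(pending, pkt["payload"]):
                return False
            pending = {"bytes": decode_content(val), "offset": 0, "depth": None, "nocase": False}
        elif key in ("offset", "depth", "nocase"):
            pending[key] = True if key == "nocase" else int(val)  # must follow a content option
        elif key == "dsize":
            if not dsize_match(val, len(pkt["payload"])):
                return False
        elif key == "flags":
            if not flags_match(val, pkt.get("flags", "")):
                return False
        elif key in NUMERIC:
            if pkt.get(key) != int(val, 0):  # base 0 accepts hex such as seq:0x28374839
                return False
        else:
            raise ValueError("unsupported option: " + key)
    return pending is None or content_match(pending, pkt["payload"])

def fired_rules(pkt):
    """Return the msg text of every rule in RULES that fires on pkt."""
    return [dict(parse_rule(r)["options"])["msg"].strip('"') for r in RULES if matches(r, pkt)]

def packet(proto, dport, payload=b"", **fields):
    """Constructed packet (not a capture): only the header fields the options inspect."""
    return {"proto": proto, "dport": dport, "payload": payload, "ttl": 64, "id": 1, **fields}

# Constructed sample traffic, one packet per slide example.
SAMPLE_PACKETS = {
    "traceroute probe": packet("udp", 33434, b"\x00" * 32, ttl=1, id=4711),
    "shaft agent": packet("tcp", 80, flags="S", seq=0x28374839, ack=0),
    "nmap ack ping": packet("tcp", 80, flags="A", seq=1, ack=0),
    "null scan": packet("tcp", 22, flags="", seq=1, ack=0),
    "tsig overflow": packet("udp", 53, b"\x00\x01" + b"\x90" * 40 + b"/bin/sh\x00" + b"\x00\xfa\x00\xff"),
    "big ping": packet("icmp", 0, b"A" * 1500, itype=8, icode=0),
    "http probe": packet("tcp", 80, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n", flags="PA", seq=1, ack=1),
}
```

Calling fired_rules(SAMPLE_PACKETS["http probe"]) returns ["cmd.exe in URI"] because "CMD.EXE" starts at byte 13, inside the window payload[4:24] that offset:4 and depth:20 define, and nocase folds the case; move the same string a few bytes deeper in the URI and the rule no longer fires, which is the behaviour that makes depth cheap but easy to get wrong. The two content options in the tsig rule match in either order because, without a relative modifier, each is an independent search of the whole payload.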
Snort Rules Rule Options Session, Resp and Tag Options
Session option: allows capture of the user data of a TCP session for later analysis.
Resp option: allows an automatic active response (such as a TCP reset or ICMP unreachable) to the offending connection.
Tag option: allows dynamic capture of additional packets after a rule triggers.
- Spring '20