The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are three default actions in Snort: alert, log, and pass. In addition, if you are running Snort in inline mode, you have additional options, which include drop, reject, and sdrop.
alert – generate an alert using the selected alert method, and then log the packet
log – log the packet
pass – ignore the packet
drop – block and log the packet
reject – block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
sdrop – block the packet but do not log it.
You can also define your own rule types and associate one or more output plugins with them. You can then use the rule types as actions in Snort rules.
This example will create a type that will log to just tcpdump:
This example will create a rule type that will log to syslog and tcpdump: database:
The next field in a rule is the protocol. There are four protocols that Snort currently analyzes for suspicious behavior – TCP, UDP, ICMP, and IP. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc.
The next portion of the rule header deals with the IP address and port information for a given rule. The keyword any may be used to define any address. Snort does not have a mechanism to provide host name lookup for the IP address fields in the config file. The addresses are formed by a straight numeric IP address and a CIDR block. The CIDR block indicates the netmask that should be applied to the rule’s address and any incoming packets that are tested against the rule. A CIDR block mask of /24 indicates a Class C network, /16 a Class B network, and /32 indicates a specific machine address. For example, the address/CIDR combination 192.168.1.0/24 would signify the block of addresses from 192.168.1.1 to 192.168.1.255. Any rule that used this designation for, say, the destination address would match on any address in that range. The CIDR designations give us a nice short-hand way to designate large address spaces with just a few characters.
In Figure , the source IP address was set to match for any computer talking, and the destination address was set to match on the 192.168.1.0 Class C network.
There is an operator that can be applied to IP addresses, the negation operator. This operator tells Snort to match any IP address except the one indicated by the listed IP address. The negation operator is indicated with a !. For example, an easy modification to the initial example is to make it alert on any traffic that originates outside of the local net with the negation operator as shown in Figure .
[Figure: alert rule using the negation operator on the source address, with destination 192.168.1.0/24; content ends in "86 a5" and msg:"external mountd access"]
This rule’s IP addresses indicate any tcp packet with a source IP address not originating from the internal network and a destination address on the internal network.
You may also specify lists of IP addresses. An IP list is specified by enclosing a comma separated list of IP addresses and CIDR blocks within square brackets. For the time being, the IP list may not include spaces between the addresses. See Figure for an example of an IP list in action.
[Figure: the same rule written with IP lists for the address fields; content ends in "a5" and msg:"external mountd access"]
Port numbers may be specified in a number of ways, including any ports, static port definitions, ranges, and by negation. Any ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http, etc. Port ranges are indicated with the range operator :. The range operator may be applied in a number of ways to take on different meanings, such as in Figure .
Port negation is indicated by using the negation operator !. The negation operator may be applied against any of the other rule types (except any, which would translate to none, how Zen. ). For example, if for some twisted reason you wanted to log everything except the X Windows ports, you could do something like the rule in Figure .
[Figure: log rule with destination 192.168.1.0/24 and the negated port range !6000:6010]
The direction operator -> indicates the orientation, or direction, of the traffic that the rule applies to. The IP address and port numbers on the left side of the direction operator are considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host. There is also a bidirectional operator, which is indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions. An example of the bidirectional operator being used to record both sides of a telnet session is shown in Figure .
Also, note that there is no <- operator. In Snort versions before 1.8.7, the direction operator did not have proper error checking and many people used an invalid token. The reason the <- does not exist is so that rules always read consistently.
[Figure: log rule using the bidirectional operator <> with 192.168.1.0/24 23 (telnet) on the right-hand side]
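The rule-header grammar described above (actions, protocol, CIDR addresses with ! negation and [comma,lists], port ranges with :, and the -> and <> operators) as a small matcher. This is an added example, not the Snort manual's or Snort's own code; it ignores rule options and Snort variables such as $HOME_NET, handles IPv4 only, and the sample rules used with it are constructed from the descriptions in this section.

```python
import ipaddress

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

def ip_field_matches(spec, addr):
    """IP field: any, a CIDR block, or a [comma,separated] list; a leading ! negates."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_field_matches(spec[1:], addr)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_field_matches(s, addr) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_field_matches(spec, port):
    """Port field: any, a static port, or a range with ':' (either end may be open); ! negates."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_field_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port

def parse_header(rule):
    """Split 'action proto src sport dir dst dport (options)' into a dict; options are ignored."""
    action, proto, src, sport, direction, dst, dport = rule.split("(")[0].split()
    if action not in ACTIONS or direction not in ("->", "<>"):
        raise ValueError("bad rule header: " + rule)
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport)

def header_matches(rule, proto, src, sport, dst, dport):
    """Does the header of `rule` select a packet with this protocol, addresses and ports?"""
    h = parse_header(rule)
    if h["proto"] not in (proto, "ip"):          # an 'ip' rule applies to every protocol
        return False
    forward = (ip_field_matches(h["src"], src) and port_field_matches(h["sport"], sport)
               and ip_field_matches(h["dst"], dst) and port_field_matches(h["dport"], dport))
    if forward or h["direction"] == "->":
        return forward
    # <> also accepts the conversation with the two sides swapped
    return (ip_field_matches(h["src"], dst) and port_field_matches(h["sport"], dport)
            and ip_field_matches(h["dst"], src) and port_field_matches(h["dport"], sport))
```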
3.2.6 Activate/Dynamic Rules
Activate and Dynamic rules have been phased out in favor of a combination of tagging and flowbits.
3.2 Rules Headers
Firewall | Custom
Navigation: Firewall Profile | Custom
The tab lists custom firewall settings added to the firewall profile. The Add, Edit and Remove controls can be used to amend the settings in the list.
Example Custom Firewall Records
Dropping NetBIOS searches on an ISP's DNS:
We suggest that the following filter is always added to the firewall facing the Internet to avoid costly but otherwise typically pointless requests from Windows machines making DNS searches on the DNS server at your ISP.
IP Protocol: 6 (TCP)
Match Offset: 20
Match Data: 00890035
Match Mask: FFFFFFFF
Browsing Non-Standard Port Numbers:
The radio button for HTTP permits ports 80 and 443 through the firewall. Some hosts use non-standard ports for HTTP traffic, for example 8080, 8000, 8001, 8002, etc. You can add individual filters for these ports as you find them.
If you wish to access a web page but cannot because it uses TCP port 8000 instead of the more usual port 80, use the entry below.
IP Protocol: 6 (TCP)
Match Offset: 22
Match Data: 1F40
Match Mask: FFFF
A more general additional entry given below allows all TCP ports out.
IP Protocol: 6 (TCP)
Match Data: 00000000000000000000000000000000
Match Mask: 00000000000000000000000000000000
Routing All Internet Traffic through a WinProxy:
If you wish to put WinProxy in front of all Internet traffic via the Control Unit, the following firewall profile allows only the WinProxy server to contact the Internet:
Create a new Firewall profile and select Drop for all protocols
Under Custom create a new Firewall Entry
In Notes enter the name of the server allowed. Then use the default settings except in Local IP Address enter the IP address of the WinProxy Server, in Local IP Mask enter 255.255.255.255 and in Direction select Both Directions.
Stopping PINGs:
If you wish to stop pings, this is ICMP filtering. Using the data below you can create a firewall filter that does one of the following: trap pings, trap ping replies, or trap both.
Trap Pings: Protocol = 1, offset = 20, data = 08, mask = FF
Trap Ping Replies: Protocol = 1, offset = 20, data = 00, mask = FF
Trap Both: Protocol = 1, offset = 20, data = 00, mask = F7
These settings are mergeable. Changes to these settings do not require a reboot of the system.
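The custom records above (protocol, byte offset into the packet, match data and mask) applied to constructed packets, so the reader can see which bytes each record actually tests: offset 20 lands on the TCP source port and the ICMP type byte, offset 22 on the TCP destination port, and the F7 mask makes 08 (echo request) and 00 (echo reply) compare equal. This is an added example, not the product's own matching code; the offsets assume a 20-byte IPv4 header with no options, and the offset of the "all TCP ports" record, which the page does not give, is assumed to be 20.

```python
import struct

# Custom records as given on this page: IP protocol, byte offset from the start of
# the IP header, match data and mask as hex. The "all TCP ports" record's offset is
# not stated on the page; 20 is assumed (with an all-zero mask it cannot matter).
RULES = {
    "netbios_to_isp_dns": dict(proto=6, offset=20, data="00890035", mask="FFFFFFFF"),  # sport 137 -> dport 53
    "http_port_8000":     dict(proto=6, offset=22, data="1F40", mask="FFFF"),          # dport 0x1F40 = 8000
    "all_tcp":            dict(proto=6, offset=20, data="00" * 16, mask="00" * 16),
    "trap_pings":         dict(proto=1, offset=20, data="08", mask="FF"),              # ICMP type 8
    "trap_ping_replies":  dict(proto=1, offset=20, data="00", mask="FF"),              # ICMP type 0
    "trap_both":          dict(proto=1, offset=20, data="00", mask="F7"),              # F7 ignores bit 3: 08 and 00 both match
}

def matches(rule, pkt):
    """Protocol byte must equal; then every byte of (packet AND mask) must equal (data AND mask)."""
    if pkt[9] != rule["proto"]:          # IPv4 protocol field is byte 9 of the header
        return False
    data, mask = bytes.fromhex(rule["data"]), bytes.fromhex(rule["mask"])
    window = pkt[rule["offset"]:rule["offset"] + len(data)]
    if len(window) < len(data):          # packet too short to hold the pattern
        return False
    return all((w & m) == (d & m) for w, d, m in zip(window, data, mask))

# Constructed test packets (not captured traffic). A 20-byte IPv4 header (IHL=5) puts
# the transport header at offset 20, which is what the page's offsets assume; IP
# options would shift every offset by their length.
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    return hdr + payload

def tcp(sport, dport):
    # TCP header: ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    return ipv4(6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0))

def icmp(icmp_type):
    # ICMP header: type, code, checksum, identifier, sequence
    return ipv4(1, struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0))

def hits(pkt):
    """Names of every custom record that traps this packet."""
    return [name for name, rule in RULES.items() if matches(rule, pkt)]

if __name__ == "__main__":
    # NetBIOS name service (137) to the ISP resolver (53), web on 8000, echo request/reply, dest-unreachable
    for pkt in (tcp(137, 53), tcp(40000, 8000), icmp(8), icmp(0), icmp(3)):
        print(hits(pkt))
```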