In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.
Additionally, some tables embedded into images were also replaced by reST tables.
Header Keywords
===============
+.. role:: example-rule-emphasis
IP-keywords
-----------
Example of the ttl keyword in a rule:
-.. image:: header-keywords/ttl.png
+.. container:: example-rule
+
+ alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;)
Ipopts
^^^^^^
match on one option per rule. There are several options on which can
be matched. These are:
-.. image:: header-keywords/ipopts.png
+========= =============================
+IP Option Description
+========= =============================
+rr Record Route
+eol End of List
+nop No Op
+ts Time Stamp
+sec IP Security
+esec IP Extended Security
+lsrr Loose Source Routing
+ssrr Strict Source Routing
+satid Stream Identifier
+any any IP options are set
+========= =============================
Format of the ipopts keyword::
Example of ipopts in a rule:
-.. image:: header-keywords/ipopts_rule.png
+.. container:: example-rule
+
+ alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; :example-rule-emphasis:`ipopts:ssrr;` reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3;)
sameip
^^^^^^
Example of sameip in a rule:
-.. image:: header-keywords/sameip.png
+.. container:: example-rule
+
+ alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; :example-rule-emphasis:`sameip;` reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;)
ip_proto
^^^^^^^^
Example of ip_proto in a rule:
-.. image:: header-keywords/ip_proto.png
+.. container:: example-rule
+
+ alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;)
The named variante of that example would be::
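Review bot: the unchanged line directly after this hunk, "The named variante of that example would be::", has a typo ("variant"); since the surrounding paragraph is being touched anyway, it is worth fixing in passing.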
Example of id in a rule:
-.. image:: header-keywords/id.png
+.. container:: example-rule
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; :example-rule-emphasis:`id: 1;` dsize: 24; flags: S,12; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13;)
Geoip
^^^^^
Example of fragbits in a rule:
-.. image:: header-keywords/fragbits.png
+.. container:: example-rule
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; :example-rule-emphasis:`fragbits: M;` fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Fragoffset
^^^^^^^^^^
Example of fragoffset in a rule:
-.. image:: header-keywords/fragoffset.png
+.. container:: example-rule
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: M; :example-rule-emphasis:`fragoffset: >0;` reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
TCP keywords
------------
Example of seq in a signature:
-.. image:: header-keywords/seq.png
+.. container:: example-rule
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; :example-rule-emphasis:`seq:0;` reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)
Example of seq in a packet (Wireshark):
Example of ack in a signature:
-.. image:: header-keywords/ack.png
+.. container:: example-rule
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; :example-rule-emphasis:`ack:0;` flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)
Example of ack in a packet (Wireshark):
Example of window in a rule:
-.. image:: header-keywords/Window.png
+.. container:: example-rule
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED typot trojan traffic"; flow:stateless; flags:S,12; :example-rule-emphasis:`window:55808;` reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;)
ICMP keywords
-------------
Example of the itype keyword in a signature:
-.. image:: header-keywords/icmp_type.png
+.. container:: example-rule
+
+ alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; :example-rule-emphasis:`itype:8;` classtype:attempted-recon; sid:2100478; rev:4;)
+
+The following lists all ICMP types known at the time of writing. A recent table can be found `at the website of IANA <https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml>`_
+
+========== ==========================================================
+ICMP Type Name
+========== ==========================================================
+0 Echo Reply
+3 Destination Unreachable
+4 Source Quench
+5 Redirect
+6 Alternate Host Address
+8 Echo
+9 Router Advertisement
+10 Router Solicitation
+11 Time Exceeded
+12 Parameter Problem
+13 Timestamp
+14 Timestamp Reply
+15 Information Request
+16 Information Reply
+17 Address Mask Request
+18 Address Mask Reply
+30 Traceroute
+31 Datagram Conversion Error
+32 Mobile Host Redirect
+33 IPv6 Where-Are-You
+34 IPv6 I-Am-Here
+35 Mobile Registration Request
+36 Mobile Registration Reply
+37 Domain Name Request
+38 Domain Name Reply
+39 SKIP
+40 Photuris
+41 Experimental mobility protocols such as Seamoby
+========== ==========================================================
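Review bot: the sentence introducing this table ends without a full stop after the IANA link, and the identical sentence is repeated verbatim in the icode hunk below; one link per file is enough, or at least finish the sentence. "known at the time of writing" would be more useful with the date or registry revision the snapshot was taken from, since the list will drift from the IANA page.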
icode
^^^^^
Example of the icode keyword in a rule:
-.. image:: header-keywords/icode.png
+.. container:: example-rule
+
+ alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; :example-rule-emphasis:`icode:0;` itype:11; classtype:misc-activity; sid:2100449; rev:7;)
+
+The following lists the meaning of all ICMP types. When a code is not listed,
+only type 0 is defined and has the meaning of the ICMP code, in the table above.
+A recent table can be found `at the website of IANA <https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml>`_
+
+========== ========== =========================================================================
+ICMP Code ICMP Type Description
+========== ========== =========================================================================
+3 - 0 - Net Unreachable
+ - 1 - Host Unreachable
+ - 2 - Protocol Unreachable
+ - 3 - Port Unreachable
+ - 4 - Fragmentation Needed and Don't Fragment was Set
+ - 5 - Source Route Failed
+ - 6 - Destination Network Unknown
+ - 7 - Destination Host Unknown
+ - 8 - Source Host Isolated
+ - 9 - Communication with Destination Network is Administratively Prohibited
+ - 10 - Communication with Destination Host is Administratively Prohibited
+ - 11 - Destination Network Unreachable for Type of Service
+ - 12 - Destination Host Unreachable for Type of Service
+ - 13 - Communication Administratively Prohibited
+ - 14 - Host Precedence Violation
+ - 15 - Precedence cutoff in effect
+5 - 0 - Redirect Datagram for the Network (or subnet)
+ - 1 - Redirect Datagram for the Host
+ - 2 - Redirect Datagram for the Type of Service and Network
+ - 3 - Redirect Datagram for the Type of Service and Host
+9 - 0 - Normal router advertisement
+ - 16 - Doest not route common traffic
+11 - 0 - Time to Live exceeded in Transit
+ - 1 - Fragment Reassembly Time Exceeded
+12 - 0 - Pointer indicates the error
+ - 1 - Missing a Required Option
+ - 2 - Bad Length
+40 - 0 - Bad SPI
+ - 1 - Authentication Failed
+ - 2 - Decompression Failed
+ - 3 - Decryption Failed
+ - 4 - Need Authentication
+ - 5 - Need Authorization
+========== ========== =========================================================================
icmp_id
^^^^^^^
Example of the icmp_id keyword in a rule:
-.. image:: header-keywords/icmp_id.png
+.. container:: example-rule
+
+ alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; :example-rule-emphasis:`icmp_id:0;` icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4;)
icmp_seq
^^^^^^^^
Example of icmp_seq in a rule:
-.. image:: header-keywords/icmp_seq.png
-
-Message types and numbers:
-
-.. image:: header-keywords/ICMP_types.png
-
-Meaning of type-numbers en codes combined:
+.. container:: example-rule
-.. image:: header-keywords/ICMP_type_code.png
+ alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;)
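Review bot: this container lacks the blank line between `.. container:: example-rule` and the indented rule that every other example hunk has; docutils reads an indented line that directly follows a directive as a continuation of its argument, so the rule text would become the container's class list instead of its body. The same applies to the action, source/destination and ports hunks further down. If the diff view merely dropped an unchanged blank line, ignore this; otherwise please add it.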
HTTP Keywords
=============
+.. role:: example-rule-emphasis
There are additional content modifiers that can provide protocol-specific
capabilities at the application layer. More information can be found at
Example of ``uricontent``:
-.. image:: http-keywords/uricontent.png
+.. container:: example-rule
+
+ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; :example-rule-emphasis:`uricontent:"/frame.html?";` urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)
The difference between ``http_uri`` and ``uricontent`` is the syntax:
Example of ``urilen`` in a signature:
-.. image:: http-keywords/urilen1.png
+.. container:: example-rule
+
+ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; :example-rule-emphasis:`urilen: > 80;` classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)
You can also append ``norm`` or ``raw`` to define what sort of buffer you want
to use (normalized or raw buffer).
The action, header and rule-options.
+.. role:: example-rule-action
+.. role:: example-rule-header
+.. role:: example-rule-options
+.. role:: example-rule-emphasis
+
Example of a signature:
-.. image:: intro/intro_sig.png
+.. container:: example-rule
+
+ :example-rule-action:`drop` :example-rule-header:`tcp $HOME_NET any -> $EXTERNAL_NET any` :example-rule-options:`(msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)`
+
+In this example, :example-rule-action:`red` is the action,
+:example-rule-header:`green` is the header and :example-rule-options:`blue`
+are the options.
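Review bot: nothing in this change adds a stylesheet for the new `example-rule-action`, `example-rule-header`, `example-rule-options` and `example-rule-emphasis` roles, yet the explanatory sentence relies on them rendering as colours ("red is the action, green is the header and blue are the options"). Unless the theme already styles these classes, the CSS belongs in the same change, and wording that does not depend on colour (printed docs, screen readers) would be safer, e.g. "the first highlighted part is the action, the second the header and the third the options".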
Action
------
For more information read 'Action Order' see
:ref:`suricata-yaml-action-order`.
-Example:
-
-.. image:: intro/action.png
+.. container:: example-rule
-In this example the red, bold-faced part is the action.
+ :example-rule-emphasis:`drop` tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
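Review bot: removing "In this example the red, bold-faced part is the action." only here leaves the sibling sections (protocol, direction, msg, sid, rev, classtype) still carrying that sentence, so the chapter reads inconsistently; either keep it here or drop/reword it everywhere in one go. The blank line between `.. container:: example-rule` and the indented rule also appears to be missing in this hunk.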
Protocol
--------
Example:
-.. image:: intro/protocol.png
+.. container:: example-rule
+
+ drop :example-rule-emphasis:`tcp` $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
In this example the red, bold-faced part is the protocol.
Example of source and destination in a signature:
-.. image:: intro/Source.png
+.. container:: example-rule
-The red, bold-faced part is the source.
+ drop tcp :example-rule-emphasis:`$HOME_NET` any -> :example-rule-emphasis:`$EXTERNAL_NET` any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
-.. image:: intro/destination.png
-
-The red, bold-faced part is the destination.
+*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).*
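Review bot: "note the direction of the directional arrow" is redundant; "note the direction of the arrow" says the same. The two removed sentences named the source and the destination explicitly, which the single italic note loses; consider "$HOME_NET is the source and $EXTERNAL_NET the destination here; the arrow gives the direction."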
Ports (source-and destination-port)
-----------------------------------
Example of ports in a signature:
-.. image:: intro/Source-port.png
+.. container:: example-rule
+ drop tcp $HOME_NET :example-rule-emphasis:`any` -> $EXTERNAL_NET :example-rule-emphasis:`any` (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
-.. image:: intro/Dest_port.png
+*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).*
In this example, the red, bold-faced part is the port.
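Review bot: the italic note `*The first emphasized part is the source, the second is the destination ...*` was copied from the source/destination section; in this hunk the emphasised parts are the source port and the destination port, so it should say so. With two emphasised parts, the retained line "In this example, the red, bold-faced part is the port." is also now inaccurate; suggest "the emphasized parts are the source port and the destination port".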
Example of direction in a signature:
-.. image:: intro/Direction.png
+.. container:: example-rule
+
+ drop tcp $HOME_NET any :example-rule-emphasis:`->` $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
In this example the red, bold-faced part is the direction.
Meta-settings
=============
+.. role:: example-rule-emphasis
+
Meta-settings have no effect on Suricata's inspection; they do have an effect on the way Suricata reports events.
msg (message)
Another example of msg in a signature:
+.. container:: example-rule
+
+ drop tcp $HOME_NET any -> $EXTERNAL_NET any (:example-rule-emphasis:`msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)";` flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
+
In this example the red, bold-faced part is the msg.
.. note:: The following characters must be escaped inside the msg:
Example of sid in a signature:
-.. image:: meta/sid.png
+.. container:: example-rule
+
+ drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; :example-rule-emphasis:`sid:2008124;` rev:2;)
In this example the red, bold-faced part is the sid.
Example of rev in a signature:
-.. image:: meta/rev.png
+.. container:: example-rule
+
+ drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; :example-rule-emphasis:`rev:2;`)
In this example the red, bold-faced part is the rev.
Example of gid in a signature:
-.. image:: meta/gid.png
+.. container:: example-rule
+
+ 10/15/09-03:30:10.219671 [**] [:example-rule-emphasis:`1`:2008124:2] ET TROJAN Likely Bot Nick in IRC (USA +..) [**] [Classification: A Network Trojan was Detected]
+ [Priority: 3] {TCP} 192.168.1.42:1028 -> 72.184.196.31:6667
This is an example from the fast.log.
In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev).
config classification: web-application-attack,Web Application Attack,1
config classification: not-suspicious,Not Suspicious Traffic,3
-.. image:: meta/classification.png
+======================= ====================== ===========
+classtype Alert Priority
+======================= ====================== ===========
+web-application-attack Web Application Attack 1
+not-suspicious Not Suspicious Traffic 3
+======================= ====================== ===========
In this example you see how classtype appears in signatures, the
classification.config and the alert.
Another example of classtype in a signature:
-.. image:: meta/classtype.png
+.. container:: example-rule
+
+ drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; :example-rule-emphasis:`classtype:trojan-activity;` sid:2008124; rev:2;)
In this example the red, bold-faced part is the classtype.
Example of reference in a signature:
-.. image:: meta/reference.png
+.. container:: example-rule
+
+ drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; :example-rule-emphasis:`reference:url,doc.emergingthreats.net/2008124;` classtype:trojan-activity; sid:2008124; rev:2;)
In this example the red, bold-faced part is the action.
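Review bot: the retained line "In this example the red, bold-faced part is the action." under the reference example is a pre-existing copy-paste error; since the example directly above is being rewritten, this is the place to change "action" to "reference".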
Payload Keywords
================
+.. role:: example-rule-emphasis
.. toctree::
:maxdepth: 2
Example:
-.. image:: payload-keywords/content.png
+.. container:: example-rule
+
+ drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; :example-rule-emphasis:`content:"NICK ";` pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
In this example, the red, bold-faced part is the content.
example of dsize in a rule:
-.. image:: payload-keywords/dsize.png
+.. container:: example-rule
+
+ alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"GPL DELETED EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; :example-rule-emphasis:`dsize:>268;` reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;)
rpc
----
Example of the rpc keyword in a rule:
-.. image:: payload-keywords/rpc.png
+.. container:: example-rule
+
+ alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; :example-rule-emphasis:`rpc:100009,*,*;` reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
Replace
-------