Search Site

Search Rules

Account

email
password

not registered?

can't login?

user preferences

Subsections

3.4 Meta-Data Rule Options

3.4.1 msg

The msg rule option tells the logging and alerting engine the message to print along with a packet dump or to an alert. It is a simple text string that utilizes the \ as an escape character to indicate a discrete character that might otherwise confuse Snort's rules parser (such as the semi-colon ; character).

3.4.1.1 Format

msg: "<message text>";

3.4.2 reference

The reference keyword allows rules to include references to external attack identification systems. The plugin currently supports several specific systems as well as unique URLs. This plugin is to be used by output plugins to provide a link to additional information about the alert produced.

Make sure to also take a look at http://www.snort.org/pub-bin/sigs-search.cgi/ for a system that is indexing descriptions of alerts based off of the sid (See Section 3.4.3).

**Table 3.1:** Supported Systems
System	URL Prefix
bugtraq	http://www.securityfocus.com/bid/
cve	http://cve.mitre.org/cgi-bin/cvename.cgi?name=
nessus	http://cgi.nessus.org/plugins/dump.php3?id=
arachnids	(currently down) http://www.whitehats.com/info/IDS
mcafee	http://vil.nai.com/vil/dispVirus.asp?virus_k=
url	http://

3.4.2.1 Format

reference: <id system>,<id>; [reference: <id system>,<id>;]

**Figure 3.8:** Reference Usage Examples
$\begin{figure}\begin{verbatim}alert tcp any any -> any 7070 (msg:''IDS411/dos-... ...:bugtraq,1387; \ reference:cve,CAN-2000-1574;)\end{verbatim} \par\end{figure}$

3.4.3 sid

The sid keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily. This option should be used with the rev keyword. (See section 3.4.4)

100 Reserved for future use
100-1,000,000 Rules included with the Snort distribution
1,000,000 Used for local rules

The file sid-msg.map contains a mapping of alert messages to Snort rule IDs. This information is useful when post-processing alert to map an ID to an alert message.

3.4.3.1 Format

sid: <snort rules id>;

3.4.3.2 Example

This example is a rule with the Snort Rule ID of 1000983.

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

3.4.4 rev

The sid keyword is used to uniquely identify revisions of Snort rules. Revisions, along with Snort rule id's, allow signatures and descriptions to be refined and replaced with updated information. This option should be used with the sid keyword. (See section 3.4.3)

3.4.4.1 Format

rev: <revision integer>

3.4.4.2 Example

This example is a rule with the Snort Rule Revision of 1.

alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

3.4.5 classtype

The classtype keyword categorizes alerts to be attack classes. By using the and prioritized. The user can specify what priority each type of rule classification has. Rules that have a classification will have a default priority set.

3.4.5.1 Format

classtype: <class name>;

Rule classifications are defined in the classification.config file. The config file uses the following syntax:

config classification:  <class name>,<class description>,<default priority>

The standard classifications included with Snort are listed in Table 3.2. The standard classifications are ordered with 3 default priorities currently. A priority 1 is the most severe priority level of the default rule set and 4 is the least severe.

**Table 3.2:** Snort Default Classifications
Classtype	Description	Priority
attempted-admin	Attempted Administrator Privilege Gain	high
attempted-user	Attempted User Privilege Gain	high
shellcode-detect	Executable code was detected	high
successful-admin	Successful Administrator Privilege Gain	high
successful-user	Successful User Privilege Gain	high
trojan-activity	A Network Trojan was detected	high
unsuccessful-user	Unsuccessful User Privilege Gain	high
web-application-attack	Web Application Attack	high
attempted-dos	Attempted Denial of Service	medium
attempted-recon	Attempted Information Leak	medium
bad-unknown	Potentially Bad Traffic	medium
denial-of-service	Detection of a Denial of Service Attack	medium
misc-attack	Misc Attack	medium
non-standard-protocol	Detection of a non-standard protocol or event	medium
rpc-portmap-decode	Decode of an RPC Query	medium
successful-dos	Denial of Service	medium
successful-recon-largescale	Large Scale Information Leak	medium
successful-recon-limited	Information Leak	medium
suspicious-filename-detect	A suspicious filename was detected	medium
suspicious-login	An attempted login using a suspicious username was detected	medium
system-call-detect	A system call was detected	medium
unusual-client-port-connection	A client was using an unusual port	medium
web-application-activity	access to a potentially vulnerable web application	medium
icmp-event	Generic ICMP event	low
misc-activity	Misc activity	low
network-scan	Detection of a Network Scan	low
not-suspicious	Not Suspicious Traffic	low
protocol-command-decode	Generic Protocol Command Decode	low
string-detect	A suspicious string was detected	low
unknown	Unknown Traffic	low

**Figure 3.9:** Example Classtype Rules
$\begin{figure}\begin{verbatim}alert tcp any any -> any 80 (msg:''EXPLOIT ntpdx... ...nt:''expn root''; nocase; classtype:attempted-recon;)\end{verbatim} \end{figure}$

3.4.5.2 Warnings

classtype uses classifications defined by the classification config option. The classifications used by the rules provided with Snort are defined in etc/classification.config

3.4.6 Priority

The priority tag assigns a severity level to rules. A classtype rule assigns a default priority that may be overridden with a priority rule. For an example in conjunction with a classification rule refer to Figure 3.9. For use by itself, see Figure 3.10

3.4.6.1 Format

priority: <priority integer>;

**Figure 3.10:** Example Priority Rule
$\begin{figure}\begin{verbatim}alert TCP any any -> any 80 (msg: ''WEB-MISC phf... ...A+; \ content: ''/cgi-bin/phf''; priority:10;)\end{verbatim} \par\end{figure}$