| Search Site |
| Search Rules |
| Account |
| not registered? |
| can't login? |
| user preferences |
 |
 |
|
|||||||||||||||||||
3. Writing Snort Rules
How to Write Snort Rules and Keep Your Sanity
Subsections
- 3.1 The Basics
- 3.2 Rules Headers
- 3.2.1 Rule Actions
- 3.2.2 Protocols
- 3.2.3 IP Addresses
- 3.2.4 Port Numbers
- 3.2.5 The Direction Operator
- 3.2.6 Activate/Dynamic Rules
- 3.3 Rule Options
- 3.4 Meta-Data Rule Options
- 3.5 Payload Detection Rule Options
- 3.5.1 content
- 3.5.2 nocase
- 3.5.3 rawbytes
- 3.5.4 depth
- 3.5.5 offset
- 3.5.6 distance
- 3.5.7 within
- 3.5.8 uricontent
- 3.5.9 isdataat
- 3.5.10 pcre
- 3.5.11 byte_test
- 3.5.12 byte_jump
- 3.5.13 ftpbounce
- 3.5.14 regex
- 3.5.15 content-list
- 3.6 Non-payload Detection Rule Options
- 3.6.1 fragoffset
- 3.6.2 ttl
- 3.6.3 tos
- 3.6.4 id
- 3.6.5 ipopts
- 3.6.6 fragbits
- 3.6.7 dsize
- 3.6.8 flags
- 3.6.9 flow
- 3.6.10 flowbits
- 3.6.11 seq
- 3.6.12 ack
- 3.6.13 window
- 3.6.14 itype
- 3.6.15 icode
- 3.6.16 icmp_id
- 3.6.17 icmp_seq
- 3.6.18 rpc
- 3.6.19 ip_proto
- 3.6.20 sameip
- 3.7 Post-Detection Rule Options
- 3.8 Event Thresholding
- 3.8.1 Standalone Options
- 3.8.2 Standalone Format
- 3.8.3 Rule Keyword Format
- 3.8.4 Rule Keyword Format
- 3.8.5 Examples
- 3.9 Event Suppression
- 3.10 Snort Multi-Event Logging (Event Queue)
- 3.11 Writing Good Rules
| site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved. |