Search Site

Search Rules

Account

email
password

not registered?

can't login?

user preferences

3.6 Non-Payload Detection Rule Options

3.6.1 fragoffset

The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. To catch all the first fragments of an IP session, you could use the fragbits keyword and look for the More fragments option in conjunction with a fragoffset of 0.

3.6.1.1 Format

fragoffset:[<|>]<number>

Figure: Fragoffset Usage Example

3.6.2 ttl

The ttl keyword is used to check the IP time-to-live value. This option keyword was intended for use in the detection of traceroute attempts.

3.6.2.1 Format

ttl:[[<number>-]><=]<number>;

3.6.2.2 Example

This example checks for a time-to-live value that is less than 3.

ttl:<3;

This example checks for a time-to-live value that between 3 and 5.

ttl:3-5;

3.6.3 tos

The tos keyword is used to check the IP TOS field for a specific value.

3.6.3.1 Format

tos:[!]<number>;

3.6.3.2 Example

This example looks for a tos value that is not 4

tos:!4;

3.6.4 id

The id keyword is used to check the IP ID field for a specific value. Some tools (exploits, scanners and other odd programs) set this field specifically for various purposes, for example, the value 31337 is very popular with some hackers.

3.6.4.1 Format

id:<number>;

3.6.4.2 Example

This example looks for the IP ID of 31337.

id:31337;

3.6.5 ipopts

The ipopts keyword is used to check if a specific IP option is present.

The following options may be checked:

rr

- Record route

eol

- End of list

nop

- No op

ts

- Time Stamp

sec

- IP security option

lsrr

- Loose source routing

ssrr

- Strict source routing

satid

- Stream identifier

any

- any IP options are set

The most frequently watched for IP options are strict and loose source routing which aren't used in any widespread internet applications.

3.6.5.1 Format

ipopts:<rr|eol|nop|ts|sec|lsrr|ssrr|satid|any>;

3.6.5.2 Example

This example looks for the IP Option of Loose Source Routing.

ipopts:lsrr;

3.6.5.3 Warning

Only a single ipopts keyword may be specified per rule.

3.6.6 fragbits

The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header.

The following bits may be checked:

M

- More Fragments

D

- Don't Fragment

R

- Reserved Bit

The following modifiers can be set to change the match criteria:

+

match on the specified bits, plus any others

*

match if any of the specified bits are set

!

match if the specified bits are not set

3.6.6.1 Format

fragbits:[+*!]<[MDR]>

3.6.6.2 Example

This example checks if the More Fragments bit and the Do not Fragment bit are set.

fragbits:MD+;

3.6.7 dsize

The dsize keyword is used to test the packet payload size. This may be used to check for abnormally sized packets. In many cases, it is useful for detecting buffer overflows.

3.6.7.1 Format

dsize: [<>]<number>[<><number>];

3.6.7.2 Example

This example looks for a dsize that is between 300 and 400 bytes.

dsize:300<>400;

3.6.7.3 Warning

dsize will fail on stream rebuilt packets, regardless of the size of the payload.

3.6.8 flags

The flags keyword is used to check if specific TCP flag bits are present.

The following bits may be checked:

F

- FIN (LSB in TCP Flags byte)

S

- SYN

R

- RST

P

- PSH

A

- ACK

U

- URG

1

- Reserved bit 1 (MSB in TCP Flags byte)

2

- Reserved bit 2

0

- No TCP Flags Set

The following modifiers can be set to change the match criteria:

+

- match on the specified bits, plus any others

*

- match if any of the specified bits are set

!

- match if the specified bits are not set

To handle writing rules for session initiation packets such as ECN where a SYN packet is sent with the previously reserved bits 1 and 2 set, an option mask may be specified. A rule could check for a flags value of S,12 if one wishes to find packets with just the syn bit, regardless of the values of the reserved bits.

3.6.8.1 Format

flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];

3.6.8.2 Example

This example checks if just the SYN and the FIN bits are set, ignoring reserved bit 1 and reserved bit 2.

alert tcp any any -> any any (flags:SF,12;)

3.6.9 flow

The flow rule option is used in conjunction with TCP stream reassembly (see Section ). It allows rules to only apply to certain directions of the traffic flow.

This allows rules to only apply to clients or servers. This allows packets related to $HOME_NET clients viewing web pages to be distinguished from servers running the $HOME_NET.

The established keyword will replace the flags: A+ used in many places to show established TCP connections.

Options

Option	Description
to_client	Trigger on server responses from A to B
to_server	Trigger on client requests from A to B
from_client	Trigger on client requests from A to B
from_server	Trigger on server responses from A to B
established	Trigger only on established TCP connections
stateless	Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash)
no_stream	Do not trigger on rebuilt stream packets (useful for dsize and stream4)
only_stream	Only trigger on rebuilt stream packets

3.6.9.1 Format

flow: [(established|stateless)] 
      [,(to_client|to_server|from_client|from_server)]
      [,(no_stream|only_stream)]

Figure: Flow usage examples

3.6.10 flowbits

The flowbits rule option is used in conjunction with conversation tracking from the Flow preprocessor (see Section). It allows rules to track states across transport protocol sessions. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol.

There are seven keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. This string should be limited to any alphanumeric string including periods, dashes, and underscores.

Option	Description
set	Sets the specified state for the current flow.
unset	Unsets the specified state for the current flow.
toggle	Sets the specified state if the state is unset, otherwise unsets the state if the state is set.
isset	Checks if the specified state is set.
isnotset	Checks if the specified state is not set.
noalert	Cause the rule to not generate an alert, regardless of the rest of the detection options.

3.6.10.1 Format

flowbits: [set|unset|toggle|isset,reset,noalert][,<STATE_NAME>];

Figure: Flowbits Usage Examples

3.6.11 seq

The seq keyword is used to check for a specific TCP sequence number.

3.6.11.1 Format

seq:<number>;

3.6.11.2 Example

This example looks for a TCP sequence number of 0.

seq:0;

3.6.12 ack

The ack keyword is used to check for a specific TCP acknowledge number.

3.6.12.1 Format

ack: <number>;

3.6.12.2 Example

This example looks for a TCP acknowledge number of 0.

ack:0;

3.6.13 window

The window keyword is used to check for a specific TCP window size.

3.6.13.1 Format

window:[!]<number>;

3.6.13.2 Example

This example looks for a TCP window size of 55808.

window:55808;

3.6.14 itype

The itype keyword is used to check for a specific ICMP type value.

3.6.14.1 Format

itype:[<|>]<number>[<><number>];

3.6.14.2 Example

This example looks for an ICMP type greater than 30.

itype:>30;

3.6.15 icode

The itype keyword is used to check for a specific ICMP code value.

3.6.15.1 Format

icode: [<|>]<number>[<><number>];

3.6.15.2 Example

This example looks for an ICMP code greater than 30.

code:>30;

3.6.16 icmp_id

The itype keyword is used to check for a specific ICMP ID value.

This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.

3.6.16.1 Format

icmp_id:<number>;

3.6.16.2 Example

This example looks for an ICMP ID of 0.

icmp_id:0;

3.6.17 icmp_seq

The itype keyword is used to check for a specific ICMP sequence value.

This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.

3.6.17.1 Format

icmp_seq: <number>;

3.6.17.2 Example

This example looks for an ICMP Sequence of 0.

icmp_seq:0;

3.6.18 rpc

The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests.

Wildcards are valid for both version and procedure numbers by using '*';

3.6.18.1 Format

rpc: <application number>, [<version number>|*], [<procedure number>|*]>;

3.6.18.2 Example

The following example looks for an RPC portmap GETPORT request.

alert tcp any any -> any 111 (rpc: 100000,*,3;);

3.6.18.3 Warning

Because of the fast pattern matching engine, the RPC keyword is slower than looking for the RPC values by using normal content matching.

3.6.19 ip_proto

The ip_proto keyword allows checks against the IP protocol header. For a list of protocols that may be specified by name, see /etc/protocols.

3.6.19.1 Format

ip_proto:[!><] <name or number>;

3.6.19.2 Example

This example looks for IGMP traffic.

alert ip any any -> any any (ip_proto:igmp;)

3.6.20 sameip

The sameip keyword allows rules to check if the source ip is the same as the destination IP.

3.6.20.1 Format

sameip;

3.6.20.2 Example

This example looks for any traffic where the Source IP and the Destination IP is the same.

alert ip any any -> any any (sampeip;)

site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.