Rule Search

Rule Search Introduction

The Snort Rule Search allows for full text searching for Snort rules, as well as searches against specific rule “fields”. Both full-text and field-based searches support boolean operators, using the OR operator as the default.

Full Text Searches

Full text search supports the following:

  • single keyword or SID search (ex – ‘windows’, ‘mysql’, ‘linux’)
  • multiple keyword search (ex – ‘windows 2000’, ‘mysql 4.10’)
  • multiple keyword search with terms joined by the AND, OR, and NOT boolean operators (ex – ‘windows AND 2000 NOT xp’)

The searches above will be run against the full text of the rule document. It is possible to narrow the focus of the search to specific parts of the document by doing a “field” search.

SID Composition In Searches

All SIDs are accompanied by a GID (Group ID). If a SID is presented or searched for without a GID prefix, the assumed GID is ‘1’. The GID is separated from the SID with a dash. The following searches are equivalent:

sid:12345
sid:1-12345

And the following are not:

sid:12345
sid:3-12345

The above example reinforces that for any GID other than 1 the prefix must be provided.

Field Searches

Field searches allow the scope of the search to be narrowed to specific parts of a document. The available fields are: keyword, cve, bugtraq, and sid. Boolean searches are possible with field searches just as with full text searches.

Do a field search by prepending the field type to the search value, separated by a colon, as shown in the following:

keyword:windows

keyword:windows AND keyword:2000 NOT keyword:xp

keyword:mysql cve:1234-5678

sid:3-1234

bugtraq:1234

The field ‘keyword’ searches the full text of the rule document just as with the full text search, while the cve, bugtraq, and sid searches limit the scope of their search to just those fields.

Search Results

When a search is executed that results in just a single document match, that document will be displayed. A field search by sid, for example, should result in this behavior. When a search is executed that results in multiple document matches, a paginated result list of matching rules will be displayed. The page sidebar displays a list of “associated terms” that, when clicked, are added to the search which is then re-run.

A single rule document will display the entire content of the rule, with links to relevant references.

Pages by SID

An individual rule can be accessed by SID by simply typing the sid number into the search box. This should return the rule document.
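The following is an added illustration, not part of this documentation or of the search service's own code: a small Python model of the query semantics described above (SID composition with the default GID of 1, field prefixes, boolean operators with OR as the default, and a bare SID typed into the search box). The sample rule records are constructed, and left-to-right evaluation of the operators is an assumption.

```python
from collections import namedtuple

# One rule document: GID/SID, full rule text, and its CVE / Bugtraq references.
Rule = namedtuple("Rule", "gid sid text cve bugtraq", defaults=(frozenset(), frozenset()))

# Constructed sample rule documents (not real Snort rules).
RULES = [
    Rule(1, 12345, "SERVER-OTHER windows 2000 service request", cve=frozenset({"1234-5678"})),
    Rule(3, 12345, "SERVER-MYSQL mysql 4.10 login overflow", bugtraq=frozenset({"1234"})),
    Rule(1, 200, "OS-WINDOWS windows xp smb transaction"),
]

def normalize_sid(value):
    """'12345' -> (1, 12345): the GID defaults to 1; '3-12345' -> (3, 12345)."""
    gid, _, sid = value.rpartition("-")
    return (int(gid) if gid else 1, int(sid))

def term_matches(field_name, value, rule):
    """Match one term against one rule; field_name None is a full-text term."""
    if field_name == "sid":
        return normalize_sid(value) == (rule.gid, rule.sid)
    if field_name in ("cve", "bugtraq"):
        return value in getattr(rule, field_name)
    if field_name not in (None, "keyword"):
        raise ValueError(f"unknown field: {field_name}")
    in_text = value.lower() in rule.text.lower()
    # A bare number typed into the search box also works as a SID lookup.
    if field_name is None and value.isdigit():
        return in_text or normalize_sid(value) == (rule.gid, rule.sid)
    return in_text

def query_matches(query, rule):
    """Evaluate terms left to right (assumed); OR is the default between terms."""
    result, op = None, "OR"
    for tok in query.split():
        if tok in ("AND", "OR", "NOT"):
            op = tok
            continue
        field_name, value = tok.split(":", 1) if ":" in tok else (None, tok)
        hit = term_matches(field_name, value, rule)
        if result is None:
            result = op != "OR"  # neutral start: False for OR, True for AND/NOT
        result = {"AND": result and hit, "OR": result or hit,
                  "NOT": result and not hit}[op]
        op = "OR"
    return bool(result)

def search(query, rules=RULES):
    """Return the (gid, sid) pairs of every rule the query matches."""
    return [(r.gid, r.sid) for r in rules if query_matches(query, r)]
```

With these records, `search("sid:12345")` and `search("sid:1-12345")` return the same single rule, while `search("sid:3-12345")` returns a different one.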