Protocol, Source addresses – Force10 Networks PSeries 100-00055-01 User Manual

Writing Rules

pass directs Snort to ignore the packet.

activate directs Snort to generate an alert and activate another specified rule.

dynamic directs Snort to disregard the rule until it is activated by another rule. Once activated, the action defaults to log.

Protocol

Snort supports four protocols: tcp, udp, icmp, or ip. The protocol keyword follows the action keyword.

Source Addresses

The source address and port follow the protocol keyword. Addresses are written using dotted-decimal
notation with the subnet mask in CIDR block notation. For example, the address/CIDR combination
192.168.1.0/24 signifies a block of addresses from 192.168.1.1 to 192.168.1.255. The keyword any may be
used to define any source address.

The address field can be negated by placing an exclamation point before the address. This operator specifies all addresses other than the one contained in the rule. The rule in Table 13 specifies all traffic originating from outside the local network and destined for the local network.

Lists of IP addresses can be specified by placing the addresses in brackets and separating each address with a comma; do not include spaces. Table 14 shows an example of a rule containing multiple addresses.

Note: The default actions for the P-Series are different from Snort. See “P-Series Rule Syntax” on page 66.

The meaning of the Snort action keyword dynamic is not the same as P-Series dynamic rules. Dynamic rules in Snort are rules that must be activated, whereas with the P-Series, dynamic rules are any rules that are uploaded to the FPGA without creating new firmware.

Note: The negation operator may not be placed before the keyword any.

Table 13 Rules Containing Address Negation

alert tcp !192.168.1.0/24 any -> 192.186.1.0/24 111 (content:"| 00 01 86 a5 |"; msg:"mounted access";)

Table 14 Rules Containing Multiple IP Addresses

alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.186.1.0/24,10.1.1.0/24] 111 (content:"| 00 01 86 a5 |";\
msg:"mounted access";)
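The address-field rules described under Source Addresses (CIDR blocks, the keyword any, the ! negation operator, bracketed comma-separated lists with no spaces, and the prohibition on !any) are easy to get wrong when reading or auditing a rule set. The following Python parser and matcher is an added example written for this page; it is not code from the manual, from Force10, or from Snort itself. It parses a rule header in the shape shown in Tables 13 and 14, joins the backslash line continuation used in Table 14, and evaluates whether a constructed packet tuple would be selected by the header. The two sample rules are constructed for the example (straight quotes, and 192.168.1.0/24 on both sides so the negated rule reads as "from outside the local network to inside it"); only the -> direction shown on this page is supported.

```python
import ipaddress
import re

# Keywords as listed in the manual: five actions and four protocols.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Rule header: action proto src sport -> dst dport, optionally followed by the
# option section in parentheses. Only the -> direction from the manual's tables.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?$"
)


def parse_address(field):
    """Return (negated, networks) for one address field.

    networks is the string "any" or a list of ip_network objects. Raises
    ValueError for "!any", for spaces inside a bracketed list, and for
    malformed CIDR entries.
    """
    negated = field.startswith("!")
    if negated:
        field = field[1:]
    if field == "any":
        if negated:
            raise ValueError("negation operator may not be placed before 'any'")
        return False, "any"
    if field.startswith("[") and field.endswith("]"):
        items = field[1:-1].split(",")
    else:
        items = [field]
    networks = []
    for item in items:
        if not item or item != item.strip():
            raise ValueError(f"address list must not contain spaces or empty entries: {field!r}")
        # strict=False accepts host bits set, e.g. 192.168.1.1/24
        networks.append(ipaddress.ip_network(item, strict=False))
    return negated, networks


def validate_address(field):
    """True if the field is an address form the manual allows, else False."""
    try:
        parse_address(field)
        return True
    except ValueError:
        return False


def parse_port(field):
    """'any' -> None; a single port or low:high range -> (low, high)."""
    if field == "any":
        return None
    if ":" in field:
        lo, hi = field.split(":", 1)
        return int(lo or 0), int(hi or 65535)
    port = int(field)
    return port, port


def parse_rule(text):
    """Parse a Snort-style rule header; backslash-newline continuations are joined first."""
    text = text.replace("\\\n", "").strip()
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {m['proto']!r}")
    return {
        "action": m["action"],
        "proto": m["proto"],
        "src": parse_address(m["src"]),
        "sport": parse_port(m["sport"]),
        "dst": parse_address(m["dst"]),
        "dport": parse_port(m["dport"]),
        "options": m["opts"] or "",
    }


def address_matches(spec, ip):
    """Apply negation: a negated field matches exactly the addresses outside its networks."""
    negated, networks = spec
    if networks == "any":
        return True
    inside = any(ipaddress.ip_address(ip) in net for net in networks)
    return inside != negated


def port_matches(spec, port):
    return spec is None or spec[0] <= port <= spec[1]


def rule_matches(rule, proto, src_ip, sport, dst_ip, dport):
    """Does the parsed header select this packet tuple? 'ip' rules match every protocol."""
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    return (address_matches(rule["src"], src_ip) and port_matches(rule["sport"], sport)
            and address_matches(rule["dst"], dst_ip) and port_matches(rule["dport"], dport))


# Constructed sample rules modelled on Tables 13 and 14 (not copied from the manual).
NEGATED_RULE = ('alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 '
                '(content:"| 00 01 86 a5 |"; msg:"mounted access";)')
LIST_RULE = ('alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> [192.168.1.0/24,10.1.1.0/24] 111 '
             '(content:"| 00 01 86 a5 |";\\\nmsg:"mounted access";)')
```

Running parse_rule on NEGATED_RULE and then rule_matches with a source outside 192.168.1.0/24 and a destination inside it returns True, while a source inside the block returns False; validate_address("!any") returns False, matching the manual's note that the negation operator may not precede any, and a bracketed list containing a space is likewise rejected.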