Snort rule options, P-series rule syntax, P-series supported snort keywords – Force10 Networks PSeries 100-00055-01 User Manual
Page 66: Destination address and port

Writing Rules
Destination Address and Port
The destination address and port follow the direction operator. The syntax of these parameters is the same
as that of the source address and port. See
Snort Rule Options
Options are made of a keyword and an argument. An argument is the packet data against which the rule is
matched. Option keywords are followed by a colon, and each option is punctuated with a semicolon.
lists the option keywords that the P-Series supports.
P-Series Rule Syntax
P-Series rules have a syntax that is slightly different from Snort rules. P-Series rules have the following
syntax:
capture/forward_policy on channel Snort_rule
• capture/forward policy can have four values: alert, permit, divert, or deny. These settings are described in
• channel can be c0 for Channel 0, c1 for Channel 1, or all for both channels.
• Snort_rule is a rule written in Snort syntax.
shows an example P-Series rule.
P-Series Supported Snort Keywords
lists Snort keywords that the P-Series supports for both dynamic and static rules.
Table 18 P-Series Rule Example
alert on c1 any any -> any any (msg:"Z Default rule fragmented ip";)
Note: P-Series does not support the Snort action keywords log, pass, activate, and dynamic. P-Series
supports the action keywords alert, permit, divert, and deny.
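The rule form described above, as an added example (not from the manual or Force10's own tooling): a small Python pre-check that splits a P-Series rule into policy, channel, Snort header and options, and flags the cases this page rules out. The function names and the regular expression are assumptions, and only the constraints visible on this page are checked.

```python
import re

# Values below are taken from the page; the code itself is a constructed example.
POLICIES = {"alert", "permit", "divert", "deny"}               # supported on P-Series
UNSUPPORTED_ACTIONS = {"log", "pass", "activate", "dynamic"}   # Snort-only actions
CHANNELS = {"c0", "c1", "all"}
# policy on channel <Snort header> (<options>)
RULE_RE = re.compile(r"^(\S+)\s+on\s+(\S+)\s+([^(]*)\((.*)\)\s*$", re.S)

def split_options(body):
    """Split 'kw:arg; kw:arg;' on semicolons that sit outside double quotes."""
    opts, cur, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if quoted or cur.strip():
        raise ValueError("option not terminated by a semicolon: " + cur.strip())
    # keyword is the text before the first colon, argument is everything after it
    return [tuple(p.strip() for p in o.partition(":")[::2]) for o in opts if o]

def check_rule(line):
    """Return (parsed, problems) for one P-Series rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None, ["not in 'policy on channel Snort_rule' form"]
    policy, channel, header, body = m.groups()
    problems = []
    if policy in UNSUPPORTED_ACTIONS:
        problems.append(f"Snort action '{policy}' is not supported on P-Series")
    elif policy not in POLICIES:
        problems.append(f"unknown policy '{policy}'")
    if channel not in CHANNELS:
        problems.append(f"channel '{channel}' is not c0, c1 or all")
    try:
        options = split_options(body)
    except ValueError as err:
        options = []
        problems.append(str(err))
    for keyword, arg in options:
        if keyword == "content" and arg.startswith("!"):
            problems.append("negated content is not supported (Table 19)")
    return {"policy": policy, "channel": channel,
            "header": header.split(), "options": options}, problems
```

Running rule files through a check like this before loading them catches rules copied from a stock Snort set that still carry an unsupported action or a negated content match.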
Table 19 Supported Snort Keywords for Static and Dynamic Rules
Keyword    Static               Dynamic
ack        Yes                  Yes
content    Yes, no negative.    No