Snort rules and configuration are added to the parsers/snort directory for Investigator and Decoder. Decoder supports the payload detection capabilities of Snort rules. Rules files must have the extension .rules and configuration files must have the extension .conf. The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token: only once a token is matched are the rule header and the remaining rule options evaluated. Currently, rules that do not define any content (via the content or uricontent rule options) are not supported.
The configuration files are loaded before the rules are loaded.
Meta key usage
Starting with the 11.3 release, an attempt has been made to better align the Snort parser's meta key usage with that of other parsers. As of the 11.3 release, the default mode of operation continues to write to the legacy key set (consistent with previous releases). To use the aligned key set, set the udm option to true for the Snort parser in the parser.options configuration node. Refer to the General options section, below, for a description of how the two modes differ.
- Any rule that does not parse correctly is ignored.
- Any valid Snort rule should parse successfully; however, rule options that Decoder does not support are not fully parsed.
Snort rules are parsed and loaded when PCS is loaded (any import/capture in Investigator, initial capture start and parser reload in Decoder).
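As an added worked example (not Decoder, Investigator or NetWitness code), the following Python models the token-first evaluation described above together with the loading behaviour in the list just given: a constructed .conf-style text supplying variables is loaded first, then constructed .rules text is parsed, rules that do not parse or carry no content/uricontent option are dropped, and a payload is checked against the remaining rules by looking for a content token before the rule header and the other tokens are evaluated. The variable and port syntax handled, the |..| hex content notation, the sample rules and the HTTP payload are all assumptions chosen for the illustration; the exact subset of Snort syntax Decoder accepts is not documented on this page.

```python
"""Toy model of content-token-driven Snort rule evaluation (added illustration,
not Decoder code).  Rule and config text below are constructed for the example."""
import re
from dataclasses import dataclass

# Constructed stand-in for a .conf file: variables must exist before rules load.
CONF_TEXT = """
var HOME_NET any
portvar HTTP_PORTS [80,8080]
"""

# Constructed stand-in for a .rules file.
RULES_TEXT = r'''
# lines starting with # are comments
alert tcp any any -> any $HTTP_PORTS (msg:"passwd in request"; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"GET cgi-bin"; content:"|47 45 54 20|/cgi-bin/"; nocase; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"no content: unsupported, dropped"; sid:1000003; rev:1;)
this line is not a rule and is ignored
alert tcp $HOME_NET any -> any 443 (msg:"admin uri"; uricontent:"/ADMIN"; nocase; sid:1000004; rev:1;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')
# name[:value]; a quoted value may contain escaped quotes or semicolons
OPT_RE = re.compile(r'\s*(?P<name>[A-Za-z_]+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: str
    tokens: list          # [(bytes, nocase), ...] in rule order


def load_config(text):
    """Collect var/portvar/ipvar definitions; other config lines are ignored here."""
    variables = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("var", "portvar", "ipvar"):
            variables[parts[1]] = parts[2]
    return variables


def decode_content(raw):
    """Turn "abc|0d 0a|def" into bytes: text segments alternate with |hex| segments."""
    out = bytearray()
    for i, seg in enumerate(raw.strip('"').split('|')):
        if i % 2 == 0:
            out += re.sub(r'\\(.)', r'\1', seg).encode('latin-1')   # unescape \" \; \\ \|
        else:
            out += bytes.fromhex(seg)
    return bytes(out)


def parse_rules(text, variables):
    """Return (rules, skipped); skipped records why each rejected line was dropped."""
    def expand(s):
        return variables.get(s[1:], s) if s.startswith('$') else s

    rules, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            skipped.append((line, 'does not parse'))
            continue
        tokens, sid, msg = [], None, ''
        for o in OPT_RE.finditer(m['opts']):
            name, val = o['name'], (o['val'] or '').strip()
            if name in ('content', 'uricontent'):
                tokens.append([decode_content(val), False])
            elif name == 'nocase' and tokens:
                tokens[-1][1] = True          # modifier applies to the preceding content
            elif name == 'sid':
                sid = int(val)
            elif name == 'msg':
                msg = val.strip('"')
        if not tokens:
            skipped.append((line, 'no content/uricontent token'))
            continue
        rules.append(Rule(sid, msg, m['proto'], expand(m['dport']), [tuple(t) for t in tokens]))
    return rules, skipped


def port_matches(spec, port):
    """spec is 'any', a port, a lo:hi range, or a [comma,separated] list of those."""
    if spec == 'any':
        return True
    for item in spec.strip('[]').split(','):
        lo, _, hi = item.partition(':')
        if (int(lo) <= port <= int(hi)) if hi else port == int(lo):
            return True
    return False


def token_hit(token, nocase, payload):
    return (token.lower() in payload.lower()) if nocase else (token in payload)


def match(rules, proto, dport, payload):
    """Stage 1: the first content token must be present.  Stage 2: header, then remaining tokens."""
    hits = []
    for r in rules:
        first, nocase = r.tokens[0]
        if not token_hit(first, nocase, payload):
            continue                                   # cheap token scan rejects most rules
        if r.proto != proto or not port_matches(r.dport, dport):
            continue                                   # header evaluated only after a token hit
        if all(token_hit(t, nc, payload) for t, nc in r.tokens[1:]):
            hits.append(r.sid)
    return hits


if __name__ == '__main__':
    rules, skipped = parse_rules(RULES_TEXT, load_config(CONF_TEXT))
    req = b"GET /cgi-bin/view.cgi?f=/etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"
    print([r.sid for r in rules], skipped)
    print(match(rules, 'tcp', 8080, req))        # [1000001, 1000002]
    print(match(rules, 'tcp', 9000, req))        # [] : tokens hit, header fails
    print(match(rules, 'tcp', 443, b"GET /admin HTTP/1.1\r\n"))  # [1000004]
```

The two-stage order is the point: the rule on port 9000 never reaches header evaluation for most rules, and a rule whose token does appear is still rejected when its header does not fit the traffic. The udp rule without content and the malformed line are both reported in `skipped` rather than silently lost, which is worth keeping in any real loader so that a rule set that silently shrinks is noticed.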
Snort rule general options can result in different meta keys being written depending on whether the Snort parser is in legacy mode or not.
Aligned key mode:
Legacy key mode:
Decoder supports the following payload rule options: