Snort® rules and configuration are added to the parsers/snort directory for Investigation and Decoder. Decoder supports the payload detection capabilities of Snort rules. The rules files must have the extension .rules and the configuration files must have the extension .conf. The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token. Once a token is matched, the rule header and additional rule options can be evaluated. Currently, rules that do not define any content (via content or uricontent rule options) are not supported.
The configuration files are loaded prior to loading rules.
Snort rules are parsed and loaded when PCS is loaded (any import or capture in Investigator, initial capture start and parser reload in Decoder).
- Any rule that does not properly parse is ignored.
- Any valid Snort rule should successfully parse; however, rule options that are not supported by Decoder are not fully parsed.
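The token-first evaluation described above, as an added illustration that is not Decoder's own code: it filters file names by the .rules and .conf extensions (with .conf first), parses each Snort rule, takes the rule's content/uricontent strings as the tokens, ignores rules that fail to parse or define no content, and only evaluates the rule header once every token is found in a payload. The sample rules, payloads, and all function names are constructed for this example; option handling is limited to what the text mentions (content, uricontent, nocase, negated content).

```python
import re

# Constructed sample rules in standard Snort syntax (not from the page).
SAMPLE_RULES = r'''
# comment lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin"; nocase; sid:9000001; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE hex content"; content:"|16 03 01|"; sid:9000002; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE no content"; sid:9000003; rev:1;)
this line is not a rule
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# key[:value]; where a quoted value may contain ';' and escaped quotes
OPT_RE = re.compile(r'\s*(?P<key>[\w-]+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


def select_files(names):
    """Keep only .conf and .rules files; .conf files are returned first (loaded first)."""
    confs = sorted(n for n in names if n.endswith('.conf'))
    rules = sorted(n for n in names if n.endswith('.rules'))
    return confs + rules


def decode_content(value):
    """Turn a Snort content string with optional |hex| segments into bytes."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):   # odd-indexed parts are hex
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Parse one rule line; return None when the line is not a well-formed rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'], rule['tokens'], rule['sid'] = [], [], None
    for o in OPT_RE.finditer(m.group('opts')):
        key, val = o.group('key'), o.group('val')
        negated = val is not None and val.startswith('!')
        if negated:
            val = val[1:]
        if val is not None and val.startswith('"'):
            val = val[1:-1]
        rule['options'].append((key, val))
        if key in ('content', 'uricontent') and not negated:
            rule['tokens'].append({'bytes': decode_content(val), 'nocase': False})
        elif key == 'nocase' and rule['tokens']:
            rule['tokens'][-1]['nocase'] = True        # modifies the preceding content
        elif key == 'sid':
            rule['sid'] = val
    return rule


def load_rules(text):
    """Return (loaded rules, ignored count); unparsable and content-less rules are ignored."""
    loaded, ignored = [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        rule = parse_rule(stripped)
        if rule is None or not rule['tokens']:
            ignored += 1
            continue
        loaded.append(rule)
    return loaded, ignored


def evaluate(rule, payload, proto, dport):
    """Token first: every content token must occur in the payload; only then check the header."""
    for tok in rule['tokens']:
        hay, needle = (payload.lower(), tok['bytes'].lower()) if tok['nocase'] else (payload, tok['bytes'])
        if needle not in hay:
            return False
    proto_ok = rule['proto'] in ('ip', proto)
    port_ok = rule['dport'] in ('any', str(dport))   # port lists/ranges not handled here
    return proto_ok and port_ok


def match_rules(rules, payload, proto, dport):
    return [r['sid'] for r in rules if evaluate(r, payload, proto, dport)]


if __name__ == '__main__':
    print(select_files(['local.rules', 'snort.conf', 'notes.txt']))
    rules, ignored = load_rules(SAMPLE_RULES)
    print(f'loaded {len(rules)} rule(s), ignored {ignored}')
    print(match_rules(rules, b'GET /Admin/login HTTP/1.1\r\nHost: example\r\n\r\n', 'tcp', 80))
    print(match_rules(rules, b'\x16\x03\x01\x02\x00', 'tcp', 443))
```

The no-content rule (sid 9000003) never enters the loaded set because there is no token to search for, which is exactly why such rules are unsupported in a token-driven engine.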
Decoder utilizes the following general Snort rule options:
Decoder supports the following payload rule options.