Decoder: Snort Parsers

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1Show Document
  • View in full screen mode
 

Snort® rules and configuration are added to the parsers/snort directory for Investigation and Decoder. Decoder supports the payload detection capabilities of Snort rules. The rules files must have the extension .rules and the configuration files must have the extension .conf. The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token. Once a token is matched, the rule header and additional rule options can be evaluated. Currently, rules that do not define any content (via content or uricontent rule options) are not supported.

Configuration

The configuration files are loaded prior to loading rules.

                                           

Configuration Options

Description

Variable Definitions

Description

ipvar The full language for defining IP address variables is supported, including lists, CIDR, and negation.
portvar The full language for defining IP address variables is supported, including lists, ranges, and negation.
var Not supported; use ipvar or portvar.

Action Definitions

Description

ruletype The definition of additional ruletypes is supported. However, only rules that have a base rule type of alert are supported.

General Configuration

Description

nopcre This configuration option disables all rules with pcre's.

Rules

Snort rules are parsed and loaded when PCS is loaded (any import or capture in Investigator, initial capture start and parser reload in Decoder).

  • Any rule that does not properly parse is ignored.
  • Any valid Snort rule should successfully parse; however, there are rule options, that are not supported by Decoder, that are not fully parsed.
                                   

Section

Description

HeaderThe header conditions are evaluated when a rule receives the first token callback for a stream. The header is evaluated once per stream, and prevents any further consideration of a rule against a specific stream if the conditions are not met.
ActionsThe specified action or a rule must be defined (either one of the native Snort actions, or defined in the configuration using the ruletype statement) for the rule to be considered valid. Decoder only utilizes rules with alert actions.
ProtocolsDecoder supports the current Snort protocol keywords (tcp, udp, icmp, ip).
IP AddressesThe full language for defining IP addresses is supported, including lists, CIDR, and negation.
Port NumbersThe full language for defining port numbers is supported, including lists, ranges and negation.
Direction OperatorThe directional operator supports the from-to (‘->’) and bidirectional (‘<>’) values. The to-from (‘<-’) value is invalid and will cause the rule to fail to load.

General Options

Decoder utilizes the following general Snort rule options:

                           

Option

Description

msg

If the rule matches, the msg value is added as risk.info, risk.warning, or risk.suspicious meta, depending on rule priority.

sid If the rule matches, the sid value is added as meta.

classtype

If the rule matches, the classtype name is added as threat.cat meta.

priority If the rule matches and it has a priority option, it is used to determine the type of risk meta associated with the msg value.

Payload Options

Decoder supports the following payload rule options.

                                               

Option

Description

content The content option creates a token for Decoder to match. Only tokens of three or more bytes are accepted. It is also important to note that Decoder differs from Snort in that rules are evaluated across the payload of the reconstructed stream and not just a single packet. This can result in differences in rules matches between Snort and Decoder, especially when considering positional options.

nocase

Currently not supported. This option is ignored and case-sensitive matching is used.

depth This option is applied to the distance of the token from the beginning of the stream. If the token position is greater than this value, it is not a match.

offset

This option is applied to the distance of the token from the beginning of the stream. If the token position is less than this value, it is not a match.

distance This option is applied to the distance of the token from the end of the previous token match. If the relative token position is less than this value, it is not a match.

within

This option is applied to the distance of the token from the end of the previous token match. If the relative token position is greater than this value, it is not a match.

http_uri Any token that hits is verified to fall within an http_uri as indicated by the HTTP parser. No URI normalization is applied.

uricontent

There is no URI normalization applied. Otherwise, this is equivalent to the content option with the http_uri modifier.

pcre Currently, PCREs are only applied to URIs and must specify the U option.

Non-payload Options

                                                       

Option

Description

flow Verifies that the rule is only applied to the client or server stream.

to_client

Limits the rule to only matching on a stream that Decoder has defined as Server.

from_server Synonym for to_client.

from_client

Limits the rule to only matching on a stream that Decoder has defined as Client.

flowbits

Maintains state per session and are reset at the end of each session.

set When the rule matches, the specified flowbit is set.

unset

When the rule matches, the specified flowbit is cleared.

toggle When the rule matches, the specified flowbit is flipped.

isset

When the rule is evaluated, the specified flowbit state must be set for the rule to match.

isnotset When the rule is evaluated, the specified flowbit state must not be set for the rule to match.

noalert

Prevents the rule from generating meta data if it matches.

Previous Topic:Lua Parsers
Next Topic:Search Parser
You are here
Table of Contents > Feed and Parser References > Snort Parsers

Attachments

    Outcomes