Enter the name of a rules file or click on the Browse button to select a rules file to upload. Click on the Submit button to upload the selected rules file. If the rules file has no errors, the number of rules in the file will be reported. If the file has errors, they will be highlighted in red.
The rules file is a plain text file that may contain comments, variable assignments, threshold specifications and rules. The format of the rules file is based on the Snort® rule format.
The following example demonstrates the basic elements of the rule file:
#Rule example
# define server network containing two subnets
var SERVER_NET [10.0.0.0/24,10.0.1.0/24]
# one event per source per rule per hour
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 3600
# look for http traffic with cmd.exe in the url
alert tcp $SERVER_NET any -> any 80 {\
  msg:"cmd.exe";\
  uricontent:"cmd.exe";\
  nocase;\
  classtype:attempted-user;\
  sid:1000002;\
}
Each rule must have a unique sid (Snort ID) number. By convention, locally defined rules have sid numbers > 1,000,000. For more information on writing Snort rules and to obtain new rules, see Snort.org.
The variables $HOME_NET, $DNS_SERVERS, $SMTP_SERVERS, $HTTP_SERVERS, $SQL_SERVERS and $TELNET_SERVERS default to the list of CIDRs in the Traffic Sentinel configuration file (see File>Configure). The variable $EXTERNAL_NET defaults to !$HOME_NET. You can override these defaults by explicitly setting the value of any of these variables in the configuration file.
You can also refer to lists of CIDRs by the Zone and Group names specified in the configuration file. Use the formats:
enterprise>site
enterprise>site>zone
enterprise>site>zone>group
For example:
local>local>HQ
specifies the HQ zone on the local site. Using local in either the enterprise or site position refers to the local site.
The threshold keyword has been extended with a new type, scan, which is used to look for scanning behavior. For example:
threshold gen_id 0, sig_id 1000001, type scan, track by_src, count 10, seconds 600
identifies source addresses that send packets (matching rule sid:100001) to more than 10 different destination addresses in 10 minutes.
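The following added example (not Traffic Sentinel's own code) shows how a scan threshold like the one above can be evaluated: for each source address it tracks the distinct destination addresses seen inside the seconds window and reports the source once more than count of them have been contacted. The flow events are constructed sample data standing in for packets that matched the rule; the function name scan_sources and the deque-based sliding window are this example's own choices.

```python
"""Evaluate a `type scan` threshold the way the page describes it: for one rule,
track per source the distinct destination addresses seen inside a window of
`seconds`, and flag the source once it exceeds `count` of them.  Events here are
constructed samples standing in for sFlow-sampled packets that matched the rule."""
from collections import defaultdict, deque

# threshold gen_id 0, sig_id 1000001, type scan, track by_src, count 10, seconds 600
SCAN_COUNT, SCAN_SECONDS = 10, 600


def scan_sources(events, count=SCAN_COUNT, seconds=SCAN_SECONDS):
    """events: (timestamp, src, dst) tuples in time order for packets matching the rule.
    Returns {src: timestamp at which it first exceeded `count` distinct destinations}."""
    recent = defaultdict(deque)          # src -> (ts, dst) pairs inside the window
    flagged = {}
    for ts, src, dst in events:
        window = recent[src]
        window.append((ts, dst))
        while ts - window[0][0] > seconds:   # expire samples older than the window
            window.popleft()
        if src not in flagged and len({d for _, d in window}) > count:
            flagged[src] = ts
    return flagged


def build_sample_events():
    """Constructed traffic: a sweep of 12 hosts in 3 minutes, a chatty host talking to
    3 peers, and a slow sweep of 12 hosts spread over two hours (never in one window)."""
    events = [(15 * i, "10.0.0.5", f"192.0.2.{i + 1}") for i in range(12)]
    events += [(60 * i, "10.0.0.9", f"192.0.2.{i % 3 + 1}") for i in range(30)]
    events += [(700 * i, "10.0.0.7", f"192.0.2.{i + 1}") for i in range(12)]
    return sorted(events)


SAMPLE_EVENTS = build_sample_events()
```

Running scan_sources(SAMPLE_EVENTS) flags only 10.0.0.5, at the moment its eleventh distinct destination appears; the host that contacts 12 destinations 700 seconds apart never has more than one inside any 600-second window, which is why the slow sweep stays below the threshold.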
Traffic Sentinel supports the following Snort rule header fields:
- Rule actions (alert, log and pass)
- Protocols (tcp, udp, icmp, ip)
- IP addresses
- Port numbers
- Direction
- msg
- reference
- sid (you must provide a unique SID for each rule)
- rev
- classtype
- priority
- content
- nocase
- depth
- offset
- distance
- within
- uricontent
- isdataat
- byte_test
- byte_jump
- fragoffset
- ttl
- tos
- id
- fragbits
- dsize
- flags
- flow
- seq
- ack
- itype
- icode
- icmp_id
- icmp_seq
- ip_proto
- sameip
Note: sFlow captures packet headers, typically the first 128 bytes of each packet. Rules that look for patterns deeper in the packet will not fire. Because sFlow is sampled, rules that involve connection tracking are not supported.
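An added example, not Traffic Sentinel's own code, that applies the checks described on this page to a rules file before it is uploaded: it parses comments, var lines, threshold lines and brace-wrapped rules with backslash continuations, counts the rules, and flags missing or duplicate sids, sids outside the local (> 1,000,000) convention, unsupported actions, protocols and threshold types, and content matches whose offset lies past the 128-byte sFlow header sample. The sample rules file is constructed (the page's own example followed by deliberately faulty rules); the linter's function names and messages are this example's own, and the offset check is a conservative approximation, since the link, IP and transport headers consume part of the 128 bytes.

```python
"""Lint a rules file in the format this page describes: comments, `var` lines,
`threshold` lines, and rules whose options sit in `{ ... }` with backslash
continuations.  Reports the rule count, missing or duplicate sids, sids outside
the local range, unsupported actions, protocols and threshold types, and content
matches placed beyond the 128-byte sFlow header sample (those can never fire)."""
import re

SFLOW_HEADER_BYTES = 128       # typical sFlow header sample length (from the page)
LOCAL_SID_MIN = 1_000_000      # convention for locally defined rules (from the page)
RULE_ACTIONS = {"alert", "log", "pass"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
THRESHOLD_TYPES = {"limit", "threshold", "both", "scan"}   # Snort's types plus this page's "scan"
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\{(?P<opts>.*)\}\s*$"
)

# Constructed sample file: the page's own example followed by one deliberate problem per rule
SAMPLE_RULES = r"""#Rule example
# define server network containing two subnets
var SERVER_NET [10.0.0.0/24,10.0.1.0/24]
# one event per source per rule per hour
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 3600
# look for http traffic with cmd.exe in the url
alert tcp $SERVER_NET any -> any 80 {\
  msg:"cmd.exe";\
  uricontent:"cmd.exe";\
  nocase;\
  classtype:attempted-user;\
  sid:1000002;\
}
# content placed past the sampled header: this rule can never fire
alert tcp any any -> $SERVER_NET 445 { msg:"deep match"; content:"|90 90|"; offset:200; sid:1000003; }
# a duplicate sid, then a sid outside the local range
alert udp any any -> any 53 { msg:"dup sid"; content:"evil"; sid:1000002; }
alert icmp any any -> any any { msg:"echo request"; itype:8; sid:42; }
"""

def logical_lines(text):
    """Join lines that end in a backslash into one logical line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out

def parse_options(opts):
    """Turn 'key:value; key; ...' into a dict (a ';' inside a quoted value is not handled)."""
    options = {}
    for item in opts.split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            options[key.strip()] = value.strip().strip('"')
    return options

def lint_rules(text):
    """Return {'rules': n, 'errors': [...], 'warnings': [...]} for a rules file."""
    report = {"rules": 0, "errors": [], "warnings": []}
    seen_sids = {}
    for n, line in enumerate(logical_lines(text), 1):
        if not line or line.startswith("#") or line.startswith("var "):
            continue
        if line.startswith("threshold "):
            fields = dict(f.split() for f in line[10:].split(",") if len(f.split()) == 2)
            if fields.get("type") not in THRESHOLD_TYPES:
                report["errors"].append(f"line {n}: unknown threshold type {fields.get('type')!r}")
            continue
        m = RULE_RE.match(line)
        if not m:
            report["errors"].append(f"line {n}: cannot parse rule {line[:40]!r}")
            continue
        report["rules"] += 1
        if m["action"] not in RULE_ACTIONS or m["proto"] not in PROTOCOLS:
            report["errors"].append(f"line {n}: unsupported action or protocol {m['action']} {m['proto']}")
        opts = parse_options(m["opts"])
        sid = opts.get("sid")
        if not sid or not sid.isdigit():
            report["errors"].append(f"line {n}: rule has no numeric sid")
        elif sid in seen_sids:
            report["errors"].append(f"line {n}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
            if int(sid) < LOCAL_SID_MIN:
                report["warnings"].append(f"line {n}: sid {sid} is below the local range (> {LOCAL_SID_MIN:,})")
        # sFlow keeps only the first 128 bytes and the link/IP/transport headers use part of
        # that, so a payload offset at or past 128 can never be compared against anything
        offset = opts.get("offset", "0")
        if ("content" in opts or "uricontent" in opts) and offset.isdigit() \
                and int(offset) >= SFLOW_HEADER_BYTES:
            report["warnings"].append(
                f"line {n}: offset {offset} is beyond the {SFLOW_HEADER_BYTES}-byte sFlow header sample")
    return report
```

lint_rules(SAMPLE_RULES) reports 4 rules, one error (the reused sid 1000002) and two warnings (the offset:200 match that the header sample can never satisfy, and sid 42 outside the local range). Line numbers in the report refer to logical lines, so a continued rule counts as one line; a real upload would instead highlight the physical lines of the file.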