Traffic Sentinel : Help

The Configure page is used to view the current rules file and upload new rules files.

How do I install a new rules file?

Enter the name of a rules file or click on the Browse button to select a rules file to upload. Click on the Submit button to upload the selected rules file. If the rules file has no errors, the number of rules in the file will be reported. If the file has errors, they will be highlighted in red.

How do I download a copy of the rules file?

Click on the download link to download the current rules file.

How are rules specified in the rules file?

The rules file is a plain text file that may contain comments, variable assignments, threshold specifications and rules. The format of the rules file is based on the Snort® rule format.

The following example demonstrates the basic elements of the rule file:

#Rule example

# define server network containing two subnets
var SERVER_NET [10.0.0.0/24,10.0.1.0/24]

# one event per source per rule per hour
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 3600

# look for http traffic with cmd.exe in the url
alert tcp $SERVER_NET any -> any 80 {\
  msg:"cmd.exe";\
  uricontent:"cmd.exe";\
  nocase;\
  classtype:attempted-user;\
  sid:1000002;\
}

Each rule must have a unique sid (Snort ID) number. By convention, locally defined rules have sid numbers > 1,000,000. For more information on writing Snort rules and to obtain new rules, see Snort.org.

How are the variables defined?

The following variables are defined:

These variables default to the list of CIDRs in the Traffic Sentinel configuration file (see File>Configure). You can override these defaults by explicitly setting the value of any of these variables in the configuration file.

An additional variable, $EXTERNAL_NET, defaults to !$HOME_NET.

How do I reference address groups from the network hierarchy?

You can also refer to lists of CIDRs by the Zone and Group names specified in the configuration file (see File>Configure). Use the formats:
enterprise>site
enterprise>site>zone
enterprise>site>zone>group

for example:
local>local>HQ
specifies the HQ zone on the local site. Using local in either the enterprise or site positions refers to the local site.

How do I detect scanning behavior?

The threshold keyword has been extended to include a new type. A type of scan is used to look for scanning behavior.
threshold gen_id 0, sig_id 1000001, type scan, track by_src, count 10, seconds 600
identifies source addresses that send packets (matching rule sid:100001) to more than 10 different destination addresses in 10 minutes.
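As an added illustration (not part of the Traffic Sentinel product or of this help page), the following Python emulates the two threshold types used above, type limit (one event per source per rule per hour) and type scan (more than count distinct destinations per source within seconds), over a constructed set of per-packet sFlow samples. The record layout and function names are assumptions for the example.

```python
from collections import defaultdict

# Constructed sFlow-style packet samples: (timestamp_seconds, src_ip, dst_ip).
# 10.0.0.5 hits 12 destinations in 4 minutes; 10.0.0.7 hits 12 spread over an hour.
SAMPLES = [(i * 20, "10.0.0.5", f"192.0.2.{i}") for i in range(1, 13)] + \
          [(i * 300, "10.0.0.7", f"198.51.100.{i}") for i in range(1, 13)]


def scan_threshold(samples, count=10, seconds=600):
    """Emulate 'threshold type scan, track by_src, count N, seconds S':
    alert once a source has sent to more than `count` distinct destinations
    inside a sliding window of `seconds`, then start counting afresh."""
    recent = defaultdict(list)          # src -> [(ts, dst), ...] still inside the window
    alerts = []
    for ts, src, dst in sorted(samples):
        window = [(t, d) for t, d in recent[src] if ts - t < seconds]
        window.append((ts, dst))
        if len({d for _, d in window}) > count:
            alerts.append((ts, src))
            window = []                 # reset so one scan yields one alert
        recent[src] = window
    return alerts


def limit_threshold(events, count=1, seconds=3600):
    """Emulate 'threshold type limit, track by_src, count N, seconds S':
    pass the first `count` events per source in each window, drop the rest."""
    state = {}                          # src -> (window_start, passed_so_far)
    passed = []
    for ts, src in sorted(events):
        start, n = state.get(src, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0            # a new window begins with this event
        if n < count:
            passed.append((ts, src))
            n += 1
        state[src] = (start, n)
    return passed


if __name__ == "__main__":
    print(scan_threshold(SAMPLES))      # [(220, '10.0.0.5')]
    events = [(0, "10.0.0.5"), (100, "10.0.0.5"), (3700, "10.0.0.5")]
    print(limit_threshold(events))      # [(0, '10.0.0.5'), (3700, '10.0.0.5')]
```

Only 10.0.0.5 is reported as a scanner: 10.0.0.7 also reaches twelve destinations, but never more than two inside any 600 second window.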

What keywords are available in rules?

Traffic Sentinel supports the following Snort rule header fields:

the following meta rule options:

the following payload detection rule options:

and the following non-payload detection rule options:

Why isn't the rule triggering?

sFlow captures packet headers, typically the first 128 bytes of the packet. Rules that look for patterns deeper in the packet will not fire. Because of the sampled nature of sFlow, rules that involve connection tracking are not supported.

How can I specify how many packets are captured by a rule?

Packets are captured when a rule is triggered. The capture rule option can be used to specify the size of the capture files. For example, adding the option "capture:10000" to a rule sets the maximum capture file size for the rule to 10000 bytes; when the maximum file size is reached, a new capture file will be started. sFlow typically reports on the first 128 bytes of each packet, so a file size of 10000 would hold nearly 80 packet headers.
