The Configure page is used to view the current rules file and upload new rules files.
Topics:
- How do I install a new rules file?
- How do I download a copy of the rules file?
- How are rules specified in the rules file?
- How are the variables defined?
- How do I reference address groups from the network hierarchy?
- How do I detect scanning behavior?
- What keywords are available in rules?
- Why isn't the rule triggering?
- How can I specify how many packets are captured by a rule?
How do I install a new rules file?
Enter the name of a rules file or click on the Browse button to select a rules file to upload. Click on the Submit button to upload the selected rules file. If the rules file has no errors, the number of rules in the file will be reported. If the file has errors, they will be highlighted in red.
How do I download a copy of the rules file?
Click on the download link to download the current rules file.
How are rules specified in the rules file?
The rules file is a plain text file that may contain comments, variable assignments, threshold specifications and rules. The format of the rules file is based on the Snort® rule format.
The following example demonstrates the basic elements of the rule file:
# Rule example

# define server network containing two subnets
var SERVER_NET [10.0.0.0/24,10.0.1.0/24]

# one event per source per rule per hour
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 3600

# look for http traffic with cmd.exe in the url
# (rule options are enclosed in parentheses, as in Snort; a trailing backslash continues the rule on the next line)
alert tcp $SERVER_NET any -> any 80 (\
  msg:"cmd.exe";\
  uricontent:"cmd.exe";\
  nocase;\
  classtype:attempted-user;\
  sid:1000002;\
)
Each rule must have a unique sid (Snort ID) number. By convention, locally defined rules have sid numbers > 1,000,000. For more information on writing Snort rules and to obtain new rules, see Snort.org.
How are the variables defined?
The following variables are defined:
- $HOME_NET
- $DNS_SERVERS
- $SMTP_SERVERS
- $HTTP_SERVERS
- $SQL_SERVERS
- $TELNET_SERVERS
These variables default to the list of CIDRs in the Traffic Sentinel configuration file (see File>Configure). You can override these defaults by explicitly setting the value of any of these variables in the configuration file.
An additional variable, $EXTERNAL_NET, defaults to !$HOME_NET.
How do I reference address groups from the network hierarchy?
You can also refer to lists of CIDRs by the Zone and Group names specified in the configuration file (see File>Configure). Use one of the formats:
- enterprise>site
- enterprise>site>zone
- enterprise>site>zone>group
For example, local>local>HQ specifies the HQ zone on the local site. Using local in either the enterprise or site position refers to the local site.
How do I detect scanning behavior?
The threshold keyword has been extended with a new type, scan, which is used to look for scanning behavior. For example:
threshold gen_id 0, sig_id 1000001, type scan, track by_src, count 10, seconds 600
identifies source addresses that send packets matching rule sid:1000001 to more than 10 different destination addresses in 10 minutes.
What keywords are available in rules?
Traffic Sentinel supports the following Snort rule header fields:
- Rule actions (alert, log and pass)
- Protocols (tcp, udp, icmp, ip)
- IP addresses
- Port numbers
- Direction
It supports the following meta rule options:
- msg
- reference
- sid (you must provide a unique SID for each rule)
- rev
- classtype
- priority
- metadata
It supports the following payload detection rule options:
- content
- nocase
- depth
- offset
- distance
- within
- uricontent
- isdataat
- byte_test
- byte_jump
It supports the following non-payload detection rule options:
- fragoffset
- ttl
- tos
- id
- fragbits
- dsize
- flags
- flow
- seq
- ack
- itype
- icode
- icmp_id
- icmp_seq
- ip_proto
- sameip
Why isn't the rule triggering?
sFlow captures packet headers, typically the first 128 bytes of the packet. Rules that look for patterns deeper in the packet will not fire. Because of the sampled nature of sFlow, rules that involve connection tracking are not supported.
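As an added example, not part of this help page or of Traffic Sentinel itself, the following Python script lints a rules file in the format described above before it is uploaded: it reports sids that are missing, duplicated or not above 1,000,000, options outside the supported keyword list, a content window (offset plus depth) that reaches past the 128-byte sFlow header (such a rule can never fire), and a scan threshold whose sig_id matches no rule. The rules-file grammar it parses is assumed from the example on this page, and the sample rules file is constructed (the cmd.exe rule is the page's own example).

```python
import re
# Added example (not Traffic Sentinel's own parser): lint a rules file in the format shown above.
SUPPORTED = set("""msg reference sid rev classtype priority metadata content nocase depth offset
distance within uricontent isdataat byte_test byte_jump fragoffset ttl tos id fragbits dsize
flags flow seq ack itype icode icmp_id icmp_seq ip_proto sameip capture""".split())
HEADER_BYTES = 128  # sFlow typically reports only the first 128 bytes of a packet

def logical_lines(text):
    """Drop comments and blank lines; join backslash-continued lines into one rule."""
    out, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            buf += line.rstrip("\\") + " "
            if not line.endswith("\\"):
                out.append(buf.strip())
                buf = ""
    return out

def lint_rules(text):
    """Return (sid, problem) findings; sid is 0 when a rule gives none."""
    findings, sids, scan_sids = [], set(), []
    for line in logical_lines(text):
        if line.startswith("threshold "):    # sig_id 0 is the global threshold, skip it
            scan_sids += [int(s) for s in re.findall(r"sig_id\s+([1-9]\d*)", line)]
            continue
        m = re.match(r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+.*\((.*)\)$", line)
        if not m:                            # var assignments and anything unparsed
            continue
        opts = dict(o.strip().partition(":")[::2] for o in m.group(3).split(";") if o.strip())
        sid = int(opts.get("sid", "").strip() or 0)
        if sid <= 1000000:
            findings.append((sid, "missing sid, or sid not > 1,000,000"))
        elif sid in sids:
            findings.append((sid, "duplicate sid"))
        sids.add(sid)
        findings += [(sid, "unsupported option: " + n) for n in sorted(set(opts) - SUPPORTED)]
        window = int(opts.get("offset", 0)) + int(opts.get("depth", 0))
        if window > HEADER_BYTES:            # deeper than the captured header: rule never fires
            findings.append((sid, f"content window of {window} bytes exceeds the {HEADER_BYTES}-byte header"))
    findings += [(s, "threshold references an undefined sid") for s in scan_sids if s not in sids]
    return findings

SAMPLE_RULES = r"""# constructed sample: the cmd.exe rule is the page's example, the others exercise the checks
var SERVER_NET [10.0.0.0/24,10.0.1.0/24]
threshold gen_id 0, sig_id 1000002, type scan, track by_src, count 10, seconds 600
threshold gen_id 0, sig_id 1000009, type scan, track by_src, count 10, seconds 600
alert tcp $SERVER_NET any -> any 80 (msg:"cmd.exe"; uricontent:"cmd.exe";\
  nocase; classtype:attempted-user; sid:1000002;)
alert tcp any any -> any 80 (msg:"deep"; content:"x"; offset:200; depth:10; sid:1000002;)
alert tcp any any -> any 80 (msg:"regex"; pcre:"/x/"; sid:5;)
"""
```

Running lint_rules(SAMPLE_RULES) reports the duplicate and too-deep "deep" rule, the low sid and unsupported pcre option of the "regex" rule, and the threshold for sid 1000009 that has no rule.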
How can I specify how many packets are captured by a rule?
Packets are captured when a rule is triggered. The capture rule option can be used to specify the size of the capture files. For example, adding the option "capture:10000" to a rule sets the maximum capture file size for the rule to 10000 bytes; when the maximum file size is reached, a new capture file will be started. sFlow typically reports on the first 128 bytes of each packet, so a file size of 10000 would hold nearly 80 packet headers.