SNORT – Effective Rule Writing Techniques – Constraining Snort Content Matches with Keyword Modifiers

July 31, 2015

Snort IDS and IPS Toolkit (Jay Beale’s Open Source Security)

You can constrain the location and case-sensitivity of content searches with options that
modify the content keyword. Some examples are as follows:

Nocase – You can instruct the detection engine to ignore case when searching for content
matches in ASCII strings.

Offset – The offset keyword lets you specify where in the packet payload the detection engine
should start searching for the content, measured in bytes (note that the byte count starts
at byte 0). For example, if you add a content match with an offset value of 5, the detection
engine starts searching for the content at byte 5, counting from 0.
Using the offset keyword makes searches more efficient by constraining the portion of the
packet payload that is searched, and it is useful when you know that the matching content
will not appear in the first part of the packet. Conversely, be careful not to set the offset
value too aggressively, because the detection engine will not inspect any bytes that appear
before the specified offset.


Depth – The depth keyword lets you specify the maximum number of bytes to search, measured
from the offset value or, if no offset is configured, from the beginning of the payload.

Distance – The distance keyword instructs the detection engine to look for the next content
match only a specified number of bytes after the end of the previous content match.
For example, if you set a distance value of 4, the detection engine starts searching for the
next content match four bytes after the previous content match.

Within – The within keyword indicates that, for the rule to trigger, the next content match
must occur within the specified number of bytes after the distance. If no distance is defined,
the value is counted from the end of the previous content match. For example, if you specify a
within value of 8 and no distance, the next content match must occur within the eight bytes
that follow the previous content match, or it does not meet the criteria that trigger the rule.
The entire content string must fall within the value you specified.
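To make the byte arithmetic of offset, depth, distance, within and nocase concrete, here is an added example (not from the post, the book, or Snort itself) that emulates those window rules over a constructed payload. As a simplification, it treats a content as "relative" whenever distance or within is set and as "absolute" (offset/depth) otherwise; the payload, the Content class and match_contents are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Content:
    """One content match plus the modifiers described in the post."""
    pattern: bytes
    nocase: bool = False
    offset: int = 0                 # absolute start, counted from byte 0 of the payload
    depth: Optional[int] = None     # max bytes searched, measured from offset
    distance: Optional[int] = None  # bytes skipped after the end of the previous match
    within: Optional[int] = None    # window after distance (or after the previous match)

def _find(window: bytes, pattern: bytes, nocase: bool) -> int:
    """Locate pattern inside window; the whole pattern must fit in the window."""
    if nocase:
        return window.lower().find(pattern.lower())
    return window.find(pattern)

def match_contents(payload: bytes, contents: List[Content]) -> List[Tuple[int, int]]:
    """Apply contents in rule order; return their (start, end) spans, or [] if any fails."""
    spans: List[Tuple[int, int]] = []
    prev_end = 0  # end of the previous match, which anchors distance and within
    for c in contents:
        if c.distance is not None or c.within is not None:
            # relative modifiers: counted from the end of the previous match
            start = prev_end + (c.distance or 0)
            end = len(payload) if c.within is None else start + c.within
        else:
            # absolute modifiers: counted from byte 0 of the payload
            start = c.offset
            end = len(payload) if c.depth is None else start + c.depth
        window = payload[start:end]  # bytes outside the window are never inspected
        pos = _find(window, c.pattern, c.nocase)
        if pos < 0:
            return []
        spans.append((start + pos, start + pos + len(c.pattern)))
        prev_end = spans[-1][1]
    return spans

# Constructed sample payload (not captured traffic): five filler bytes, then an FTP-style login.
PAYLOAD = b"AAAAAUSER admin\r\nPASS secret\r\n"

if __name__ == "__main__":
    # offset:5 starts at byte index 5, so "USER" is found; offset:6 has already skipped the "U".
    print(match_contents(PAYLOAD, [Content(b"USER", offset=5, depth=4)]))  # [(5, 9)]
    print(match_contents(PAYLOAD, [Content(b"USER", offset=6, depth=4)]))  # []
    # distance:8 skips " admin\r\n" after USER; within:4 leaves exactly room for "PASS".
    print(match_contents(PAYLOAD, [Content(b"USER"), Content(b"PASS", distance=8, within=4)]))  # [(5, 9), (17, 21)]
```

Shrinking within to 3, or dropping distance while keeping within:8, makes the second match fail because "PASS" no longer fits entirely inside the window, which is the "entire content string" rule stated above.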

Flow – The flow keyword lets you leverage the work performed by the stream reassembly
preprocessor. Note that if you enabled stream processing of UDP or ICMP in the stream
preprocessor, you can use this option for those protocols as well, even though they are not
connection-oriented protocols. The flow keyword lets you specify the direction of the
traffic to which a rule applies, so a rule can be applied to either the client flow or the server flow.

Adding these keyword modifiers to your rules enhances the overall performance of Snort, because the detection engine consumes fewer system resources.
