<h1>Snort Rule</h1>

<p>Published 2013-01-20 (last modified 2025-07-27) at <a href="https://systw.net/note/archives/378">https://systw.net/note/archives/378</a>, category: blue-team.</p>

<p><strong>Snort rule format:</strong> RulesHeader (RulesOption)<br>ex: root logging in over FTP<br>alert tcp any any -&gt; any 21 (content:"user root"; nocase; sid:1000001;)<br>(the FTP client sends the command as USER, so nocase is needed for the match; sid 1000001 lies in the user-defined range described below)</p>

<hr>

<h2 class="wp-block-heading"><strong>RulesHeader</strong></h2>

<p>The format is action protocol srcip srcport -&gt; dstip dstport<br><strong>action</strong>: what Snort does when the rule triggers, usually alert<br><strong>protocol</strong>: supported protocols are tcp, udp, icmp and ip<br><strong>srcip</strong>: source IP; supports CIDR notation, the $HOME_NET variable and negation<br><strong>srcport</strong>: source port; supports port ranges<br><strong>-&gt;</strong>: direction of the traffic; &lt;- and the bidirectional &lt;&gt; are also supported<br><strong>dstip</strong>: destination IP; supports CIDR notation and the $HOME_NET variable<br><strong>dstport</strong>: destination port; supports port ranges</p>

<p>ps:<br>srcip, srcport, dstip and dstport<br>may be set to any, meaning any IP or any port</p>

<p>IP negation uses ( ! )<br>ex: ! 10.1.1.1 means any IP other than 10.1.1.1</p>

<p>Port ranges use ( : )<br>ex:<br>1:1024 means port 1 through port 1024<br>:1024 means ports less than or equal to 1024<br>1024: means ports greater than or equal to 1024</p>

<hr>

<h2 class="wp-block-heading"><strong>RulesOption</strong></h2>

<p>The options are:<br><strong>msg</strong>: the rule name<br><strong>flow</strong>:<br><strong>to_server</strong>: traffic sent from the client to the server<br><strong>established</strong>: traffic on an already established connection<br><strong>content</strong>: match against the payload, in hex or ASCII form<br><strong>classtype</strong>: rule classification<br><strong>gid</strong>: Snort generator id, default 1; normally left unset<br><strong>sid</strong>: Snort signature id; &lt;100 is reserved, 100~1000000 is used by the official rules, &gt;1000000 is for user-defined rules<br><strong>rev</strong>: the current revision of the rule<br><strong>uricontent</strong>: scan the request URI for the attack pattern<br><strong>reference</strong>: pointer to related reference material</p>

<hr>

<p><strong>content matching</strong><br>The format is content:"payload"<br>The payload can be written as<br>|hex| for hexadecimal<br>ascii for ASCII<br>ex:<br>content:"|00|" matches the byte 00, written in hex<br>content:"SMB" matches SMB, written in ASCII<br>content:"|53 4D 42|" matches SMB, written in hex</p>

<p>ps<br>nocase makes the ASCII match case-insensitive</p>

<p><strong>content position options</strong><br>offset: absolute offset, counted from the start of the payload; default 0<br>depth: how many bytes to search, counting from offset<br>ps: if the pattern is not present in that range or extends beyond it, the rule does not match<br>distance: relative offset, counted from the end of the previous content match plus distance bytes<br>within: how many bytes to search, counting from distance<br>ps: if the pattern is not present in that range or extends beyond it, the rule does not match</p>

<p><strong>Conditional content matching</strong><br>byte_test:&lt;bytes_to_convert&gt;,&lt;operator&gt;,&lt;value&gt;,&lt;offset&gt; [,[relative],[big],[little],[string],[hex],[dec],[oct]]<br>bytes_to_convert: number of bytes to take from the packet and convert into a number<br>operator: comparison operator, one of &lt;, &gt;, =, !<br>value: the value to compare against<br>offset: absolute offset<br>relative: offset is relative to the last content match<br>big: interpret the bytes as big endian<br>little: interpret the bytes as little endian<br>string: the bytes are a numeric ASCII string<br>hex: read the value as hexadecimal<br>dec: read the value as decimal (default)<br>oct: read the value as octal</p>

<p><strong>Skipping x bytes without scanning</strong><br>byte_jump:&lt;bytes_to_convert&gt;,&lt;offset&gt; [,[relative],[big],[little],[string],[hex],[dec],[oct],[align],[from_beginning]]<br>align: round the value obtained by byte_jump up to a multiple of 4; ex: a value of 13 is rounded up to 16<br>from_beginning: jump from the start of the packet payload rather than from the current position</p>

<p><strong>pcre matching</strong><br>The format is pcre:"/re/parameter"<br>parameter: flags; i means case-insensitive, R means relative (the same as the relative rule option)<br>ps: pcre syntax is supported from Snort 2.x onwards</p>