Similar to the application layer preprocessors, rules configured for specific ports that carry service metadata are processed based on the service identified by the attribute table.
When service metadata is present both in the rule and in the connection, Snort uses the service rather than the port. If some rules use the service and other rules do not but match on the port, Snort will ONLY inspect the rules whose service matches the connection.
The following scenarios show whether a rule will be inspected or not. In each of them, traffic to host 192.168.1.234 port 2300 has been identified as telnet by the attribute table.
The following rule will be inspected and alert on traffic to host 192.168.1.234 port 2300 because it is identified as telnet.
alert tcp any any -> any 23 (msg:"Telnet traffic"; flow:to_server,established; sid:10000001; metadata: service telnet;)
The following rule will be inspected and alert on traffic to host 192.168.1.234 port 2300 because it is identified as telnet.
alert tcp any any -> any 23 (msg:"Telnet traffic"; flow:to_server,established; sid:10000002; metadata: service telnet, service smtp;)
The following rule will NOT be inspected and NOT alert on traffic to host 192.168.1.234 port 2300 because that traffic is identified as telnet, but the rule's service is ssh.
alert tcp any any -> any 2300 (msg:"SSH traffic"; flow:to_server,established; sid:10000003; metadata: service ssh;)
The following rule will be inspected and alert on traffic to host 192.168.1.234 port 2300 because the port matches.
alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; sid:10000004;)
The first rule will NOT be inspected and NOT alert on traffic to host 192.168.1.234 port 2300 because the service is identified as telnet and there are other rules with that service.
alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; sid:10000005;)
alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; sid:10000006; metadata: service telnet;)
The following rule will NOT be inspected and NOT alert on traffic to host 192.168.1.234 port 2300 because the port does not match.
alert tcp any any -> any 23 (msg:"Port 23 traffic"; flow:to_server,established; sid:10000007;)
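A small model of the selection logic described in the scenarios above, added here as an illustration and not taken from the Snort source: it parses the page's rule lines for destination port, sid and service metadata, then applies the service-over-port preference. The behaviour when the attribute table identifies no service is an assumption, not something the page states.

```python
"""Model of Snort's service-vs-port rule selection (added illustration, not Snort code)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    dst_port: str            # "23", "2300" or "any"
    services: frozenset      # empty when the rule carries no service metadata

RULE_RE = re.compile(r"^alert tcp \S+ \S+ -> \S+ (\S+) \((.*)\)$")

def parse_rule(text):
    """Pull dst port, sid and 'metadata: service ...' out of one rule (simplified: no ';' inside msg)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    dst_port, body = m.groups()
    sid, services = None, set()
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "sid":
            sid = int(val)
        elif key == "metadata":
            for item in val.split(","):            # "service telnet, service smtp"
                k, _, v = item.strip().partition(" ")
                if k == "service":
                    services.add(v.strip())
    return Rule(sid, dst_port, frozenset(services))

def select_rules(rule_texts, dst_port, service=None):
    """Return the sids inspected for a connection whose attribute-table service is `service`."""
    rules = [parse_rule(t) for t in rule_texts]
    port_ok = lambda r: r.dst_port in ("any", str(dst_port))
    if service is None:
        # Assumption (not stated on the page): no identified service -> plain port matching.
        return [r.sid for r in rules if port_ok(r)]
    by_service = [r.sid for r in rules if service in r.services]
    if by_service:
        # A service matched: the rule's port is ignored and port-only rules are skipped.
        return by_service
    # No rule names this service: only service-less rules are matched, by port.
    # Rules naming a different service (e.g. ssh on telnet traffic) are never inspected.
    return [r.sid for r in rules if not r.services and port_ok(r)]

if __name__ == "__main__":
    pair = ['alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; sid:10000005;)',
            'alert tcp any any -> any 2300 (msg:"Port 2300 traffic"; flow:to_server,established; sid:10000006; metadata: service telnet;)']
    print(select_rules(pair, 2300, "telnet"))   # [10000006]
```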