Next: The Basics Up: SNORTUsers Manual 2.9.4 Previous: Rule Actions Contents

Writing Snort Rules

Subsections

The Basics
Rules Headers
Rule Options
General Rule Options
- msg
  - Format
- reference
  - Format
  - Examples
- gid
  - Format
  - Example
- sid
  - Format
  - Example
- rev
  - Format
  - Example
- classtype
- priority
  - Format
  - Examples
- metadata
  - Format
  - Examples
- General Rule Quick Reference
Payload Detection Rule Options
- content
  - Format
  - Examples
  - Changing content behavior
- nocase
  - Format
  - Example
- rawbytes
  - format
  - Example
- depth
  - Format
- offset
  - Format
  - Example
- distance
  - Format
  - Example
- within
  - Format
  - Examples
- http_client_body
  - Format
  - Examples
- http_cookie
  - Format
  - Examples
- http_raw_cookie
  - Format
  - Examples
- http_header
  - Format
  - Examples
- http_raw_header
  - Format
  - Examples
- http_method
  - Format
  - Examples
- http_uri
  - Format
  - Examples
- http_raw_uri
  - Format
  - Examples
- http_stat_code
  - Format
  - Examples
- http_stat_msg
  - Format
  - Examples
- http_encode
  - Format
  - Examples
- fast_pattern
  - Format
  - Examples
- uricontent
  - Format
- urilen
  - Format
- isdataat
  - Format
  - Example
- pcre
  - Format
  - Example
- pkt_data
  - Format
  - Example
- file_data
  - Format
  - Example
- base64_decode
  - Format
  - Examples
- base64_data
  - Format
  - Example
- byte_test
  - Format
  - Examples
- byte_jump
  - Format
  - Example
- byte_extract
  - Format
  - Other options which use byte_extract variables
  - Examples
- ftpbounce
  - Format
  - Example
- asn1
  - Format
  - Examples
- cvs
  - Format
  - Examples
- dce_iface
- dce_opnum
- dce_stub_data
- sip_method
- sip_stat_code
- sip_header
- sip_body
- gtp_type
- gtp_info
- gtp_version
- ssl_version
- ssl_state
- Payload Detection Quick Reference
Non-Payload Detection Rule Options
- fragoffset
  - Format
  - Example
- ttl
  - Format
  - Example
- tos
  - Format
  - Example
- id
  - Format
  - Example
- ipopts
  - Format
  - Example
  - Warning
- fragbits
  - Format
  - Example
- dsize
  - Format
  - Example
  - Warning
- flags
  - Format
  - Example
- flow
  - Options
  - Format
  - Examples
- flowbits
  - General Format
  - set
  - setx
  - unset
  - toggle
  - isset
  - isnotset
  - noalert
  - reset
  - Examples
- seq
  - Format
  - Example
- ack
  - Format
  - Example
- window
  - Format
  - Example
- itype
  - Format
  - Example
- icode
  - Format
  - Example
- icmp_id
  - Format
  - Example
- icmp_seq
  - Format
  - Example
- rpc
  - Format
  - Example
  - Warning
- ip_proto
  - Format
  - Example
- sameip
  - Format
  - Example
- stream_reassemble
  - Format
  - Example
- stream_size
  - Format
  - Example
- Non-Payload Detection Quick Reference
Post-Detection Rule Options
- logto
  - Format
- session
- resp
- react
- tag
  - Format
  - Example
- activates
  - Format
- activated_by
  - Format
- count
  - Format
- replace
- detection_filter
- Post-Detection Quick Reference
Rule Thresholds
- Format
- Examples
Writing Good Rules

Eugene Misnik 2013-05-08