The following is an example of a simple rule, take from the current rule set, SID 109. It is implemented to work with the detection engine provided with snort.
The snort rule in normal format:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any \ (msg:"BACKDOOR netbus active"; flow:from_server,established; \ content:"NetBus"; reference:arachnids,401; classtype:misc-activity; \ sid:109; rev:5;)
This is the metadata for this rule library, defined in detection_lib_meta.h.
/* Version for this rule library */ #define DETECTION_LIB_MAJOR_VERSION 1 #define DETECTION_LIB_MINOR_VERSION 0 #define DETECTION_LIB_BUILD_VERSION 1 #define DETECTION_LIB_NAME "Snort_Dynamic_Rule_Example" /* Required version and name of the engine */ #define REQ_ENGINE_LIB_MAJOR_VERSION 1 #define REQ_ENGINE_LIB_MINOR_VERSION 0 #define REQ_ENGINE_LIB_NAME "SF_SNORT_DETECTION_ENGINE"
The definition of each data structure for this rule is in sid109.c.
Declaration of the data structures.
Define the FlowFlags structure and its corresponding RuleOption. Per the text version, flow is from_server,established.
static FlowFlags sid109flow =
{
FLOW_ESTABLISHED|FLOW_TO_CLIENT
};
static RuleOption sid109option1 =
{
OPTION_TYPE_FLOWFLAGS,
{
&sid109flow
}
};
Define the ContentInfo structure and its corresponding RuleOption. Per the text version, content is "NetBus", no depth or offset, case sensitive, and non-relative. Search on the normalized buffer by default. NOTE: This content will be used for the fast pattern matcher since it is the longest content option for this rule and no contents have a flag of CONTENT_FAST_PATTERN.
static ContentInfo sid109content =
{
"NetBus", /* pattern to search for */
0, /* depth */
0, /* offset */
CONTENT_BUF_NORMALIZED, /* flags */
NULL, /* holder for boyer/moore info */
NULL, /* holder for byte representation of "NetBus" */
0, /* holder for length of byte representation */
0 /* holder for increment length */
};
static RuleOption sid109option2 =
{
OPTION_TYPE_CONTENT,
{
&sid109content
}
};
Define the references.
static RuleReference sid109ref_arachnids =
{
"arachnids", /* Type */
"401" /* value */
};
static RuleReference *sid109refs[] =
{
&sid109ref_arachnids,
NULL
};
The list of rule options. Rule options are evaluated in the order specified.
RuleOption *sid109options[] =
{
&sid109option1,
&sid109option2,
NULL
};
The rule itself, with the protocol header, meta data (sid, classification, message, etc).
Rule sid109 =
{
/* protocol header, akin to => tcp any any -> any any */
{
IPPROTO_TCP, /* proto */
HOME_NET, /* source IP */
"12345:12346", /* source port(s) */
0, /* Direction */
EXTERNAL_NET, /* destination IP */
ANY_PORT, /* destination port */
},
/* metadata */
{
3, /* genid -- use 3 to distinguish a C rule */
109, /* sigid */
5, /* revision */
"misc-activity", /* classification */
0, /* priority */
"BACKDOOR netbus active", /* message */
sid109refs /* ptr to references */
},
sid109options, /* ptr to rule options */
NULL, /* Use internal eval func */
0, /* Holder, not yet initialized, used internally */
0, /* Holder, option count, used internally */
0, /* Holder, no alert, used internally for flowbits */
NULL /* Holder, rule data, used internally */
The NULL terminated list of rules. The InitializeDetection iterates through each Rule in the list and initializes the content, flowbits, pcre, etc.
extern Rule sid109;
extern Rule sid637;
Rule *rules[] =
{
&sid109,
&sid637,
NULL
};