Understand Snort3 Rules

Available Languages

Download Options

  • PDF     (78.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (109.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (91.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 26, 2022
Document ID:218349

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes rules for the Snort3 engine in the Cisco Secure Firewall Threat Defense (FTD).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Firewall Threat Defense (FTD)
    • Intrusion Prevention System (IPS)
    • Snort2 syntax

    Licensing

    No specific license requirement, the base license is sufficient and the features mentioned are included in the Snort engine within the FTD and in the Snort3 open-source versions.

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Secure Firewall Threat Defense (FTD), Cisco Secure Firewall Management Center (FMC) version 7.0+ with Snort3.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Snort is the Cisco IPS engine capable of real-time traffic analysis and packet logging.

    Snort can perform protocol analysis, content searching, and detect attacks.

    Snort3 is an updated version of the Snort2 IPS with a new software architecture that improves performance, detection, scalability, and usability.

    Snort3 rules

    They use that LUA format to make the Snort3 rules easier to read, write and verify.

    Rule actions

    This new version changes the rule actions, the new definitions are:

    • Pass: Stop evaluation of subsequent rules against packet
    • Alert: Generate event only
    • Block: Drop packet, block remainder session 
    • Drop: Drop packet only
    • Rewrite: Required if the replaces option is used
    • React: Send HTML block response page
    • Reject: Inject TCP RST or ICMP unreachable

    Rule anatomy

    The anatomy is:

    rule anatomy

    The rule header contains the action, protocol, source and destination network(s), and port(s).

    In Snort3, the rule header can be one of the next options:

    • Service rule header
    <iline" lang="lua">alert http 
( 
msg:"Alert HTTP rule";
flow:to_client,established;
content:"evil", nocase;
sid:1000001;
)
    • File rule header
    alert file 
( 
msg: “Alert File example”; 
file_data; 
content:”malicious_stuff”; 
sid:1000006; 
)
    • Conventional rule header
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
( 
msg:"Alert HTTP rule";
flow:to_client,established;
content:"evil", nocase;
sid:1000001;
)

    Rule features

    Some of the new features are:

    • Arbitrary whitespace (each option on its own line)
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
( 
msg:"Alert TCP rule";
flow:to_client,established;
content:"evil", nocase;
sid:1000000;
)
    • Consistent use of , and ;
    content:"evil", offset 5, depth 4, nocase;
    • Networks and ports are optional
    alert http ( Rule body )
    • Adds more sticky buffers (This is not the complete list)
    http_uri
http_raw_uri
http_header
http_raw_header
http_trailer
http_raw_trailer
http_cookie
http_raw_cookie
http_true_ip
http_client_body
http_raw_body
http_method
http_stat_code
http_stat_msg
http_version
http2_frama_header
script_data
raw_data
    • C Style comments
    alert http 
( 
msg:"Alert HTTP rule"; /* I can write a comment here */
...
)
    • Remark (rem) keyword
    alert http 
( 
msg:"Alert HTTP rule";
flow:to_client,established;
rem:"Put comments in the rule anywhere";
content:"evil", nocase;
sid:1000001;
)
    • appids keywords
    alert tcp $HOME_NET any -> $EXTERNAL_NET any
( 
msg:"Alert on apps";
appids:"Google, Google Drive";
content:"evil", nocase;
sid:1000000;
)
    • sd_pattern for sensitive data filtering
    • Regex keyword with the usage of hyperflex technology
    • Service keyword replaces metadata

    Examples

    Example with http service header and sticky buffer http_uri

    Task: Write a rule that detects the word malicious in the HTTP URI.

    Solution:

    alert http 
( 
msg:"Snort 3 http_uri sticky buffer"; 
flow:to_server,established; 
http_uri; 
content:"malicious", within 20; 
sid:1000010; 
)

    Example with file service header

    Task: Write a rule that detects PDF files.

    Solution:

    alert file 
( 
msg:"PDF File Detected"; 
file_type: "PDF"; 
sid:1000008; 
)

    Related Links

    Snort Rules and IDS Software Download

    Github

    Revision History

    Revision Publish Date Comments
    1.0
    26-Oct-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Cesar Barrientos

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products