Differences

This shows you the differences between two versions of the page.

--- pfsense:suricata:rules:breakdown_of_a_rule [2021/01/21 10:54] – [Source and Destination IP and Port] peter
+++ pfsense:suricata:rules:breakdown_of_a_rule [2021/01/22 10:07] (current) – [Rule Options] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - Suricata - Rules - Breakdown of a rule ======
 ===== Example Rule =====
@@ Line 15: / Line 14: @@
   * **(msg:"ICMP detected"; sid:2; rev:1;)**:  The options.
+----
 <WRAP info>
@@ Line 34: / Line 34: @@
 ----
-==== Actions ====
+===== Actions =====
 Actions are performed in the following precedence order by default if multiple rules exist; but can be changed through Action Order.
@@ Line 45: / Line 45: @@
 ----
-==== Protocol ====
+===== Protocol ====
   * **ip**:  Any packets on the network involving the adapter.
@@ Line 58: / Line 58: @@
 ----
-==== Source and Destination IP and Port ====
+===== Source IP and Port; Direction; Destination IP and Port =====
-From example there is:
+<code>
+any any -> any any
+</code>
-  **any any → any any**.
+Source and Destination IP can be configured as:
-In the example, **any any**, is used for both source and destination IPs and ports.
+  * **any**:  Any IP.
+  * **192.168.1.10**:  An actual IP.
+  * **10.0.1.0/8**:  A CIDR in the 10.0.1.0 subnet.
+  * **!192.168.1.10**:  An exclamation mark specifies “not”, so this means any IP but not 192.168.1.10.
+  * **!10.0.1.0/8**:  Any IP not in the 10.0.1.0 subnet.
+  * **[192.168.1.10, !192.168.1.10]**:  Multiple addresses.  You can also mix-and-match with the ! as well.
+  * **[$EXTERNAL_NET, !$HOME_NET]**:  Multiple addresses, using built-in variables.
+  * **![192.168.1.0/24,192.168.0.0/24]**:  Not with Multiple addresses.
-  * An exclamation mark specifies “not”, so “! 10.0.1.0/8” means any IP not in the 10.0.1.0 subnet.
+Ports act similarly:
-  * <nowiki>[]</nowiki> - t specify multiple IPs and ports.  They go inside the brackets and are comma-separated.
-    * You can also mix-and-match with the ! as well.
-    * For example, if you wanted the rule to match IP 192.168.0.5 but not 192.168.1.0/24, you would do “[! 192.168.1.0/24, 192.168.0.5]”. The value will be matched in the order you pass it.
-  * You can also throw in variables as well, like so: [$EXTERNAL_NET, !$HOME_NET] or if you want to exclude only two IP blocks from the rule: ![192.168.1.0/24,192.168.0.0/24] (this will match everything but IPs in the 192.168.1.0/24 and 192.168.0.0/24 ranges.
+  * **any**:  Any Port.
+  * **80**:  Port 80.
+  * **[80:85]**:  A range of ports.
+  * **[:1024]**:  Matches all ports from 0-1024.
+  * **[1024:]**:  Matches ports from 1024 to the highest (typically 65535).
-Ports act similarly but they have one additional sign that you can use:
-  *  <nowiki>:</nowiki> - Specifies a range of ports (i.e.: [80:82] will match ports 80-82).
+Direction Specification:
-    * If you want a non-specific range (i.e.: only a maximum or minimum port number), you can do this: [:1024] (matches everything from 0-1024) or [1024:] (matches from 1024 to the highest [typically 65535]).
+  *  **<nowiki>-></nowiki>**:  This is the most common and means only check if the source IP and port are coming in to the destination IP and port.
+  *  **<>**:  This will match packet flow in either direction.
-Direction Specification
+<WRAP info>
+**NOTE:**  Built-in Variables include:
+  * **HOME_NET**:
+  * **EXTERNAL_NET**:
+</WRAP>
+----
-  * Between the IP and ports is the direction of packet flow, in our case ->. There’s two options for this:
+===== Rule Options =====
-  *  -> - This is the most common and means only check if the source IP and port are coming in to the destination IP and port.
+Options fall into different categories:
-  *  <> - This will match packet flow in either direction.
-**NOTE:**  HOME_NET and EXTERNAL_NET can be used.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings|meta-settings]]**:  Options not pertaining to any specifics about the packet; including msg, sid, rev.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords|payload]]**:  The packet data itself.  **content: "peter";**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords|HTTP]]**:  Heavily used when TCP protocol is set, useful for using Suricata as a content filtering system.  **GET, POST, index.html, cookies, user-agents, response-status 302, 500 etc.**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords|flow]]**:  More fine-grained control over the connection’s status and such.  **established, memory usage, timeouts, user logged in**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules|IP reputation]]**:   Is an IP legit or known to be associated with malware, spam, etc...
 ----
-Rule Options
+<code>
+msg:"IP detected"; sid:2; rev:1;
+</code>
   * The 3 most basic options are:
@@ Line 100: / Line 123: @@
   * **rev**: - Revision number/ID.
     *  Incremented by 1 every time the rule is changed.
-----
 ----
+==== Other Rule Examples ====
+<code>
 alert icmp any any -> \
       any any (msg:"PING detected"; \
@@ Line 133: / Line 155: @@
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)
 </code>
-where:
-  * **Action**:  drop.
-  * **Header**:  tcp $HOME_NET any -> $EXTERNAL_NET any.
-  * **Options**:  (msg:"ALERT TCP port 22 but not SSH"; app-layer-protocol:!ssh; sid:2271009; rev:1;)
-----
 ----