Differences

This shows you the differences between two versions of the page.

--- pfsense:suricata:rules:breakdown_of_a_rule [2021/01/21 11:58] – [Source and Destination IP and Port] peter
+++ pfsense:suricata:rules:breakdown_of_a_rule [2021/01/22 10:07] (current) – [Rule Options] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - Suricata - Rules - Breakdown of a rule ======
 ===== Example Rule =====
@@ Line 15: / Line 14: @@
   * **(msg:"ICMP detected"; sid:2; rev:1;)**:  The options.
+----
 <WRAP info>
@@ Line 34: / Line 34: @@
 ----
-==== Actions ====
+===== Actions =====
 Actions are performed in the following precedence order by default if multiple rules exist; but can be changed through Action Order.
@@ Line 45: / Line 45: @@
 ----
-==== Protocol ====
+===== Protocol ====
   * **ip**:  Any packets on the network involving the adapter.
@@ Line 58: / Line 58: @@
 ----
-==== Source and Destination IP and Port ====
+===== Source IP and Port; Direction; Destination IP and Port =====
+<code>
+any any -> any any
+</code>
 Source and Destination IP can be configured as:
@@ Line 71: / Line 75: @@
   * **![192.168.1.0/24,192.168.0.0/24]**:  Not with Multiple addresses.
-Ports act similarly but they have one additional sign that you can use:
+Ports act similarly:
-  *  **<nowiki>:</nowiki>** - Specifies a range of ports (i.e.: [80:82] will match ports 80-82).
+  * **any**:  Any Port.
-    * If you want a non-specific range (i.e.: only a maximum or minimum port number), you can do this: [:1024] (matches everything from 0-1024) or [1024:] (matches from 1024 to the highest [typically 65535]).
+  * **80**:  Port 80.
+  * **[80:85]**:  A range of ports.
+  * **[:1024]**:  Matches all ports from 0-1024.
+  * **[1024:]**:  Matches ports from 1024 to the highest (typically 65535).
 Direction Specification:
-  * Between the IP and ports is the direction of packet flow:
   *  **<nowiki>-></nowiki>**:  This is the most common and means only check if the source IP and port are coming in to the destination IP and port.
@@ Line 94: / Line 99: @@
 ----
-==== Rule Options ====
+===== Rule Options =====
+Options fall into different categories:
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings|meta-settings]]**:  Options not pertaining to any specifics about the packet; including msg, sid, rev.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords|payload]]**:  The packet data itself.  **content: "peter";**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords|HTTP]]**:  Heavily used when TCP protocol is set, useful for using Suricata as a content filtering system.  **GET, POST, index.html, cookies, user-agents, response-status 302, 500 etc.**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords|flow]]**:  More fine-grained control over the connection’s status and such.  **established, memory usage, timeouts, user logged in**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules|IP reputation]]**:   Is an IP legit or known to be associated with malware, spam, etc...
+----
+<code>
+msg:"IP detected"; sid:2; rev:1;
+</code>
   * The 3 most basic options are:
@@ Line 108: / Line 127: @@
 ----
-----
+==== Other Rule Examples ====
-----
+<code>
 alert icmp any any -> \
       any any (msg:"PING detected"; \
@@ Line 137: / Line 155: @@
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)
 </code>
-where:
-  * **Action**:  drop.
-  * **Header**:  tcp $HOME_NET any -> $EXTERNAL_NET any.
-  * **Options**:  (msg:"ALERT TCP port 22 but not SSH"; app-layer-protocol:!ssh; sid:2271009; rev:1;)
-----
 ----