Differences

This shows you the differences between two versions of the page.

--- pfsense:suricata:rules:breakdown_of_a_rule [2021/01/21 12:11] – [Source IP and Port; Direction; Destination IP and Port] peter
+++ pfsense:suricata:rules:breakdown_of_a_rule [2021/01/22 10:07] (current) – [Rule Options] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - Suricata - Rules - Breakdown of a rule ======
 ===== Example Rule =====
@@ Line 15: / Line 14: @@
   * **(msg:"ICMP detected"; sid:2; rev:1;)**:  The options.
+----
 <WRAP info>
@@ Line 34: / Line 34: @@
 ----
-==== Actions ====
+===== Actions =====
 Actions are performed in the following precedence order by default if multiple rules exist; but can be changed through Action Order.
@@ Line 45: / Line 45: @@
 ----
-==== Protocol ====
+===== Protocol ====
   * **ip**:  Any packets on the network involving the adapter.
@@ Line 58: / Line 58: @@
 ----
-==== Source IP and Port; Direction; Destination IP and Port ====
+===== Source IP and Port; Direction; Destination IP and Port =====
 <code>
@@ Line 85: / Line 85: @@
 Direction Specification:
-  * Between the IP and ports is the direction of packet flow:
   *  **<nowiki>-></nowiki>**:  This is the most common and means only check if the source IP and port are coming in to the destination IP and port.
@@ Line 101: / Line 99: @@
 ----
-==== Rule Options ====
+===== Rule Options =====
+Options fall into different categories:
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings|meta-settings]]**:  Options not pertaining to any specifics about the packet; including msg, sid, rev.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords|payload]]**:  The packet data itself.  **content: "peter";**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords|HTTP]]**:  Heavily used when TCP protocol is set, useful for using Suricata as a content filtering system.  **GET, POST, index.html, cookies, user-agents, response-status 302, 500 etc.**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords|flow]]**:  More fine-grained control over the connection’s status and such.  **established, memory usage, timeouts, user logged in**.
+  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules|IP reputation]]**:   Is an IP legit or known to be associated with malware, spam, etc...
+----
 <code>
@@ Line 119: / Line 127: @@
 ----
-----
+==== Other Rule Examples ====
-----
+<code>
 alert icmp any any -> \
       any any (msg:"PING detected"; \
@@ Line 148: / Line 155: @@
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\".htpasswd access attempt\"; flow:to_server,established; content:\".htpasswd\"; nocase; sid:210503; rev:1;)
 </code>
-where:
-  * **Action**:  drop.
-  * **Header**:  tcp $HOME_NET any -> $EXTERNAL_NET any.
-  * **Options**:  (msg:"ALERT TCP port 22 but not SSH"; app-layer-protocol:!ssh; sid:2271009; rev:1;)
-----
 ----