pfsense:suricata:rules:breakdown_of_a_rule (revision 2021/01/22 10:07 by peter, current; previous revision 2021/01/21 12:50 by peter)
====== PFSense - Suricata - Rules - Breakdown of a rule ======

===== Example Rule =====
  * **(msg:"ICMP detected"; sid:2; rev:1;)**:  The rule options: a list of keyword:value pairs inside parentheses, each terminated by a semicolon.
  
----

<WRAP info>
----

===== Actions =====
  
When several rules match the same packet, their actions are applied in the following precedence order by default; the order can be changed through Action Order (the **action-order** setting in suricata.yaml).
----

===== Protocol =====
  
  * **ip**:  Matches any IP packet seen on the monitored interface, regardless of the transport protocol carried inside it.
----

===== Source IP and Port; Direction; Destination IP and Port =====

<code>
----

===== Rule Options =====

Options fall into different categories:

  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings|meta-settings]]**:  Options that describe the rule itself rather than the packet; including msg, sid, rev.
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords|payload]]**:  Match on the packet data itself, e.g. **content:"peter";**.
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords|HTTP]]**:  Match on fields of the parsed HTTP transaction; used when the rule protocol is **http**, and useful for turning Suricata into a content filter.  **GET, POST, index.html, cookies, user-agents, response status 302, 500 etc.**
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords|flow]]**:  Match on the state and direction of the connection the packet belongs to, e.g. **flow:established,to_server;**.
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules|IP reputation]]**:  Match on whether an IP is known to be associated with malware, spam, etc.

----
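The following is an added example and not part of the original page or of Suricata itself. It breaks a rule line into the header fields described above (action, protocol, source, direction, destination) and the option list, buckets each option keyword into the categories just listed, and, for the Actions section, resolves which action wins when several matching rules disagree, using Suricata's documented default order (pass, drop, reject, alert). The sample rules and the small keyword tables are constructed for the example; the first rule reuses the options quoted at the top of this page.

```python
"""Added example (not from the original page): split a Suricata rule into its
header and options, categorise the options, and resolve the winning action.
Sample rules and keyword tables are constructed for this example."""
import re
from dataclasses import dataclass

# Rule header: action protocol src src_port direction dst dst_port (options)
# Address/port lists such as [10.0.0.0/8,!10.0.0.5] must not contain spaces.
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# Suricata's documented default action-order (configurable in suricata.yaml).
DEFAULT_ACTION_ORDER = ("pass", "drop", "reject", "alert")

# Small keyword tables for categorisation; not an exhaustive list of Suricata keywords.
META_KEYWORDS = {"msg", "sid", "rev", "gid", "classtype", "reference", "priority", "metadata"}
PAYLOAD_KEYWORDS = {"content", "nocase", "depth", "offset", "distance", "within",
                    "pcre", "isdataat", "dsize", "fast_pattern", "startswith", "endswith"}
FLOW_KEYWORDS = {"flow", "flowbits", "flowint", "stream_size"}
IPREP_KEYWORDS = {"iprep"}


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list  # [(keyword, value_or_None), ...] in rule order

    @property
    def sid(self):
        return next(int(v) for k, v in self.options if k == "sid")


def split_options(text):
    """Split 'msg:"a; b"; sid:1; nocase;' into [("msg","a; b"), ("sid","1"), ("nocase",None)].
    A ';' inside double quotes does not end an option; backslash escapes are kept."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if "".join(buf).strip():
                items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    if "".join(buf).strip():
        raise ValueError("option not terminated with ';': %r" % "".join(buf).strip())
    parsed = []
    for item in items:
        key, sep, value = item.partition(":")  # first ':' only, so msg:"a:b" is safe
        key, value = key.strip(), (value.strip() if sep else None)
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        parsed.append((key, value))
    return parsed


def parse_rule(line):
    """Parse one rule line into a Rule; raises ValueError on a malformed rule."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule header: %r" % line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    rule = Rule(action, proto.lower(), src, sport, direction, dst, dport, split_options(opts))
    if not any(k == "sid" for k, _ in rule.options):
        raise ValueError("rule has no sid")
    return rule


def categorize(keyword):
    """Bucket an option keyword into the categories used on this page."""
    if keyword in META_KEYWORDS:
        return "meta"
    if keyword.startswith(("http.", "http_")):  # http.uri, http.method, legacy http_uri ...
        return "http"
    if keyword in FLOW_KEYWORDS:
        return "flow"
    if keyword in IPREP_KEYWORDS:
        return "ip-reputation"
    if keyword in PAYLOAD_KEYWORDS:
        return "payload"
    return "other"


def resolve_action(matched_actions, order=DEFAULT_ACTION_ORDER):
    """Action applied when several matching rules carry different actions: the one
    that comes first in `order` (default: pass beats drop beats reject beats alert)."""
    rank = {a: i for i, a in enumerate(order)}
    normalised = ["reject" if a.startswith("reject") else a for a in matched_actions]
    return min(normalised, key=lambda a: rank[a])


# Constructed sample rules (the first reuses the options quoted on this page).
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg:"ICMP detected"; sid:2; rev:1;)',
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound GET for index.html"; '
    'flow:established,to_server; http.method; content:"GET"; http.uri; '
    'content:"/index.html"; nocase; sid:1000001; rev:2;)',
    'pass ip 10.0.0.5 any -> any any (msg:"Scanner host; never block"; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for line in SAMPLE_RULES:
        r = parse_rule(line)
        print(r.action, r.protocol, r.src, r.src_port, r.direction, r.dst, r.dst_port)
        for k, v in r.options:
            print("   %-14s %-12s %s" % (categorize(k), k, "" if v is None else v))
    print("winning action if all three matched:",
          resolve_action([parse_rule(l).action for l in SAMPLE_RULES]))
```

The third sample rule shows why the option splitter has to honour quotes: its msg contains a semicolon, and a naive `split(";")` would turn it into two broken options. The same rule also illustrates the Actions section: if all three rules matched one packet, `pass` wins under the default order, so the packet would neither be dropped nor alerted on.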
  
<code>