pfsense:suricata:rules:breakdown_of_a_rule, revision 2021/01/22 10:07 (current), section [Rule Options], by peter
====== PFSense - Suricata - Rules - Breakdown of a rule ======


===== Example Rule =====
  * **(msg:"ICMP detected"; sid:2; rev:1;)**: The options.

----

<WRAP info>

  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings|meta-settings]]**: Options that do not describe anything about the packet itself, such as msg, sid and rev.
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords|payload]]**: Matches on the packet data itself, e.g. **content:"peter";**.
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords|HTTP]]**: Heavily used when the TCP protocol is set; useful for using Suricata as a content filtering system. Examples: **GET, POST, index.html, cookies, user-agents, response status 302, 500, etc.**
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords|flow]]**: More fine-grained control over the connection's status and similar state: **established, memory usage, timeouts, user logged in**.
  * **[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules|IP reputation]]**: Whether an IP is legitimate or known to be associated with malware, spam, etc.

----

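To make the breakdown concrete, here is an added example (not the page's text and not Suricata's own rule parser) that splits a rule into its header fields and its options, groups each option keyword into the families listed above (meta, payload, HTTP, flow, IP reputation), and bumps **rev** the way the note on revisions below requires. The ICMP header in front of the page's option block is constructed, the second sample rule is constructed, and the keyword-to-family table is an assumed subset of Suricata's keywords, not an authoritative list.

```python
import re

# Keyword families, keyed by the categories the page lists. Assumed mapping
# (a subset of real Suricata keywords); extend it for the keywords you use.
CATEGORY = {
    "meta": {"msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata"},
    "payload": {"content", "nocase", "depth", "offset", "distance", "within", "pcre", "dsize"},
    "http": {"http.method", "http.uri", "http.user_agent", "http.cookie", "http.stat_code",
             "http_method", "http_uri", "http_user_agent", "http_cookie", "http_stat_code"},
    "flow": {"flow", "flowbits", "flowint"},
    "ip_reputation": {"iprep"},
}

# Header layout: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


def split_options(text):
    """Split 'key:value; key; ...' on ';' characters that sit outside double quotes.

    A ';' inside msg:"..." or content:"..." must not end the option, and a
    backslash escapes the next character, so a plain str.split(';') is wrong.
    """
    parts, buf, in_quote, escape = [], [], False, False
    for ch in text:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rule(rule):
    """Return (header_fields, [(keyword, value_or_None), ...]) for one rule."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    header = {k: m.group(k) for k in
              ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")}
    options = []
    for opt in split_options(m.group("options")):
        key, sep, val = opt.partition(":")
        key, val = key.strip(), (val.strip() if sep else None)
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]          # msg:"ICMP detected" -> ICMP detected
        options.append((key, val))
    return header, options


def categorize(options):
    """Group option keywords by the families described on this page."""
    groups = {}
    for key, _ in options:
        family = next((c for c, keys in CATEGORY.items() if key in keys), "other")
        groups.setdefault(family, []).append(key)
    return groups


def bump_rev(rule):
    """Return the rule text with rev incremented by 1, as required on every edit."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    opts = []
    for opt in split_options(m.group("options")):
        key, _, val = opt.partition(":")
        if key.strip() == "rev":
            opt = "rev:%d" % (int(val) + 1)
        opts.append(opt + ";")
    return rule[:m.start("options")] + " ".join(opts) + rule[m.end("options"):]


if __name__ == "__main__":
    # Constructed samples: the page's option block on an assumed ICMP header,
    # plus an HTTP rule that exercises the payload, HTTP and flow families.
    icmp = 'alert icmp any any -> any any (msg:"ICMP detected"; sid:2; rev:1;)'
    http = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET to outside; test"; '
            'flow:established,to_server; http.method; content:"GET"; nocase; sid:1000001; rev:2;)')
    for r in (icmp, http):
        header, options = parse_rule(r)
        print(header)
        print(categorize(options))
    print(bump_rev(icmp))
```

The quote-aware splitter is the part worth keeping: a `;` inside a quoted **msg** or **content** value is common, and a naive split on `;` silently breaks such rules. Valueless keywords such as **nocase** or the sticky buffer **http.method** come back with `None` as their value.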
<code>
  * **rev**: Revision number/ID.
    * Incremented by 1 every time the rule is changed.

----

