Rule Syntax

An IPS rule consists of three parts, in this order:

  • The action tells cognitix Threat Defender what operation to perform on a rule hit.

  • The header defines the protocol, the source and destination IP ranges and port ranges, and the direction in which the rule matches.

  • The rule options, enclosed in parentheses, carry everything else: what to match, the alert message, references, the classification and the rule's identifier (sid) and revision (rev).

Example:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Example rule"; pcre:"/Pattern to match/i"; reference:url,example.org/rule-example; classtype:misc-activity; sid:9000000; rev:1;)

Action

Currently, only the alert action is supported. On a rule hit with this action, a log message is emitted to the reporting channels that have IPS rule hit logging enabled.

The alert action itself only logs. To apply an action to flows that hit a certain class of IPS rules, specify the matching IPS rules' tags as an IPS condition in a rule.

Protocol

The protocol field restricts the rule to flows of one protocol. The cognitix Threat Defender IPS engine supports the following values:

  • tcp

  • udp

  • tls (ssl included)

  • http

  • smtp

  • ssh

  • dns

  • ip (matches any protocol above)

Source and Destination Address

The source and destination fields specify the IP addresses or networks on which the rule matches. The following operators are available:

  Operator     Description
  ../..        IP range in CIDR notation, e.g. 192.168.1.0/24
  !            Negation, e.g. !192.168.1.0/24
  [.., ..]     IP set, e.g. [192.168.1.0/24, 10.0.0.1]

You can also use variables to reference internal or external IP networks via $HOME_NET and $EXTERNAL_NET. Internal IP addresses can be defined by including them in a network object marked as internal.

Source and Destination Ports

A port is a communication endpoint identified by a port number, a 16-bit unsigned integer (0 to 65535). Port numbers are used by TCP and UDP traffic. The Internet Assigned Numbers Authority (IANA) assigns and maintains the port numbers of well-known services; the IANA Port Number Registry is available at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

  Operator     Description
  :            Port range, e.g. 80:90
  !            Negation, e.g. !80
  [.., ..]     Port set, e.g. [80, 443, 8080]

Direction

The direction defines which way the signature matches: the address and port on the left of the arrow are the source of the flow, those on the right its destination. Currently, only signatures with the right arrow -> can be used:

source -> destination
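The header fields described above (protocol, source and destination addresses with CIDR, negation, sets and $variables, port ranges and sets, and the -> direction) can be evaluated against a flow with a small matcher. The following Python is an added example written for this page; it is not cognitix Threat Defender's own engine or code. It assumes a constructed VARIABLES table in place of the internal network objects, Suricata-style semantics for mixed sets such as [10.0.0.0/8, !10.0.0.5] (positive entries are OR'ed, negated entries are excluded), which this page does not spell out, open-ended port ranges such as 1024:, and constructed sample flows.

```python
import ipaddress

# Constructed variable table (assumption). In Threat Defender, $HOME_NET comes
# from network objects marked as internal; here it is hard-coded for the example.
VARIABLES = {
    "$HOME_NET": "[10.0.0.0/8, 192.168.0.0/16]",
    "$EXTERNAL_NET": "!$HOME_NET",
}

PROTOCOLS = {"tcp", "udp", "tls", "http", "smtp", "ssh", "dns", "ip"}


def split_top_level(text, sep):
    """Split text on sep (None = whitespace), ignoring separators nested in [...]."""
    items, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if depth == 0 and (ch == sep or (sep is None and ch.isspace())):
            if cur.strip():
                items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def _match_set(items, value, matcher):
    """Set semantics (assumed, Suricata-style): positive entries are OR'ed,
    negated entries exclude. A set with only negated entries means 'anything but'."""
    positives = [i for i in items if not i.startswith("!")]
    negatives = [i[1:] for i in items if i.startswith("!")]
    included = not positives or any(matcher(p, value) for p in positives)
    excluded = any(matcher(n, value) for n in negatives)
    return included and not excluded


def match_address(spec, ip, variables=VARIABLES):
    """Evaluate an address operand: any, CIDR, !negation, [set] or $variable."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_address(spec[1:], ip, variables)
    if spec.startswith("$"):
        if spec not in variables:
            raise ValueError(f"undefined variable {spec}")
        return match_address(variables[spec], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return _match_set(split_top_level(spec[1:-1], ","), ip,
                          lambda s, v: match_address(s, v, variables))
    # A bare address is a /32 (or /128) network; CIDR is checked with ipaddress.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    """Evaluate a port operand: any, N, lo:hi (open ends assumed), !negation, [set]."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is not a 16-bit unsigned integer")
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        return _match_set(split_top_level(spec[1:-1], ","), port, match_port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def match_protocol(spec, flow_proto):
    """'ip' matches every supported protocol; 'tls' also covers flows labelled 'ssl'.
    Other values must match the flow's protocol exactly (a simplification)."""
    if spec not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {spec!r}")
    if spec == "ip":
        return True
    if spec == "tls":
        return flow_proto in ("tls", "ssl")
    return spec == flow_proto


def header_matches(header, flow, variables=VARIABLES):
    """header: the text between the action and the options, e.g.
    'tcp $EXTERNAL_NET any -> $HOME_NET 443'; flow: dict with proto, src, sport, dst, dport."""
    fields = split_top_level(header, None)
    if len(fields) != 6 or fields[3] != "->":
        raise ValueError("header must be: proto src sport -> dst dport")
    proto, src, sport, _, dst, dport = fields
    return (match_protocol(proto, flow["proto"])
            and match_address(src, flow["src"], variables)
            and match_port(sport, flow["sport"])
            and match_address(dst, flow["dst"], variables)
            and match_port(dport, flow["dport"]))


if __name__ == "__main__":
    # Constructed sample flows: the same connection seen in both directions.
    inbound = {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "10.1.2.3", "dport": 443}
    outbound = {"proto": "tcp", "src": "10.1.2.3", "sport": 51000, "dst": "203.0.113.7", "dport": 443}
    header = "tcp $EXTERNAL_NET any -> $HOME_NET 443"
    print(header_matches(header, inbound))   # True
    print(header_matches(header, outbound))  # False: -> matches source -> destination only
```

Because the direction is fixed to ->, the same TCP session matches or misses depending on which side opened it; a rule that should fire on the server's response has to list $HOME_NET on the left.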

Rule Options

Once the rule header is parsed, the rest of the rule is treated as options. The options section is enclosed in parentheses, and each option is terminated by a semicolon. Some options take a keyword: value form (e.g. sid:12345), others are bare flags (e.g. nocase):

<keyword>: <value>;
<keyword>;

Note

Some keywords accept multiple values. In this case, all values are comma-separated. For example:

byte_test: 1, -1, relative, big;

See the documentation of the respective keyword for more information.

Note

The characters ; and " are part of the rule options syntax. To match patterns that contain these characters, escape them with a backslash \. For example:

content:"3rxtc\"\;Date";

As a consequence, a literal backslash must itself be escaped with another backslash:

content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page";

Modifier Keywords

Some keywords operate as modifiers. There are two types of modifiers:

  • Content modifiers apply to the keyword immediately before them, i.e. they look back in the rule, e.g.:

    alert http any any -> any any (content:"index.html"; nocase; sid:1;)

    In the above example, the pattern index.html is matched case-insensitively.

  • Sticky buffers are placed before the keywords they affect. This type of modifier applies to all following keywords, for example:

    alert http any any -> any any (http.uri; content:"index.html"; sid:1;)
    

    In the above example, the pattern index.html is inspected against the HTTP URI because it follows the http.uri keyword.

  • Where relevant, both types can be used simultaneously. For example:

    alert http any any -> any any (http.uri; content:"index.html"; nocase; sid:1;)

    Here index.html is matched case-insensitively against the HTTP URI.
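The option rules above (one semicolon-terminated option per keyword, keyword:value versus bare flag, comma-separated multi-value keywords, backslash escaping of ; " and \, look-back content modifiers and sticky buffers) fit together in a small option parser. The following Python is an added example for this page, not Threat Defender's own parser. It assumes that the keyword classes are limited to what the page names (nocase as a content modifier, http.uri as a sticky buffer, byte_test and reference as comma-separated keywords) and would be extended for a real engine, that the default buffer for content and pcre is called "payload" here, and that the header is kept as an unparsed string.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Keyword classes, limited to what the page names (assumption: a real engine has more).
CONTENT_MODIFIERS = {"nocase"}                    # look back to the preceding content/pcre
STICKY_BUFFERS = {"http.uri"}                     # apply to all following content/pcre
MULTI_VALUE_KEYWORDS = {"byte_test", "reference"}  # comma-separated values
PATTERN_KEYWORDS = {"content", "pcre"}
DEFAULT_BUFFER = "payload"                        # assumed name for the unmodified buffer


@dataclass
class Option:
    keyword: str
    value: Union[str, List[str], None] = None
    buffer: Optional[str] = None                  # set for content/pcre only
    modifiers: List[str] = field(default_factory=list)


@dataclass
class Rule:
    action: str
    header: str
    options: List[Option]

    def get(self, keyword):
        """Value of the first option with this keyword, or None."""
        return next((o.value for o in self.options if o.keyword == keyword), None)


def split_options(body):
    """Split the option body on ';' outside double quotes. A backslash escapes the
    next character, so an escaped ';' or '"' never splits or closes a string."""
    parts, cur, in_quote, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur += body[i:i + 2]                  # keep the escape pair for unescape()
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in options")
    if cur.strip():
        raise ValueError("every option must be terminated by ';'")
    return [p for p in parts if p]


def unescape(text):
    """Drop the backslash in front of an escaped character (\\" \\; \\\\ -> " ; \\)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_rule(rule):
    m = re.fullmatch(r"\s*(\S+)\s+(.*?)\s*\((.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError("expected: action header (options)")
    action, header, body = m.groups()
    if action != "alert":                          # the page: only alert is supported
        raise ValueError(f"unsupported action {action!r}")

    options, buffer, last_pattern = [], DEFAULT_BUFFER, None
    for raw in split_options(body):
        keyword, sep, value = raw.partition(":")
        keyword, value = keyword.strip(), (value.strip() if sep else None)

        if keyword in STICKY_BUFFERS:              # changes the buffer for what follows
            buffer = keyword
            options.append(Option(keyword))
        elif keyword in CONTENT_MODIFIERS:         # attaches to the preceding pattern
            if last_pattern is None:
                raise ValueError(f"{keyword} has no preceding content/pcre to modify")
            last_pattern.modifiers.append(keyword)
        else:
            if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
                value = unescape(value[1:-1])
            elif value is not None and keyword in MULTI_VALUE_KEYWORDS:
                value = [v.strip() for v in value.split(",")]
            opt = Option(keyword, value, buffer if keyword in PATTERN_KEYWORDS else None)
            if keyword in PATTERN_KEYWORDS:
                last_pattern = opt
            options.append(opt)

    sids = [o.value for o in options if o.keyword == "sid"]
    if len(sids) != 1 or not str(sids[0]).isdigit():
        raise ValueError("a rule needs exactly one numeric sid")
    return Rule(action, header, options)


if __name__ == "__main__":
    # The page's own example rule, parsed.
    r = parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Example rule"; '
                   'pcre:"/Pattern to match/i"; reference:url,example.org/rule-example; '
                   'classtype:misc-activity; sid:9000000; rev:1;)')
    for o in r.options:
        print(o)
```

Two checks worth keeping in a real loader are visible here: a modifier with nothing to modify is rejected instead of silently ignored, and an unterminated quote fails the whole rule rather than swallowing the remaining options into a pattern.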