The msg rule option tells the logging and alerting engine the message to print along with a packet dump or to an alert. It is a simple text string that utilizes the \ as an escape character to indicate a discrete character that might otherwise confuse Snort's rules parser (such as the semi-colon ; character).
msg: "<message text>";
The reference keyword allows rules to include references to external attack identification systems. The plugin currently supports several specific systems as well as unique URLs. This plugin is to be used by output plugins to provide a link to additional information about the alert produced.
Make sure to also take a look at http://www.snort.org/snort-db/ for a system that indexes descriptions of alerts by sid (See Section ).
| System | URL Prefix |
|---|---|
| bugtraq | http://www.securityfocus.com/bid/ |
| cve | http://cve.mitre.org/cgi-bin/cvename.cgi?name= |
| nessus | http://cgi.nessus.org/plugins/dump.php3?id= |
| arachnids | (currently down) http://www.whitehats.com/info/IDS |
| mcafee | http://vil.nai.com/vil/dispVirus.asp?virus_k= |
| url | http:// |
reference: <id system>,<id>; [reference: <id system>,<id>;]
The sid keyword is used to uniquely identify Snort rules. This information allows output plugins to identify rules easily. This option should be used with the rev keyword. (See section )
The file sid-msg.map contains a mapping of alert messages to Snort rule IDs. This information is useful when post-processing alerts to map an ID back to its alert message.
sid: <snort rules id>;
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)
The rev keyword is used to uniquely identify revisions of Snort rules. Revisions, along with Snort rule IDs, allow signatures and descriptions to be refined and replaced with updated information. This option should be used with the sid keyword. (See section )
rev: <revision integer>;
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)
The classtype keyword categorizes alerts into attack classes. By using the classtype keyword, alerts can be grouped and prioritized. The user can specify what priority each type of rule classification has. Rules that have a classification will have a default priority set.
classtype: <class name>;
Rule classifications are defined in the classification.config file. The config file uses the following syntax:
config classification: <class name>,<class description>,<default priority>
The standard classifications included with Snort are listed in the table below.
| Classtype | Description | Priority |
|---|---|---|
| attempted-admin | Attempted Administrator Privilege Gain | high |
| attempted-user | Attempted User Privilege Gain | high |
| shellcode-detect | Executable code was detected | high |
| successful-admin | Successful Administrator Privilege Gain | high |
| successful-user | Successful User Privilege Gain | high |
| trojan-activity | A Network Trojan was detected | high |
| unsuccessful-user | Unsuccessful User Privilege Gain | high |
| web-application-attack | Web Application Attack | high |
| attempted-dos | Attempted Denial of Service | medium |
| attempted-recon | Attempted Information Leak | medium |
| bad-unknown | Potentially Bad Traffic | medium |
| denial-of-service | Detection of a Denial of Service Attack | medium |
| misc-attack | Misc Attack | medium |
| non-standard-protocol | Detection of a non-standard protocol or event | medium |
| rpc-portmap-decode | Decode of an RPC Query | medium |
| successful-dos | Denial of Service | medium |
| successful-recon-largescale | Large Scale Information Leak | medium |
| successful-recon-limited | Information Leak | medium |
| suspicious-filename-detect | A suspicious filename was detected | medium |
| suspicious-login | An attempted login using a suspicious username was detected | medium |
| system-call-detect | A system call was detected | medium |
| unusual-client-port-connection | A client was using an unusual port | medium |
| web-application-activity | Access to a potentially vulnerable web application | medium |
| icmp-event | Generic ICMP event | low |
| misc-activity | Misc activity | low |
| network-scan | Detection of a Network Scan | low |
| not-suspicious | Not Suspicious Traffic | low |
| protocol-command-decode | Generic Protocol Command Decode | low |
| string-detect | A suspicious string was detected | low |
| unknown | Unknown Traffic | low |
classtype uses the classifications defined by the config classification option. The classifications used by the rules shipped with Snort are defined in etc/classification.config.
The priority keyword assigns a severity level to rules. A classtype option sets a default priority, which an explicit priority option in the same rule overrides. For an example used in conjunction with a classification, refer to Figure . For use by itself, see Figure .
priority: <priority integer>;
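As an added example (not code from the Snort manual or project), the following Python script ties the options above together: it parses `config classification:` lines for default priorities, splits a rule's option body while honouring the `\` escape that `msg` relies on, resolves `classtype` against the classifications with an explicit `priority` taking precedence, expands `reference` entries through the URL-prefix table, and emits a sid-msg.map line. The classification lines, the sample rule and its CVE/URL references are constructed placeholders.

```python
import re
# Reference systems and URL prefixes from the table in this section.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}
# Constructed classification.config excerpt (Snort's shipped file encodes high/medium/low as 1/2/3).
CLASSIFICATION_CONFIG = """\
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
"""
# Constructed rule; the CVE id and URL are placeholders, not real references.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"WEB-ATTACK test\\; cmd"; '
               'reference:cve,CVE-YYYY-NNNN; reference:url,www.example.com/writeup; '
               'classtype:web-application-attack; sid:1000983; rev:1;)')

def parse_classifications(text):  # class name -> default priority
    pat = re.compile(r"config classification:\s*([^,]+),[^,]*,(\d+)")
    return {m.group(1).strip(): int(m.group(2))
            for m in map(pat.match, text.splitlines()) if m}

def split_options(body):  # ';' ends an option unless escaped as '\;'
    parts = re.split(r"(?<!\\);", body)
    return [re.sub(r"\\(.)", r"\1", p).strip() for p in parts if p.strip()]

def parse_rule(rule, classes):  # msg/sid/rev/classtype/priority/references
    meta = {"references": []}
    for opt in split_options(rule[rule.index("(") + 1:rule.rindex(")")]):
        key, val = (s.strip() for s in opt.partition(":")[::2])
        if key == "reference":                # stored as (system, id)
            meta["references"].append(tuple(s.strip() for s in val.split(",", 1)))
        elif key in ("sid", "rev", "priority"):
            meta[key] = int(val)
        elif key in ("msg", "classtype"):
            meta[key] = val.strip('"')
    # classtype supplies the default priority; an explicit priority option overrides it
    if "priority" not in meta and meta.get("classtype") in classes:
        meta["priority"] = classes[meta["classtype"]]
    return meta

def reference_urls(meta):  # expand (system, id) into links via the prefix table
    return [REFERENCE_PREFIXES[s] + i for s, i in meta["references"]]

def sid_msg_map_line(meta):  # Snort's sid-msg.map layout: sid || msg || system,id ...
    return " || ".join([str(meta["sid"]), meta["msg"]] + [",".join(r) for r in meta["references"]])
```

Running `sid_msg_map_line(parse_rule(SAMPLE_RULE, parse_classifications(CLASSIFICATION_CONFIG)))` yields a line suitable for post-processing alerts by sid, with the escaped `\;` restored to a plain `;` in the message.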