Snort Rules and Configuration
Snort® rules and configuration files are placed in the parsers/snort directory for Investigator and Decoder. Decoder supports the payload detection capabilities of Snort rules. Rule files must have the extension .rules and configuration files must have the extension .conf. The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token: once a token is matched, the rule header and the remaining rule options are evaluated. Consequently, rules that do not define any content (via the content or uricontent rule options) are currently not supported.
Configuration
The configuration files are loaded prior to loading rules.
Meta key usage
In earlier versions, an attempt was made to better align the Snort parser's meta key usage with that of other parsers. As of the current version, the default mode of operation continues to write to the legacy key set (consistent with previous releases). To use the aligned key set, set the udm option to true for the Snort parser in the parser.options configuration node. Refer to the General options section, below, for a description of how the two modes differ.
Rules
- Any rule that does not properly parse is ignored.
- Any valid Snort rule should parse successfully; however, rule options that Decoder does not support are not fully parsed.
Snort rules are parsed and loaded when PCS is loaded (on any import or capture in Investigator, and on initial capture start and parser reload in Decoder).
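As an added example (this is not Decoder or Investigator code, nor part of any Snort distribution), the following Python script pre-checks a rules file against the constraints stated above: the file extension, rules that do not parse (ignored), and rules with no content or uricontent option (not supported). It uses the standard Snort 2 rule grammar for headers and options; the function names, the three result labels and the sample rules are assumptions of the example.

```python
"""Pre-flight check for a parsers/snort rules file.

Added example, not Decoder/Investigator code. It applies the constraints
this section states (.rules/.conf extensions, unparseable rules ignored,
rules without content/uricontent unsupported) using standard Snort 2 rule
syntax. Function names, labels and sample rules are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
DIRECTIONS = {"->", "<>"}


def file_kind(name: str) -> Optional[str]:
    """'rules' or 'conf' for file names Decoder picks up, else None."""
    if name.endswith(".rules"):
        return "rules"
    if name.endswith(".conf"):
        return "conf"
    return None


def split_options(body: str) -> List[str]:
    """Split a rule option body on ';', honouring double quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escaped char, e.g. \; inside content
            cur.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_rule(line: str) -> Optional[Dict]:
    """Parse one rule; None means it does not parse and would be ignored."""
    m = re.fullmatch(r"(.*?)\s*\((.*)\)", line.strip())
    if not m:
        return None
    header = m.group(1).split()
    # Expected header: action proto src_ip src_port direction dst_ip dst_port
    if len(header) != 7 or header[0] not in ACTIONS or header[4] not in DIRECTIONS:
        return None
    options: List[Tuple[str, str]] = []
    for opt in split_options(m.group(2)):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip()))
    return {"header": header, "options": options}


def content_tokens(rule: Dict) -> List[str]:
    """content/uricontent strings, i.e. the tokens Decoder matches on first."""
    return [v.lstrip("!").strip('"')  # drop negation marker and quotes
            for n, v in rule["options"] if n in ("content", "uricontent")]


def classify(line: str) -> str:
    """'loadable', 'unsupported' (no content token) or 'ignored' (does not parse)."""
    rule = parse_rule(line)
    if rule is None:
        return "ignored"
    if not content_tokens(rule):
        return "unsupported"
    return "loadable"


def check_rules_text(text: str) -> Dict[str, int]:
    """Count rule lines per classification, skipping blank lines and comments."""
    counts = {"loadable": 0, "unsupported": 0, "ignored": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            counts[classify(line)] += 1
    return counts


# Constructed sample rules for this example (not from any real rule set).
SAMPLE_RULES = """\
# content rule: loadable, the token is "GET /admin"
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin access"; flow:to_server,established; content:"GET /admin"; nocase; sid:1000001; rev:1;)
# uricontent rule: loadable
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB cgi-bin probe"; uricontent:"/cgi-bin/"; sid:1000002; rev:1;)
# no content/uricontent option: not supported by Decoder
alert tcp any any -> any 80 (msg:"SYN only"; flags:S; sid:1000003; rev:1;)
# header is missing the destination port: does not parse, ignored
alert tcp any any -> any (msg:"broken header"; content:"x"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    print(file_kind("local.rules"), file_kind("snort.conf"), file_kind("local.txt"))
    print(check_rules_text(SAMPLE_RULES))
```

Running the script on a real rules file (read it with open() and pass the text to check_rules_text) gives a quick count of how many rules Decoder can actually use before the parser reload; rules reported as unsupported are the ones whose detection logic lives entirely in non-content options such as flags or thresholds, which the token-based matching described above cannot trigger on.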
General options
Snort rule general options can result in different meta keys being written depending on whether the Snort parser is in legacy mode or not.
Aligned key mode:
Legacy key mode:
Payload options
Decoder supports the following payload rule options: