| option | description |
| --- | --- |
| content | content:"/etc/passwd" and "\|fffe 011 f\|" specify a payload string. When the specified string contains ';', '\|' or '"', put a '\' (escape) in front of that character. |
| uricontent | Applies only to the request URI part of the packet; binary data cannot be specified. |
| depth | Searches for the specified string within the first depth bytes of the packet. |
| offset | Specifies the byte position in the packet at which the string search starts. |
| nocase | Makes content case-insensitive. Written as nocase;. |
| session | Extracts the user input data from a TCP session such as telnet or ftp. Choose printable or all; with all, data that cannot be shown as text is printed in hexadecimal. |
| regex | Option for regular expressions; there does not seem to be a standard for it yet. |
| flow | Works together with TCP-layer reassembly. Direction: to_server, to_client, from_server, from_client. only_stream: only reassembled (rebuilt) packets; no_stream: only packets that were not rebuilt; established: only packets of an established connection; stateless: active regardless of connection state, as protection against abnormal random attacks. |
| fragbits (IP) | Checks the fragment and reserved bits in the IP header. M: more fragments follow (fragmentation not yet complete); D: don't fragment; R: reserved bit. The modifiers *, +, -, ! can be used. e.g. fragbits:MD+ => checks whether the more-fragments and don't-fragment bits are set. |
| sameip (IP) | Written as sameip; and checks whether the source IP and destination IP are the same. |
| ipopt (IP) | Checks whether an IP option is present (IP options are covered separately..). |
| tos, ID, ttl (IP) | Written as ttl:3-5; tos:4; and checks the value of each field. tos accepts !; ttl accepts >, <, = and - (range). |
| seq (TCP) | Written as seq:<sequence number>; and checks for the specified sequence number. |
| ack (TCP) | Written as ack:<ack number>; and checks for the specified acknowledgement number. |
| flags (TCP) | flags:[!\|*\|+]<FSRPAU120>[,<FSRPAU120>]; checks the TCP flags. |
| icmp_id (ICMP) | icmp_id:<ICMP ID value>; checks the ICMP ID field of an ICMP ECHO. |
| icmp_seq (ICMP) | Similar to the above; checks the ICMP sequence (identification) field. Useful for detecting covert channels that use static ICMP fields (e.g. the stacheldraht DDoS agent). |
| icode (ICMP) | icode:[<\|>]<number>[<><number>]; checks for the specified ICMP code value. |
| itype (ICMP) | itype:[<\|>]<number>[<><number>]; checks for the specified ICMP type value. |
| sid | Specifies the signature ID. 0 ~ 99: reserved; 100 ~ 1,000,000: rules officially distributed by Snort.org; 1,000,000 ~: custom rules (rules you write yourself). |
| rev | sid:1000983; rev:1; specifies the revision number used when the rule's information is updated; used together with sid. |
| priority | priority:<number>; specifies the severity. |
| classtype | Use of classification.config must be defined in snort.conf. config classification:<classname>,<classdescription>,<defaultpriority> classtype:<classname>; |
| reference | reference:cve,CAN-2000-1574; indicates an external reference. bugtraq http://www.securityfocus.com/bid/ ; cve http://cve.mitre.org/cgi-bin/cvename.cgi?name= ; nessus http://cgi.nessus.org/plugins/dump.php3?id= ; arachnids (currently down) http://www.whitehats.com/info/IDS ; mcafee http://vil.nai.com/vil/dispVirus.asp?virus_k= |
| logto | logto:"filename"; writes the packet to that file when the signature matches. Convenient for handling composite data such as scans; does not work when snort is in binary logging mode. |
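The content, depth, offset and nocase rows describe how a payload pattern is written and searched. The following added example (written for this page, not Snort's own code) implements those rules: it escapes the characters the content row names, decodes the `|..|` hex blocks into the bytes actually searched for, applies offset/depth/nocase to a constructed HTTP request, and splits a rule body on unescaped `;` so you can see why an unescaped semicolon inside content breaks the rule. Escaping the backslash itself is an addition the table does not mention but Snort requires; every rule and payload below is a constructed sample.

```python
"""content option helpers: escaping, pipe-hex decoding and the
offset/depth/nocase search qualifiers.

Added example for the content, depth, offset and nocase rows of the table
above; this is not Snort's own code. The escaping rule (a backslash before
';', '|' and '"') and the meaning of depth, offset and nocase follow the
table. Escaping the backslash itself is added here because Snort needs it
even though the table does not list it. All rules and payloads below are
constructed samples.
"""
from typing import List, Optional, Tuple

_NEEDS_ESCAPE = {";", "|", '"', "\\"}


def escape_content(text: str) -> str:
    """Backslash-escape every character that would otherwise end the option
    (';'), open a hex block ('|') or close the quoted string ('"')."""
    return "".join("\\" + c if c in _NEEDS_ESCAPE else c for c in text)


def decode_content(value: str) -> bytes:
    """Turn the text inside content:"..." into the bytes that are searched
    for: |..| sections are hex, a backslash makes the next char literal."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in content")
            out.extend(value[i + 1].encode("latin-1"))
            i += 2
        elif c == "|":
            end = value.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated |hex| block in content")
            out.extend(bytes.fromhex(value[i + 1:end]))
            i = end + 1
        else:
            out.extend(c.encode("latin-1"))
            i += 1
    return bytes(out)


def content_match(payload: bytes, value: str, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Search the payload the way content/offset/depth/nocase describe:
    start `offset` bytes in, look at `depth` bytes from there (all of the
    rest when depth is None), and fold ASCII case when nocase is set."""
    needle = decode_content(value)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        needle, window = needle.lower(), window.lower()
    return needle in window


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split a parenthesised rule body on every ';' that is not escaped.
    An unescaped ';' inside content ends the option early, which is why the
    table says it must be written as '\\;'."""
    inner = body.strip()
    if not (inner.startswith("(") and inner.endswith(")")):
        raise ValueError("rule options must be enclosed in parentheses")
    pieces, cur, escaped = [], [], False
    for c in inner[1:-1]:
        if escaped:
            cur.append(c)
            escaped = False
        elif c == "\\":
            cur.append(c)
            escaped = True
        elif c == ";":
            pieces.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    if "".join(cur).strip():
        raise ValueError("last option is missing its terminating ';'")
    pairs = []
    for piece in pieces:
        piece = piece.strip()
        if piece:
            key, _, val = piece.partition(":")
            pairs.append((key.strip(), val.strip()))
    return pairs


if __name__ == "__main__":
    # Constructed HTTP request payload and the content value from the table.
    payload = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"
    print(content_match(payload, "/etc/passwd"))                      # True
    print(content_match(payload, "/ETC/PASSWD", nocase=True))         # True
    print(content_match(payload, "/etc/passwd", offset=0, depth=10))  # False
    rule = '(content:"%s"; nocase; sid:1000983; rev:1;)' % escape_content("id;|")
    print(rule)
    print(split_options(rule))
```

The `depth` window is taken from `offset`, so a pattern is only found when it fits entirely inside `offset .. offset+depth`; setting `depth` smaller than the pattern length can never match, which is a common mistake when tuning these two options.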
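The fragbits (IP) and flags (TCP) rows share the same modifier syntax, and the difference between an exact match, `+`, `*` and `!` is where most mistakes happen. This added example (not Snort's code) applies the modifier meanings given in the table to raw IPv4 and TCP headers that it constructs itself: no modifier is an exact match, `+` requires the named bits plus any others, `*` matches if any named bit is set, `!` matches if none is set. The `-` modifier the table lists is rejected because its meaning is not given there; the optional second field of `flags` (bits to ignore, as in `flags:S,12`) is an assumption read off the syntax line in the flags row.

```python
"""Evaluate fragbits and flags tests against raw header bytes.

Added example for the fragbits (IP) and flags (TCP) rows above; it is not
Snort's own code. Modifier semantics follow the table; '-' is rejected
because the table does not define it. The second field of flags (bits to
ignore) is an assumption taken from the syntax line. Headers are
constructed samples.
"""
import re
import struct
from typing import Tuple

# IP flags sit in the top three bits of the 16-bit flags/fragment-offset word.
FRAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
FRAG_MASK = 0xE000                      # drop the 13-bit fragment offset
# TCP flag bits in header byte 13; '1' and '2' are the two bits above URG.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def _parse_bits(spec: str, table: dict) -> Tuple[str, int]:
    """Split 'MD+', '+MD', '!S' or '0' into (modifier, bit value).
    The modifier may lead (flags style) or trail (fragbits style)."""
    m = re.fullmatch(r"([!*+]?)([A-Z012]*)([!*+]?)", spec.strip())
    if not m or (m.group(1) and m.group(3)):
        raise ValueError(f"bad bit test {spec!r}")
    mod, letters = m.group(1) or m.group(3), m.group(2)
    if letters == "0":                  # '0' means no bits set at all
        return mod, 0
    value = 0
    for ch in letters:
        if ch not in table:
            raise ValueError(f"unknown bit {ch!r} in {spec!r}")
        value |= table[ch]
    return mod, value


def _test_bits(mod: str, want: int, have: int) -> bool:
    """Apply the modifier: '' exact, '+' all named bits, '*' any, '!' none."""
    if mod == "":
        return have == want
    if mod == "+":
        return have & want == want
    if mod == "*":
        return have & want != 0
    return have & want == 0             # '!'


def fragbits_match(spec: str, ip_header: bytes) -> bool:
    """Apply fragbits:<spec> to a raw IPv4 header (flags word at bytes 6-7)."""
    word = struct.unpack("!H", ip_header[6:8])[0]
    mod, want = _parse_bits(spec, FRAG_BITS)
    return _test_bits(mod, want, word & FRAG_MASK)


def flags_match(spec: str, tcp_header: bytes) -> bool:
    """Apply flags:<test>[,<ignore>] to a raw TCP header (flags at byte 13)."""
    test, _, ignore = spec.partition(",")
    mask = _parse_bits(ignore, TCP_FLAGS)[1] if ignore else 0
    mod, want = _parse_bits(test, TCP_FLAGS)
    return _test_bits(mod, want, tcp_header[13] & ~mask)


def ipv4_header(flags_word: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_word,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def tcp_header(flag_byte: int) -> bytes:
    """Minimal 20-byte TCP header (constructed; checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flag_byte,
                       8192, 0, 0)


if __name__ == "__main__":
    # The table's own example: fragbits:MD+ on a packet with MF and DF set.
    print(fragbits_match("MD+", ipv4_header(0x6000)))   # True
    print(fragbits_match("MD+", ipv4_header(0x2010)))   # False: DF missing
    print(flags_match("S", tcp_header(0x42)))           # False: ECN bit set
    print(flags_match("S,12", tcp_header(0x42)))        # True: bits 1,2 ignored
    print(flags_match("0", tcp_header(0x00)))           # True: null scan
```

Note the exact-match case: `flags:S` does not fire on a SYN that also carries an ECN bit, which is why the ignore field (`flags:S,12`) exists; and `fragbits` masks off the fragment offset before comparing, so a later fragment with MF set still matches `fragbits:M`.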