title
ref [optional]
description
id
level
action
protocol
detection
  {keyword_field: value} [optional]
  protocol_field [optional]
    {key: value}
stream [optional]
  direction [optional]
  flow [optional]
  # optional if any, any
  source [optional]
    {address: value} [optional]
    {port: value} [optional]
  destination [optional]
    {address: value} [optional]
    {port: value} [optional]
A brief title to summarize the network detection.
Here we have a dilemma.
Option 1: A unique identifier as an integer (it sucks, as users have to check whether their integer already exists, but this is the Snort/Suricata specification for sid).
Option 2: A UUID, with the sid generated automatically in the process (the user can provide a range of sids to allocate from). The UUID is then placed in the metadata field.
Collaboration will be easier with option 2, but users may find option 2 confusing.
- stable
- test
- experimental
- deprecated
Description of the rule and its analysis process.
References for the rule.
Level of the rule.
- critical
- high
- medium
- low
Useful for an IPS to take action (drop the packet, for example).
- drop
- alert # this drops and generates an alert
- pass (useful?)
The protocol targeted
protocol: tcp
Field values targeted, organised into selections that are combined with the condition field.
detection:
  http.user_agent:
    - content: "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"
    - content: "Firefox/3."
      dist: 0
    - content|not: "Firefox/3.6.13"
      dist: -10
Network directions targeted.
stream:
  flow: to_client
  direction: out
  source:
    address: $EXTERNAL_NET
    port: any
  destination:
    address: $HOME_NET
    port: any
title: Outdated Firefox on Windows
id: 9000000
description: Detects outdated Firefox browsers (version 3.x except 3.6.13) on Windows.
level: high
action: alert
protocol: http
detection:
  http.user_agent:
    - content: "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"
    - content: "Firefox/3."
      dist: 0
    - content|not: "Firefox/3.6.13"
      dist: -10
stream:
  direction: out
  flow: from_client
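To make the format concrete, here is an added example (not part of this specification or any existing converter) that compiles the rule above into a Suricata/Snort rule string and also sketches the sid dilemma: integer ids are used as the sid directly, UUID ids get a sid allocated from a user-supplied range and the UUID is kept in `metadata` (option 2). The mapping of fields to rule keywords (`title` to `msg`, `dist` to `distance`, `content|not` to a negated `content`, `level` to `metadata`, `direction: both` to `<>` and anything else to `->`, missing `source`/`destination` to `any any`) is this example's assumption, as is the `sid_allocator` helper; the rule itself is embedded as a Python dict so the script runs without a YAML library.

```python
"""Compile a rule in the page's YAML-like format into a Suricata/Snort rule.
Added example; the field-to-keyword mapping below is an assumption."""
from typing import Dict, Iterator, List, Optional, Set

# Constructed from the example rule on the page (a dict instead of YAML text
# so that no third-party parser is needed).
EXAMPLE_RULE = {
    "title": "Outdated Firefox on Windows",
    "id": 9000000,
    "description": "Detects outdated Firefox browsers (version 3.x except 3.6.13) on Windows.",
    "level": "high",
    "action": "alert",
    "protocol": "http",
    "detection": {
        "http.user_agent": [
            {"content": "User-Agent|3A| Mozilla/5.0 |28|Windows|3B|"},
            {"content": "Firefox/3.", "dist": 0},
            {"content|not": "Firefox/3.6.13", "dist": -10},
        ]
    },
    "stream": {"direction": "out", "flow": "from_client"},
}


def escape_content(value: str) -> str:
    """Escape the characters Suricata treats specially inside content:"...".
    The |hex| notation already used on the page passes through unchanged."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def compile_matches(buffer: str, matches: List[Dict]) -> List[str]:
    """One detection selection -> sticky buffer plus content keywords.
    'content|not' becomes a negated match, 'dist' becomes 'distance'."""
    out = [f"{buffer};"]
    for m in matches:
        if "content|not" in m:
            out.append(f'content:!"{escape_content(m["content|not"])}";')
        elif "content" in m:
            out.append(f'content:"{escape_content(m["content"])}";')
        else:
            raise ValueError(f"selection {buffer!r}: match without content: {m}")
        if "dist" in m:
            out.append(f"distance:{int(m['dist'])};")
    return out


def sid_allocator(start: int, end: int, used: Set[int]) -> Iterator[int]:
    """Hand out unused sids from a user-supplied range (option 2 on the page)."""
    for sid in range(start, end + 1):
        if sid not in used:
            used.add(sid)
            yield sid


def compile_rule(rule: Dict, sid: Optional[int] = None) -> str:
    """Return the Suricata rule text for one rule dict.
    Integer ids are the sid; string ids are treated as UUIDs and need a
    generated sid, which is then recorded alongside the UUID in metadata."""
    action = rule["action"]
    if action not in {"alert", "drop", "pass"}:
        raise ValueError(f"unsupported action {action!r}")
    stream = rule.get("stream", {})
    src = stream.get("source", {})
    dst = stream.get("destination", {})
    # "# optional if any, any": missing endpoints default to any/any
    arrow = "<>" if stream.get("direction") == "both" else "->"
    header = (f"{action} {rule['protocol']} "
              f"{src.get('address', 'any')} {src.get('port', 'any')} {arrow} "
              f"{dst.get('address', 'any')} {dst.get('port', 'any')}")
    opts = [f'msg:"{escape_content(rule["title"])}";']
    if "flow" in stream:
        opts.append(f"flow:{stream['flow']};")
    for buffer, matches in rule["detection"].items():
        opts.extend(compile_matches(buffer, matches))
    refs = rule.get("ref", [])
    for ref in [refs] if isinstance(refs, str) else refs:
        opts.append(f"reference:url,{ref};")
    metadata = [f"level {rule['level']}"]
    if isinstance(rule["id"], str):
        if sid is None:
            raise ValueError("UUID ids need a generated sid")
        metadata.append(f"uuid {rule['id']}")
    else:
        sid = int(rule["id"])
    opts.append(f"metadata:{', '.join(metadata)};")
    opts.append(f"sid:{sid}; rev:1;")
    return f"{header} ({' '.join(opts)})"


if __name__ == "__main__":
    print(compile_rule(EXAMPLE_RULE))
    # Option 2: a UUID-identified copy of the rule, sid taken from a range
    uuid_rule = dict(EXAMPLE_RULE, id="00000000-0000-0000-0000-000000000001")  # constructed UUID
    alloc = sid_allocator(9000000, 9000010, used={9000000})
    print(compile_rule(uuid_rule, sid=next(alloc)))
```

Running the script prints the compiled rule for the page's example (`alert http any any -> any any (msg:"Outdated Firefox on Windows"; flow:from_client; http.user_agent; ...; sid:9000000; rev:1;)`) followed by the UUID variant, whose sid 9000001 is the first free value in the range because 9000000 is already marked as used. The escaping step matters in practice: a `;` or `"` inside a content string would otherwise terminate the option early and change what the rule matches.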