Protocols

The protocol field tells Snort what type of protocol a given rule should look at, and the currently supported ones include:

  • ip
  • icmp
  • tcp
  • udp

A rule can only have one protocol set, and the name of the protocol is placed after the action.

Examples:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (
alert ip any any -> $HOME_NET any (

Services in place of protocols

The above four protocols look for specific "Layer 3" (ip and icmp) and "Layer 4" (tcp and udp) protocols. However, rule writers also have the option of specifying application layer services here—instead of one of the four aforementioned protocols—to tell Snort to only match on traffic of the specified service. This means that not only must the networks, ports, and direction of the traffic match what's present in the header, but the specified service must also match the service that Snort detects in the traffic.

To utilize this, one must place the name of a given service where a protocol would usually go. For example, if we wanted to match only on traffic sent to destination port 443 that Snort detects as SSL/TLS, we would simply specify ssl in our rule header like so:

alert ssl any any -> any 443

It's important to reiterate that the service specified in the header MUST match the service detected in the traffic for a rule to be considered a match. This means, for example, that the above rule header can only match on traffic that Snort has detected as SSL/TLS.

The names of services that can be used here can be found by looking at the wizard entries in the snort_defaults.lua file included in the lua/ directory, as well as the curse service names present in the curse_map in src/service_inspectors/wizard/curses.cc.

Examples:

# will only run on HTTP traffic sent to destination port 8000
alert http $EXTERNAL_NET any -> $HOME_NET 8000 (
# will only run on SMTP traffic sent to destination port 5300
alert smtp $EXTERNAL_NET any -> $HOME_NET 5300 (
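The rule headers above share one shape: action, then a single protocol or service name, then source network and port, direction, destination network and port. The following Python header linter is an added example, not code from the Snort project or from this page; it parses that shape, classifies the second token as a Layer 3/4 protocol or an application-layer service, and reports headers that break the one-protocol rule or use a name it does not recognise. The service list it carries (ssl, http, smtp) is only the subset shown on this page, so the real authority for valid service names remains the wizard entries in snort_defaults.lua and the curse_map in curses.cc; the sample rules at the bottom are constructed for the demonstration.

```python
import re

# Layer 3 (ip, icmp) and Layer 4 (tcp, udp) protocols accepted in the header.
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}

# Service names taken from this page's examples. Assumption: this is only a
# subset; a production linter would load the full set from snort_defaults.lua
# (wizard entries) and src/service_inspectors/wizard/curses.cc (curse_map).
KNOWN_SERVICES = {"ssl", "http", "smtp"}

# action proto src sport dir dst dport, optionally followed by the "(" that
# opens the rule body. Networks and ports are taken as single tokens so that
# variables ($HOME_NET), lists ([80,8080]) and negations (!any) all pass.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\(.*)?$"
)


def parse_header(rule):
    """Split a Snort rule header into its fields and classify the protocol slot.

    Returns a dict with the header fields plus a 'kind' key that is
    'protocol', 'service' or 'unknown'. Raises ValueError when the text does
    not have the action/proto/src/sport/dir/dst/dport layout, which is what
    happens when two protocol names are stacked after the action.
    """
    match = HEADER_RE.match(rule)
    if not match:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    header = match.groupdict()
    proto = header["proto"].lower()
    header["proto"] = proto
    if proto in PROTOCOLS:
        header["kind"] = "protocol"
    elif proto in KNOWN_SERVICES:
        header["kind"] = "service"
    else:
        header["kind"] = "unknown"
    return header


def lint(rules):
    """Return a list of (rule, message) pairs for headers that need attention."""
    findings = []
    for rule in rules:
        try:
            header = parse_header(rule)
        except ValueError as err:
            findings.append((rule, str(err)))
            continue
        if header["kind"] == "unknown":
            findings.append(
                (rule, f"'{header['proto']}' is neither a supported protocol "
                       f"nor a known service name")
            )
    return findings


# Constructed sample rules: three copied from this page's examples, one with
# two protocols after the action, and one with a made-up service name.
SAMPLE_RULES = [
    "alert udp $EXTERNAL_NET any -> $HOME_NET 53 (",
    "alert ssl any any -> any 443",
    "alert http $EXTERNAL_NET any -> $HOME_NET 8000 (",
    "alert tcp udp $EXTERNAL_NET any -> $HOME_NET 80 (",
    "alert notaservice any any -> any 21 (",
]

if __name__ == "__main__":
    for rule, message in lint(SAMPLE_RULES):
        print(f"{rule}\n    -> {message}")
```

Running the block reports the fourth and fifth sample rules: the stacked "tcp udp" header does not parse because the direction operator is not where the grammar expects it, and "notaservice" falls outside both name sets. Extending KNOWN_SERVICES with the names pulled from the wizard configuration turns this into a useful pre-deployment check for rule files.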