Service Rules

Service rules are a new rule type in Snort 3 that lets rule writers match traffic of a particular service using a rule header consisting only of an action and the name of an application-layer service. Unlike the "traditional" headers described here, these headers do not require declarations of network addresses, ports, or a direction operator.

These service rules let rule writers target a particular service regardless of the IP addresses or ports being used in a given network flow. This type of rule is especially useful for services like HTTP where it's not uncommon to see web servers running on TCP ports other than 80.

For example, the following rule header tells Snort to apply this rule only to traffic that Snort detects as HTTP:

alert http (

Note however that with these rules, the service specified in the header MUST match the service detected in the traffic for a rule to be considered a match. To be more explicit, the above rule header can only match on traffic that Snort has detected as HTTP.

The names of services that can be used here can be found by looking at the wizard entries in the snort_defaults.lua file included in the lua/ directory, as well as the curse service names present in the curse_map in src/service_inspectors/wizard/curses.cc.

Format:

These rules are created with a rule header that includes only an action followed by a service name.

action service

Note: Service rules do not require a service option declaration in the rule.

Example:

The following rule would alert on matching HTTP traffic regardless of ports or IP addresses used in the communication:

alert http
(
    msg:"SERVER-WEBAPP This rule only looks at HTTP traffic";
    flow:to_server,established;
    http_uri;
    content:"/admin.php",fast_pattern,nocase;
    content:"cmd=",nocase;
    pcre:"/[?&]cmd=[^&]*?\x3b/i";
    sid:1;
)
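The following Python model is an added illustration, not Snort's own code, of the header-matching behaviour described above: a service header such as "alert http" is selected purely by the service Snort detected on the flow, while a traditional header is selected by protocol, addresses, ports and direction. The Flow record, the KNOWN_SERVICES set and the address/port wildcard handling are simplifications assumed for the example (the authoritative service names are the wizard entries in snort_defaults.lua and the curse_map in curses.cc), and treating a two-token "alert tcp" header as "alert tcp any any -> any any" is likewise an assumption. The two constructed flows show the point of the page: HTTP on port 8080 is caught by the service rule but not by a port-80 rule, and SSH sitting on port 80 is caught by the port-80 rule but not by the service rule.

```python
"""Toy model of Snort 3 header selection: service headers vs. traditional headers.

Added illustration only. Service list, Flow type and matching logic are
simplifications assumed for this example and are not Snort's implementation.
"""
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"alert", "log", "pass", "drop", "block", "reject"}
IP_PROTOS = {"ip", "tcp", "udp", "icmp"}
# Assumed service names for illustration; the real list lives in
# snort_defaults.lua (wizard entries) and curses.cc (curse_map).
KNOWN_SERVICES = {"http", "ssh", "dns", "smtp", "ftp", "tls", "imap", "pop3"}


@dataclass
class RuleHeader:
    action: str
    service: Optional[str] = None   # set only for "action service" headers
    proto: Optional[str] = None     # set only for traditional headers
    src_addr: str = "any"
    src_port: str = "any"
    direction: str = "->"
    dst_addr: str = "any"
    dst_port: str = "any"

    @property
    def is_service_rule(self) -> bool:
        return self.service is not None


@dataclass
class Flow:
    """Constructed flow record: 5-tuple plus the service Snort identified."""
    proto: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    detected_service: Optional[str]


def parse_header(rule: str) -> RuleHeader:
    """Parse the text before '(' of a Snort 3 rule into a RuleHeader."""
    tokens = rule.split("(", 1)[0].split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError(f"bad or missing action in {tokens!r}")
    action = tokens[0]
    if len(tokens) == 2:
        name = tokens[1].lower()
        if name in IP_PROTOS:
            # Assumed shorthand: "alert tcp" == "alert tcp any any -> any any".
            return RuleHeader(action, proto=name)
        if name in KNOWN_SERVICES:
            return RuleHeader(action, service=name)
        raise ValueError(f"unknown protocol or service {name!r}")
    if len(tokens) == 7 and tokens[1] in IP_PROTOS and tokens[4] in ("->", "<>"):
        return RuleHeader(action, proto=tokens[1], src_addr=tokens[2],
                          src_port=tokens[3], direction=tokens[4],
                          dst_addr=tokens[5], dst_port=tokens[6])
    raise ValueError(f"unrecognised header {' '.join(tokens)!r}")


def _endpoint_matches(addr: str, port: str, f_addr: str, f_port: int) -> bool:
    # Only "any" or an exact literal is supported in this toy matcher.
    return (addr == "any" or addr == f_addr) and (port == "any" or int(port) == f_port)


def header_applies(h: RuleHeader, f: Flow) -> bool:
    """True if the header selects this flow (before any rule options run)."""
    if h.is_service_rule:
        # Service rules ignore addresses and ports entirely: the service Snort
        # detected on the flow MUST equal the service named in the header.
        return f.detected_service == h.service
    if h.proto != "ip" and h.proto != f.proto:
        return False
    forward = (_endpoint_matches(h.src_addr, h.src_port, f.src_addr, f.src_port)
               and _endpoint_matches(h.dst_addr, h.dst_port, f.dst_addr, f.dst_port))
    if h.direction == "->":
        return forward
    reverse = (_endpoint_matches(h.src_addr, h.src_port, f.dst_addr, f.dst_port)
               and _endpoint_matches(h.dst_addr, h.dst_port, f.src_addr, f.src_port))
    return forward or reverse


# Constructed flows: HTTP on a non-standard port, and SSH sitting on port 80.
HTTP_ON_8080 = Flow("tcp", "10.0.0.5", 51234, "192.0.2.10", 8080, "http")
SSH_ON_80 = Flow("tcp", "10.0.0.5", 51235, "192.0.2.10", 80, "ssh")

SERVICE_RULE = parse_header('alert http ( msg:"x"; sid:1; )')
PORT_RULE = parse_header('alert tcp any any -> any 80 ( msg:"x"; sid:2; )')

if __name__ == "__main__":
    for name, flow in (("HTTP on 8080", HTTP_ON_8080), ("SSH on 80", SSH_ON_80)):
        print(f"{name}: service rule={header_applies(SERVICE_RULE, flow)} "
              f"port-80 rule={header_applies(PORT_RULE, flow)}")
```

Running the block prints that the service rule applies to the HTTP-on-8080 flow and not to the SSH-on-80 flow, while the port-80 rule does the opposite; the rule options (flow, http_uri, content, pcre) only get a chance to run on flows the header has selected.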