service
The service rule option is used to tell Snort what application-layer service or services you want your rule to apply to. When Snort receives traffic, one of the things it will do first is determine the service of the traffic so that it can process and parse it correctly, and rule writers can target those services using this service rule option.
This rule option takes as arguments one or more comma-separated service names. The names of services that can be used here can be found by looking at the wizard entries in the snort_defauls.lua file included in the lua/ directory, as well as the curse service names present in the curse_map in src/service_inspectors/wizard/curses.cc.
Note that Snort handles services specified in this rule option differently than how it handles a service specified in the rule header (as seen here and here). More specifically, with this rule option, the services specified do not have to match the actual service of the traffic as long as the ports match. Additionally, the converse of that statement is true as well; the ports do not have to match as long as the services match. Another way to look at the service option is like an "OR ports" statement.
For instance, if the source or destination ports present in a rule's header match those used in the traffic, but the service specified in the rule does not match the service present in the traffic, the rule can still match as long as the rest of the rule evaluates to true. The following rule, for example, will apply either to traffic Snort detects as HTTP or traffic that is destined for TCP port 8000:
alert tcp any any -> any any 8000 (
msg:"HTTP traffic or dst port 8000 please";
service:http;
sid:1000000;
)
Note that if you are already specifying a service in the rule header or creating a file rule, then you should not include this service rule option in your rule.
Note: This rule option should be used instead of placing service declarations in the
metadataoption like what was done in Snort 2.
Format:
service:service[,service]…;Examples:
service:http;
service:http,imap,pop3;