Payload Detection Rule Options
Snort rules are best at evaluating a network packet's "payload" (e.g., the TCP or UDP data fields), and this chapter covers what are referred to as "payload detection" options. These options tell Snort what kind of packet data to look for, where to look for that data, and lastly how to look for said data.
A single Snort rule can contain multiple options, and those options are evaluated against the packet data in the order they are placed in the rule (except for certain fast_pattern matches).
Inspection Buffers
When Snort receives network traffic and begins processing, it places the packet data into various "buffers" that rule writers can evaluate payload options against. Snort provides buffers for the raw packet data, normalized packet data, "file" data, individual HTTP elements like http_header and http_uri, and more. Not all buffers will be available for a given packet, so rule writers should use the table at the end of this page to make sure they are using the appropriate one(s).
As Snort evaluates payload options against a given buffer, it keeps track of its current location there with a detection-offset-end (DOE) pointer (also sometimes referred to as a cursor). By default, this pointer points to the start of the current buffer, but some rule options will "move" this pointer forward and backward, which allows for the use of relative payload options.
Sticky buffers
By default, rule options are evaluated against data present in the pkt_data buffer. Looking for data in one of the other buffers is done by using what are called "sticky buffers", which are rule options that, when set, move the DOE pointer to the start of that particular buffer. All subsequent payload options are then looked for in that buffer unless some other sticky buffer is specified.
One of those sticky buffers, for example, is http_uri, which contains the URI portion of an HTTP request. Setting this buffer and looking for data there might be done like so:
http_uri;
content:"/index.php";
Note: Depending on one's Snort configuration, Snort will place certain payload data—such as HTTP-specific elements—only in their respective buffers. This means, for example, that trying to look for HTTP request elements in the default, normalized packet data buffer will result in a detection failure.
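As an added example (not code from the Snort project or from this page), the following Python model reproduces the cursor behaviour described above: a sticky buffer resets the DOE pointer to the start of its buffer, an absolute content match is bounded by offset/depth, a relative one by distance/within from the cursor, and every successful match moves the cursor past the matched bytes. The Packet class, the evaluate helper and the buffer contents are assumptions constructed for illustration.

```python
# Added illustrative model (not Snort's code) of the detection cursor (DOE
# pointer) and sticky buffers; all buffer contents are constructed samples.

class Packet:
    def __init__(self, buffers):
        self.buffers = buffers      # buffer name -> bytes
        self.current = "pkt_data"   # Snort's default buffer
        self.doe = 0                # detection-offset-end pointer (cursor)

    def sticky(self, name):
        # Select a buffer and reset the cursor; an unpopulated buffer cannot match
        if name not in self.buffers:
            return False
        self.current, self.doe = name, 0
        return True

    def content(self, pattern, offset=0, depth=None, distance=None,
                within=None, nocase=False):
        # offset/depth are absolute from the buffer start; distance/within are
        # relative to the cursor.  A match moves the cursor past the matched bytes.
        buf = self.buffers[self.current]
        relative = distance is not None or within is not None
        start = self.doe + (distance or 0) if relative else offset
        window = within if relative else depth
        end = len(buf) if window is None else min(start + window, len(buf))
        hay, needle = buf[start:end], pattern
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        i = hay.find(needle)
        if i < 0:
            return False
        self.doe = start + i + len(pattern)
        return True

def evaluate(packet, options):
    # Options run left to right as in a rule; the first failure stops evaluation
    for name, args, kwargs in options:
        if not getattr(packet, name)(*args, **kwargs):
            return False
    return True

def sample_packet():  # constructed HTTP request, split as Snort would buffer it
    return Packet({"pkt_data": b"GET /index.php?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
                   "http_uri": b"/index.php?id=1"})

# Same as: http_uri; content:"/index.php",depth 10; content:"id=1",distance 1,within 4;
URI_RULE = [("sticky", ("http_uri",), {}),
            ("content", (b"/index.php",), {"depth": 10}),
            ("content", (b"id=1",), {"distance": 1, "within": 4})]
```

Changing the second content's distance to 2 in URI_RULE makes the rule fail, because the within window then starts one byte too late to contain "id=1".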
This section breaks down each of those rule payload options to explain how they are used and how they work, starting with the content option.
Quick Reference
keyword | description |
---|---|
content | content is used to perform basic string and/or hexadecimal pattern matching |
fast_pattern | fast_pattern is a content modifier that tells Snort to use that particular match to determine if further rule processing should continue against the traffic |
nocase | nocase is a content modifier that tells Snort to ignore case when looking for a specified pattern |
offset | offset is a content modifier that specifies where to start searching for a pattern relative to the beginning of the packet or buffer |
depth | depth is a content modifier that specifies how far into a Snort packet or buffer to look for the specified pattern relative to the beginning of the packet or buffer |
distance | distance is a content modifier that specifies where to start searching for a pattern relative to the previous content match |
within | within is a content modifier that specifies how far into a Snort packet or buffer to look for the specified pattern relative to the previous content match |
HTTP buffers | http_* options are sticky buffer declarations that set the detection cursor to the beginning of the various HTTP parts |
bufferlen | bufferlen checks the length of a given buffer |
isdataat | isdataat verifies the payload data exists at a specified location |
dsize | dsize tests packet payload size |
pcre | pcre is used to create perl compatible regular expressions |
regex | regex is used to create perl compatible regular expressions that are checked against payload data with the hyperscan engine |
pkt_data | pkt_data is a sticky buffer declaration that sets the detection cursor to the beginning of the normalized packet data |
raw_data | raw_data is a sticky buffer declaration that sets the detection cursor to the beginning of the raw packet data |
file_data | file_data is a sticky buffer declaration that sets the detection cursor to either the HTTP response body for HTTP traffic or file data sent via other application protocols that has been processed and captured by Snort's "file API" |
js_data | js_data is a sticky buffer declaration that sets the detection cursor to the normalized JavaScript data buffer |
vba_data | vba_data is a sticky buffer declaration that sets the detection cursor to the buffer containing VBA macro code |
base64_decode | base64_decode is used to decode base64-encoded data in a packet |
base64_data | base64_data is a sticky buffer declaration that sets the detection cursor to the beginning of the base64 decoded buffer |
byte_extract | byte_extract reads some number of bytes from packet data and stores the extracted byte or bytes into a named variable |
byte_test | byte_test tests a byte or multiple bytes from the packet against a specific value with a specified operator |
byte_math | byte_math extracts bytes from the packet and performs a mathematical operation on the extracted value, storing the result in a new variable |
byte_jump | byte_jump reads some number of bytes from the packet, converts them from their numeric representation if necessary, and moves that many bytes forward |
ber_data and ber_skip | ber_* rule options evaluate and work with BER-encoded data |
ssl_state and ssl_version | ssl_* rule options evaluate and work with SSL/TLS sessions |
DCE Specific Options | dce_* rule options evaluate and work with DCERPC traffic |
SIP Specific Options | sip_* rule options evaluate and work with SIP traffic |
sd_pattern | sd_pattern detects sensitive data, such as credit card and social security numbers |
cvs | cvs looks for specific CVS attack types |
md5, sha256, and sha512 | md5, sha256, and sha512 check payload data against a specified hash value |
GTP Specific Options | gtp_* rule options evaluate specific elements of GTP traffic |
DNP3 Specific Options | dnp3_* rule options evaluate specific elements of DNP3 traffic |
CIP Specific Options | cip_* rule options evaluate specific elements of CIP traffic |
IEC 104 Specific Options | iec104_* rule options evaluate specific elements of IEC 104 traffic |
MMS Specific Options | mms_* rule options evaluate specific elements of MMS traffic |
Modbus Specific Options | modbus_* rule options evaluate specific elements of Modbus traffic |
S7CommPlus Specific Options | s7commplus_* rule options evaluate specific elements of S7CommPlus traffic |