S
t
e
p
Description Command Keys
5 Specify the given rule force. esr(config-ips-category-rule-
advanced)# rule-text <LINE>
<CONTENT> – text message in SNORT 2.X/
Suricata 4.X format, specified by a string of
up to 1024 characters.
6 Activate a rule. esr(config-ips-category-rule-
advanced)# enable
13.6.8 Extended user rules configuration example
Objective:
Write a rule detecting attack like Slowloris.
Solution:
Create a set of user rules:
esr(config)# security ips-category user-defined ADV
Create an extended rule:
esr(config-ips-category)# rule-advanced 1
esr(config-ips-category-rule-advanced)# description «Slow Loris rule 1»
esr(config-ips-category-rule-advanced)# rule-text "alert tcp any any -> any 80 (msg:'Possible
Slowloris Attack Detected';
flow:to_server,established; content:'X-a|3a|'; distance:0; pcre:'/\d\d\d\d/'; distance:0;
content:'|0d 0a|'; sid:10000001;)"
Create another extended rule that works on a similar algorithm to determine which rule will be more effective:
esr(config-ips-category)# rule-advanced 2
esr(config-ips-category-rule-advanced)# description «Slow Loris rule 2»
esr(config-ips-category-rule-advanced)# rule-text «alert tcp $EXTERNAL_NET any -> $HOME_NET
$HTTP_PORTS (msg:'SlowLoris.py DoS attempt'; flow:established,to_server,no_stream; content:'X-
a:'; dsize:<15; detection_filter:track by_dst, count 3, seconds 30; classtype:denial-of-
service; sid: 10000002; rev:1; )
When writing rules, the symbol ''
needs to be replaced with the
symbol '
To Next Page
Loading...
