snort.compatibility

来自「Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目」· COMPATIBILITY 代码 · 共 67 行

Snort Compatibility (Snort 1.9.x)

Rule features
=============
* Bidirectional rules
* Forwards rules (woop-de-doo)
* Backwards rules
* Variables (not perfect)
* Negation
* IP address lists/arrays

Rule "features"
===============
* Variables not supported everywhere
* Multiline rules not supported
* Not all escape characters escaped (lazy snort programmers,
  all you need to escape is double quotes)
* activate/dynamic/pass
* Probably other stuff...

===============================================================
Keyword		Plugin			Comments
===============================================================
dns_recursive	match_dns.so		***NEW***
dns_iterative	match_dns.so		***NEW***
http_method	match_http.so		***NEW***
rate		alerting subsystem	***NEW***
burst		alerting subsystem	***NEW***

msg		alerting subsystem
dsize  		match_std.so
ip_proto 	match_ip.so
tos 		match_ip.so
ttl 		match_ip.so
id 		match_ip.so		allows a range
sameip 		match_ip.so
ipoption 	match_ip.so
fragbits 	match_ip.so
fragoffset	match_ip.so		allows a range
flags		match_tcp.so
seq 		match_tcp.so 		allows a range
ack 		match_tcp.so		allows a range
flow		match_tcp.so		stream/no_stream not supported
stateless	match_tcp.so
itype		match_icmp.so
icode		match_icmp.so
icmp_id 	match_icmp.so		allows a range
icmp_seq 	match_icmp.so		allows a range
content		match_str.so
uricontent	match_str.so		A bit lame... Will get better with full HTTP decode.
offset		match_str.so
depth		match_str.so
nocase		match_str.so
regex		match_str.so
rpc		match_rpc.so
sid		alerting subsystem
rev		alerting subsystem
priority	alerting subsystem
classtype	alerting subsystem

reference	NOT IMPLEMENTED (pointless, keep them in a database)
tag		NOT IMPLEMENTED (pretty easy)
content-list	NOT IMPLEMENTED (easy, but hacky)
logto		could be useful?
resp		not likely
react		not likely