Pseries Installation Guide

66 Writing Rules
Destination Address and Port
The destination address and port follow the direction operator. The syntax of these parameters is the same
as that of the source address and port. See “Source Addresses” on page 64, and “Ports” on page 65.
Snort Rule Options
Options are made of a keyword and an argument. An argument is the packet data against which the rule is
matched. Option keywords are followed by a colon, and each option is punctuated with a semi-colon.
Table 19 lists the option keywords that the P-Series supports.
P-Series Rule Syntax
P-Series rules have a syntax that is slightly different from Snort rules. P-Series rules have the following
syntax:
capture/forward_policy on channel Snort_rule
capture/forward_policy can have four values: alert, permit, divert, or deny. These settings are
described in Table 5 on page 28.
channel can be c0 for Channel 0, c1 for Channel 1, or all for both channels.
Snort_rule is a rule written in Snort syntax.
Table 18 shows an example P-Series rule.
P-Series Supported Snort Keywords
Table 19 lists Snort keywords that the P-Series supports for both dynamic and static rules.
Table 18 P-Series Rule Example
alert on c1 any any -> any any (msg:"Z Default rule fragmented ip";)
Note: P-Series does not support the Snort action keywords log, pass, activate, and dynamic. P-Series
supports the action keywords alert, permit, divert, and deny.
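The following validator for the rule syntax described above is an added example, not code from the guide or the vendor. The function names are hypothetical, and it checks only the policy, the channel and the option punctuation; the Snort header fields are returned as tokens without validation.

```python
import re

# Added example: names are hypothetical; Snort header fields are not validated.
POLICIES = {"alert", "permit", "divert", "deny"}              # values the guide lists
CHANNELS = {"c0", "c1", "all"}                                # Channel 0, Channel 1, both
UNSUPPORTED_ACTIONS = {"log", "pass", "activate", "dynamic"}  # Snort actions the guide excludes
PREFIX = re.compile(r"^\s*(\S+)\s+on\s+(\S+)\s+(.*\S)\s*$", re.S)

def split_options(body):
    """Split 'keyword:argument;' pairs on semicolons that sit outside double quotes."""
    options, buf, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted:
            options.append(buf.strip())
            buf, escaped = "", False
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
        buf += ch
    if quoted or buf.strip():
        raise ValueError("every option must end with a semicolon outside quotes")
    # partition(":") gives (keyword, ":", argument); keep keyword and argument.
    return [tuple(p.strip() for p in opt.partition(":")[::2]) for opt in options if opt]

def parse_pseries_rule(line):
    """Return policy, channel, Snort header tokens and options, or raise ValueError."""
    m = PREFIX.match(line)
    if not m:
        raise ValueError("expected: <policy> on <channel> <Snort_rule>")
    policy, channel, snort_rule = m.groups()
    if policy in UNSUPPORTED_ACTIONS:
        raise ValueError(f"Snort action {policy!r} is not supported by the P-Series")
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")
    header, paren, tail = snort_rule.partition("(")
    if not paren or not tail.endswith(")"):
        raise ValueError("options must be enclosed in parentheses")
    return {"policy": policy, "channel": channel,
            "header": header.split(), "options": split_options(tail[:-1])}

# The rule shown in Table 18 of the guide.
TABLE_18 = 'alert on c1 any any -> any any (msg:"Z Default rule fragmented ip";)'

if __name__ == "__main__":
    print(parse_pseries_rule(TABLE_18))
```

Running a rule file through a check like this before loading it catches rules copied from a stock Snort set that still use log, pass, activate or dynamic.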
Table 19 Supported Snort Keywords for Static and Dynamic Rules
Keyword    Static               Dynamic
ack        Yes                  Yes
content    Yes, no negative.    No