02-02
Simple Intrusion Detection Rule Format Version 0.1
Data model
+-----------+
| rule_base |
+-----------+
/\
|
+-------+ +------+
| rule |<>-| name |
+-------+ +------+
| |
| | 0..* +-----------+
| |<>------| reference |
| | +-----------+
| | | | +----------------+
| | | |<>-| referencename |
| | | | +----------------+
| | | |
| | | | 0..1 +---------------+
| | | |<>-----| reference_url |
| | | | +---------------+
| | +-----------+
| |
| | 0..1 +--------+
| |<>------| impact |
| | +--------+
| |
| | +--------+
| |<>-| action |
| | +--------+
| | | | +-----+
| |<>-| action |<>-| log |
| | | | +-----+
| | | |
| | | | +---------+
| | | |<>-| discard |
| | | | +---------+
| | | |
| | | | +---------------+
| | | |<>-| activate_rule |
| | | | +---------------+
| | | |
| | | | +-----------------+
| | | |<>-| deactivate_rule |
| | | | +-----------------+
| | +--------+
| |
| | +-----------+
| |<>-| condition |
| | +-----------+
| |
| | +--------+
| |<>-| stream |
| | +--------+
| |
| | +------------------+
| |<>-| stream_condition |
| | +------------------+
+-------+
+-----------+
| condition |
+-----------+
| |
| | +-------------------+ +-------------------+
| |<>-| 'boolean element' |<>-| 'boolean element' |
| | +-------------------+ +-------------------+
| | | | +-----------------+
| | | |<>-| 'match element' |
| | | | +-----------------+
| | +-------------------+
| |
| | +-----------------+
| |<>-| 'match element' |
| | +-----------------+
+-----------+
+--------+
| stream |
+--------+
| | +-------------------+ +-------------------------------+
| |<>-| 'boolean element' |<>-| 'stream-subset match element' |
| | +-------------------+ +-------------------------------+
| |
| | +-------------------------------+
| |<>-| 'stream-subset match element' |
| | +-------------------------------+
+--------+
+------------------+
| stream-condition |
+------------------+
| | +-------------------+ +-------------------+
| |<>-| 'boolean element' |<>-| 'stream-condition |
| | +-------------------+ | match element' |
| | +-------------------+ +-------------------+
| |<>-| 'stream-condition'|
| | | match element' |
| | +-------------------+
+------------------+
rule_base
The top-level element. A rule_base must have at least one
rule.
rule
A rule associates a condition with classification and identification
information as well as an action that BENIDS will perform on
successful validation of the condition.
A rule has two attributes: state and type.
type (optional)
The type determines what kind of events the rule applies to. There
are two values for type: "stateless" and "stream".
Rules of type "stateless" apply to packets independently of
any correlations to saved information.
Rules of type "stateless" must have a condition. Also, the
stream and stream_condition elements are invalid inside of a
stateless rule. This is the default value.
Rules of type "stream" are applied to TCP or UDP data streams
(only TCP is currently implemented). Rules of type "stream"
require stream and stream_condition elements. Also, the
condition element is invalid inside of a stream rule.
state (optional)
The state determines the initial state for the rule. There are
two values for state: "active" and "inactive".
An active rule has its condition applied to the relevant event.
It remains active until BENIDS terminates or another rule
deactivates it (see the description of the action element).
This is the default value.
An inactive rule does not have its condition tested. It remains
inactive until another rule activates it.
name
The name is the internal name of the rule. In the absence of a formal
classification using the reference element, the name will be used
to classify the rule.
The name must contain a string of arbitrary length.
reference
The reference is a formal classification of a rule. It must have
a rule_name element. Optionally it has a reference_url element.
A reference has one attribute: "origin".
origin (required)
The origin describes the origin of the reference information.
Origin directly corresponds to the origin attribute of the
Classification element in the IDMEF DTD.
Origin has five values: "unknown", "bugtraqid", "cve", and
"vendor-specific".
reference_name
The reference_name is the reference name of the rule.
reference_url
The reference_url is a URL containing reference information
for the rule. If none is provided, an appropriate URL will
be created using the reference origin and the name.
impact
The impact describes both the severity and probable completion
status of the event. Impact has three attributes, "type",
"completion", and "severity".
type (optional)
Type describes the type of event. There are six values for
type, "admin," "dos," "file," "recon," "user," and "other."
The value "other" is the default.
completion (optional)
Completion describes the probable completion status of the
event. There are three values for completion, "attempted,"
"successful," and "failed." The value "attempted" is the
default.
severity (optional)
Severity describes the severity of the event. There are
three values, "low," "med," and "high." The value "high"
is the default.
action
The action element describes what action BENIDS should perform
when the rule's condition is met.
log
The log element specifies that BENIDS should log the
event. Combining this element with the "drop" element
in the same rule will cause the event not to be logged
and is logically invalid. The log element has one
attribute "capture."
capture (optional)
The capture attribute describes the amount of data (if
available) that will be logged. Capture has three
values, "none," "header," and "full." The value "none"
is the default. The value "header" is ignored for
stream rules as packet headers are not available.
drop
The drop element specifies that the event should be
ignored. No logging will occur, even if another rule
matches the event.
activate_rule
The activate_rule element contains the name of another rule
that will be activated. The rule named does not have to
precede the rule referencing it in the rule document.
deactivate_rule
The deactivate_rule element contains the name of another
rule that will be deactivated. The rule named does not
have to precede the rule referencing it in the rule
document.
condition
The condition element is the root of an arbitrarily
complex boolean expression that must be satisfied for
the actions specified in the rule to be executed.
A condition may contain only one element which is
either one of the boolean elements or a match
element. Conditions are only valid inside of stateless
rules.
stream
The stream element is the root of an arbitrarily
complex boolean expression that defines a stream.
A packet satisfying this condition will be
processed by the appropriate stream assembler
(only TCP is currently implemented). The stream
element is similar to the condition element
but with the limit that the match elements it
contains must be common to all packets in a
stream. Valid child elements are ip_address,
tcp_port, and udp_port. The stream element is
only valid within a stream rule and must be
accompanied by a stream_condition.
stream_condition
The stream_condition is the root of an
arbitrarily complex boolean expression evaluated
against the contents of streams that match
the boolean expression defined by the stream
element. The stream_condition element is
similar to condition but may only have
boolean or stream_data child elements. It
would also be appropriate to add application
specific match elements in the stream_condition
if they are implemented (e.g. RPC channels).
The stream_condition element is only valid
within a stream rule and must be accompanied
by a stream element.
Boolean Elements
AND
The AND element is one of the four boolean elements
that can occur within the condition, stream,
and stream_condition elements. All boolean elements
may contain themselves. There is no hard limit
on the depth of boolean expressions but
expressions that are too deep will likely be
very inefficient.
The AND element must have at least two children
which may be any combination of boolean or
match elements. The AND condition evaluates
true if all of its children evaluate true.
OR
The OR condition is one of the four boolean
elements and is similar to AND. It
evaluates true if one or more than one of
its children evaluate true.
XOR
The XOR condition is one of the four boolean
elements and is similar to AND. The XOR
condition evaluates true if only one of its
children evaluate true.
NOT
The NOT condition is one of the four boolean
elements and is similar to AND. It differs
in that it may only have one child, which
may be either a match or boolean element.
It evaluates true if its child evaluates false.
Match Elements
packet_data
The packet_data element describes an arbitrary
string that will be matched within the data
section of a packet. The packet_data element
must have a pattern element child. Optionally it
has start_offset and/or stop_offset child
elements. It evaluates true if the pattern
matches anywhere from start_offset to stop_offset.
The packet_data element has one attribute, "case."
case (optional)
The case attribute determines if the pattern
is case sensitive. It has two values "no" and
"yes." The value "yes" is the default.
stream_data
The stream_data element describes an arbitrary
string that will be matched on an assembled
data stream. It is similar to the packet_data
element except that it may not contain the
start_offset and stop_offset elements.
case (optional)
The case attribute determines if the pattern
is case sensitive. It has two values "no" and
"yes." The value "yes" is the default.
pattern
The pattern element contains an arbitrary string
to be matched in the relevant data. The pattern
element may contain hex elements mixed with the
string. The pattern element has one attribute,
"encoding."
encoding (optional)
The encoding attribute specifies the encoding
of the string. This attribute is redundant with
the hex element and is supplied as a convenience.
The encoding attribute has two values "hex," and
"utf-8." The "utf-8" value is the default. Patterns
with "utf-8" encoding may contain any valid
alpha-numeric character. Patterns encoded with
"hex" may contain any valid hex character with
ignored whitespace. Case is also ignored for
"hex" patterns.
hex
Specifies that a section of a pattern is encoded
in hex. It may occur an arbitrary number of times
within the pattern.
start_offset
The start_offset element contains the location
(in bytes) in the packet data to begin matching
a pattern.
If it is not supplied, matching will start at
the start of the data. This never includes the
TCP/IP headers.
stop_offset
The stop_offset element contains the location
in the packet data to stop matching a pattern.
If it is not supplied, matching will stop at the
end of the packet data. Logically, the value
of stop_offset should be greater than the
value of start_offset plus the length of the
pattern.
data_size
The data_size element contains the size of
the packet data. A range may be specified
using a hyphen (e.g. "50-80" or "50-"). The
data_size element evaluates true if the
data size is equal to the value or range of
values.
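The packet_data, pattern, hex, case and offset rules above, worked through as an added example (not BENIDS code; the XML serialisation of the elements and the sample rule and payload are constructed for illustration):

```python
import xml.etree.ElementTree as ET

def build_pattern(pat):
    """Turn a <pattern> element into the bytes to search for."""
    if pat.get("encoding", "utf-8") == "hex":       # whole text is hex
        return bytes.fromhex("".join((pat.text or "").split()))
    out = (pat.text or "").encode("utf-8")          # literal text first
    for child in pat:
        if child.tag != "hex":
            raise ValueError("only <hex> may appear inside <pattern>")
        out += bytes.fromhex("".join((child.text or "").split()))  # spliced hex
        out += (child.tail or "").encode("utf-8")   # literal text after </hex>
    return out

def packet_data_match(elem, data):
    """Evaluate a <packet_data> element against a packet's data section."""
    pattern = build_pattern(elem.find("pattern"))
    start = int(elem.findtext("start_offset", default="0"))
    stop = int(elem.findtext("stop_offset", default=str(len(data))))
    if stop < start + len(pattern):   # window cannot hold the pattern
        return False
    window = data[start:stop]
    if elem.get("case", "yes") == "no":             # case-insensitive search
        return pattern.lower() in window.lower()
    return pattern in window

def match_rule(xml_text, data):
    """Parse one <packet_data> rule fragment and evaluate it against data."""
    return packet_data_match(ET.fromstring(xml_text), data)

# Constructed sample (hypothetical, not from the spec): the HTTP version
# string followed by CRLF (given as <hex>) within the first 16 data bytes.
RULE = ('<packet_data case="no"><pattern>http/1.0<hex>0d 0a</hex></pattern>'
        '<start_offset>0</start_offset><stop_offset>16</stop_offset></packet_data>')
DATA = b"GET / HTTP/1.0\r\nHost: example\r\n"
```

Note that the offset check rejects a window shorter than the pattern before searching, which is the "stop_offset should be greater than start_offset plus the pattern length" rule made explicit.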
The following match elements correlate to header values in IP, TCP, UDP, or ICMP packets. In most cases, ranges may be specified using the hyphen.
ip_version
ip_header_length
ip_tos
ip_total_length
ip_identification
ip_reserved
ip_df
This is a flag element, and any value it
contains will be ignored. It will evaluate
true if the IP don't-fragment flag is set.
Like all match elements, it may be negated
with the NOT boolean element.
ip_mf
Flag element similar to ip_df...
ip_offset
ip_ttl
ip_protocol
ip_checksum
ip_source_address
The ip_source_address element may take a range
of values using a hyphen but will also take
a CIDR-formatted address (e.g. 10.5.0.0/16).
ip_destination_address
Similar to ip_source_address.
ip_address
The value contained in the ip_address element
will evaluate true if either the destination
or source IP address matches.
tcp_source_port
tcp_destination_port
tcp_port
The value contained in the tcp_port element
will evaluate true if either the TCP destination
or source port matches.
tcp_sequence_number
tcp_acknowledge_number
tcp_header_length
tcp_reserved
tcp_urg
Flag element similar to ip_df.
tcp_ack
Flag element similar to ip_df.
tcp_psh
Flag element similar to ip_df.
tcp_rst
Flag element similar to ip_df.
tcp_syn
Flag element similar to ip_df.
tcp_fin
Flag element similar to ip_df.
tcp_window_size
tcp_checksum
tcp_urgent_pointer
udp_source_port
udp_destination_port
udp_port
The value contained in the udp_port element
will evaluate true if either the UDP destination
or source port matches.
udp_length
udp_checksum
icmp_type
icmp_code
icmp_checksum
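An evaluator for the boolean elements (AND, OR, XOR, NOT, with their child-count rules) combined with the header match elements listed above (range and CIDR syntax, either-direction port and address matches, flag elements that ignore their content). This is an added example, not BENIDS code; the XML serialisation, the packet dictionary layout and the sample condition are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

def in_range(spec, value):
    """Numeric value against "n", "lo-hi" or open-ended "lo-" (spec syntax)."""
    spec = spec.strip()
    if "-" not in spec:
        return value == int(spec)
    lo, hi = spec.split("-", 1)
    return int(lo) <= value and (hi == "" or value <= int(hi))

def addr_match(spec, addr):
    """Address against CIDR ("10.5.0.0/16"), a range ("a-b") or a single address."""
    spec, ip = spec.strip(), ipaddress.ip_address(addr)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip == ipaddress.ip_address(spec)

def evaluate(node, pkt):
    """Recursively evaluate a condition / boolean / match element tree."""
    tag, kids, text = node.tag, list(node), (node.text or "")
    if tag in ("condition", "NOT"):          # both hold exactly one child
        if len(kids) != 1:
            raise ValueError(tag + " must have exactly one child")
        result = evaluate(kids[0], pkt)
        return result if tag == "condition" else not result
    if tag in ("AND", "OR", "XOR"):          # at least two children each
        if len(kids) < 2:
            raise ValueError(tag + " needs at least two children")
        hits = sum(evaluate(k, pkt) for k in kids)
        return {"AND": hits == len(kids), "OR": hits >= 1, "XOR": hits == 1}[tag]
    if tag == "ip_source_address":
        return addr_match(text, pkt["src"])
    if tag == "tcp_port":                    # either source or destination port
        return in_range(text, pkt["sport"]) or in_range(text, pkt["dport"])
    if tag == "data_size":
        return in_range(text, len(pkt["data"]))
    if tag == "tcp_syn":                     # flag element: contained value ignored
        return "syn" in pkt["flags"]
    raise ValueError("unsupported match element: " + tag)

# Constructed sample condition and packet (hypothetical, not from the spec).
RULE = ET.fromstring("<condition><AND><ip_source_address>10.5.0.0/16</ip_source_address>"
                     "<tcp_port>80</tcp_port><NOT><tcp_syn/></NOT>"
                     "<data_size>50-</data_size></AND></condition>")
PACKET = {"src": "10.5.3.7", "dst": "192.0.2.10", "sport": 40123, "dport": 80,
          "flags": {"ack", "psh"}, "data": b"A" * 64}
```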
