Custom Rule Creation

You can create a custom intrusion rule by:

  • creating your own standard text rules

  • saving existing standard text rules as new

  • saving system-provided shared object rules as new

  • importing a local rule file

The system saves the custom rule in the local rule category, regardless of the method you used to create it.

When you create a custom intrusion rule, the system assigns it a unique rule number, which has the format GID:SID:Rev. The elements of this number are:

GID

Generator ID. For all standard text rules, this value is 1 (Global domain or legacy GID) or 1000 - 2000 (descendant domains). For all shared object rules you save as new, this value is 1.

SID

Snort ID. Indicates whether the rule is a local rule or a system rule. When you create a new rule, the system assigns the next available SID for a local rule.

SID numbers for local rules start at 1000000, and the SID for each new local rule is incremented by one.

Rev

The revision number. For a new rule, the revision number is one. Each time you modify a custom rule the revision number increments by one.

In a custom standard text rule, you set the rule header settings and the rule keywords and arguments. You can use the rule header settings to focus the rule to only match traffic using a specific protocol and traveling to or from specific IP addresses or ports.

In a custom rule that you create by saving a system-provided standard text rule or shared object rule as new, you are limited to modifying rule header information such as the source and destination ports and IP addresses. You cannot modify the rule keywords or arguments.

Modifying header information for a shared object rule and saving your changes creates a new instance of the rule with a generator ID (GID) of 1 (Global domain) or 1000 - 2000 (descendant domains) and the next available SID for a custom rule. The system links the new instance of the shared object rule to the reserved soid keyword, which maps the rule you create to the rule created by the Talos Intelligence Group. You can delete instances of a shared object rule that you create, but you cannot delete shared object rules created by Talos.
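The following Python is an added illustration of the numbering and "save as new" behaviour described above; it is not code from the product or from Cisco. It parses a standard text rule into its header fields (action, protocol, addresses, ports) and its keyword/argument pairs, reads the GID:SID:Rev number, computes the next available local SID starting at 1000000, and models saving a rule as new with edited header fields (GID 1, next local SID, revision 1) and the revision increment on each later edit. The sample rule is constructed, and the defaults for an omitted gid (1) and rev (1) are assumptions made here; shared object rules and the soid linkage are not modelled.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Tuple

# Constructed sample local rule (not taken from the product documentation).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example HTTP probe"; '
    'flow:to_server,established; content:"/probe"; http_uri; '
    'classtype:attempted-recon; gid:1; sid:1000001; rev:1;)')
LOCAL_SID_START = 1000000                          # local rule SIDs start here
STANDARD_TEXT_GIDS = {1} | set(range(1000, 2001))  # 1 = Global/legacy, 1000-2000 = descendant domains
# Rule header: action protocol src_ip src_port direction dst_ip dst_port, then "(options)".
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

RuleHeader = namedtuple("RuleHeader", "action protocol src_ip src_port direction dst_ip dst_port")

@dataclass(frozen=True)
class IntrusionRule:
    header: RuleHeader
    options: Tuple[Tuple[str, str], ...]  # (keyword, argument) pairs in original order

    def option(self, name: str) -> Optional[str]:
        return next((v for k, v in self.options if k == name), None)

    @property
    def gid(self) -> int:
        return int(self.option("gid") or 1)   # assumption: an omitted gid means 1
    @property
    def sid(self) -> int:
        return int(self.option("sid"))
    @property
    def rev(self) -> int:
        return int(self.option("rev") or 1)   # assumption: an omitted rev means 1

    def rule_number(self) -> str:
        return f"{self.gid}:{self.sid}:{self.rev}"

    def is_local(self) -> bool:
        return self.sid >= LOCAL_SID_START

    def with_option(self, name: str, value: str) -> "IntrusionRule":
        opts = tuple((k, value if k == name else v) for k, v in self.options)
        if self.option(name) is None:          # keyword absent: append it
            opts += ((name, value),)
        return replace(self, options=opts)

def split_options(body: str) -> Tuple[Tuple[str, str], ...]:
    """Split the option block on ';' outside double quotes, keeping \\" escapes intact."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_quote and c == "\\" and i + 1 < len(body):   # escaped character inside a string
            cur.extend((c, body[i + 1])); i += 2; continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tokens.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    tokens.append("".join(cur).strip())
    pairs = []
    for tok in filter(None, tokens):
        name, sep, value = tok.partition(":")   # only the first ':' separates keyword from argument
        pairs.append((name.strip(), value.strip() if sep else ""))
    return tuple(pairs)

def parse_rule(text: str) -> IntrusionRule:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule header or option block")
    rule = IntrusionRule(RuleHeader(*m.groups()[:7]), split_options(m.group(8)))
    if rule.option("sid") is None:
        raise ValueError("rule has no sid keyword")
    return rule

def next_local_sid(existing_sids: Iterable[int]) -> int:
    """Next available local SID: one past the highest local SID in use, else 1000000."""
    highest = max((s for s in existing_sids if s >= LOCAL_SID_START), default=LOCAL_SID_START - 1)
    return highest + 1

def save_as_new(rule: IntrusionRule, existing_sids: Iterable[int], **header_changes) -> IntrusionRule:
    """Model 'save as new': edited header fields, GID 1, next local SID, rev 1; keywords untouched."""
    copy = replace(rule, header=rule.header._replace(**header_changes))
    return (copy.with_option("gid", "1")
                .with_option("sid", str(next_local_sid(existing_sids)))
                .with_option("rev", "1"))

def bump_revision(rule: IntrusionRule) -> IntrusionRule:
    return rule.with_option("rev", str(rule.rev + 1))   # each edit of a custom rule adds one

def problems(rule: IntrusionRule) -> List[str]:
    """Sanity checks for a rule that is supposed to be a local standard text rule."""
    out = []
    if rule.gid not in STANDARD_TEXT_GIDS:
        out.append(f"gid {rule.gid} is not a standard text rule GID")
    if not rule.is_local():
        out.append(f"sid {rule.sid} is below the local range starting at {LOCAL_SID_START}")
    return out
```

The option splitter deliberately respects quoted strings, so a `;` or `:` inside a `content` or `msg` argument does not break the keyword/argument split; `next_local_sid` takes the SIDs already in use so that a SID is never reused after a rule is deleted.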