Intrusion Rule Types
An intrusion rule is a specified set of keywords and arguments that the system uses to detect attempts to exploit vulnerabilities in your network. As the system analyzes network traffic, it compares packets against the conditions specified in each rule, and triggers the rule if the data packet meets all the conditions specified in the rule.
An intrusion policy contains:
- intrusion rules, which are subdivided into shared object rules and standard text rules
- preprocessor rules, which are associated with a detection option of the packet decoder or with one of the preprocessors included with the system
The following table summarizes attributes of these rule types:

| Type | Generator ID (GID) | Snort ID (SID) | Source | Can Copy? | Can Edit? |
|---|---|---|---|---|---|
| shared object rule | 3 | lower than 1000000 | Talos Intelligence Group | yes | limited |
| standard text rule | 1 (Global domain or legacy GID); 1000 - 2000 (descendant domain) | lower than 1000000 | Talos | yes | limited |
| standard text rule | 1 (Global domain or legacy GID); 1000 - 2000 (descendant domain) | 1000000 or higher | Created or imported by user | yes | yes |
| preprocessor rule | decoder- or preprocessor-specific | lower than 1000000 | Talos | no | no |
| preprocessor rule | decoder- or preprocessor-specific | 1000000 or higher | Generated by the system during option configuration | no | no |
You cannot save changes to any rule created by Talos, but you can save a copy of a modified rule as a custom rule. You can modify either variables used in the rule or rule header information (such as source and destination ports and IP addresses).
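As an added example (not from this documentation and not Firepower code), the following Python parses Snort-style rule text, pulls out the header fields and the gid/sid options, maps the pair onto the rule types in the table above, and clones a Talos-style rule into a custom copy that carries a user-range SID and a changed header field, which is the kind of modification the paragraph above permits. The sample rules, the function and class names, and the treatment of every GID other than 1, 3 and 1000 - 2000 as decoder- or preprocessor-specific are assumptions made for this illustration.

```python
"""Parse Snort-style intrusion rules and map (GID, SID) onto the rule types above (added example)."""
import re
from dataclasses import dataclass, field, replace

USER_SID_FLOOR = 1_000_000  # SIDs at or above this value are user-created or system-generated

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.DOTALL,
)

# Constructed sample rules for this illustration; none of them is a real Talos rule.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed web probe; not real"; '
    'content:"GET"; sid:20001; gid:1; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE constructed custom rule"; sid:1000005; rev:1;)',
    # 116 is the Snort packet decoder GID, so this models a decoder (preprocessor) rule
    'alert ip any any -> any any (msg:"EXAMPLE constructed decoder event"; sid:1; gid:116; rev:1;)',
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)  # raw option values, quotes kept; last duplicate key wins
    gid: int = 1  # Snort's default when no gid keyword is present
    sid: int = 0


def split_options(option_text):
    """Split the option body on ';' but not inside double quotes (msg/content may contain ';')."""
    parts, buf, in_quote, prev = [], [], False, ""
    for ch in option_text:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Parse one rule; raises ValueError on a malformed header or a missing sid keyword."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a valid rule header: %r" % text[:40])
    opts = {}
    for item in split_options(m.group("options")):
        key, _, value = item.partition(":")  # keyword-only options (e.g. nocase) get an empty value
        opts[key.strip()] = value.strip()
    if "sid" not in opts:
        raise ValueError("rule has no sid keyword")
    fields = {k: m.group(k) for k in ("action", "proto", "src", "sport", "direction", "dst", "dport")}
    return Rule(**fields, options=opts, gid=int(opts.get("gid", 1)), sid=int(opts["sid"]))


def classify(gid, sid):
    """Map a (GID, SID) pair to type, source and copy/edit rights as listed in the table above."""
    user_range = sid >= USER_SID_FLOOR
    if gid == 3:  # the table lists only SIDs below 1000000 for GID 3
        return {"type": "shared object rule", "source": "Talos", "can_copy": True, "can_edit": "limited"}
    if gid == 1 or 1000 <= gid <= 2000:  # Global domain / legacy GID, or descendant-domain GIDs
        if user_range:
            return {"type": "standard text rule", "source": "user", "can_copy": True, "can_edit": "yes"}
        return {"type": "standard text rule", "source": "Talos", "can_copy": True, "can_edit": "limited"}
    # Assumption for this example: any other GID is decoder- or preprocessor-specific.
    source = "system (option configuration)" if user_range else "Talos"
    return {"type": "preprocessor rule", "source": source, "can_copy": False, "can_edit": "no"}


def make_custom_copy(rule, new_sid, **header_changes):
    """Clone a rule as a user-owned custom rule: user-range SID, header fields changed as requested.
    GID 1 is assumed here, i.e. a copy saved in the Global domain."""
    if new_sid < USER_SID_FLOOR:
        raise ValueError(f"custom rules need a SID of {USER_SID_FLOOR} or higher, got {new_sid}")
    allowed = {"src", "sport", "dst", "dport"}
    bad = set(header_changes) - allowed
    if bad:
        raise ValueError(f"only header fields {sorted(allowed)} may be changed, not {sorted(bad)}")
    new_opts = dict(rule.options)
    new_opts["sid"] = str(new_sid)
    new_opts["gid"] = "1"
    return replace(rule, options=new_opts, gid=1, sid=new_sid, **header_changes)


def render(rule):
    """Serialise a Rule back into rule text."""
    opts = "".join(f"{k}:{v}; " if v else f"{k}; " for k, v in rule.options.items()).rstrip()
    return f"{rule.action} {rule.proto} {rule.src} {rule.sport} {rule.direction} {rule.dst} {rule.dport} ({opts})"


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        r = parse_rule(text)
        print(r.gid, r.sid, classify(r.gid, r.sid))
    print(render(make_custom_copy(parse_rule(SAMPLE_RULES[0]), 1000100, dport="8080")))
```

Running the block classifies the three constructed rules as a Talos standard text rule (limited edit), a user standard text rule (fully editable) and a preprocessor rule (not copyable), then prints the custom copy of the first rule with `sid:1000100` and destination port 8080.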
For the rules it creates, Talos assigns default rule states in each default intrusion policy. Most preprocessor rules are disabled by default and must be enabled if you want the system to generate events for preprocessor rules and, in an inline deployment, drop offending packets.