• Getting Started
• Tutorials
• Server
• Configure
• Control
• Forwarding
• Password
• Performance
• Reports
• Security
• Status
• Upgrade
• Monitor
• Reports
• Queries
• Multi-Site
• Routing
• Security
• Support

Help : Server : Security

The following steps are needed to configure security rules on Traffic Server:

Construct a rules file for your site using a text editor on your PC. This file needs to be saved in plain text (do not store it as a Word document!).

1. Connect to the Traffic Server using your web browser.
2. Click on the Server button at the top of the page.
3. Provide the administrator user and password.
4. Click on the Security button on the left of the page.
5. Click on the Browse button and select the rules file you created in step 1.
6. Click on the Submit button to upload your rules file.
7. Wait until your rules file is displayed. If any errors are detected, they will be indicated on the page.

Note: Additional information on configuring Traffic Server can be found in the Intrusion Detection tutorial.

The rules file may contain comments, blank lines, variable assignments, threshold specifications and rules. The format of the rules file is based on the Snort® rule format.

The following example demonstrates these elements:

# Rule example

var HOME_NET [10.0.0.0/24,10.0.1.0/24]

# one event per source per rule per hour
threshold type limit, track by_src, count 1, seconds 3600

alert tcp $HOME_NET any -> any 80 (msg:"cmd.exe"; uri content:"cmd.exe"; nocase; classtype:attempted-user; sid:1000002)


Note: Rule lines cannot by split, each rule must be written as a single line in rule file. Also every rule must have an sid that uniquely identifies it. By convention locally defined rules have sid numbers > 1000000. For more information on writing Snort rules and to obtain rules for new rules, see Snort Users Manual.

Note: Rules are matched in order and only the first match is reported.

Note: The variable $HOME_NET defaults to the list of subnets in the configuration file. Only set it explicity if you want to override this behavior.

Traffic server supports the following Snort rule header fields:

• Rule actions (alert, log and pass only)
• Protocols (tcp, udp, icmp and ip only)
• IP Addresses
• Port Numbers
• Direction

the following meta rule options:

• msg:
• reference:
• sid: You must provide a unique SID for each rule, the SID numbers are used to associate events with rules withing Traffic Server.
• rev:
• classtype:
• priority:

the following payload detection rule options:

• content:
• nocase
• depth:
• offset:
• distance:
• within:
• uricontent:

and the following non-payload detection rule options:

• fragoffset:
• ttl:
• tos:
• id:
• fragbits:
• dsize:
• flags:
• flow: Only to_client, to_server, from_client, from_server and established flow options are supported. Note: The flags: option cannot be used in conjuction with the flow:established setting. Since Traffic Server is receiving sampled packets, it cannot follow all the packets in a connection to determine connection state, instead it uses the flag settings of each packet to determine connection state.
• seq:
• ack:
• itype:
• icode:
• icmp_id:
• icmp_seq:
• ip_proto:
• sameip

WARNING: sFlow and XRMON capture packet header information, typically the first 128 bytes of the packet. Rules that look for patterns deeper into the packet will never fire.