[Snort-sigs] Adding Changing Snort Rules

Russell Fulton r.fulton at ...575...
Sun Jun 9 20:29:01 EDT 2002


On Fri, 2002-06-07 at 22:06, Matt wrote:
> Hello I was wondering if there is a down and dirty "howto" on
> adding/changing new rules?
> I have been using snort for a little over a month and would like to start
> tweaking my rules a little. I have noticed some nice rules come thru here
> that I think would be nice to try out on my home system(winxp/snort1.8.6)
> and have struggled with an efficient way to go about adding/changing rules,
> I end up taking two steps forward and ten steps back it seems and would like
> to know if there is a better way?

Hmmm... there are a whole bunch of issues that might be relevant here.

If you want to add rules you can use the local rules file (jst make sure
it does not get overwritten when you update your rule file).  As others
have noted the snort manual gives detailed instructions on writing your
own rules (a basic understanding of how TCP/IP works in needed).

I have written a script (best described as alpha software -- some
features are not fully tested and are almost certainly broken) that down
loads a new rule set and then runs a batch editor that can edit the
control file and or rules files.  You can delete rules or modify their
headers or attributes.  I mostly use the facilities to delete noisy
rules and have just started using it to alter the header of some rules. 
Fiddling with attributes has not been tested.

The script takes a mods file like this:
# changes to control file.  indexed on first two tokens

rep var HOME_NET [130.216.0.0/16,202.37.88.0/24]
rep var SMTP [130.216.1.4,130.216.1.1]
rep var DNS_SERVERS  [130.216.1.4,130.216.1.1]
rep var RULE_PATH /home/snort/snort-rules/current
del include $RULE_PATH/web-xxx.rules
...
#rules indexed by sid:revision
5xx:2 discard
5yy:1 discard
5aa:2 discard
5bb:2 src !$HOME_NET 
5cc:1 discard
5dd:1 discard
....

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand





More information about the Snort-sigs mailing list