Snort IDS tips for VARs a

IDS Snort rules: Activating Snort rules

Snort rules are simply text files named by the convention RULETYPE.rules, e.g., web-attacks.rules or bleeding-web.rules. They are typically activated by including a reference to them in the snort.conf. First, include a directive in snort.conf telling Snort where to find the rules directory:

var RULE_PATH /nsm/rules/sensorname

Later in the snort.conf file, include references to the desired rules.

include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules

In the example above this sensor will run x11.rules and netbios.rules, but not icmp.rules. Including BET rules is just as easy, with one twist. The snort.conf file would contain the following:

include /usr/local/etc/nsm/bleeding.conf

include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules

The first statement above points to a file called bleeding.conf that defines specific variables use by BET rules. At present it only has this entry:

var SSH_PORTS 22

This means BET rules where SSH_PORTS is mentioned translate that variable into meaning port 22.

Snort Report -- IDS Snort rules

 False positives
 Sourcefire rules
 Bleeding Edge Threats rules
 Acquiring Snort rules
 Activating Snort rules
 Loading rules

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

This was first published in April 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: