Snort IDS tips for VARs a

IDS Snort rules: Loading rules

When Snort is started, its output reveals several clues regarding the rules it recognizes.

Here we see Snort recognizing the snort.conf file as containing rules, thereby triggering IDS mode.

Mar 20 16:59:26 cel433 snort[77406]: Parsing Rules file /usr/local/etc/nsm/snort.conf

Here Snort recognizes a RULE_PATH, meaning the actual rules we're using will be found (assuming they live in the directory specified).

Mar 20 16:59:26 cel433 snort[77406]:Var 'RULE_PATH' defined, value len=17 cha
rs
Mar 20 16:59:26 cel433 snort[77406]: , value = /nsm/rules/cel433

When run in the foreground, Snort reports the number of rules loaded. This information does not appear when Snort is run as a daemon and messages are sent to /var/log/messages, as was the case with the previous message examples. The following shows Snort recognized 8352 rules when Snort is run in the foreground.

8352 Snort rules read...
8352 Option Chains linked into 680 Chain Headers

Stay tuned for a future Snort Report on rules and rule management.


Snort Report -- IDS Snort rules

 Introduction
 False positives
 Sourcefire rules
 Bleeding Edge Threats rules
 Acquiring Snort rules
 Activating Snort rules
 Loading rules

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


This was first published in April 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: