SNORTCONFIG(1) User Contributed Perl Documentation SNORTCONFIG(1)

snortconfig - a simple yet complicated rules maintenance system

snortconfig -file <SNORT_CONFIG> -config <CONFIG> [-verbose] [-directory <OUTPUT_DIRECTORY>] [-honeynet] [-inline]

snortconfig is a rules modification system for snort that is driven by a configuration file. This allows a user to keep their ruleset updated without too much of a headache.

-file <SNORT_CONFIG>
Process the rules referenced by the given snort.conf
-config <CONFIG>
Configuration file describing the modifications to apply to the rules
-verbose
Increases the debug verbosity level
-directory <PATH>
Sets the output directory for generated rulesets (CWD by default)
-inline
Add snort-inline specific options. These include drop, sdrop, reject, replace, and replace_or_drop.
-honeynet
Reverse source and destination IP addresses if both are using variables. Using -honeynet implies -inline.

!!! WARNING !!! Honeypots are designed to be attacked. While this tool may *HELP* reduce the risk of running such a system, it is not a perfect solution. PLEASE check out http://www.honeynet.org for more information on the risks of running honeynets.

Configuration is done using a basic INI style configuration.

snortconfig supports three methods of selecting which rules a change applies to: files, sids, and classifications. This allows making broad changes to snort rules very quickly.

By specifying files, changes are made to all rules in the specified files. By specifying sids, changes are made to specific snort rules based on the sid rule option. By specifying classifications, changes are made to all rules that have the specified classtype rule option.

There are eight types of modifications that can be done on rules.

alert
Set the rule's action to "alert", which will trigger the normal alerting mechanisms within snort.
disable
Disables the rule by commenting it out.
drop
Set the rule's action to "drop", which will cause snort to drop the packet in inline mode. (ONLY FOR SNORT-INLINE)
log
Set the rule's action to "log", which will trigger the normal logging mechanisms within snort.
replace
Modify the payload of the packet where each pattern match is made, replacing it with a random string of bytes. This can be used to attempt to prevent exploits from succeeding. (ONLY FOR SNORT-INLINE)
replace_or_drop
Modify the payload of the packet where each pattern match is made, replacing it with a random string of bytes. For rules that do not have content matches, the rule action is set to drop instead. This can be used to attempt to prevent exploits from succeeding, whether they have content matches or not. (ONLY FOR SNORT-INLINE)
reject
Set the rule's action to "reject", which will drop the packet and log it via the normal logging mechanisms. Additionally, if the protocol is TCP then snort will send a TCP reset, otherwise it will send an ICMP port unreachable.
sdrop
Set the rule's action to "sdrop", which will cause snort to drop the packet in inline mode and not log the alert. (ONLY FOR SNORT-INLINE)

 [files]
 drop: porn.rules, virus.rules
 replace: rpc.rules, icmp.rules

 [sids]
 drop: 2122, 1866, 2108, 2109
 disable: 300

 [classifications]
 replace: shellcode-detect
 sdrop: kickass-porn, policy-violation
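As an added illustration (not part of snortconfig or its manual), the Python sketch below applies a configuration like the one above to single-line rules: it implements the action-setting modifications, disable, the sid-over-classtype precedence, and the rule that drop/sdrop/reject need -inline. The [files] section and the payload-editing replace/replace_or_drop modifications are left out, and the sample rules (with their extra sids) are constructed for the example.

```python
import re
from configparser import ConfigParser
SUPPORTED = {"alert", "log", "disable", "drop", "sdrop", "reject"}  # no payload editing here
INLINE_ONLY = {"drop", "sdrop", "reject", "replace", "replace_or_drop"}
ACTION_RE = re.compile(r"^(alert|log|pass|drop|sdrop|reject)\s+")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASS_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")

# Constructed config: the [sids]/[classifications] blocks from the manual.
CONFIG = """
[sids]
drop: 2122, 1866, 2108, 2109
disable: 300
[classifications]
sdrop: kickass-porn, policy-violation
"""

# Constructed single-line rules whose sids/classtypes match the config above.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed"; content:"foo"; sid:2122; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed"; classtype:misc-activity; sid:300; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"untouched"; classtype:attempted-admin; sid:1000002; rev:1;)
"""

def parse_config(text):
    """INI text -> {section: {action: set of sids or classtypes}}."""
    cp = ConfigParser(); cp.read_string(text)
    return {s: {a: {v.strip() for v in vals.split(",") if v.strip()}
                for a, vals in cp[s].items()} for s in cp.sections()}

def wanted_action(rule, cfg):
    """Modification configured for this rule; a sid match wins over a classtype match."""
    for section, rx in (("sids", SID_RE), ("classifications", CLASS_RE)):
        m = rx.search(rule)
        for action, values in cfg.get(section, {}).items():
            if m and m.group(1) in values:
                return action
    return None

def apply_config(rules_text, cfg, inline=False):
    """Rewrite each rule line, refusing inline-only actions unless -inline was given."""
    out = []
    for line in rules_text.splitlines():
        action = wanted_action(line, cfg) if ACTION_RE.match(line) else None
        if action is not None:
            if action not in SUPPORTED:
                raise ValueError(f"{action}: not handled by this example")
            if action in INLINE_ONLY and not inline:
                raise ValueError(f"{action} requires -inline")
            line = "# " + line if action == "disable" else ACTION_RE.sub(action + " ", line, count=1)
        out.append(line)
    return "\n".join(out)
```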

This tool does not handle multiline rules. Also, the configuration is applied all at once. It would be nice if each block were applied in order so you could chain multiple configurations for even more advanced setups. Like I said, it would be nice, but it's not there yet.

Brian Caswell <bmc@shmoo.com>

Report bugs to <bmc@shmoo.com>

Thanks to The Honeynet Project

Copyright (c) 2003 Brian Caswell

snort(8)

snortconfig doesn't handle multiline rules properly. Bad things may happen if you use them. You have been warned.

Since you probably didn't read this section of the manual until you ran into this bug, don't ask about it, or else I'll point and laugh because you didn't read the manual.

2007-09-18 perl v5.32.1
