GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  SNORTCONFIG (1)

.ds Aq ’

NAME

snortconfig - a simple yet complicated rules maintance system

CONTENTS

SYNOPSIS

snortconfig -file <SNORT_CONFIG> -config <CONFIG> [-verbose]
[-directory <OUTPUT_DIRECTORY>] [-honeynet] [-inline]

DESCRIPTION

snortconfig is a rules modification system for snort that is generated from a configuration file. This allows a user to keep their ruleset updated without too much of a headache.

OPTIONS

-file <SNORT_CONFIG> Process the rules located in snort.conf
-config <CONFIG> Configuration for modification of rules
-verbose Increases the debug verbose level
-directory <PATH> Sets the output directory for generated rulesets (CWD by default)
-inline Add snort-inline specific options. These include drop, sdrop, reject, replace, and replace_or_drop.
-honeynet Reverse source and destination IP addresses if both are using variables. Using -honeynet implies -inline

!!! WARNING!!! honeypots are designed to be attacked. while this tool may *HELP* reduce risk of running such a system, this is not a perfect solution. PLEASE check out http://www.honeynet.org for more information on the risks on running honeynets.

Configuration

Configuration is done using a basic INI style configuration.

snortconfig supports three methods of configuration of rules. The methods are specifing what rules to apply changes to. These methods are files, sids, and classifications. This allows make broad changes to snort rules very quickly.

By specifing files, changes are made to any rules in the specified files. By specifing sids, changes are made to specific snort rules based on the sid rule option. By specifing classifications, changes are made to any rules that have the specified classtype rule option.

There are eight types of modifications that can be done on rules.
alert Set the rule’s action to alert, which will trigger the normal alerting mechanisms within snort.
disable Disables the rule by commenting it out.
drop Set the rule’s action to drop, which will cause snort to drop the packet in inline mode. (ONLY FOR SNORT-INLINE)
log Set the rule’s action to log, which will trigger the normal logging mechanisms within snort.
replace Modify the payload of the packet where each pattern match is made to a random string of bytes. This can be used to attempt to disable exploits from being successful. (ONLY FOR SNORT-INLINE)
replace_or_drop Modify the payload of the packet where each pattern match is made to a random string of bytes. For rules that do not have content matches, the rule action is set to drop. This can be used to attempt to disable exploits from being successful, weither they have content matches or not. (ONLY FOR SNORT-INLINE)
reject Set the rule’s action to reject, which will drop the packet and log it via normal logging mechanisms. Additionally, if the protocol is TCP then snort will send a TCP reset, otherwise it will send an icmp port unreachable.
sdrop Set the rule’s action to sdrop, which will cause snort to drop the packet in inline mode and not log the alert. (ONLY FOR SNORT-INLINE)

EXAMPLE



 [files]
 drop: porn.rules, virus.rules
 replace: rpc.rules, icmp.rules

 [sids]
 drop: 2122, 1866, 2108, 2109
 disable: 300

 [classifications]
 replace: shellcode-detect
 sdrop: kickass-porn, policy-violation



NOTES

This tool does not handle multiline rules. Also, configuration is done all at once. It would be nice if each block was applied in order so you can apply multiple configurations in order for even more advanced configuration. Like I said, it would be nice, but its not there yet.

AUTHOR

Brian Caswell <bmc@shmoo.com>

REPORTING BUGS

Report bugs to <bmc@shmoo.com>

THANKS

Thanks to The Honeynet Project

COPYRIGHT

Copyright (c) 2003 Brian Caswell

SEE ALSO

snort(8)

BUGS

snortconfig doesn’t handle multiline rules properly. Bad things may happen if you use em. You have been warned.

Since you probably didn’t read this section of the manual until you ran into this bug, don’t ask about it else I’ll point and laugh because you didn’t read the manual.

Search for    or go to Top of page |  Section 1 |  Main Index


perl v5.20.3 SNORTCONFIG (1) 2007-09-18

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.