|-file <SNORT_CONFIG>||Process the rules located in snort.conf|
|-config <CONFIG>||Configuration for modification of rules|
|-verbose||Increases the debug verbose level|
|-directory <PATH>||Sets the output directory for generated rulesets (CWD by default)|
|-inline||Add snort-inline specific options. These include drop, sdrop, reject, replace, and replace_or_drop.|
|-honeynet||Reverse source and destination IP addresses if both are using variables. Using -honeynet implies -inline.|
!!! WARNING !!! Honeypots are designed to be attacked. While this tool may *HELP* reduce the risk of running such a system, it is not a perfect solution. PLEASE see http://www.honeynet.org for more information on the risks of running honeynets.
Configuration is done using a basic INI style configuration.
snortconfig supports three methods of selecting which rules a change applies to: files, sids, and classifications. This allows broad changes to Snort rules to be made very quickly.
By specifying files, changes are made to every rule in the named files. By specifying sids, changes are made to specific rules, matched on their sid rule option. By specifying classifications, changes are made to every rule carrying the named classtype rule option.
There are eight types of modifications that can be made to rules.
|alert||Set the rule's action to alert, which will trigger the normal alerting mechanisms within Snort.|
|disable||Disables the rule by commenting it out.|
|drop||Set the rule's action to drop, which will cause Snort to drop the packet in inline mode. (ONLY FOR SNORT-INLINE)|
|log||Set the rule's action to log, which will trigger the normal logging mechanisms within Snort.|
|replace||Modify the payload of the packet where each pattern match is made to a random string of bytes. This can be used to attempt to keep exploits from succeeding. (ONLY FOR SNORT-INLINE)|
|replace_or_drop||Modify the payload of the packet where each pattern match is made to a random string of bytes. For rules that do not have content matches, the rule action is set to drop instead. This can be used to attempt to keep exploits from succeeding, whether they have content matches or not. (ONLY FOR SNORT-INLINE)|
|reject||Set the rule's action to reject, which will drop the packet and log it via the normal logging mechanisms. Additionally, if the protocol is TCP then Snort will send a TCP reset, otherwise it will send an ICMP port unreachable. (ONLY FOR SNORT-INLINE)|
|sdrop||Set the rule's action to sdrop, which will cause Snort to drop the packet in inline mode without logging the alert. (ONLY FOR SNORT-INLINE)|
    [files]
    drop: porn.rules, virus.rules
    replace: rpc.rules, icmp.rules

    [sids]
    drop: 2122, 1866, 2108, 2109
    disable: 300

    [classifications]
    replace: shellcode-detect
    sdrop: kickass-porn, policy-violation
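The following is an added example, written for this page in Python rather than taken from snortconfig's own Perl code, showing how a configuration in the format above is applied to Snort rule lines: file, sid and classtype selection, the action rewrites, the drop fallback of replace_or_drop, the -inline guard, the -honeynet address swap, and the multiline limitation noted under BUGS (a rule continued with a trailing backslash is rejected instead of mangled). Everything in it is constructed: the config text, the rule files, the sids (local range, 1000000 and up) and the file names. Where the man page is silent, the code assumes: a [sids] entry overrides a [classifications] entry, which overrides a [files] entry; replace keeps the rule's action keyword and appends a same-length replace:"|hex|" option after each positive content match (the form snort-inline's replace keyword takes); the -honeynet swap applies when both addresses start with "$"; and rewritten rules are re-emitted with single spaces between header fields.

```python
"""Added example, not snortconfig's own code: applying a snortconfig-style INI config to Snort rules."""
import configparser
import os
import re

INLINE_ONLY = {"drop", "sdrop", "reject", "replace", "replace_or_drop"}
ALL_ACTIONS = {"alert", "log", "disable"} | INLINE_ONLY
# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                     r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASS_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
CONTENT_RE = re.compile(r'content:\s*(!?)"([^"]*)"\s*;')
# Constructed sample config and rules (local sids >= 1000000), not real ruleset content.
CONFIG_TEXT = """\
[files]
drop: porn.rules
replace_or_drop: rpc.rules
[sids]
disable: 1000004
[classifications]
reject: shellcode-detect
"""
RULE_FILES = {
    "porn.rules": ['alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample"; content:"xxx"; '
                   'classtype:kickass-porn; sid:1000001;)'],
    "rpc.rules": ['alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"sample hex"; '
                  'content:"|00 01 86 A0|"; classtype:policy-violation; sid:1000002;)',
                  'alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"no content"; '
                  'classtype:policy-violation; sid:1000003;)'],
    "exploit.rules": ['alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"sample nops"; '
                      'content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000004;)',
                      'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"sample nops 2"; '
                      'content:"|90 90|"; classtype:shellcode-detect; sid:1000005;)'],
}

def content_byte_len(pattern):
    """Byte length of a Snort content string: literal chars outside |..|, hex pairs inside."""
    return sum(len(part.split()) if i % 2 else len(part)
               for i, part in enumerate(pattern.split("|")))

def _add_replace(match):
    # Assumed snort-inline form: a same-length replace:"|hex|" option after each positive content.
    if match.group(1):  # negated content (content:!"...") cannot be replaced
        return match.group(0)
    rnd = " ".join(f"{b:02X}" for b in os.urandom(content_byte_len(match.group(2))))
    return match.group(0) + f' replace:"|{rnd}|";'

def load_plan(config_text):
    """Parse [files]/[sids]/[classifications] into {section: {key: action}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    plan = {"files": {}, "sids": {}, "classifications": {}}
    for section in plan:
        for action, value in (cp.items(section) if cp.has_section(section) else []):
            if action not in ALL_ACTIONS:
                raise ValueError(f"unknown action {action!r} in [{section}]")
            plan[section].update({key.strip(): action for key in value.split(",")})
    return plan

def rewrite_rule(line, action, inline, honeynet):
    """Apply one action (or None) to a single-line Snort rule; other lines pass through."""
    if line.strip().endswith("\\") and not line.lstrip().startswith("#"):
        raise ValueError("multiline rules are not supported: " + line)
    if not (m := RULE_RE.match(line)) or (action is None and not honeynet):
        return line
    if action in INLINE_ONLY and not inline:
        raise ValueError(f"{action} requires -inline")
    hdr = m.groupdict()
    if honeynet and hdr["src"].startswith("$") and hdr["dst"].startswith("$"):
        hdr["src"], hdr["dst"] = hdr["dst"], hdr["src"]  # -honeynet: swap variable addresses
    if action in ("replace", "replace_or_drop"):
        if any(not c.group(1) for c in CONTENT_RE.finditer(hdr["opts"])):
            hdr["opts"] = CONTENT_RE.sub(_add_replace, hdr["opts"])
        elif action == "replace_or_drop":
            hdr["action"] = "drop"  # nothing to replace: fall back to drop
    elif action in ("alert", "log", "drop", "sdrop", "reject"):
        hdr["action"] = action
    new = "{action} {proto} {src} {sport} {dir} {dst} {dport} ({opts})".format(**hdr)
    return "#" + new if action == "disable" else new

def process(rule_files, config_text, inline=False, honeynet=False):
    """Rewrite {filename: [lines]}; -honeynet implies -inline. Assumed precedence: sids > classifications > files."""
    plan, inline = load_plan(config_text), inline or honeynet
    out = {}
    for fname, lines in rule_files.items():
        out[fname] = []
        for line in lines:
            action = plan["files"].get(fname)
            cls, sid = CLASS_RE.search(line), SID_RE.search(line)
            if cls and cls.group(1) in plan["classifications"]:
                action = plan["classifications"][cls.group(1)]
            if sid and sid.group(1) in plan["sids"]:
                action = plan["sids"][sid.group(1)]
            out[fname].append(rewrite_rule(line, action, inline, honeynet))
    return out

if __name__ == "__main__":
    for f, ls in process(RULE_FILES, CONFIG_TEXT, inline=True).items(): print(f, *ls, sep="\n")
```

Running it prints the three rewritten files: porn.rules becomes a drop rule, the rpc rule with a content match keeps alert and gains a four-byte random replace option while the content-less udp rule falls back to drop, and in exploit.rules the sid entry wins over the classification entry, so sid 1000004 is commented out and only sid 1000005 becomes reject. Calling process() without inline=True raises on the first inline-only action, which is the check -inline gives you; the real tool's exact precedence and output formatting should be confirmed against its own source before relying on them.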
This tool does not handle multiline rules. Also, the configuration is applied all at once. It would be nice if each block were applied in order, so you could layer multiple configurations for even more advanced setups. Like I said, it would be nice, but it's not there yet.
Brian Caswell <firstname.lastname@example.org>
Report bugs to <email@example.com>
Thanks to The Honeynet Project
Copyright (c) 2003 Brian Caswell
snortconfig doesn't handle multiline rules properly. Bad things may happen if you use them. You have been warned.
Since you probably didn't read this section of the manual until you ran into this bug, don't ask about it or I'll point and laugh because you didn't read the manual.
|perl v5.20.3||SNORTCONFIG (1)||2007-09-18|