Previous Section  < Day Day Up >  Next Section

5.5 File Inclusions

The final element used within a standard snort.conf file is the include item. The include command tells Snort to include the information in files located in the Snort sensor's filesystem. These files include configuration information and the files containing the rules that Snort uses to catch bad guys. The default path should have already been defined earlier in the configuration. Use the $RULE_PATH variable to refer to their location, or use relative or full pathnames to refer to the rules files you wish to use.

Multiple includes can be utilized within a configuration, one for each rules file cited. Consult the downloaded list of rules files for the exact spelling of each file. Disable any type of file by commenting out the appropriate line.

Here is an example of the include configurations that tell Snort which of the rule set files to use. The line containing the bad-traffic.rules file is commented out with a # character that tells Snort to exclude this file in the list of rules that Snort uses.

# include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

If you are using any classification and priority settings or referencing any systems, use the following items as well. Make certain these files exist before starting Snort. Default examples can be found packaged with the rules you downloaded and extracted. These files help classify and prioritize the alerts according to severity. You can edit the classification.config file to make custom prioritizations. You might find one group of rules to be particularly important for your environment and choose to make these higher priority. Once this file is configured according to your needs, you use your management console to search for high priority alerts.

The reference.config file includes links to web sites with information for all the alerts. It's very useful to include. Each official rule has a great deal of information on the Internet about the attack the rule is attempting to attack. It can help intrusion analysts determine if an alert is genuine.

# Include classification & priority settings

include classification.config

# Include reference systems

include reference.config

    Previous Section  < Day Day Up >  Next Section