7.1 Downloading the Rules

While the Snort source package includes a complete set of rules, you will need to update your rules more often than you upgrade Snort itself. To download the latest rules for Snort 2.1.x, use the following link:

There are a number of schools of thought on where to keep your rules. Some people say to put them in /etc/snort, others in /usr/local/etc/snort. They also want you to copy the snort.conf file to one location or another. I've been running Snort on the same sensor systems for several years now and have tried several methods for updating and keeping track of my rules. I keep everything in /usr/local/share/snort_rules (I keep the Snort source code itself in /usr/local/src/snort). I make a directory named for the month, day, and year, and download the rule archive into that directory. For example, if it's early April 2004 and I want to update my rules, I download the latest snapshot (using wget) to /usr/local/share/snort_rules/april_1_2004/. I then extract the archive (which puts everything into a rules directory) using:

    tar -zxvf snortrules-snapshot-2_1.tar.gz

Wherever you decide to put it, just make sure that you set the RULE_PATH variable in the snort.conf file to point to the directory containing the *.rules files.
Below is a listing of the rules files (the archive also includes a snort.conf file template and several *.config files used by Snort):

    attack-responses.rules   local.rules        shellcode.rules
    backdoor.rules           misc.rules         smtp.rules
    bad-traffic.rules        multimedia.rules   snmp.rules
    chat.rules               mysql.rules        sql.rules
    ddos.rules               netbios.rules      telnet.rules
    deleted.rules            nntp.rules         tftp.rules
    dns.rules                oracle.rules       virus.rules
    dos.rules                other-ids.rules    web-attacks.rules
    experimental.rules       p2p.rules          web-cgi.rules
    exploit.rules            policy.rules       web-client.rules
    finger.rules             pop2.rules         web-coldfusion.rules
    ftp.rules                pop3.rules         web-frontpage.rules
    icmp-info.rules          porn.rules         web-iis.rules
    icmp.rules               rpc.rules          web-misc.rules
    imap.rules               rservices.rules    web-php.rules
    info.rules               scan.rules         x11.rules

Each rule file contains a set of rules organized according to the type of attack or type of traffic they watch for. To disable an entire rule set, comment out (with a # at the beginning of the line) the include line in the snort.conf file that names the rule file you want to turn off. To disable a particular rule within a rule set, comment out the line containing that rule (again, with a #). See Chapter 9 for a discussion of tuning your rules to match your environment and controlling false positives.
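The following script is an added example, not code from the book, that carries the procedure above through end to end: it unpacks a rules snapshot into a dated directory under a base directory, rewrites (or adds) the RULE_PATH line in a snort.conf, and disables one rule set by commenting out its include line. The base directory and conf location are assumptions modelled on the book's /usr/local/share/snort_rules layout; the snapshot file name follows the book's snortrules-snapshot-2_1.tar.gz. The download step itself is left to wget as the text describes, since the link is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the book): stage a Snort rules snapshot into a
# dated directory, point RULE_PATH at it, and disable one rule set.
# All paths are assumptions; adjust to wherever you keep your rules.
set -eu

# Extract SNAPSHOT (a snortrules-snapshot-*.tar.gz) into BASE/STAMP/ and
# print the resulting rules directory.  The archive unpacks into a
# "rules" subdirectory, as the book notes.
stage_rules() {
    snapshot="$1"; base="$2"; stamp="$3"    # stamp e.g. april_1_2004
    dest="$base/$stamp"
    mkdir -p "$dest"
    tar -zxf "$snapshot" -C "$dest"
    printf '%s\n' "$dest/rules"
}

# Rewrite the RULE_PATH line in CONF to point at RULES_DIR; append one if
# the file has none.  A .bak copy of the previous conf is kept by sed.
set_rule_path() {
    conf="$1"; rules_dir="$2"
    if grep -q '^var RULE_PATH ' "$conf"; then
        sed -i.bak "s|^var RULE_PATH .*|var RULE_PATH $rules_dir|" "$conf"
    else
        printf 'var RULE_PATH %s\n' "$rules_dir" >> "$conf"
    fi
}

# Comment out the include line for RULESET (e.g. porn.rules) in CONF,
# which is how the book says to turn off a whole rule set.
# [$] is a bracket expression so sed treats the dollar sign literally.
disable_ruleset() {
    conf="$1"; ruleset="$2"
    sed -i.bak "s|^include [\$]RULE_PATH/$ruleset\$|# &|" "$conf"
}

# Count the include lines in CONF that are still active (not commented out).
active_includes() {
    grep -c '^include ' "$1" || true
}

# Usage (assumed paths, after fetching the snapshot with wget):
#   rules_dir=$(stage_rules snortrules-snapshot-2_1.tar.gz \
#               /usr/local/share/snort_rules april_1_2004)
#   set_rule_path /usr/local/share/snort_rules/snort.conf "$rules_dir"
#   disable_ruleset /usr/local/share/snort_rules/snort.conf porn.rules
```

Keeping each snapshot in its own dated directory, as the book does, means a bad update is undone by pointing RULE_PATH back at the previous directory rather than by re-downloading; the .bak file sed leaves behind gives the same safety net for snort.conf.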