Snort Manual

Published by: Jose Chuncano on Sep 11, 2012
Copyright:Attribution Non-commercial

The following options to configure will enable decoder and preprocessor rules:

$ ./configure --enable-decoder-preprocessor-rules

The decoder and preprocessor rules are located in the preproc_rules/ directory in the top-level source tree, and
have the names decoder.rules and preprocessor.rules respectively. These files are updated as new decoder and
preprocessor events are added to Snort. The gen-msg.map file under the etc directory is also updated with new decoder and
preprocessor rules.

To enable these rules in snort.conf, define the path to where the rules are located and uncomment the include lines
in snort.conf that reference the rules files.

var PREPROC_RULE_PATH /path/to/preproc_rules
...
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

To disable any rule, just comment it out with a # or remove the rule completely from the file (commenting is recommended).

To change the rule type or action of a decoder/preprocessor rule, just replace alert with the desired rule type. Any
one of the following rule types can be used:

alert
log
pass
drop
sdrop
reject

For example one can change:

alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
    metadata: rule-type decode ; classtype:protocol-command-decode;)

to

drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
    metadata: rule-type decode ; classtype:protocol-command-decode;)

to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but the version field in the IPv4 header has a
value other than 4.

See README.decode, README.gre and the various preprocessor READMEs for descriptions of the rules in decoder.rules
and preprocessor.rules.

The generator ids (gid) for the different preprocessors and the decoder are as follows:

Generator Id   Module
105            Back Orifice preprocessor
106            RPC Decode preprocessor
112            Arpspoof preprocessor
116            Snort Decoder
119            HTTP Inspect preprocessor (Client)
120            HTTP Inspect preprocessor (Server)
122            Portscan preprocessor
123            Frag3 preprocessor
124            SMTP preprocessor
125            FTP (FTP) preprocessor
126            FTP (Telnet) preprocessor
127            ISAKMP preprocessor
128            SSH preprocessor
129            Stream5 preprocessor
131            DNS preprocessor
132            Skype preprocessor
133            DceRpc2 preprocessor
134            PPM preprocessor
136            Reputation preprocessor
137            SSL preprocessor
139            SDF preprocessor
140            SIP preprocessor
141            IMAP preprocessor
142            POP preprocessor
143            GTP preprocessor
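As an added example (not part of the Snort manual or its code), the following Python parses a decoder/preprocessor rule in the layout shown above (action, options, backslash continuation), resolves its gid against the generator id table, and rewrites the rule type, which is the edit the text describes for turning alert into drop. The GID_MODULES mapping is a subset of the table and the sample rule is constructed from the DECODE_NOT_IPV4_DGRAM example.

```python
import re

# gid -> module, a subset of the generator id table above (constructed for this example)
GID_MODULES = {
    105: "Back Orifice preprocessor", 106: "RPC Decode preprocessor",
    112: "Arpspoof preprocessor", 116: "Snort Decoder",
    119: "HTTP Inspect preprocessor (Client)", 120: "HTTP Inspect preprocessor (Server)",
    122: "Portscan preprocessor", 123: "Frag3 preprocessor", 124: "SMTP preprocessor",
    129: "Stream5 preprocessor", 131: "DNS preprocessor", 137: "SSL preprocessor",
}
ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject")   # rule types listed in the text
RULE_RE = re.compile(r"^\s*(?P<action>%s)\s*\((?P<body>.*)\)\s*$" % "|".join(ACTIONS), re.S)

def parse_rule(text):
    """Parse one decoder/preprocessor rule; returns None for a commented-out (disabled) rule."""
    text = re.sub(r"\\\s*\n", " ", text)          # join backslash line continuations
    if text.lstrip().startswith("#"):
        return None                                # rule disabled with '#', as the text recommends
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a decoder/preprocessor rule: %r" % text)
    opts = {}
    for opt in m.group("body").split(";"):         # options are 'key: value' pairs ending in ';'
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip()
    gid = int(opts["gid"])
    return {"action": m.group("action"), "msg": opts["msg"].strip('"'),
            "sid": int(opts["sid"]), "gid": gid, "rev": int(opts["rev"]),
            "module": GID_MODULES.get(gid, "unknown gid")}

def set_action(text, new_action):
    """Rewrite the rule type (e.g. alert -> drop) and keep every other part of the rule intact."""
    if new_action not in ACTIONS:
        raise ValueError("unknown rule type: %s" % new_action)
    return re.sub(r"^(\s*)(%s)\b" % "|".join(ACTIONS), r"\g<1>" + new_action, text, count=1)

# Constructed sample: the DECODE_NOT_IPV4_DGRAM rule from the text, in decoder.rules layout
SAMPLE = 'alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \\\n' \
         '    metadata: rule-type decode ; classtype:protocol-command-decode;)'

if __name__ == "__main__":
    r = parse_rule(SAMPLE)
    print(r["module"], r["gid"], r["sid"], r["msg"])     # Snort Decoder 116 1 DECODE_NOT_IPV4_DGRAM
    print(set_action(SAMPLE, "drop").split("\n")[0])    # drop ( msg: "DECODE_NOT_IPV4_DGRAM"; ...
```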
