snortconfig man page on DragonFly

SNORTCONFIG(1)	      User Contributed Perl Documentation	SNORTCONFIG(1)

NAME
       snortconfig - a simple yet complicated rules maintenance system

SYNOPSIS
       snortconfig -file <SNORT_CONFIG> -config <CONFIG> [-verbose]
		   [-directory <OUTPUT_DIRECTORY>] [-honeynet] [-inline]

DESCRIPTION
       snortconfig is a rules modification system for snort, driven by a
       configuration file.  This allows a user to keep their ruleset
       updated without too much of a headache.

OPTIONS
       -file <SNORT_CONFIG>
	   Process the rules located in snort.conf

       -config <CONFIG>
	   Configuration for modification of rules

       -verbose
	   Increases the debug verbose level

       -directory <PATH>
	   Sets the output directory for generated rulesets  (CWD by default)

       -inline
	   Add snort-inline specific options.  These include drop, sdrop,
	   reject, replace, and replace_or_drop.

       -honeynet
	   Reverse source and destination IP addresses if both are using
	   variables.  Using -honeynet implies -inline

	   !!! WARNING!!!  Honeypots are designed to be attacked.  While this
	   tool may *HELP* reduce the risk of running such a system, it is not
	   a perfect solution.  PLEASE check out http://www.honeynet.org for
	   more information on the risks of running honeynets.
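       As an added illustration of what the -honeynet swap does to a rule
       header (example code written for this page in Python; snortconfig
       itself is a Perl tool and this is not its implementation), the
       function below reverses the source and destination addresses of a
       one-line snort rule only when both sides are snort variables, and
       leaves rules with a literal address on either side alone.  The
       header regex, the choice to treat a negated variable such as
       !$HOME_NET as still a variable, and the sample rules are assumptions
       made for the example.

```python
import re

# Header of a one-line snort rule: action proto src sport direction dst dport (options)
# The regex is an assumption of the example, not snortconfig's own parser.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(\(.*\))\s*$")


def is_variable(addr):
    """True for snort variables such as $HOME_NET, with or without a leading ! negation (assumed)."""
    return addr.lstrip("!").startswith("$")


def honeynet_reverse(rule):
    """Swap source and destination addresses when both are variables; otherwise return the rule unchanged."""
    m = HEADER_RE.match(rule)
    if m is None:                      # comment, blank line or a rule this parser does not understand
        return rule
    action, proto, src, sport, direction, dst, dport, options = m.groups()
    if not (is_variable(src) and is_variable(dst)):
        return rule                    # a literal address on either side: left alone
    # Only the addresses change sides; the ports stay where they were.
    return f"{action} {proto} {dst} {sport} {direction} {src} {dport} {options}"


def reverse_ruleset(lines):
    """Apply honeynet_reverse to every line of a rules file and report how many were swapped."""
    out = [honeynet_reverse(line) for line in lines]
    return out, sum(1 for before, after in zip(lines, out) if before != after)


# Constructed sample rules (not from the man page) covering both outcomes.
SAMPLE = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"variables on both sides"; sid:1000001; rev:1;)',
    'alert tcp 10.0.0.0/8 any -> $HOME_NET 80 (msg:"literal source"; sid:1000002; rev:1;)',
    'alert udp !$HOME_NET any <> $HOME_NET 53 (msg:"negated variable"; sid:1000003; rev:1;)',
    '# alert ip any any -> any any (msg:"commented out"; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    swapped, count = reverse_ruleset(SAMPLE)
    print("\n".join(swapped))
    print(f"{count} rule(s) reversed")
```

       Only the addresses are exchanged, as the option text says; ports keep
       their original sides, so a rule written for inbound attacks against
       $HOME_NET becomes one that watches the honeypot attacking outward.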

Configuration
       Configuration is done using a basic INI style configuration.

       snortconfig supports three methods of selecting which rules a change
       applies to: files, sids, and classifications.  This makes it possible
       to make broad changes to snort rules very quickly.

       By specifying files, changes are made to every rule in the specified
       files.  By specifying sids, changes are made to the specific snort
       rules with those sid rule options.  By specifying classifications,
       changes are made to every rule that has the specified classtype rule
       option.

       There are eight types of modifications that can be done on rules.

       alert
	   Set the rule's action to "alert", which will trigger the normal
	   alerting mechanisms within snort.

       disable
	   Disables the rule by commenting it out.

       drop
	   Set the rule's action to "drop", which will cause snort to drop the
	   packet in inline mode.  (ONLY FOR SNORT-INLINE)

       log
	   Set the rule's action to "log", which will trigger the normal
	   logging mechanisms within snort.

       replace
	   Modify the payload of the packet where each pattern match is made
	   to a random string of bytes.  This can be used to attempt to stop
	   exploits from succeeding.  (ONLY FOR SNORT-INLINE)

       replace_or_drop
	   Modify the payload of the packet where each pattern match is made
	   to a random string of bytes.  For rules that do not have content
	   matches, the rule action is set to drop instead.  This can be used
	   to attempt to stop exploits from succeeding, whether or not they
	   have content matches.  (ONLY FOR SNORT-INLINE)

       reject
	   Set the rule's action to "reject", which will drop the packet and
	   log it via the normal logging mechanisms.  Additionally, if the
	   protocol is TCP then snort will send a TCP reset, otherwise it will
	   send an ICMP port unreachable.

       sdrop
	   Set the rule's action to "sdrop", which will cause snort to drop
	   the packet in inline mode and not log the alert.  (ONLY FOR SNORT-
	   INLINE)

EXAMPLE
	[files]
	drop: porn.rules, virus.rules
	replace: rpc.rules, icmp.rules

	[sids]
	drop: 2122, 1866, 2108, 2109
	disable: 300

	[classifications]
	replace: shellcode-detect
	sdrop: kickass-porn, policy-violation
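       The following Python script is an added example written for this
       page, not snortconfig itself (which is a Perl tool); it shows how the
       three selection methods and the eight modifications combine on a
       small constructed ruleset.  The sample rules and the INI
       configuration are constructed.  Several details are assumptions of
       the example rather than documented snortconfig behaviour: the
       precedence when one rule is selected by several sections (sid wins
       over classtype, which wins over file), the refusal of inline-only
       actions unless an inline flag is set, the trailing-backslash test
       used to detect the multiline rules the NOTES section says are not
       handled, and the form of the generated replace option (a |hex|
       string with the same byte length as the content it follows).

```python
import configparser
import random
import re

# Constructed sample rulesets (not from the man page); one rule per line, as snortconfig expects.
SAMPLE_RULES = {
    "porn.rules": ['alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample"; content:"xxx"; classtype:kickass-porn; sid:1000001; rev:1;)'],
    "rpc.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"sample rpc"; content:"|00 01 86 A0|"; classtype:rpc-portmap-decode; sid:1000002; rev:1;)',
        'alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"sample rpc, no content"; classtype:rpc-portmap-decode; sid:1000003; rev:1;)',
    ],
    "local.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample shellcode"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000004; rev:1;)',
        'alert ip any any -> any any (msg:"sample policy"; classtype:policy-violation; sid:300; rev:1;)',
        'alert tcp any any -> any any (msg:"sample multiline"; \\',
        '    content:"abc"; sid:1000005; rev:1;)',
    ],
}
# Constructed configuration in the INI style the man page describes.
SAMPLE_CONFIG = "[files]\ndrop: porn.rules\nreplace_or_drop: rpc.rules\n[sids]\ndisable: 300\n[classifications]\nsdrop: shellcode-detect\n"

ACTIONS = {"alert", "log", "disable", "drop", "sdrop", "reject", "replace", "replace_or_drop"}
INLINE_ONLY = {"drop", "sdrop", "reject", "replace", "replace_or_drop"}   # per the -inline option
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CLASS_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")
CONTENT_RE = re.compile(r'content\s*:\s*(!?)\s*"((?:[^"\\]|\\.)*)"\s*;')

def load_config(text):
    """Parse [files]/[sids]/[classifications] into {section: {selector: action}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    plan = {s: {} for s in ("files", "sids", "classifications")}
    for section in plan:
        for action, value in (cp.items(section) if cp.has_section(section) else []):
            if action not in ACTIONS:
                raise ValueError(f"unknown modification {action!r} in [{section}]")
            plan[section].update({item.strip(): action for item in value.split(",") if item.strip()})
    return plan

def content_length(value):
    """Byte length of a snort content string; each |hex| block counts one byte per pair."""
    return sum(len(p.split()) if i % 2 else len(p) for i, p in enumerate(value.split("|")))

def add_replace(rule, rng):
    """Append a same-length random |hex| replace option after each positive content match (assumed form)."""
    count = 0
    def repl(m):
        nonlocal count
        if m.group(1):                   # negated content: nothing in the packet to overwrite
            return m.group(0)
        count += 1
        blob = " ".join(f"{rng.randrange(256):02X}" for _ in range(content_length(m.group(2))))
        return f'{m.group(0)} replace:"|{blob}|";'
    return CONTENT_RE.sub(repl, rule), count

def set_action(rule, action):
    """Replace the leading action keyword of a one-line rule."""
    return action + rule[len(rule.split(" ", 1)[0]):]

def chosen_action(plan, filename, rule):
    """Assumed precedence when several selectors match: sid, then classtype, then file."""
    sid, cls = SID_RE.search(rule), CLASS_RE.search(rule)
    if sid and sid.group(1) in plan["sids"]:
        return plan["sids"][sid.group(1)]
    if cls and cls.group(1) in plan["classifications"]:
        return plan["classifications"][cls.group(1)]
    return plan["files"].get(filename)

def modify(rule, action, rng):
    """Apply one of the eight modifications to a single-line rule."""
    if action == "disable":
        return "# " + rule
    if action in ("replace", "replace_or_drop"):
        rule, n = add_replace(rule, rng)
        return set_action(rule, "drop") if n == 0 and action == "replace_or_drop" else rule
    return set_action(rule, action)

def apply_plan(plan, rulesets, inline=False, rng=None):
    """Return (modified rulesets, warnings); inline-only actions require inline=True."""
    rng, out, warnings, continued = rng or random.Random(), {}, [], False
    for filename, lines in rulesets.items():
        out[filename] = []
        for line in lines:
            body = line.strip()
            if continued or not body or body.startswith("#"):
                pass                                    # comments and continuation lines pass through
            elif body.endswith("\\"):                   # the tool does not handle multiline rules
                warnings.append(f"{filename}: multiline rule left untouched: {body[:40]}")
            else:
                action = chosen_action(plan, filename, line)
                if action in INLINE_ONLY and not inline:
                    raise ValueError(f"{action!r} is only valid with -inline (snort-inline)")
                if action:
                    line = modify(line, action, rng)
            continued = body.endswith("\\")
            out[filename].append(line)
    return out, warnings

def run_example(seed=1):
    """Apply the constructed configuration to the constructed rulesets with a fixed seed."""
    return apply_plan(load_config(SAMPLE_CONFIG), SAMPLE_RULES, inline=True, rng=random.Random(seed))
```

       run_example() returns the rewritten rulesets and a list of warnings:
       the porn.rules rule gets a drop action, the rpc rule with a content
       match keeps its alert action and gains a four-byte replace option,
       the rpc rule without content is set to drop, sid 300 is commented
       out, the shellcode-detect rule becomes sdrop, and the backslash
       continued rule is reported and left untouched.  Calling apply_plan
       with inline=False raises on the first inline-only action, mirroring
       the (ONLY FOR SNORT-INLINE) notes above.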

NOTES
       This tool does not handle multiline rules.  Also, the configuration is
       applied all at once.  It would be nice if each block were applied in
       order, so that multiple configurations could be layered for even more
       advanced setups.  Like I said, it would be nice, but it's not there yet.

AUTHOR
       Brian Caswell <bmc@shmoo.com>

REPORTING BUGS
       Report bugs to <bmc@shmoo.com>

THANKS
       Thanks to The Honeynet Project

COPYRIGHT
       Copyright (c) 2003 Brian Caswell

SEE ALSO
       snort(8)

BUGS
       snortconfig doesn't handle multiline rules properly.  Bad things may
       happen if you use them.  You have been warned.

       Since you probably didn't read this section of the manual until you ran
       into this bug, don't ask about it else I'll point and laugh because you
       didn't read the manual.

perl v5.20.2			  2007-09-18			SNORTCONFIG(1)