
7.1 Downloading the Rules

While the Snort source package includes a complete package of rules, you will need to upgrade your rules more often than you upgrade Snort itself. To download the latest rules for Snort 2.1.x, use the following link:

http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

There are a number of schools of thought on where to keep your rules. Some people say to put them in /etc/snort, others in /usr/local/etc/snort, and each camp has its own preferred location for the snort.conf file as well. I've been running Snort on the same sensor systems for several years now and have tried several methods for updating and keeping track of my rules. I keep everything in /usr/local/share/snort_rules (the Snort source code itself lives in /usr/local/src/snort). For each update I make a directory named for the month, day, and year and download the rule archive into it. For example, if it's early April 2004 and I want to update my rules, I download the latest snapshot (using wget) to /usr/local/share/snort_rules/april_1_2004/. I then extract the archive, which puts everything into a rules subdirectory, using:

tar -zxvf snortrules-snapshot-2_1.tar.gz

Wherever you decide to put the rules, make sure the var RULE_PATH line in snort.conf points at the directory containing the *.rules files; every include line that follows it is written relative to $RULE_PATH. Below is a listing of the rules files in the archive (the archive also includes a snort.conf template and several *.config files used by Snort):

attack-responses.rules  local.rules       shellcode.rules
backdoor.rules          misc.rules        smtp.rules
bad-traffic.rules       multimedia.rules  snmp.rules
chat.rules              mysql.rules       sql.rules
ddos.rules              netbios.rules     telnet.rules
deleted.rules           nntp.rules        tftp.rules
dns.rules               oracle.rules      virus.rules
dos.rules               other-ids.rules   web-attacks.rules
experimental.rules      p2p.rules         web-cgi.rules
exploit.rules           policy.rules      web-client.rules
finger.rules            pop2.rules        web-coldfusion.rules
ftp.rules               pop3.rules        web-frontpage.rules
icmp-info.rules         porn.rules        web-iis.rules
icmp.rules              rpc.rules         web-misc.rules
imap.rules              rservices.rules   web-php.rules
info.rules              scan.rules        x11.rules

Each rule file contains rules organized according to the type of attack or type of traffic they watch for. To disable an entire rule set, comment out (with a # at the beginning of the line) the include line in snort.conf that names that rules file. To disable a single rule within a rule set, comment out the line containing that rule in the rules file (again, with a #). Keep in mind that a freshly downloaded snapshot does not carry those per-rule edits forward, which is one more reason to keep each snapshot in its own dated directory and re-apply your changes deliberately. See Chapter 9 for a discussion of tuning your rules to match your environment and controlling false positives.
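The update procedure described in this section (dated directory, wget, tar, RULE_PATH, and the include lines that reference it) is easy to get subtly wrong by hand: a typo in RULE_PATH or a rules file dropped from the snapshot only shows up when Snort refuses to start. The script below is an added example, not code from the book or from the Snort project. It automates the steps above and checks the result before the live snort.conf is replaced. The RULES_BASE and SNORT_CONF locations, the helper names, and the constructed snapshot used in the usage notes are assumptions; override the variables for your own sensor.

```shell
#!/bin/sh
# Added example (not from the book or the Snort project): automate the dated
# rules-directory update described in Section 7.1 and verify it before Snort
# is restarted. RULES_BASE, SNORT_CONF and all helper names are assumptions.

RULES_BASE=${RULES_BASE:-/usr/local/share/snort_rules}
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort/snort.conf}
SNAPSHOT_URL=http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz

# Directory name in the text's month_day_year style, e.g. april_1_2004.
dated_dir() {
    LC_ALL=C date '+%B %d %Y' | awk '{ printf "%s_%d_%s\n", tolower($1), $2, $3 }'
}

# Download the snapshot into directory $1. Needs network, so not exercised offline.
fetch_snapshot() {
    mkdir -p "$1" && wget -q -P "$1" "$SNAPSHOT_URL"
}

# Extract tarball $2 inside directory $1 and print the resulting rules directory.
# The archive is listed first and refused if any member has an absolute path or
# a ".." component, so a tampered snapshot cannot write outside the dated directory.
extract_snapshot() {
    dir=$1 tarball=$2
    case $tarball in /*) ;; *) tarball=$PWD/$tarball ;; esac
    if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing archive with unsafe member paths: $tarball" >&2
        return 1
    fi
    mkdir -p "$dir" && (cd "$dir" && tar -zxf "$tarball") || return 1
    echo "$dir/rules"
}

# Point the "var RULE_PATH ..." line of $1 at directory $2, writing $1.new so the
# live configuration is only swapped in after it has been checked.
set_rule_path() {
    sed "s|^var RULE_PATH .*|var RULE_PATH $2|" "$1" > "$1.new" &&
        grep -qxF "var RULE_PATH $2" "$1.new"
}

# Verify that every active "include $RULE_PATH/..." line in $1 names a file that
# exists. Commented-out includes (# include ...) are ignored; the *.config includes
# that live next to snort.conf are not checked. Returns the number of missing
# files, so 0 means every referenced rules file is present.
check_includes() {
    conf=$1
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" { rp=$3 } END { print rp }' "$conf")
    missing=0
    for path in $(awk -v rp="$rule_path" \
            '$1=="include" && index($2,"$RULE_PATH/")==1 { print rp "/" substr($2,12) }' \
            "$conf"); do
        if [ ! -f "$path" ]; then
            echo "missing rules file: $path" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# The whole update: download today's snapshot into a dated directory, extract it,
# rewrite a copy of snort.conf, verify the includes, then install the copy.
update_rules() {
    today=$RULES_BASE/$(dated_dir)
    fetch_snapshot "$today" || return 1
    rules_dir=$(extract_snapshot "$today" "$today/snortrules-snapshot-2_1.tar.gz") || return 1
    set_rule_path "$SNORT_CONF" "$rules_dir" || return 1
    check_includes "$SNORT_CONF.new" || return 1
    mv "$SNORT_CONF.new" "$SNORT_CONF"
    echo "RULE_PATH now $rules_dir; restart Snort to load the new rules"
}
```

Source the file and call update_rules on the sensor, or call the pieces individually: extract_snapshot on an archive you already have, then set_rule_path and check_includes against the snort.conf template that ships in the archive. The listing check in extract_snapshot matters because the snapshot is fetched over plain HTTP; a modified archive with absolute member names would otherwise be unpacked as root wherever it pleased.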
