Snort Configuration [1]

IT 2008. 10. 14. 04:04

The Center of Snort’s Universe

You’ve already had some modest exposure to the snort.conf configuration file if you installed and configured Snort to run in your shop. It looks long, complicated, and riddled with hieroglyphics, but it isn’t nearly as bad as it seems.

Picking apart the snort.conf file

First off, the snort.conf file is divided into handy sections and organized very logically, even for nontechnoids. (The makers of Snort won’t have poorly built configuration files with their software.) The Snort makers break down your most likely edits into four basic steps, which they conveniently refer to at the top of the file. You’re interested in the Rules section, which is the last step in the snort.conf file.

 Tip  A simple four-step process can manage the configuration parameters in the snort.conf file:

  1. Be like a Boy Scout: Be prepared by having a plan of action for the changes you want to make to snort.conf before touching the snort.conf file itself.

 Tip  Keep a notes file of any changes (both made and proposed) and settings you’re working with.

  2. Back up the snort.conf file before you edit it.

    We call ours snort.conf.bak and typically keep it in the same directory as the original snort.conf configuration file.

  3. Use your favorite text editor to make your changes.

  4. Run Snort with the “-T” flag to check snort.conf.

    At the command prompt, run snort by typing the following:

    snort -T

    Running Snort with “-T” tests your snort.conf configuration file and rules for errors and tells you where the problems are. Testing your configuration and rules files this way lets you correct errors before you restart Snort, so a broken configuration never leaves the sensor down and missing alerts!

 Technical Stuff  Once you’ve made changes to snort.conf (or any configuration files), restart the Snort application (which geek-types affectionately refer to as "bouncing," "sig-hupping," or even "tickling" the running snort process). If you make changes without completing this step, nothing may happen until the next time you start your computer because Snort hasn’t re-read the configuration files and found the changes.

Playing by the rules

The rules section is the real meat of the snort.conf file. (Or should we say, "The real bacon"?) The snort.conf file has two important configuration entries for proper rule setup:

  • The location of the rules directory, configured under the snort.conf file’s main variable initialization section (Step 1).

    In Step 1, the variable $RULE_PATH must be set to the location of Snort’s rules — for example /usr/local/snort/rules on Linux or D:\snortapps\rules on Windows.

  • Near the end of the snort.conf file, in Step 4, where line after line of rule reference is placed. Here’s a snippet of a few items in our list:

    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules

 Warning   Many of the configuration file’s parameters and settings have analogous command-line switches. When Snort is faced with two opposing instructions (for example, when you pass the "-fast" logging argument to Snort, but have the alert_full output module configured in the snort.conf file), Snort ignores the configuration file and executes according to what was present on the command line. For testing and isolated sensor installation, command-line options work well, but for larger deployments, use the configuration files to make the management, editing, and distribution far easier to handle.
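The four-step workflow above (back up, edit, test with -T, then bounce the process) and the two rule-related entries ($RULE_PATH plus the include lines) can be wrapped in a small pre-flight script. The following is an added example written for this page, not code from the book or from the Snort project. It assumes snort.conf sets the rules directory with a line of the form "var RULE_PATH /some/dir" and pulls rules in with "include $RULE_PATH/name.rules"; the SNORT_BIN override, the PID-file path and the sample configuration it builds are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the snort.conf edit workflow.
# Assumed file layout: "var RULE_PATH <dir>" and "include $RULE_PATH/<file>".

# Step 2: copy snort.conf to snort.conf.bak beside the original, print the backup name.
backup_conf() {
    conf="$1"
    cp "$conf" "$conf.bak" && printf '%s\n' "$conf.bak"
}

# Read the directory from the "var RULE_PATH ..." line (first match wins).
rule_path() {
    awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$1"
}

# Check that every "include $RULE_PATH/..." file exists before Snort is asked to parse it.
# Reports each missing file on stderr; returns 1 if any are missing (paths without spaces assumed).
check_includes() {
    conf="$1"
    dir=$(rule_path "$conf")
    [ -n "$dir" ] || { echo "no 'var RULE_PATH' line in $conf" >&2; return 1; }
    missing=0
    for inc in $(awk '$1 == "include" { print $2 }' "$conf"); do
        case "$inc" in
            '$RULE_PATH'/*) file="$dir/${inc#*/}" ;;   # expand $RULE_PATH like snort.conf does
            *)              file="$inc" ;;             # absolute or relative path as written
        esac
        if [ ! -f "$file" ]; then
            echo "missing rules file: $file" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Step 4: let Snort itself parse the file in test mode (snort -T -c snort.conf).
# SNORT_BIN is an assumed override so the binary location can be set per host.
test_conf() {
    "${SNORT_BIN:-snort}" -T -c "$1"
}

# "Bouncing" the sensor: send SIGHUP so the running process re-reads snort.conf.
# The default PID-file location is an assumption; pass your own as the first argument.
reload_snort() {
    pidfile="${1:-/var/run/snort_eth0.pid}"
    [ -r "$pidfile" ] || { echo "no PID file at $pidfile" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# Whole pre-flight: backup, include check, then Snort's own -T parse. Stops at the first failure.
preflight() {
    conf="$1"
    backup_conf "$conf" >/dev/null || return 1
    check_includes "$conf" || return 1
    test_conf "$conf"
}

# Constructed sample for offline use: a temp dir holding a tiny snort.conf and two of the
# three rules files it includes, so check_includes has something to complain about.
make_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    : > "$tmp/rules/local.rules"
    : > "$tmp/rules/bad-traffic.rules"
    cat > "$tmp/snort.conf" <<EOF
var HOME_NET any
var RULE_PATH $tmp/rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/bad-traffic.rules
include \$RULE_PATH/exploit.rules
EOF
    printf '%s\n' "$tmp"
}

# Usage: sh preflight.sh --demo   (runs the include check against the constructed sample)
#        . ./preflight.sh; preflight /usr/local/snort/etc/snort.conf && reload_snort
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    check_includes "$d/snort.conf" || echo "fix the missing include before running snort -T"
fi
```

The include check catches the most common edit mistake, a rules file referenced in Step 4 of snort.conf that was never dropped into $RULE_PATH, without needing Snort on the box; `snort -T` remains the authoritative test, since only Snort knows whether the rule syntax inside those files parses.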
