SNORTCONFIG(1)	      User Contributed Perl Documentation	SNORTCONFIG(1)

NAME
       snortconfig - a simple yet complicated rules maintenance system

SYNOPSIS
       snortconfig -file <SNORT_CONFIG> -config <CONFIG> [-verbose]
		   [-directory <OUTPUT_DIRECTORY>] [-honeynet] [-inline]

DESCRIPTION
       snortconfig is a rules modification system for snort; the modifications
       it applies are generated from a configuration file.  This allows a user
       to keep their ruleset updated without too much of a headache.

OPTIONS
       -file <SNORT_CONFIG>
	   Process the rules referenced by the given snort.conf

       -config <CONFIG>
	   Configuration for modification of rules

       -verbose
	   Increases the debug verbose level

       -directory <PATH>
	   Sets the output directory for generated rulesets (CWD by default)

       -inline
	   Add snort-inline specific options.  These include drop, sdrop,
	   reject, replace, and replace_or_drop.

       -honeynet
	   Reverse source and destination IP addresses if both are using
	   variables.  Using -honeynet implies -inline.

	   !!! WARNING!!!  Honeypots are designed to be attacked.  While this
	   tool may *HELP* reduce the risk of running such a system, it is not a
	   perfect solution.  PLEASE check out http://www.honeynet.org for
	   more information on the risks of running honeynets.

Configuration
       Configuration is done using a basic INI-style configuration file.

       snortconfig supports three methods of configuring rules.  Each method
       specifies which rules the changes apply to.  These methods are files,
       sids, and classifications.  This allows you to make broad changes to
       snort rules very quickly.

       By specifying files, changes are made to any rules in the specified
       files.  By specifying sids, changes are made to specific snort rules
       based on the sid rule option.  By specifying classifications, changes
       are made to any rules that have the specified classtype rule option.

       There are eight types of modifications that can be done on rules.

       alert
	   Set the rule's action to "alert", which will trigger the normal
	   alerting mechanisms within snort.

       disable
	   Disables the rule by commenting it out.

       drop
	   Set the rule's action to "drop", which will cause snort to drop the
	   packet in inline mode.  (ONLY FOR SNORT-INLINE)

       log
	   Set the rule's action to "log", which will trigger the normal
	   logging mechanisms within snort.

       replace
	   Modify the payload of the packet where each pattern match is made
	   to a random string of bytes.  This can be used to attempt to
	   prevent exploits from succeeding.  (ONLY FOR SNORT-INLINE)

       replace_or_drop
	   Modify the payload of the packet where each pattern match is made
	   to a random string of bytes.  For rules that do not have content
	   matches, the rule action is set to drop.  This can be used to
	   attempt to prevent exploits from succeeding, whether they have
	   content matches or not.  (ONLY FOR SNORT-INLINE)

       reject
	   Set the rule's action to "reject", which will drop the packet and
	   log it via normal logging mechanisms.  Additionally, if the
	   protocol is TCP then snort will send a TCP reset, otherwise it will
	   send an ICMP port unreachable.

       sdrop
	   Set the rule's action to "sdrop", which will cause snort to drop
	   the packet in inline mode and not log the alert.
	   (ONLY FOR SNORT-INLINE)

EXAMPLE
	[files]
	drop: porn.rules, virus.rules
	replace: rpc.rules, icmp.rules

	[sids]
	drop: 2122, 1866, 2108, 2109
	disable: 300

	[classifications]
	replace: shellcode-detect
	sdrop: kickass-porn, policy-violation
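       As an added illustration (not snortconfig's own code), the following
       Python reimplements the logic described above over a constructed
       ruleset: it parses an INI configuration of the same shape as the
       example, selects a modification per rule by file, sid or classtype
       (that precedence order is an assumption; the tool documents none),
       rewrites the rule action, comments out disabled rules, appends a
       same-length random replace payload for content matches, and skips
       the inline-only actions unless inline mode is requested.

```python
import configparser
import random
import re
SAMPLE_RULES = {  # constructed sample rules (not real snort signatures), keyed by rules file name
    "virus.rules": ['alert tcp any any -> $HOME_NET 25 (msg:"v"; content:"X5O!P"; classtype:misc-activity; sid:900001; rev:1;)'],
    "local.rules": [
        'alert tcp any any -> $HOME_NET 80 (msg:"s"; content:"|90 90|NOP"; classtype:shellcode-detect; sid:900002; rev:1;)',
        'alert icmp any any -> $HOME_NET any (msg:"i"; classtype:shellcode-detect; sid:900003; rev:1;)',
        'alert icmp any any -> $HOME_NET any (msg:"p"; classtype:misc-activity; sid:300; rev:1;)',
    ],
}
CONFIG_TEXT = "[files]\ndrop: virus.rules\n[sids]\ndisable: 300\n[classifications]\nreplace_or_drop: shellcode-detect\n"
INLINE_ONLY = {"drop", "sdrop", "reject", "replace", "replace_or_drop"}  # the snort-inline actions from the man page
CONTENT_RE = re.compile(r'content:"([^"]*)";')

def parse_config(text):
    """INI text -> {section: {action: [targets]}}; values are comma-separated lists as in the EXAMPLE."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: {a: [t.strip() for t in v.split(",")] for a, v in cp[s].items()} for s in cp.sections()}

def select_action(cfg, filename, rule):
    """Match by file, then sid, then classtype; first hit wins (assumed order, the man page documents none)."""
    sid = re.search(r"\bsid:(\d+);", rule)
    ctype = re.search(r"\bclasstype:([\w-]+);", rule)
    keys = (("files", filename), ("sids", sid and sid.group(1)), ("classifications", ctype and ctype.group(1)))
    return next((a for sec, key in keys for a, targets in cfg.get(sec, {}).items() if key in targets), None)

def random_replacement(content, rng):
    """Random bytes of the same length as the content match: |..| blocks are hex bytes, the rest literal chars."""
    nbytes = sum(len(p.split()) if i % 2 else len(p) for i, p in enumerate(content.split("|")))
    return "|" + " ".join("%02X" % rng.randrange(256) for _ in range(nbytes)) + "|"

def rewrite(rule, action, rng):
    """Apply one of the eight modifications to a single-line rule (multiline rules are not handled)."""
    if action == "disable":
        return "# " + rule
    if action in ("replace", "replace_or_drop") and CONTENT_RE.search(rule):
        return CONTENT_RE.sub(lambda m: m.group(0) + ' replace:"%s";' % random_replacement(m.group(1), rng), rule)
    if action == "replace":  # no content match to replace and not allowed to drop: leave the rule alone
        return rule
    return re.sub(r"^\w+", "drop" if action == "replace_or_drop" else action, rule)

def apply_config(rules_by_file, cfg, inline=False, seed=0):
    """Rewrite every rule; without inline mode (-inline) the inline-only actions are skipped, not applied."""
    rng, out = random.Random(seed), {}
    for filename, rules in rules_by_file.items():
        actions = [select_action(cfg, filename, r) for r in rules]
        out[filename] = [r if a is None or (a in INLINE_ONLY and not inline) else rewrite(r, a, rng) for r, a in zip(rules, actions)]
    return out
```

       Running apply_config(SAMPLE_RULES, parse_config(CONFIG_TEXT), inline=True)
       drops the virus.rules rule, adds a replace payload to the content rule,
       drops the content-less shellcode-detect rule and comments out sid 300.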

NOTES
       This tool does not handle multiline rules.  Also, configuration is done
       all at once.  It would be nice if each block was applied in order so
       you could apply multiple configurations in sequence for even more
       advanced configuration.  Like I said, it would be nice, but it's not
       there yet.

AUTHOR
       Brian Caswell <bmc@shmoo.com>

REPORTING BUGS
       Report bugs to <bmc@shmoo.com>

THANKS
       Thanks to The Honeynet Project

COPYRIGHT
       Copyright (c) 2003 Brian Caswell

SEE ALSO
       snort(8)

BUGS
       snortconfig doesn't handle multiline rules properly.  Bad things may
       happen if you use em.  You have been warned.

       Since you probably didn't read this section of the manual until you ran
       into this bug, don't ask about it else I'll point and laugh because you
       didn't read the manual.

perl v5.32.0			  2007-09-18			SNORTCONFIG(1)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=snortconfig&sektion=1&manpath=FreeBSD+12.2-RELEASE+and+Ports>
