Difference between revisions of "Snort"

From NST Wiki
Latest revision as of 10:12, 29 March 2007

Snort Configuration Tips

Disabling Rules By ID

Snort can be told to stop alerting on a particular event by adding a suppress line to the file "threshold.conf" (located in the snort rules directory). Each line names the event by its generator ID (gen_id) and signature ID (sig_id), the pair that appears as [gen_id:sig_id:rev] at the front of every alert. For example, adding the following to the end of "threshold.conf" stops the "http_inspect: DOUBLE DECODING ATTACK" and "http_inspect: OVERSIZE REQUEST-URI DIRECTORY" alerts. Generator 119 is the http_inspect preprocessor, so these events are not text rules that could be commented out in a .rules file; suppression is the way to silence them:


suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE DECODING ATTACK alerts
suppress gen_id 119, sig_id 15 # disable http_inspect: OVERSIZE REQUEST-URI DIRECTORY alerts

A suppress line only stops the alert from being logged; the preprocessor or rule still inspects the traffic. As written above, the suppression is global. To silence the event only for particular hosts, add a track by_src or track by_dst clause followed by an ip list to the same line.

NOTE: The file "threshold.conf" is not loaded by default, so you will also need to modify your snort configuration file(s). Search for "threshold.conf" in the "snort.conf" file(s) and uncomment the include line, adjusting the path so that it points at where your threshold.conf actually lives ($RULE_PATH is the rules-directory variable defined earlier in snort.conf), as shown below:


# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
include $RULE_PATH/threshold.conf
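The following is an added example, not code from the NST Wiki page or from the Snort project: a small checker that audits the suppress lines you put in threshold.conf and confirms that snort.conf really has an uncommented include for the file. The threshold.conf and snort.conf fragments inside it are constructed for the example (they contain the two suppress lines from the page, a per-source suppression, a duplicate and a malformed line); the parser accepts the suppress syntax shown on this page plus the optional track/ip clause and does not try to cover threshold or event_filter lines.

```python
import re

# Constructed sample threshold.conf (not the stock Snort file): the two lines
# from the page, a per-source suppression, a duplicate of line 2, and one
# malformed line (missing comma) to exercise the checker.
SAMPLE_THRESHOLD_CONF = """\
# threshold.conf -- constructed example
suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE DECODING ATTACK alerts
suppress gen_id 119, sig_id 15 # disable http_inspect: OVERSIZE REQUEST-URI DIRECTORY alerts
suppress gen_id 1, sig_id 2003, track by_src, ip 10.1.1.54
suppress gen_id 119, sig_id 2
suppress gen_id 119 sig_id 3
"""

# Constructed snort.conf fragments: the stock commented-out include versus the
# uncommented one the page tells you to produce.
SNORT_CONF_BEFORE = """\
# Uncomment if needed.
# include $RULE_PATH/threshold.conf
"""
SNORT_CONF_AFTER = """\
# Uncomment if needed.
include $RULE_PATH/threshold.conf
"""

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]
SUPPRESS_RE = re.compile(
    r'^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)'
    r'(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$'
)


def strip_comment(line):
    """Drop a trailing '#' comment (the page's own examples carry them) and whitespace."""
    return line.split('#', 1)[0].strip()


def parse_suppress_lines(text):
    """Return (entries, errors): parsed suppress lines and (lineno, text) of unparsable ones."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line or not line.startswith('suppress'):
            continue  # blank, comment-only, or a threshold/event_filter line (not audited here)
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append((lineno, raw.strip()))
            continue
        gid, sid, track, ip = m.groups()
        entries.append({'gid': int(gid), 'sid': int(sid), 'track': track, 'ip': ip, 'lineno': lineno})
    return entries, errors


def find_duplicates(entries):
    """Pairs of line numbers (first, repeat) for identical suppressions."""
    seen, dups = {}, []
    for e in entries:
        key = (e['gid'], e['sid'], e['track'], e['ip'])
        if key in seen:
            dups.append((seen[key], e['lineno']))
        else:
            seen[key] = e['lineno']
    return dups


def global_suppressions(entries):
    """Entries without a track clause silence the event for every host, not just one."""
    return [e for e in entries if e['track'] is None]


def threshold_conf_included(snort_conf_text):
    """True only if an uncommented include line in snort.conf names threshold.conf."""
    for raw in snort_conf_text.splitlines():
        line = strip_comment(raw)
        if line.startswith('include') and line.split()[-1].endswith('threshold.conf'):
            return True
    return False


if __name__ == '__main__':
    entries, errors = parse_suppress_lines(SAMPLE_THRESHOLD_CONF)
    for n, text in errors:
        print('line %d: cannot parse: %s' % (n, text))
    for first, repeat in find_duplicates(entries):
        print('line %d repeats the suppression on line %d' % (repeat, first))
    for e in global_suppressions(entries):
        print('line %d: [%d:%d] is suppressed for all hosts' % (e['lineno'], e['gid'], e['sid']))
    for name, conf in (('before', SNORT_CONF_BEFORE), ('after', SNORT_CONF_AFTER)):
        print('snort.conf (%s) loads threshold.conf: %s' % (name, threshold_conf_included(conf)))
```

The checker only inspects the text; the authoritative check is still to run Snort itself in configuration-test mode against the edited snort.conf (snort -T -c snort.conf), which reports a parse error for a malformed suppress line and confirms that the include was picked up.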

References

sfPortscan Module (http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/node11.html#SECTION00317000000000000000): notes on fine tuning the port scan module in Snort.