[Emerging-Sigs] The New Rulesets are Ready!!

waldo kitty wkitty42 at windstream.net
Wed Oct 13 21:08:05 EDT 2010


On 10/13/2010 20:23, Weir, Jason wrote:
> I looked quickly but could not find how to make snort look in multiple rules
> directories - point me in the right direction kemosabe

ahhh, grasshopper... something like this, perhaps?


var SNORT_HOME /var/snort
var ET_RULE_PATH $SNORT_HOME/et_rules
var VRT_RULE_PATH $SNORT_HOME/vrt_rules
var VRT_SO_RULE_PATH $SNORT_HOME/vrt_so_rules
var PREPROC_RULE_PATH $SNORT_HOME/preproc_rules
[...]

# VRT rules
include $VRT_RULE_PATH/attack-responses.rules
include $VRT_RULE_PATH/bad-traffic.rules
include $VRT_RULE_PATH/blacklist.rules
include $VRT_RULE_PATH/botnet-cnc.rules
[...]

# ET rules
include $ET_RULE_PATH/emerging-activex.rules
include $ET_RULE_PATH/emerging-attack_response.rules
include $ET_RULE_PATH/emerging-botcc.rules
[...]

###################################################
# Step #8: Customize your preprocessor and decoder alerts
# For more information, see README.decoder_preproc_rules
###################################################

# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
###################################################

# dynamic library rules
include $VRT_SO_RULE_PATH/bad-traffic.rules
include $VRT_SO_RULE_PATH/chat.rules
include $VRT_SO_RULE_PATH/dos.rules
include $VRT_SO_RULE_PATH/exploit.rules
[...]

# Event thresholding or suppression commands. See threshold.conf
include $SNORT_HOME/threshold.conf
<eof>
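An added sanity check for the layout shown above (my own example, not code from the post or from the Snort project): it walks a snort.conf fragment in file order, expands the `var` definitions the way the `$VRT_RULE_PATH`-style includes rely on, and reports any include whose rules file is missing, which is the usual way a split-directory setup breaks. The sample config and the injectable `exists` parameter are constructed for the demo.

```python
import os
import re

# Constructed sample modelled on the post's snort.conf excerpt (not a real file).
SAMPLE_CONF = """\
var SNORT_HOME /var/snort
var ET_RULE_PATH $SNORT_HOME/et_rules
var VRT_RULE_PATH $SNORT_HOME/vrt_rules
# VRT rules
include $VRT_RULE_PATH/bad-traffic.rules
# ET rules
include $ET_RULE_PATH/emerging-botcc.rules
include $SNORT_HOME/threshold.conf
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
REF_RE = re.compile(r"\$(\w+)")


def expand(value, variables):
    """Replace every $NAME in value with its definition; an undefined name raises."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined snort var ${name}")
        return variables[name]
    return REF_RE.sub(sub, value)


def resolve_includes(conf_text):
    """Return the fully expanded path of every include, in load order.
    Comment lines never match, and a var may reference vars defined above it."""
    variables, paths = {}, []
    for line in conf_text.splitlines():
        var = VAR_RE.match(line)
        inc = INCLUDE_RE.match(line)
        if var:
            variables[var.group(1)] = expand(var.group(2), variables)
        elif inc:
            paths.append(expand(inc.group(1), variables))
    return paths


def missing_includes(conf_text, exists=os.path.isfile):
    """Expanded include paths that do not exist; `exists` is injectable for testing."""
    return [p for p in resolve_includes(conf_text) if not exists(p)]


if __name__ == "__main__":
    for path in missing_includes(SAMPLE_CONF):
        print("missing rules file:", path)
```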