The Snort Configuration File
117
There may be additional steps to make the output module work properly. In the case of the MySQL database, you need to set up a database, create tables, create a user, set permissions and so on. More information on configuring output modules is found in Chapter 4.
3.7.5 Defining New Action Types
You already know that the first part of each Snort rule is the action item. Snort has predefined action types; however, you can also define your own action types in the configuration file. A new action type may use multiple output modules. The following action type creates alert messages that are logged into the database as well as in a file in the tcpdump format.
ruletype dump_database
{
    type alert
    output database: alert, mysql, user=rr dbname=snort \
        host=localhost
    output log_tcpdump: tcpdump_log_file
}
This new action type can be used in rules just like other action types.
dump_database icmp any any -> 192.168.1.0/24 any \
    (fragbits: D; msg: "Don't Fragment bit set";)
When a packet matches the criteria in this rule, the alert will be logged to the database as well as to the tcpdump_log_file.
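One check worth running before loading a configuration that defines its own action types is that every rule actually names an action Snort will recognize: either a built-in action or a ruletype defined earlier in the file. A rule whose action is misspelled never fires, and the gap is silent. The script below is an added example for this section, not code from Snort or from the book; it parses ruletype blocks (honouring backslash line continuations the way snort.conf does), records the type and output modules of each, and then lists rules whose action is neither built-in nor defined. The sample configuration embedded in it is constructed for the example and mirrors the dump_database block above, plus one deliberately misspelled action.

```python
"""Check that every rule action in a snort.conf fragment is either a
built-in Snort action or a ruletype defined in the same configuration.

Added example for this section; not Snort code. The configuration text
below is constructed for the example.
"""
import re

# Rule actions Snort provides out of the box (Snort 2.x).
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Constructed sample configuration: the dump_database ruletype from the
# text, a rule using it, a built-in alert rule, and a misspelled action.
SAMPLE_CONF = r"""
# custom action: alert to the database and to a tcpdump-format file
ruletype dump_database
{
    type alert
    output database: alert, mysql, user=rr dbname=snort \
        host=localhost
    output log_tcpdump: tcpdump_log_file
}

dump_database icmp any any -> 192.168.1.0/24 any \
    (fragbits: D; msg: "Don't Fragment bit set";)
alert tcp any any -> 192.168.1.0/24 80 (msg: "web request";)
dump_db icmp any any -> 192.168.1.0/24 any (msg: "typo in action";)
"""

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)


def join_continuations(text):
    """Join lines ending in a backslash, as Snort does when reading snort.conf."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_ruletypes(text):
    """Return {name: {"type": ..., "outputs": [...]}} for each ruletype block."""
    ruletypes = {}
    for m in RULETYPE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        spec = {"type": None, "outputs": []}
        for line in body.strip().splitlines():
            line = line.strip()
            if line.startswith("type "):
                spec["type"] = line.split(None, 1)[1].strip()
            elif line.startswith("output "):
                spec["outputs"].append(line.split(None, 1)[1].strip())
        ruletypes[name] = spec
    return ruletypes


def parse_rule_actions(text):
    """Yield (action, rule_line) for every rule line outside ruletype blocks."""
    stripped = RULETYPE_RE.sub("", text)
    for line in stripped.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield line.split(None, 1)[0], line


def check_actions(conf_text):
    """Return the rules whose action is neither built-in nor a defined ruletype."""
    text = join_continuations(conf_text)
    defined = set(parse_ruletypes(text))
    return [rule for action, rule in parse_rule_actions(text)
            if action not in BUILTIN_ACTIONS and action not in defined]


if __name__ == "__main__":
    for name, spec in parse_ruletypes(join_continuations(SAMPLE_CONF)).items():
        print(f"ruletype {name}: type={spec['type']}, outputs={spec['outputs']}")
    for rule in check_actions(SAMPLE_CONF):
        print("unknown action:", rule)
```

Run it as-is and it reports the single rule whose action, dump_db, matches no ruletype; the same functions can be pointed at a real snort.conf by replacing SAMPLE_CONF with the file's contents.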
3.7.6 Rules Configuration
The rules configuration is usually the last part of the configuration file. You can create as many rules as you like using variables already defined in the configuration file. All of the previous discussion in this chapter was about writing new rules. The rules configuration is the place in the configuration file where you can put your rules. However, the convention is to put all Snort rules in different text files. You can include these text files in the snort.conf file using the include keyword. Snort comes with many predefined rule files. The names of these rule files end with .rule. You have already seen in the last chapter how to put these rule files in the proper place during the installation process.
3.7.7 Include Files
You can include other files inside the main configuration file using the include
keyword. You can think of including a file as equivalent to inserting the contents of the