118
Chapter 3 Working with Snort Rules
included file into the main configuration file at the point where it is included. In fact,
most of the predefined rules that come with the Snort distribution are found in include
files. All files in the Snort distribution whose names end with .rules contain rules,
and they are pulled into the main snort.conf file with the include keyword. The
following example includes the myrules.rules file in the main configuration file.
include myrules.rules
The name of a rules file does not have to end with .rules. You can
use a name of your choice for your rule file.
3.7.8 Sample snort.conf File
The following is a sample configuration file for Snort. All lines starting with the #
character are comment lines. Whenever you modify the configuration file, you have to
restart Snort for the changes to take effect.
# Variable Definitions
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ./
# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode cginull
preprocessor unidecode: 80 unicode cginull
preprocessor bo: nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor arpspoof
# output modules
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: log, mysql, user=rr password=boota \
dbname=snort host=localhost
output xml: log, file=/var/log/snortxml
# Rules and include files
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
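The following Python script is an added example, not part of the book or the Snort distribution. It reads a configuration in the format shown above, joins backslash-continued lines, expands var references, and reports the resolved include paths, any undefined variables, and output lines that carry a password (masked). The function names are hypothetical, and the script assumes that variables are expanded in the order they are defined.

```python
import re

# Constructed sample in the snort.conf format shown above (not a complete file).
SAMPLE_CONF = r"""
# Variable Definitions
var HOME_NET 192.168.1.0/24
var HTTP_SERVERS $HOME_NET
var RULE_PATH ./
output database: log, mysql, user=rr password=boota \
dbname=snort host=localhost
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $LOCAL_RULES/myrules.rules
"""

VAR_REF = re.compile(r"\$(\w+)")

def logical_lines(text):
    """Yield non-comment lines, joining lines that end with a backslash."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def expand(value, variables, undefined):
    """Substitute $NAME references; record names that have no definition yet."""
    undefined.update(n for n in VAR_REF.findall(value) if n not in variables)
    return VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), value)

def audit(text):
    """Return (variables, include paths, undefined names, masked password lines)."""
    variables, includes, undefined, secrets = {}, [], set(), []
    for line in logical_lines(text):
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "var":
            name, _, value = rest.partition(" ")
            variables[name] = expand(value.strip(), variables, undefined)
        elif keyword == "include":
            includes.append(expand(rest, variables, undefined))
        elif keyword == "output" and "password=" in rest:
            secrets.append(re.sub(r"password=\S+", "password=***", line))
    return variables, includes, undefined, secrets

if __name__ == "__main__":
    for item in audit(SAMPLE_CONF):
        print(item)
```

An include path that still contains a $NAME after expansion points at a rule file Snort will not find, and any line reported in the last list means the configuration file itself holds a database credential and needs restrictive file permissions.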