NAME

snortconfig - a simple yet complicated rules maintance system

SYNOPSIS

snortconfig -file <SNORT_CONFIG> -config <CONFIG> [-verbose] [-directory <OUTPUT_DIRECTORY>] [-honeynet] [-inline]

DESCRIPTION

snortconfig is a rules modification system for snort that is generated from a configuration file. This allows a user to keep their ruleset updated without too much of a headache.

OPTIONS

-file <SNORT_CONFIG>: Process the rules located in snort.conf
-config <CONFIG>: Configuration for modification of rules
-verbose: Increases the debug verbose level
-directory <PATH>: Sets the output directory for generated rulesets (CWD by default)
-inline: Add snort-inline specific options. These include drop, sdrop, reject, replace, and replace_or_drop.
-honeynet: Reverse source and destination IP addresses if both are using variables. Using -honeynet implies -inline
!!! WARNING!!! honeypots are designed to be attacked. while this tool may *HELP* reduce risk of running such a system, this is not a perfect solution. PLEASE check out http://www.honeynet.org for more information on the risks on running honeynets.

Configuration

Configuration is done using a basic INI style configuration.

snortconfig supports three methods of configuration of rules. The methods are specifing what rules to apply changes to. These methods are files, sids, and classifications. This allows make broad changes to snort rules very quickly.

By specifing files, changes are made to any rules in the specified files. By specifing sids, changes are made to specific snort rules based on the sid rule option. By specifing classifications, changes are made to any rules that have the specified classtype rule option.

There are eight types of modifications that can be done on rules.

alert: Set the rule's action to "alert", which will trigger the normal alerting mechanisms within snort.
disable: Disables the rule by commenting it out.
drop: Set the rule's action to "drop", which will cause snort to drop the packet in inline mode. (ONLY FOR SNORT-INLINE)
log: Set the rule's action to "log", which will trigger the normal logging mechanisms within snort.
replace: Modify the payload of the packet where each pattern match is made to a random string of bytes. This can be used to attempt to disable exploits from being successful. (ONLY FOR SNORT-INLINE)
replace_or_drop: Modify the payload of the packet where each pattern match is made to a random string of bytes. For rules that do not have content matches, the rule action is set to drop. This can be used to attempt to disable exploits from being successful, weither they have content matches or not. (ONLY FOR SNORT-INLINE)
reject: Set the rule's action to "reject", which will drop the packet and log it via normal logging mechanisms. Additionally, if the protocol is TCP then snort will send a TCP reset, otherwise it will send an icmp port unreachable.
sdrop: Set the rule's action to "sdrop", which will cause snort to drop the packet in inline mode and not log the alert. (ONLY FOR SNORT-INLINE)

EXAMPLE

 [files]
 drop: porn.rules, virus.rules
 replace: rpc.rules, icmp.rules

 [sids]
 drop: 2122, 1866, 2108, 2109
 disable: 300

 [classifications]
 replace: shellcode-detect
 sdrop: kickass-porn, policy-violation

NOTES

This tool does not handle multiline rules. Also, configuration is done all at once. It would be nice if each block was applied in order so you can apply multiple configurations in order for even more advanced configuration. Like I said, it would be nice, but its not there yet.

AUTHOR

Brian Caswell <bmc@shmoo.com>

REPORTING BUGS

Report bugs to <bmc@shmoo.com>

THANKS

Thanks to The Honeynet Project

COPYRIGHT

BUGS

snortconfig doesn't handle multiline rules properly. Bad things may happen if you use em. You have been warned.

Since you probably didn't read this section of the manual until you ran into this bug, don't ask about it else I'll point and laugh because you didn't read the manual.