Koozali.org formerly Contribs.org

SNORT/acid default rules...

Guck Puppy

SNORT/acid default rules...
« on: May 12, 2003, 09:49:29 PM »
I just installed this IDS thingy and it's doing what it's supposed to do. The "Guardian" part of it (http://www.chaotic.org/guardian/) is also doing what it's supposed to do (block the IP address of the "attacker" for 24 hours).

I just wanted to point out to anyone who fits into any of the following categories that the default setup may need a bit of tweaking:

- you host public websites you want spidered by search engines
- you host your own primary dns which you want seconded by an external nameserver

By default, snort & guardian will

- block any ip (for 24 hours) that asks for your robots.txt file
  (edit /etc/web-misc.rules)

- block any ip (for 24 hours) that attempts a dns zone transfer
  (edit /etc/dns.rules)

This is probably all fine and good for the majority who don't run DNS or web - although even for them, the ports would not be open, so why would you monitor?

Also I was surprised that the snort rules weren't templated... although I guess the automatic updating of the rules could have something to do with that. Actually, with that in mind, I wonder what will happen to the rules I have turned off once the weekly rule update happens?



Re: SNORT/acid default rules...
« Reply #1 on: May 15, 2003, 02:48:15 AM »
I think the snort rules are located under the "rules" directory and you define which rules to use in /etc/snort/snort.conf.  The snort.conf doesn't get updated with the weekly update.  Just going from memory here since I'm away from my SME.

Guck Puppy

Re: SNORT/acid default rules...
« Reply #2 on: May 22, 2003, 06:55:39 AM »
You are correct.

That web-robots rule I mentioned... I'm trying to figure out how I can make sure it stays disabled (so guardian doesn't block the spider) while at the same time getting regular rule updates... perhaps some combination of grep and sed...?


Guck Puppy

Re: SNORT/acid default rules...
« Reply #3 on: May 24, 2003, 12:22:33 AM »
It's not pretty, but you can use grep to remove rules you don't want when the update happens.

I added these lines to update-rules.sh after the rules are copied in place:

# remove excluded rules: write the filtered copy next to the original (not in
# /tmp, where a predictable filename can be pre-created by another local user),
# then rename it into place
/bin/grep -v -E "WEB-MISC robots?.txt access" /etc/snort/web-misc.rules > /etc/snort/web-misc.rules.new
/bin/grep -v -E "DNS zone transfer ..." /etc/snort/dns.rules > /etc/snort/dns.rules.new
mv /etc/snort/web-misc.rules.new /etc/snort/web-misc.rules
mv /etc/snort/dns.rules.new /etc/snort/dns.rules

The "grep -v" thing means "give me everything in the file that doesn't match", effectively removing the rules you don't want.
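The same exclusion as an added example, written for this page and not taken from the thread or from the SME Server snort contrib's own update-rules.sh. It covers both points raised above: which rules fire on search-engine spiders and secondary nameservers (the robots.txt and zone-transfer rules from the first post), and how to keep them disabled across a rule update (the grep approach in the last post). Instead of dropping the lines it comments them out, so the exclusions stay visible in the rule file and a diff against the next update still shows what was changed; the filtered copy is written to a mktemp file beside the target rather than in /tmp and renamed into place. The function names (disable_rules, count_active, write_sample_rules, demo) are mine, and the two sample rule files are constructed for the example in the rule syntax of that era; their SIDs and options are illustrative, not copied from a distributed ruleset. The page's own patterns are reused as-is: taken as extended regexes, the unescaped dot in "robots?.txt" matches any character, and the three dots in "DNS zone transfer ..." match any three characters, which is why one pattern catches both the TCP and the UDP zone-transfer rule in the sample. The script does not restart snort; whatever update-rules.sh does after copying the rules still has to happen.

```shell
#!/bin/sh
# Added example, not code from the thread and not the SME Server snort
# contrib's own update-rules.sh. Disables unwanted Snort rules by commenting
# them out instead of deleting the lines, so the exclusions stay visible in
# the rule file, and swaps the new file in with an atomic rename from a temp
# file created next to the target rather than in /tmp.

# disable_rules RULEFILE PATTERN...
# Each PATTERN is an extended regex matched against the text inside msg:"...",
# like the grep -v patterns in the thread. Lines that are already comments
# are left alone, so running it twice does not double-comment anything.
disable_rules() {
    rulefile=$1
    [ -f "$rulefile" ] || { echo "disable_rules: no such file: $rulefile" >&2; return 1; }
    shift
    [ $# -gt 0 ] || return 0
    # Join the patterns into one alternation: p1|p2|p3
    alt=$(printf '%s|' "$@"); alt=${alt%|}
    re="^ *(alert|log|pass|drop|reject|sdrop) .*msg:\"[^\"]*($alt)"
    tmp=$(mktemp "$rulefile.XXXXXX") || return 1
    # The regex goes in through the environment: awk -v would reprocess
    # backslash escapes in a pattern such as robots\.txt.
    if ! RE="$re" awk '
        $0 ~ ENVIRON["RE"] { print "# disabled by update-rules: " $0; next }
        { print }' "$rulefile" > "$tmp"
    then
        rm -f "$tmp"; return 1
    fi
    # mktemp creates the file 0600; copy the mode of the file being replaced.
    chmod --reference="$rulefile" "$tmp" 2>/dev/null || chmod 644 "$tmp"
    mv "$tmp" "$rulefile"
}

# count_active RULEFILE: number of rule lines still active (not commented out).
count_active() {
    grep -c -E '^ *(alert|log|pass|drop|reject|sdrop) ' "$1" || true
}

# Constructed sample rule files in 2003-era Snort syntax (not the real
# distributed rules; SIDs and options are illustrative).
write_sample_rules() {
    cat > "$1/web-misc.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;)
EOF
    cat > "$1/dns.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; classtype:attempted-recon; sid:255; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; classtype:attempted-recon; sid:1616; rev:4;)
EOF
}

# demo: apply the page's two patterns to a throwaway copy of the samples and
# print the directory used. "robots?.txt" has an unescaped dot, and the "..."
# in the DNS pattern matches any three characters, so it disables both the
# TCP and the UDP zone-transfer rule while leaving the "named version" rule.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_rules "$dir"
    disable_rules "$dir/web-misc.rules" 'WEB-MISC robots?.txt access' || return 1
    disable_rules "$dir/dns.rules" 'DNS zone transfer ...' || return 1
    echo "$dir"
}

# Run directly: show the two filtered files, then clean up.
out=$(demo) && { cat "$out/web-misc.rules" "$out/dns.rules"; rm -rf "$out"; }
```

To use it in an update script, call disable_rules on each rule file after the new rules have been copied in, with one pattern per rule to silence; because disabled rules are only commented out, `grep '^# disabled by update-rules' /etc/snort/*.rules` lists exactly what the script has excluded.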