Koozali.org formerly Contribs.org

SNORT/acid default rules...

Guck Puppy

SNORT/acid default rules...
« on: May 12, 2003, 09:49:29 PM »
I just installed this IDS thingy and it's doing what it's supposed to do. The "Guardian" part of it (http://www.chaotic.org/guardian/) is also doing what it's supposed to do (block the IP address of the "attacker" for 24 hours).

I just wanted to point to anyone who fits into any of the following categories that the default setup may need a bit of tweaking :

- you host public websites you want spidered by search engines
- you host your own primary dns which you want seconded by an external nameserver

by default, snort & guardian will

- block any ip (for 24 hours) that asks for your robots.txt file
  (edit /etc/web-misc.rules)

- block any ip (for 24 hours) that attempts a dns zone transfer
  (edit /etc/dns.rules)

This is probably all fine and good for the majority that don't run dns or web - although even for them, the ports would not be open so why would you monitor?

Also I was surprised that the snort rules weren't templated... although I guess the automatic updating of the rules could have something to do with that. Actually, with that in mind, I wonder what will happen to the rules I have turned off once the weekly rule update happens?

G

Mark

Re: SNORT/acid default rules...
« Reply #1 on: May 15, 2003, 02:48:15 AM »
I think the snort rules are located under the "rules" directory and you define which rules to use in /etc/snort/snort.conf.  The snort.conf doesn't get updated with the weekly updated.  Just going from memory here since I'm away from my SME.

Guck Puppy

Re: SNORT/acid default rules...
« Reply #2 on: May 22, 2003, 06:55:39 AM »
You are correct.

That web-robots rule I mentioned... I'm trying to figure out how I can make sure it stays disabled (so guardian doesn't block the spider) while at the same time getting regular rule updates... perhaps some combination of grep and sed...?

G

Guck Puppy

Re: SNORT/acid default rules...
« Reply #3 on: May 24, 2003, 12:22:33 AM »
It's not pretty, but you can use grep to remove rules you don't want when the update happens.

I added these lines to update-rules.sh after the rules are copied in place :

# remove excluded rules
echo REMOVE EXCLUDED RULES
/bin/grep -v --extended-regex "WEB-MISC robots?.txt access" /etc/snort/web-misc.rules > /tmp/snort_web-misc.rules
/bin/grep -v --extended-regex "DNS zone transfer ..." /etc/snort/dns.rules > /tmp/snort_dns.rules
mv /tmp/snort_web-misc.rules /etc/snort/web-misc.rules
mv /tmp/snort_dns.rules /etc/snort/dns.rules

the "grep -v" thing means "give me everything in the file that doesn't match" effectively removing the rules you don't want.

G