3.10 Default Snort Rules and Classes

Snort comes with a rich set of rules. These rules are divided into different files, and each file represents one class of rules. In the source code distribution of Snort, these files are present under the rules directory in the source code tree. The following is a list of the rule files in the Snort 1.9.0 distribution:

attack-responses.rules
backdoor.rules
bad-traffic.rules
chat.rules
ddos.rules
deleted.rules
dns.rules
dos.rules
experimental.rules
exploit.rules
finger.rules
ftp.rules
icmp-info.rules
icmp.rules
imap.rules
info.rules
local.rules
Makefile
Makefile.am
Makefile.in
misc.rules
multimedia.rules
mysql.rules
netbios.rules
nntp.rules
oracle.rules
other-ids.rules
p2p.rules
policy.rules
pop3.rules
porn.rules
rpc.rules
rservices.rules
scan.rules
shellcode.rules
smtp.rules
snmp.rules
sql.rules
telnet.rules
tftp.rules
virus.rules
web-attacks.rules
web-cgi.rules
web-client.rules
web-coldfusion.rules
web-frontpage.rules
web-iis.rules
web-misc.rules
web-php.rules
x11.rules

For example, all rules related to X-Windows attacks are combined in the x11.rules file:

# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: x11.rules,v 1.12 2002/08/18 20:28:43 cazz Exp $
#----------
# X11 RULES
#----------

alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"|6c00 0b00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:2;)

Similarly, each file contains rules specific to a particular class. The dns.rules file contains all rules related to attacks on DNS servers, the telnet.rules file contains all rules related to attacks on the telnet port, and so on.

3.10.1 The local.rules File

The local.rules file ships with no rules in it. It is meant to hold the Snort administrator's customized rules. However, you can use any file name for your own customized rules, as long as you include that file in the main snort.conf file.
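As an added example, not taken from the book or from the Snort project, the following Python script parses rule lines in the format shown in the x11.rules listing above (a header of action, protocol, addresses and ports, followed by semicolon-separated options in parentheses), decodes the |hex| content notation used in the xopen rule, and flags sids that are reused across rules, a check worth running after adding custom rules to local.rules. The two x11.rules entries are copied from the listing; the third rule, with its sid, rev and classtype values, is a constructed placeholder.

```python
import re
# Constructed sample: the two x11.rules entries reproduced above, plus one hypothetical
# local.rules entry that mistakenly reuses sid 1226 (its sid, rev and classtype are placeholders).
RULES_TEXT = r'''
# X11 RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"|6c00 0b00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"LOCAL X11 setup request"; content:"|6c00 0b00|"; classtype:misc-activity; sid:1226; rev:1;)
'''
# Rule header: action proto src sport direction dst dport, then everything inside the parentheses
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# A ';' separates options only when it is outside double quotes (an even number of quotes follows it)
OPT_SPLIT = re.compile(r';\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')

def split_options(opts):
    """Return [(keyword, value), ...]; a bare flag such as 'nocase' gets an empty value."""
    return [tuple(p.strip() for p in item.partition(':')[::2])
            for item in OPT_SPLIT.split(opts) if item.strip()]

def decode_content(value):
    """Turn a content: value into bytes; text between '|' characters is hex, whitespace ignored."""
    out = bytearray()
    for i, seg in enumerate(value.strip().strip('"').split('|')):
        out += bytes.fromhex(seg.replace(' ', '')) if i % 2 else seg.encode('latin-1')
    return bytes(out)

def parse_rules(text):
    """Parse each non-comment line into a dict of header fields plus options, sid, msg and content."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError('unparsable rule: ' + line)
        rule = m.groupdict()
        opts = rule['options'] = split_options(rule.pop('opts'))
        rule['sid'] = next((v for k, v in opts if k == 'sid'), None)
        rule['msg'] = next((v.strip('"') for k, v in opts if k == 'msg'), '')
        rule['content'] = [decode_content(v) for k, v in opts if k == 'content']
        rules.append(rule)
    return rules

def duplicate_sids(rules):
    """sids used by more than one rule: a common mistake when adding custom rules to local.rules."""
    sids = [r['sid'] for r in rules]
    return {s for s in sids if sids.count(s) > 1}
```

Decoding the xopen rule's content yields 12 bytes beginning with 'l' (little-endian byte order) and protocol major version 11 in bytes 2 and 3, which is the X11 connection setup request that the rule name refers to.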
