3.10 Default Snort Rules and Classes
Snort comes with a rich set of rules. These rules are divided into different files, and each file represents one class of rules. In the source code distribution of Snort, these files are present under the rules directory of the source code tree. The following is a list of the rule files in the Snort 1.9.0 distribution:
attack-responses.rules  backdoor.rules      bad-traffic.rules    chat.rules
ddos.rules              deleted.rules       dns.rules            dos.rules
experimental.rules      exploit.rules       finger.rules         ftp.rules
icmp-info.rules         icmp.rules          imap.rules           info.rules
local.rules             Makefile            Makefile.am          Makefile.in
misc.rules              multimedia.rules    mysql.rules          netbios.rules
nntp.rules              oracle.rules        other-ids.rules      p2p.rules
policy.rules            pop3.rules          porn.rules           rpc.rules
rservices.rules         scan.rules          shellcode.rules      smtp.rules
snmp.rules              sql.rules           telnet.rules         tftp.rules
virus.rules             web-attacks.rules   web-cgi.rules        web-client.rules
web-coldfusion.rules    web-frontpage.rules web-iis.rules        web-misc.rules
web-php.rules           x11.rules
For example, all rules related to X-Windows attacks are combined in the x11.rules file, which contains the following:
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: x11.rules,v 1.12 2002/08/18 20:28:43 cazz Exp $
#----------
# X11 RULES
#----------
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"|6c00 0b 00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:2;)
Similarly, each file contains rules specific to a particular class. The dns.rules file contains all rules related to attacks on DNS servers, the telnet.rules file contains all rules related to attacks on the telnet port, and so on.
3.10.1 The local.rules File
The local.rules file contains no rules. It is meant to be used by the Snort administrator for customized rules. However, you can use any file name for your own customized rules and include it in the main snort.conf file.
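As an added example (not from the book or from the Snort distribution), the following Python parser reads the rule syntax shown in x11.rules above, tags each rule with the file (class) it came from, and reports sid values that appear in more than one file, the kind of collision that happens when a custom local.rules entry reuses a sid from a distributed rule. The file contents and the local.rules entry are constructed sample input; the sid collision is deliberate so the check has something to find.

```python
import re
# Constructed input: the two x11.rules entries above plus a hypothetical local.rules entry whose sid collides
RULE_FILES = {
    "x11.rules": """# X11 RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"|6c00 0b 00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:2;)
""",
    "local.rules": """# hypothetical custom rule; note the ';' inside the quoted msg
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"LOCAL X11 connect; custom"; flow:established; content:"|6c00|"; classtype:unknown; sid:1225; rev:1;)
""",
}
# Rule header: action proto src sport direction dst dport, then (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body):
    # Split on ';' except inside double quotes: a msg or content string may contain one.
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def parse_rule(line):
    # Header fields plus one key per option (quotes stripped), or None if the line is not a rule.
    m = HEADER.match(line.strip())
    if not m:
        return None
    rule = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), m.groups()))
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(":")
        rule[key.strip()] = val.strip().strip('"')
    return rule

def load_rules(files):
    # Parse every non-comment line of every file, tagging each rule with its file (class).
    parsed = [(f, parse_rule(ln)) for f, t in files.items() for ln in t.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    return [{**r, "file": f} for f, r in parsed if r]

def duplicate_sids(rules):
    # A sid must be unique across every file Snort loads; report any that is not.
    by_sid = {}
    for r in rules:
        by_sid.setdefault(int(r["sid"]), []).append(r["file"])
    return {sid: files for sid, files in by_sid.items() if len(files) > 1}
```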