adding own ids rules

A forum for guides around Securepoint and related topics. Note that this is not a support forum.

Moderator: Securepoint

philipp
Posts: 119
Joined: Wed 07.02.2007, 15:44


Post by philipp »

For info about the IDS rules, visit: http://www.snort.org/
Create a root user.

Create a ruleset on your desktop PC and name it "something.rules".

Log in as root.

Mount the filesystem in read-write mode:

Code:

mount -o remount,rw /
Copy the file via SFTP to /etc.orig/snort-rules/something.rules (and to /etc/snort-rules/something.rules if you don't want to restart).

Mount the filesystem in read-only mode:

Code:

mount -o remount,ro /
Log in as admin.

Show the current rules:

Code:

show extc_value snort RULES_VALUES
Copy the values and add the new rule by typing:

Code:

change extc_text snort RULES_VALUES
Paste the existing rules and add "something", press
Confirm by entering "**" and press
The system prints "**" and goes back to the CLI.

Now you can activate the rule with the Securepoint Manager.

Don't forget to save your config.

Example:

Code:

firewall.foo.local> change extc_text snort RULES_VALUES
backdoor
bot
chat
ddos
dns
dos
exploit
finger
ftp
game
icmp-info
icmp
imap
inappropriate
info
mail-client
misc
multimedia
mysql
netbios
nntp
oracle
other-ids
p2p
policy
pop2
pop3
porn
rpc
rservices
shellcode
sip
smtp
snmp
sql-injection
sql
telnet
tftp
virus
web-attacks
web-cgi
web-client
web-coldfusion
web-dos
web-frontpage
web-iis
web-misc
web-php
x11
something
**
**
firewall.foo.local>
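The root-side part of the procedure above (create a ruleset, remount / read-write, place the file in both rule directories, remount read-only), collected into a small POSIX shell script as an added example. This is not code from the post or from Securepoint: the two directories /etc.orig/snort-rules and /etc/snort-rules are taken from the post, while the sample rule, its sid/rev values, the pre-copy sanity check and the optional staging prefix argument are assumptions made for this example. The final step of adding "something" to RULES_VALUES is still done by hand in the admin CLI exactly as shown in the post.

```shell
#!/bin/sh
# Added example (not from the post or Securepoint): stage a custom Snort
# ruleset and copy it into the rule directories the post names. Run it on
# the appliance as root after uploading the script, or with a staging
# prefix (second argument, an assumption for this example) on any machine.
set -eu

# Write a minimal, syntactically complete Snort rule file. The rule is
# constructed for this example; sid 1000001 lies in the local-rule range.
write_ruleset() {
    out="$1"
    cat > "$out" <<'EOF'
# something.rules - custom rules (constructed example)
alert tcp any any -> any 23 (msg:"CUSTOM telnet connection attempt"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:1;)
EOF
}

# Sanity-check a rule file before it goes onto the firewall: every rule
# line must carry msg, sid and rev, end with ';)', and use a sid of at
# least 1000000 so it cannot collide with an official Snort rule.
check_ruleset() {
    file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*) continue ;;                      # blank line or comment
            *'msg:'*'sid:'*'rev:'*';)')
                sid=${line##*sid:}                      # text after the last "sid:"
                sid=${sid%%;*}                          # up to the next ';'
                [ "$sid" -ge 1000000 ] 2>/dev/null \
                    || { echo "sid '$sid' outside local range: $line" >&2; status=1; } ;;
            *) echo "bad rule: $line" >&2; status=1 ;;
        esac
    done < "$file"
    return $status
}

# The RULES_VALUES entry to add in the admin CLI is the file name without
# its ".rules" extension ("something" for "something.rules").
rules_value() {
    name=$(basename "$1")
    printf '%s\n' "${name%.rules}"
}

# Copy the checked file into both rule directories. Without a prefix the
# root filesystem is remounted read-write for the copy and read-only again
# afterwards; the EXIT trap makes sure it does not stay writable if a copy
# fails halfway through.
install_ruleset() {
    file="$1"
    prefix="${2:-}"
    name=$(basename "$file")
    check_ruleset "$file"
    if [ -z "$prefix" ]; then
        mount -o remount,rw /
        trap 'mount -o remount,ro /' EXIT
    fi
    for dir in /etc.orig/snort-rules /etc/snort-rules; do
        mkdir -p "$prefix$dir"
        cp "$file" "$prefix$dir/$name"
    done
    if [ -z "$prefix" ]; then
        trap - EXIT
        mount -o remount,ro /
    fi
    echo "installed $name; now add \"$(rules_value "$file")\" to RULES_VALUES in the admin CLI"
}
```

Used on the appliance as `install_ruleset /tmp/something.rules`, the script performs the remount/copy/remount steps from the post; with a staging prefix such as `install_ruleset ./something.rules /tmp/stage` it only rehearses the copy into `/tmp/stage/etc.orig/snort-rules` and `/tmp/stage/etc/snort-rules`, which is a convenient way to check the rule file before touching the firewall.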
