adding own ids rules
Posted: Fri 27.04.2007, 13:09
For information about the IDS rules, visit: http://www.snort.org/
create a root user.
create a ruleset on your desktop PC and name it "something.rules"
login as root
mount the filesystem in read-write mode:
    mount -o remount,rw /
copy the file via sftp to /etc.orig/snort-rules/something.rules (and /etc/snort-rules/something.rules if you don't want to restart)
mount the filesystem in read-only mode:
    mount -o remount,ro /
login as admin
show the current rules:
    show extc_value snort RULES_VALUES
copy the values and add the new rule by typing:
    change extc_text snort RULES_VALUES
paste the existing rules, add "something" on a new line, and press Enter
confirm by entering "**" and press Enter
the system prints "**" and goes back to the CLI
now you can activate the rule with the Securepoint manager
don't forget to save your config.
example:
firewall.foo.local> change extc_text snort RULES_VALUES
backdoor
bot
chat
ddos
dns
dos
exploit
finger
ftp
game
icmp-info
icmp
imap
inappropriate
info
mail-client
misc
multimedia
mysql
netbios
nntp
oracle
other-ids
p2p
policy
pop2
pop3
porn
rpc
rservices
shellcode
sip
smtp
snmp
sql-injection
sql
telnet
tftp
virus
web-attacks
web-cgi
web-client
web-coldfusion
web-dos
web-frontpage
web-iis
web-misc
web-php
x11
something
**
**
firewall.foo.local>
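The staging and list-editing part of the procedure above as a POSIX shell script. This is an added example, not code from the original post or from Securepoint. It assumes the rules file has already been uploaded to the appliance (for example to /tmp) and that the script runs as root; the ROOT variable and the function names check_rules, deploy_rules and new_rules_values are invented here. ROOT lets the copy steps be exercised against a scratch directory instead of the real root filesystem; when it is empty the script remounts / exactly as the post does. The output of new_rules_values is the text you paste into change extc_text snort RULES_VALUES.

```shell
#!/bin/sh
# Added example: stage a Snort rules file on the appliance and build the
# new RULES_VALUES list. Not part of the original post.
# usage: sh stage_rules.sh /tmp/something.rules something
ROOT="${ROOT:-}"   # set to a scratch dir to test; empty = real appliance root

# Sanity-check the rules file before it touches /etc: every line that is
# not blank or a comment must start with a Snort rule action.
check_rules() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
        grep -qvE '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' && return 1
    return 0
}

# Copy the checked file to /etc.orig/snort-rules (survives a restart) and
# /etc/snort-rules (picked up without one), remounting / rw only for the copy.
deploy_rules() {
    src="$1"
    name="$2"
    check_rules "$src" || { echo "refusing: $src is not a valid rules file" >&2; return 1; }
    case "$name" in *.rules) ;; *) name="$name.rules" ;; esac
    [ -z "$ROOT" ] && mount -o remount,rw /
    for d in "$ROOT/etc.orig/snort-rules" "$ROOT/etc/snort-rules"; do
        mkdir -p "$d" && cp "$src" "$d/$name"
    done
    [ -z "$ROOT" ] && mount -o remount,ro /
    return 0
}

# Build the list for `change extc_text snort RULES_VALUES`: the current
# categories (one per line, as `show extc_value` prints them) plus the new
# ruleset name, unless it is already listed.
new_rules_values() {
    current="$1"
    name="$2"
    if printf '%s\n' "$current" | grep -qxF "$name"; then
        printf '%s\n' "$current"
    else
        printf '%s\n%s\n' "$current" "$name"
    fi
}

if [ $# -ge 2 ]; then
    deploy_rules "$1" "$2"
fi
```

The ruleset name passed to change extc_text must match the file name without the .rules suffix, so the same second argument serves both deploy_rules and new_rules_values.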