Order of Rules Based upon Action 119 include RULE_PATHscan.rules include RULE_PATHfinger.rules include RULE_PATHftp.rules include RULE_PATHtelnet.rules include RULE_PATHsmtp.rules include RULE_PATHrpc.rules include RULE_PATHdos.rules include RULE_PATHddos.rules include RULE_PATHdns.rules include RULE_PATHtftp.rules include RULE_PATHweb-cgi.rules include RULE_PATHweb-coldfusion.rules include RULE_PATHweb-iis.rules include RULE_PATHweb-frontpage.rules include RULE_PATHweb-misc.rules include RULE_PATHweb-attacks.rules include RULE_PATHsql.rules include RULE_PATHx11.rules include RULE_PATHicmp.rules include RULE_PATHnetbios.rules include RULE_PATHmisc.rules include RULE_PATHattack-responses.rules include RULE_PATHmyrules.rules

3.8 Order of Rules Based upon Action

The five types of the rules can be categorized into three basic types. 1. Alert rules

2. Pass rules

3. Log rules When a packet is received by Snort, it is checked in this order. Each packet has to go through all Alert rule checks before it is allowed to pass. This scheme is the most secure since no packet passes through without being checked against all alert types. However most of the packets are normal traffic and do not show any intruder activity. Testing all of the packets against all alert rules requires a lot of processing power. Snort provides a way to change this testing order to one which is more efficient, but more dangerous. 1. Pass rules

2. Alert rules

3. Log rules

120 Chapter 3 • Working with Snort Rules You must be careful when choosing this order because just one badly written pass rule may allow many alert packets to pass through without being checked. If you really know what you are doing, you can use the –o command line switch to disable the default order and enable the new order of applying rules. You can also use “config order” in the configuration file for this purpose. Again, this is dangerous and you have been warned twice now If you are sure of what you are doing, add this line in the snort.conf file: config order If you define your own rule types, they are checked last in the sequence. For exam- ple, if you have defined a rule type snmp_alerts, the order of rule application will be: Alert - Pass - Log -snmp_alerts

3.9 Automatically Updating Snort Rules

There are multiple tools available to update Snort signatures. When using any of these tools you must be careful because you may accidentally modify or delete your custom- ized rules. I shall discuss two methods of updating rules.

3.9.1 The Simple Method

This method consists of a simple shell script. It requires that you have wget pro- gram installed on your system. The wget program is used to retrieve any file using HTTP protocol. In essence, it is just like a web browser, but it retrieves one file from a command line argument. binsh Place of storing your Snort rules. Change these variables according to your installation. RULESDIR=etcsnort RULESDIRBAK=etcsnortbak Path to wget program. Modify for your system if needed. WGETPATH=usrbin URI for Snort rules RULESURI=http:www.snort.orgdownloadssnortrules.tar.gz Get and untar rules. cd tmp rm -rf rules WGETPATHwget RULESURI