The Snort Rule File


Midori Sour


The snort rule file (specified with the "-c" commandline option) is more than just a collection of rules. It is really a combination of configuration options and rules. This section will cover the numerous things that can be specified in the rules file. Many of these are covered in detail in later sections.

Config Options

The config options are used to specify global configuration parameters for snort. Currently there are only two, although more will be added in the future to encompass many of the commandline options. The syntax for a config option is:
 config $option: $args
 
The available options are order and alertfile.

Order

The order option is used to specify the order that the various ruletypes are evaluated. If any of the ruletypes are not specified in the argument list then those types are added to the end of the list in the order there were created. The default order is:

activation->dynamic->alert->log->pass

To change this from the default, you would include a line like:

 config order: dynamic pass activation alert log
 
and list the ruletypes in the desired order. This option is overridden if the -o commandline option is specified.

Alertfile

The alertfile option is used to specify the alert file to use. This value will only be used if either (1) one of the -A commandline options is specified, or (2) no alert commandline option is given AND there are no alert output plugins in the rule file. If the filename argument is relative, then either /var/log or the specified log directory is prepended to it. The default alert file is /var/log/snort.alert in daemon mode and $log_dir/alert otherwise. This example will set the alert file to /var/snort/snort.alert:
 config alertfile: /var/snort/snort.alert
 

Include Directives

Include directives allow the rule file to be split up into multiple files. This can be useful for grouping different types of rules together in different files and collecting all the site-specific information in another file. It is also useful when using a ready-made ruleset. The format for this directive is:
 include $filename
 

Output Plugin Declarations

Output plugins are used to output alert and log messages. They are discussed in more detail in the Output Plugins section. The output plugin declaration is used to activate and configure a particular plugin. More than one plugin can be active at a time. In general, output plugins for log messages start with log_ and those for alert messages start with alert_. The format for specifying an output plugin is:
 output $name: $args
 

Preprocessor Declarations

Preprocessors are plugins that are allowed to manipulate a packet before it is passed to the detection engine. They are discussed in more detail in the Preprocessor Plugins section. The preprocessor declaration serves to both activate and configure a particular preprocessor. There can be multiple preprocessors active at a time. The format for specifying a preprocessor is:
 preprocessor $name: $args
 

Rules

Rules are the method by which snort detects and logs possible attacks. There are five built-in ruletypes available in snort. These are: alert, log, pass, activation, and dynamic. The formats for writing the various rule types are discussed in detail in the sections Anatomy of a Rule and Advanced Rules.

Ruletype Declarations

Ruletype declarations provide a means to declare new keywords for any of the five built-in ruletypes. This new ruletype can then be ordered independently of the other ruletypes. It can also have its own set of alert and log output plugins associated with it. This provides a means to both implement multiple alert levels and create more elaborate detection schemes. This feature is discussed in detail in the Advanced Rules section. In most snort deployments, this feature is not needed. If it is overused, it will make the rule file less readable and could impact performance.

Variable Definitions

Variable definitions are designed to make writing rules easier. They allow a value to be assigned to a symbolic name, and the name can then be used in place of the value. Perhaps the most popular use of this feature is the definition of the variable HOME_NET. By defining this to represent the local network address space, the variable name can be substituted in all of the rule definitions. This creates a set of rule definitions that are easily ported from one network to another with the change of a single line. The syntax for a variable declaration is:
 var VAR_NAME VALUE
 
To use this variable in a rule you would prepend the '$' character to its name (i.e. $VAR_NAME).
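As an added illustration of the directives described on this page (not code from snort or from the original document), the following parser reads a constructed rule file containing var, config, include, output, preprocessor and rule lines, expands $VAR references in rules, and computes the ruletype evaluation order from 'config order' with omitted types appended in the default order (the page says creation order; the default order is assumed here). The sample rule file and the rule bodies in it are constructed.

```python
import re

# Constructed sample rule file (not from the page) exercising each directive type.
SAMPLE_RULE_FILE = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
config order: dynamic pass activation alert log
config alertfile: /var/snort/snort.alert
include local.rules
output alert_syslog: LOG_AUTH LOG_ALERT
preprocessor http_decode: 80 8080
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe";)
pass tcp $HOME_NET any -> $HOME_NET 22 (msg:"trusted ssh";)
"""
DEFAULT_ORDER = ["activation", "dynamic", "alert", "log", "pass"]

def expand_vars(text, variables):
    # Replace $NAME with its var value; an undefined name fails loudly rather than silently never matching.
    def sub(m):
        if m.group(1) not in variables:
            raise KeyError(f"undefined variable ${m.group(1)}")
        return variables[m.group(1)]
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", sub, text)

def parse_rule_file(text):
    state = {"vars": {}, "config": {}, "includes": [], "output": [],
             "preprocessor": [], "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "var":                          # var NAME VALUE
            name, _, value = rest.partition(" ")
            state["vars"][name] = value.strip()
        elif keyword == "config":                     # config option: args
            option, _, args = rest.partition(":")
            state["config"][option.strip()] = args.split()
        elif keyword == "include":                    # include filename
            state["includes"].append(rest.strip())
        elif keyword in ("output", "preprocessor"):   # name: args
            name, _, args = rest.partition(":")
            state[keyword].append((name.strip(), args.split()))
        else:  # anything else is a rule; its first token is the ruletype
            state["rules"].append((keyword, expand_vars(rest, state["vars"])))
    return state

def evaluation_order(config):
    # Ruletypes named in 'config order' come first; omitted ones follow in the default order (assumed).
    requested = config.get("order", [])
    return requested + [t for t in DEFAULT_ORDER if t not in requested]
```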
Copyright 2000 Andrew R. Baker