First i was using Snort Registered user rule from official snort website ( snort.org) after that i found Emerging Threats rule from my friend blog.
You can download Emerging Threats rule depends upon the snort version. You will use below link
I was using Snort 2.9. So i download ET rule using below link
[root@snort_install]# wget http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
[root@snort_install]# tar -zxvf emerging.rules.tar.gz
Copy all the rules from rules directory to /etc/snort/rules
[root@snort_install]# mv rules/* /etc/snort/rules/
Now we need to change rules path settings in snort.conf file
[root@iitb-st snort_install]# vim /etc/snort/snort.conf
################################################### # Step #7: Customize your rule set # For more information, see Snort Manual, Writing Snort Rules # # NOTE: All categories are enabled in this conf file ################################################### # site specific rules include $RULE_PATH/local.rules include $RULE_PATH/emerging-ftp.rules include $RULE_PATH/emerging-policy.rules include $RULE_PATH/emerging-trojan.rules include $RULE_PATH/emerging-games.rules include $RULE_PATH/emerging-pop3.rules include $RULE_PATH/emerging-user_agents.rules ##include $RULE_PATH/emerging-activex.rules #include $RULE_PATH/emerging-rpc.rules include $RULE_PATH/emerging-attack_response.rules include $RULE_PATH/emerging-icmp.rules include $RULE_PATH/emerging-scan.rules include $RULE_PATH/emerging-scada.rules #include $RULE_PATH/emerging-voip.rules include $RULE_PATH/emerging-chat.rules #include $RULE_PATH/emerging-icmp_info.rules ##include $RULE_PATH/emerging-shellcode.rules include $RULE_PATH/emerging-web_client.rules include $RULE_PATH/emerging-imap.rules include $RULE_PATH/emerging-web_server.rules #include $RULE_PATH/emerging-current_events.rules ##include $RULE_PATH/emerging-inappropriate.rules include $RULE_PATH/emerging-smtp.rules ##include $RULE_PATH/emerging-web_specific_apps.rules ##include $RULE_PATH/emerging-deleted.rules include $RULE_PATH/emerging-malware.rules include $RULE_PATH/emerging-snmp.rules #include $RULE_PATH/emerging-worm.rules #include $RULE_PATH/emerging-dns.rules #include $RULE_PATH/emerging-misc.rules include $RULE_PATH/emerging-sql.rules #include $RULE_PATH/emerging-dos.rules #include $RULE_PATH/emerging-netbios.rules include $RULE_PATH/emerging-telnet.rules include $RULE_PATH/emerging-exploit.rules #include $RULE_PATH/emerging-p2p.rules #include $RULE_PATH/emerging-tftp.rules include $RULE_PATH/emerging-mobile_malware.rules include $RULE_PATH/emerging-info.rules #include $RULE_PATH/emerging-botcc.rules #include $RULE_PATH/emerging-botcc-BLOCK.rules include $RULE_PATH/emerging-compromised.rules #include $RULE_PATH/emerging-compromised-BLOCK.rules #include $RULE_PATH/emerging-drop.rules #include $RULE_PATH/emerging-drop-BLOCK.rules #include $RULE_PATH/emerging-dshield.rules #include $RULE_PATH/emerging-dshield-BLOCK.rules #include $RULE_PATH/emerging-rbn.rules #include $RULE_PATH/emerging-rbn-malvertisers.rules #include $RULE_PATH/emerging-rbn-BLOCK.rules #include $RULE_PATH/emerging-rbn-malvertisers-BLOCK.rules #include $RULE_PATH/emerging-tor.rules #include $RULE_PATH/emerging-tor-BLOCK.rules #include $RULE_PATH/emerging-ciarmy.rules
:wq
This above rules set up depends upon your server needs.
Now you will go and check your rules (/etc/snort/rules). Here also you will customize the rules depends upon your server needs.
I hope, it will helps...
No comments:
Post a Comment