Archive for October, 2007

snort decoder and preprocessor rules

Tuesday, October 30th, 2007

I have had an influx of people hitting my site looking for info on preprocessor rules for Snort 2.8.0. In an earlier post I mentioned them, but never followed up with any real info about how to implement these rules.

There are a few steps you need to perform to make use of the preprocessor and decoder rules in Snort, beginning with compiling support for them into the Snort binary.

When you compile (or recompile) the Snort binary, pass --enable-decoder-preprocessor-rules to ./configure in addition to any other options you normally use. Without it the rule files below are accepted but nothing is compiled in to evaluate them.

Once you have completed this process, the next step is to edit your snort.conf and add include lines for the two rule files:

include $RULE_PATH/preprocessor.rules
include $RULE_PATH/decoder.rules

You will most likely notice that I changed the variable from the stock $PREPROC_RULE_PATH (which the default snort.conf points at ../preproc_rules) to $RULE_PATH. Not a big deal: I keep these rule sets in my normal rules directory, which makes things a little easier to maintain.

The last step is to actually get the preprocessor.rules and decoder.rules files, which ship in the snort-2.8.0 tarball under snort-2.8.0/preproc_rules. Copy the two .rules files to wherever your $RULE_PATH variable points, verify the permissions on those files (chown if needed), and restart Snort.

If everything went as planned you should see the following when you restart snort:

++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains…
6175 Snort rules read
5990 detection rules
53 decoder rules
132 preprocessor rules
6175 Option Chains linked into 291 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++
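The whole procedure above, scripted, as an added example that is not code from the original post. It builds with the configure flag, adds the two include lines exactly once, installs the rule files, and then checks Snort's startup summary (the block quoted above is used as a constructed sample) so you can tell whether the decoder and preprocessor rules actually loaded. The paths in $SRC, $CONF and $RULE_DIR and the "snort" service account are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post. Scripts the three steps
# (build, include, install) and verifies the startup summary afterwards.
# Assumed, illustrative locations: the unpacked tarball at $SRC, snort.conf at
# $CONF, and the directory that $RULE_PATH points to in snort.conf at $RULE_DIR.
SRC=${SRC:-$HOME/src/snort-2.8.0}
CONF=${CONF:-/etc/snort/snort.conf}
RULE_DIR=${RULE_DIR:-/etc/snort/rules}

# Step 1: rebuild with the configure flag that compiles in support for
# decoder and preprocessor rules; any extra configure options are passed through.
build_snort() {
    ( cd "$SRC" && ./configure --enable-decoder-preprocessor-rules "$@" \
        && make && make install )
}

# Step 2: append one line to a config file only if it is not already there,
# so re-running this after an upgrade never duplicates the include.
ensure_include() {
    conf=$1; line=$2
    grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Step 3: copy the two rule files out of the tarball and fix ownership/mode.
# "snort" is an assumed service account; use whatever user Snort runs as.
install_preproc_rules() {
    for f in preprocessor.rules decoder.rules; do
        cp "$SRC/preproc_rules/$f" "$RULE_DIR/$f"
        chown snort:snort "$RULE_DIR/$f"
        chmod 0644 "$RULE_DIR/$f"
    done
}

# Verification: read Snort's startup summary on stdin and print the count for
# one rule class ("decoder" or "preprocessor"); prints 0 if no such line exists.
rule_count() {
    awk -v kind="$1" '$2 == kind && $3 == "rules" { print $1; found = 1 }
                      END { if (!found) print 0 }'
}

# Succeeds only if both classes loaded at least one rule.
check_summary() {
    out=$(cat)
    d=$(printf '%s\n' "$out" | rule_count decoder)
    p=$(printf '%s\n' "$out" | rule_count preprocessor)
    [ "$d" -gt 0 ] && [ "$p" -gt 0 ]
}

# Constructed sample: the summary block quoted in the post above.
SAMPLE_SUMMARY='Initializing rule chains...
6175 Snort rules read
5990 detection rules
53 decoder rules
132 preprocessor rules
6175 Option Chains linked into 291 Chain Headers
0 Dynamic rules'

# Full run, commented out because it rebuilds Snort and edits the live config:
#   build_snort
#   ensure_include "$CONF" 'include $RULE_PATH/preprocessor.rules'
#   ensure_include "$CONF" 'include $RULE_PATH/decoder.rules'
#   install_preproc_rules
#   snort -T -c "$CONF" 2>&1 | check_summary && echo "decoder/preprocessor rules loaded"
```

snort -T parses the configuration and prints the same summary without going into packet processing, so the check can run before you restart the production sensor.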

As always have fun with it and I hope you expand and learn more on your own!

super hot new banner

Saturday, October 20th, 2007

My wife Karen kicks so much ass. She designed and created my new banner for me. I couldn’t ask for anything cooler if I tried. pheer.

home network upgrade

Friday, October 19th, 2007

I did a little eBaying today and purchased myself a new switch for the home network. I decided it was time to upgrade to a managed layer 2 switch. I will now be able to set up my monitoring gear properly and can retire the inline hub/tap. So what did I get? I picked up an Allied Telesyn AT8000S/16 for $68 with free shipping. woot.


Specs can be nit-picked over below …

Click to continue reading

if NASA reads my blog, you should too!

Wednesday, October 17th, 2007

Looking through last month's logs, I noticed an entry from a Google search that made me giggle like a little schoolgirl.

198.116.xx.xx - - [09/Oct/2007:14:55:56 -0600] "GET /09-17-2007/behind-the-scenes-with-snort-part-2/ HTTP/1.1" 200 6712 "http://www.google.com/search?q=waldo.file&hl=en&start=20&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"

I obfuscated the IP for obvious reasons, but suffice it to say that a traceroute to the IP reveals:

14 border.hcn.hq.nasa.gov (198.116.xx.xx) 87.622 ms 84.963 ms 84.978 ms

I know, I know... who cares, right? It's just a random person at a random place googling for something random. In this specific case, however, it's someone from NASA searching for specific information about snort/barnyard. I don't know why it's important to me, but having someone from an agency that is primarily run by geeks and nerds find my site possibly useful makes me all warm inside. (Hopefully that didn't make you vomit in your mouth.)

apple: 172 – acer: 1

Sunday, October 14th, 2007


global rule changes with oinkmaster

Tuesday, October 9th, 2007

For those of you who have upgraded to Snort 2.8.0, I have a quick tip. If you hadn't heard yet, Snort no longer supports the use of the dsize directive within rules. Thankfully, the existing rules that use this directive don't cause Snort to crash. However, as we all know, the fewer rules Snort has to process, the better it performs. So how do you disable all the rules that use dsize?

It's really simpler than you might think.

Click to continue reading
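The post's own answer is on the continuation page and is not reproduced here. As an added example, not the author's solution, one way to do it with oinkmaster is a single modifysid directive with the "*" wildcard, which oinkmaster's documentation accepts in place of a SID to apply a Perl regexp/replacement pair to every rule; because oinkmaster re-applies it on each update, the rules stay disabled after a rule refresh. The directive text is based on that documentation, not on the post. The block also includes a dry run against constructed sample rules (made-up local SIDs) so you can see which rules the directive would hit before anything is rewritten. The paths in $OINK_CONF and $RULE_DIR are assumptions.

```sh
#!/bin/sh
# Added example; not the author's solution from the continuation page.
# Disables every active rule that uses dsize through an oinkmaster modifysid
# directive, and previews the effect with plain sed/grep before oinkmaster
# touches the real files. Assumed paths: oinkmaster.conf at $OINK_CONF,
# rules under $RULE_DIR.
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
RULE_DIR=${RULE_DIR:-/etc/snort/rules}

# oinkmaster's modifysid takes "*" instead of a SID to apply a Perl
# regexp/replacement pair to all rules. The lookahead restricts the match to
# rules that carry a dsize option; the replacement turns the leading "alert"
# into "#alert", i.e. comments the rule out. Syntax per oinkmaster's
# documentation (assumption), not taken from the post.
DSIZE_DIRECTIVE='modifysid * "^alert(?=.*dsize\s*:)" | "#alert"'

# Append the directive once; safe to re-run.
add_directive() {
    grep -qxF "$DSIZE_DIRECTIVE" "$1" || printf '%s\n' "$DSIZE_DIRECTIVE" >> "$1"
}

# Dry run 1: print "file sid" for every *active* rule carrying a dsize option
# (rules already commented out are left alone, as the directive would).
list_dsize_rules() {
    grep -HE '^alert .*dsize[[:space:]]*:' "$@" \
      | sed -E 's/^([^:]+):.*sid:[[:space:]]*([0-9]+).*/\1 \2/'
}

# Dry run 2: show the files as they would look after the directive applies
# (same match, same substitution, done with sed instead of oinkmaster).
preview_disable() {
    sed -E '/^alert .*dsize[[:space:]]*:/ s/^alert/#alert/' "$@"
}

# Constructed sample rules for the dry run; the SIDs are made-up local SIDs.
SAMPLE_RULES='alert tcp any any -> any 80 (msg:"uses dsize"; dsize:>100; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"no dsize"; content:"foo"; sid:1000002; rev:1;)
#alert tcp any any -> any 80 (msg:"already disabled"; dsize: <10; sid:1000003; rev:1;)'

# Full run, commented out because it edits the live oinkmaster config:
#   list_dsize_rules "$RULE_DIR"/*.rules     # review what will be disabled
#   add_directive "$OINK_CONF"
#   oinkmaster -C "$OINK_CONF" -o "$RULE_DIR"
```

Run the listing first and skim it: a global modifysid is exactly as blunt as its regexp, and the dry run is the only thing standing between you and silently disabling a rule you still wanted.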

oink oink .. bitch!

Sunday, October 7th, 2007