snort decoder and preprocessor rules
Tuesday, October 30th, 2007
I have had an influx of people hitting my site, looking for info on preprocessor rules for Snort 2.8.0. In an earlier post, I made mention of them, but never followed up with any real info about how to implement these rules.
There are a few steps that one needs to perform to make use of the preprocessor and decoder rules in Snort, beginning with compiling support for them into the Snort binary.
When you compile (or recompile) the snort binary, you will need to add
--enable-decoder-preprocessor-rules
in addition to any other options you normally use.
Once you have completed this process, the next step is to edit your snort.conf and add in the appropriate rule path variable.
include $RULE_PATH/preprocessor.rules
include $RULE_PATH/decoder.rules
You will most likely notice that I changed the variable name from $PREPROC_RULE_PATH, not a really big deal. I changed the variable to be $RULE_PATH, because I include these rule sets in my normal rules directory, and this makes things a little easier to maintain.
The last step is to actually get the preprocessor.rules and decoder.rules files, which are included in the snort-2.8.0 tarball. They are located at snort-2.8.0/preproc_rules. All you need to do at this point is copy the two .rules files to wherever your $RULE_PATH variable points, verify permissions on those files (chown if needed) and restart snort.
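The three post-compile steps above (copy the rule files, add the include lines, confirm they loaded) as one POSIX shell script. This is an added example, not code from the original post or from the Snort project; the source, rules and snort.conf paths are assumptions you set for your own install, and rule_counts reads the startup banner the post shows so you can check that the decoder and preprocessor counts are non-zero.

```shell
#!/bin/sh
# Added example: install Snort 2.8.0 decoder/preprocessor rules and wire them into
# snort.conf. Paths passed to these functions are assumptions for your own system.
set -eu

# Copy decoder.rules and preprocessor.rules from the unpacked tarball
# (e.g. /usr/local/src/snort-2.8.0/preproc_rules) into the directory $RULE_PATH
# points at (e.g. /etc/snort/rules), and make them readable by the snort user.
install_preproc_rules() {
    src="$1"
    dest="$2"
    for f in decoder.rules preprocessor.rules; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$dest/$f"
        chmod 0644 "$dest/$f"   # chown to your snort user here if it is not root
    done
}

# Append the two include lines to snort.conf, but only if they are not already
# there, so re-running the script never duplicates them.
add_include_lines() {
    conf="$1"
    for f in preprocessor.rules decoder.rules; do
        line="include \$RULE_PATH/$f"
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# Read a saved copy of snort's startup output (snort -T -c snort.conf 2>&1 | tee out)
# and print "<decoder> <preprocessor>" rule counts; both should be greater than 0.
rule_counts() {
    awk '/decoder rules/ {d=$1} /preprocessor rules/ {p=$1} END {print d+0, p+0}' "$1"
}

# Typical use (uncomment and adjust paths):
# install_preproc_rules /usr/local/src/snort-2.8.0/preproc_rules /etc/snort/rules
# add_include_lines /etc/snort/snort.conf
# snort -T -c /etc/snort/snort.conf 2>&1 | tee /tmp/snort-test.out
# rule_counts /tmp/snort-test.out
```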
If everything went as planned, you should see the following when you restart snort:
++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains…
6175 Snort rules read
5990 detection rules
53 decoder rules
132 preprocessor rules
6175 Option Chains linked into 291 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++
As always, have fun with it, and I hope you expand and learn more on your own!