Archive for the ‘snort’ Category

bleedingedge got a band-aid

Wednesday, December 26th, 2007

Just a quick update .. in case you have not heard, the bleeding edge community site (bleedingthreats.net) is no longer in service. However, a new site/group has emerged to take its place. For all your bleeding edge snort rules, you will need to update your bookmarks and oinkmaster.conf for the new site, which is http://emergingthreats.net.

snort decoder and preprocessor rules

Tuesday, October 30th, 2007

I have had an influx of people hitting my site, looking for info on preprocessor rules for Snort 2.8.0. In an earlier post, I made mention of them, but never followed up with any real info about how to implement these rules.

There are a few steps that one needs to perform to make use of the preprocessor and decoder rules in Snort, beginning with compiling support for them into the Snort binary.

When you compile (or recompile) the snort binary, you will need to pass --enable-decoder-preprocessor-rules to configure, in addition to any other options you normally use. Without it, the rule files below are silently ignored and the startup output reports 0 decoder and 0 preprocessor rules.

Once you have completed this process, the next step is to edit your snort.conf and add include lines for the two rule files under the appropriate rule path variable:

include $RULE_PATH/preprocessor.rules
include $RULE_PATH/decoder.rules

You will most likely notice that I changed the variable name from $PREPROC_RULE_PATH to $RULE_PATH, which is not a real big deal. I did that because I include these rule sets in my normal rules directory, and it makes things a little easier to maintain.

The last step is to actually get the preprocessor.rules and decoder.rules files, which are included in the snort-2.8.0 tarball. They are located at snort-2.8.0/preproc_rules. All you need to do at this point is copy the two .rules files to wherever your $RULE_PATH variable points, verify permissions on those files (chown them to the user snort runs as if needed) and restart snort.

If everything went as planned you should see the following when you restart snort:

++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains…
6175 Snort rules read
5990 detection rules
53 decoder rules
132 preprocessor rules
6175 Option Chains linked into 291 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++
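Here is an added example, not from the original post, that wraps the steps above in a small POSIX shell script: a build function carrying the configure flag, an idempotent helper for the two include lines, a copy step for the .rules files, and a check that parses the startup output and fails if either count is 0 (the symptom of a binary built without the flag or of includes that were not picked up). SNORT_SRC, SNORT_CONF and RULE_DIR are assumed paths; the demo at the bottom runs on a constructed snort.conf and a constructed banner, so it needs neither root nor a snort install.

```shell
#!/bin/sh
# Added example (not the blog's own code): enable Snort 2.8.0 decoder and
# preprocessor rules and verify they were loaded. All paths are assumptions.

SNORT_SRC="${SNORT_SRC:-/usr/local/src/snort-2.8.0}"   # assumed: unpacked tarball
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"       # assumed: config location
RULE_DIR="${RULE_DIR:-/etc/snort/rules}"                # assumed: what $RULE_PATH points to

# Step 1: build with decoder/preprocessor rule support compiled in.
# Only runs when called explicitly, since it needs the source tree and root.
build_snort() {
    cd "$SNORT_SRC" &&
    ./configure --enable-decoder-preprocessor-rules "$@" &&
    make && make install
}

# Step 2: append "include $RULE_PATH/<file>" to snort.conf exactly once.
add_include() {
    conf="$1"; rule="$2"
    line="include \$RULE_PATH/$rule"
    grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Step 3: copy one .rules file from the tarball's preproc_rules directory
# into the rules directory and make it readable; chown afterwards if snort
# runs as a dedicated user.
install_rule_file() {
    src_dir="$1"; dst_dir="$2"; name="$3"
    [ -f "$src_dir/$name" ] || { echo "missing $src_dir/$name" >&2; return 1; }
    cp "$src_dir/$name" "$dst_dir/$name" && chmod 0644 "$dst_dir/$name"
}

# Step 4: read the startup banner (e.g. from snort -T -c snort.conf 2>&1)
# and return non-zero unless both decoder and preprocessor counts are > 0.
check_rule_counts() {
    awk '/decoder rules/      { d = $1 + 0 }
         /preprocessor rules/ { p = $1 + 0 }
         END { exit !(d > 0 && p > 0) }' "$1"
}

# Stand-alone demo on constructed input (no real snort needed).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/preproc_rules" "$tmp/rules"
    printf '# constructed sample rule file\n' > "$tmp/preproc_rules/decoder.rules"
    printf 'var RULE_PATH %s/rules\n' "$tmp" > "$tmp/snort.conf"
    add_include "$tmp/snort.conf" preprocessor.rules
    add_include "$tmp/snort.conf" decoder.rules
    install_rule_file "$tmp/preproc_rules" "$tmp/rules" decoder.rules
    # constructed banner, copied from the counts shown in the post
    printf '6175 Snort rules read\n53 decoder rules\n132 preprocessor rules\n' \
        > "$tmp/banner.txt"
    if check_rule_counts "$tmp/banner.txt"; then
        echo "decoder/preprocessor rules loaded"
    else
        echo "decoder/preprocessor rules NOT loaded; check the build flag and includes"
    fi
    rm -rf "$tmp"
}
demo
```

On a real box you would call build_snort once, then add_include "$SNORT_CONF" for both files, install_rule_file "$SNORT_SRC/preproc_rules" "$RULE_DIR" for each, restart snort and feed its startup output to check_rule_counts.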

As always have fun with it and I hope you expand and learn more on your own!

oink oink .. bitch!

Sunday, October 7th, 2007

two down, one to go

Saturday, October 6th, 2007

It’s all down there …..


one down, two to go

Friday, October 5th, 2007
One stinking question. I missed one … grrr. Either way, this is just the first part of the Snort Certified Professional course. I still have to tackle the Snort Rules course and its final exam. Then I get to take the real deal Snort CP test. I will cover the rules course tomorrow while I’m at work .. not sure when I will do the big test though. Suffice to say, I’m off to a good start.


holy packet sniffing batman!

Thursday, October 4th, 2007

My request for the Sourcefire Snort Certified Professional courses/exam, which I posted about earlier, was finally approved, bathed in red tape and finally completed. I received my login information for the courses and certification exam (through vcampus.com). I nervously logged in expecting to see that the account had been created weeks ago, and that I was not going to get the full sixty days; but to my surprise, it was created today! I decided to set up my profile on the vcampus site first, and to my surprise you can change every aspect of your account, including user name. Being as the original user name and password were sent to me in clear text, being able to change them both securely rocks.

I have not as of yet dived into the course material; I must admit, I’m a little nervous about it. This is the first certification test that I feel like I am actually going to have to work for. So I am thankful to be able to get the full sixty day period to access the materials.

Extended personal spewing …


snort 2.8.0 now stable!

Thursday, September 27th, 2007

Sourcefire has released snort 2.8.0 as the new stable production release!! So many cool new features. I don’t have time to go into many of them in depth, but I have a little preview for you. If you would like to read the Change Log it is located here.
