I’ve talked about understanding the basics of a Snort rule before; now I’m going to create my first rule and add it to Snort.
Before writing the rule, I started by thinking about what I want it to do and why.
Short scenario – you are a copyright freak and you want to know when somebody on your network (maybe a school network) is trying to download something by accessing The Pirate Bay.
Based on this scenario, I want my rule to send an alert (generate an event) whenever somebody accesses The Pirate Bay website or a group of related websites. This is definitely not the best way to stop people from downloading stuff on your network, but it’s a simple scenario that will help me create my first rule.
I fired up Wireshark to see what that packet would look like, so that I know which options I can set in my rule. I filtered on my IP and the HTTP protocol so I’d spot the packet faster.
As we can see, the client (me) is sending a GET request to the host named “thepiratebay.pe”, with the following full request URI: http://thepiratebay.pe/
Rule pseudocode:
If somebody from our network ($HOME_NET) sends a GET request to The Pirate Bay website, generate an event.
Rule code:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Accessing forbidden torrent websites"; flow:to_server; content:"thepiratebay.pe"; nocase; reference:url,truica-victor.com; classtype:web-access-on-forbidden-addresses; sid:1000005; rev:0; )
- nocase makes the content match case-insensitive (the pattern is searched for anywhere in the packet payload)
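To see what the header and options of this rule actually test, here is an added Python toy evaluator (my own example, not code from the original post or from Snort). It assumes a constructed $HOME_NET of 192.168.1.0/24, treats $EXTERNAL_NET as anything outside it, ignores TCP flow state, and uses only a partial list of the classtypes shipped in Snort’s default classification.config.

```python
import ipaddress

RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Accessing forbidden torrent websites"; '
        'flow:to_server; content:"thepiratebay.pe"; nocase; reference:url,truica-victor.com; '
        'classtype:web-access-on-forbidden-addresses; sid:1000005; rev:0; )')

# Constructed stand-in for the snort.conf variable; $EXTERNAL_NET is treated as "not HOME_NET".
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# Partial (assumed) list of classtypes from Snort's default classification.config.
DEFAULT_CLASSTYPES = {"web-application-activity", "policy-violation", "misc-activity"}

def parse_rule(rule: str) -> dict:
    """Split a one-line rule into its header fields and an option name -> value dict."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {}
    for raw in body.rstrip(" )").split(";"):      # no option value in this rule contains ';'
        if raw.strip():
            key, _, value = raw.strip().partition(":")
            options[key] = value.strip().strip('"')   # flag options such as nocase get ""
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": int(dport), "options": options}

def lint_rule(parsed: dict, classtypes=DEFAULT_CLASSTYPES) -> list:
    """Return problems that stop Snort loading the rule or break local-rule conventions."""
    problems = []
    opts = parsed["options"]
    if opts.get("classtype") not in classtypes:
        problems.append(f"classtype {opts.get('classtype')!r} is not defined in classification.config")
    if int(opts.get("sid", 0)) < 1000000:
        problems.append("sids below 1000000 are reserved for distributed rules; local rules start at 1000000")
    return problems

def rule_matches(parsed: dict, src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """Apply the header constraints and the content/nocase test to one client->server request."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in HOME_NET or dst in HOME_NET or dst_port != parsed["dport"]:
        return False                                  # only $HOME_NET any -> $EXTERNAL_NET 80
    needle, hay = parsed["options"]["content"].encode(), payload
    if "nocase" in parsed["options"]:                 # nocase: compare case-insensitively
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(lint_rule(rule))
    # Constructed request: the same GET as in the Wireshark capture, with a mixed-case Host header.
    req = b"GET / HTTP/1.1\r\nHost: ThePirateBay.pe\r\n\r\n"
    print(rule_matches(rule, "192.168.1.10", "203.0.113.5", 80, req))
```

Running it reports that the custom classtype must first be added to classification.config, otherwise Snort will not load the rule.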
How to add a rule or a set of rules to Snort
You can either create a new rules file and add it in the configuration file, or you can add new rules to the local.rules file.
If you want to add a new ruleset file to Snort’s configuration, just modify snort.conf and add an “include” line:
nano /etc/snort/snort.conf
include /path/to/rule/file
include rules/personal.rules
service snort restart