

The next step is to configure the various options that determine how Snort will behave using the Snort configuration file. The Snort configuration file contains six basic sections:

▪ Variable definitions. This is where you define different variables that are used in Snort rules as well as for other purposes, such as specifying the location of rule files.
▪ Configuration parameters. You can also use these options on the command line.
▪ Preprocessor configuration. You use preprocessors to perform certain actions before a packet is operated on by the main Snort detection engine.
▪ Output module configuration. Output modules control how Snort data will be logged.
▪ Custom action types. If the predefined action types are not sufficient for your environment, you can define custom action types in the Snort configuration file.
▪ Rules and include files. Although you can add any rules in the main configuration file, the convention is to use separate files for rules. These files are then included inside the main configuration file using the include keyword. This keyword will be discussed later in this chapter.

Although the configuration file provided with the distribution works, it's recommended that you modify it for your specific environment. A sample configuration file is presented later on.

The configuration file is excellently documented and very easy to use. To get Snort working the way you want it to, follow these simple steps.

1. Start by opening the main Snort configuration file. By default it will be located at /etc/snort/nf.

2. Configure the HOME_NET variable, if desired, by removing the # from the line you need (# is the comment indicator in the Snort configuration file). The HOME_NET variable defines which networks are the “trusted” internal networks. This is used with the signatures to determine when the internal network is being attacked. By default, HOME_NET is set to any network with the var HOME_NET any line in the configuration file. Setting this to accurately reflect your internal address space will reduce the number of false positive alerts you receive. A common example would be var HOME_NET 192.168.1.0/24 or perhaps var HOME_NET.

3. Configure the EXTERNAL_NET variable if desired. This is the network you expect attacks to come from. The recommendation is to set this to everything except your HOME_NET using the following: var EXTERNAL_NET !$HOME_NET.

4. Next, define what servers are running specific services. (Default: var DNS_SERVERS $HOME_NET.) For example, by setting HTTP_SERVERS to only specific servers, Snort will only watch for HTTP attacks targeted at those servers. If you had a Web server running on 192.168.1.11 and 192.168.1.12, you could tell Snort to only look for HTTP attacks targeting those servers by setting the following variable: var HTTP_SERVERS. If you wish to see attacks targeting servers that are not running the affected services, leave the defaults, which are to watch for attacks directed towards any internal servers.

5. If desired, configure the specific ports that services are available on.
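As an added example (not from this text or from the Snort project), a small Python checker that reads the var lines from two constructed configuration fragments, the shipped defaults beside a tuned version of the variables from the steps above, resolves $NAME and !$NAME references, and flags a HOME_NET left at any or an EXTERNAL_NET that is not !$HOME_NET. The fragment contents, the function names and the bracketed list syntax used for HTTP_SERVERS are assumptions.

```python
import re

# Constructed snort.conf fragments (not from any real deployment): the
# shipped defaults beside a tuned version of the same variables.
DEFAULT_CONF = """\
# '#' is the comment indicator
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
"""

TUNED_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS [192.168.1.11,192.168.1.12]
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(text):
    """Return {name: value} from 'var NAME VALUE' lines, ignoring comments."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop everything after the comment indicator
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def resolve(value, env, depth=0):
    """Expand a $NAME reference (keeping a leading '!' negation).

    Simplification: only whole-value references are expanded, not
    references nested inside a [a,b] list; an unknown name means 'any'."""
    if depth > 10:
        raise ValueError("circular variable reference")
    neg = value.startswith("!")
    body = value[1:] if neg else value
    if body.startswith("$"):
        body = resolve(env.get(body[1:], "any"), env, depth + 1)
    return ("!" if neg else "") + body


def review_vars(text):
    """List tuning problems the steps above warn about."""
    env = parse_vars(text)
    problems = []
    if resolve(env.get("HOME_NET", "any"), env) == "any":
        problems.append("HOME_NET is 'any': set it to your internal address space")
    if env.get("EXTERNAL_NET") != "!$HOME_NET":
        problems.append("EXTERNAL_NET is not !$HOME_NET (everything outside HOME_NET)")
    return problems
```

Running review_vars on the default fragment reports both problems; the tuned fragment reports none.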
