This directory contains a few more or less helpful programs and scripts for use with the various programs.
rules.pl is a perl script which fills the database with information about all signatures, classifications and references.
The normal process is to ask the database whether a signature is already
stored before an alert for it can be inserted. This program can store all
possible signature based alerts in the database beforehand. Once this has
been done and you are using the option DBTrust with servsock, database
access gets faster: servsock only has to ask whether a sig_id exists for
a given signature id (with the same priority and revision); it no longer
needs to ask for the signature message.
If you additionally enable the use of a cache (-C or DBCache of
servsock), you can further increase the INSERT rate into the database.
The program first checks that the classifications and references are part of the database and adds any that are missing. The next step is to check whether each signature is already part of the database; if not, the new signature is added.
Note: Normally the priority of a signature is only estimated via its classification. Since the priority can also be given individually in a rule and may have other values on different sensors, a whole priority range can be stored instead (see -P and $PrioRange).
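The three steps above (classifications first, then the per-rule priority estimate, then the lookup by sid/rev/priority that DBTrust relies on), as an added illustration written for this page. It is not the rules.pl shipped in contrib/; the classification.config lines and the rules are constructed samples, the two tables are an assumed minimal subset of the snort database schema, and DBD::SQLite with an in-memory database stands in for the mysql/postgres connection so that it runs offline.

```perl
#!/usr/bin/perl
# Added illustration of the rules.pl work flow, not the rules.pl from contrib/:
# read classification.config, parse snort rules, estimate each rule's priority,
# then look the signature up by (sid, rev, priority) and insert it if missing.
use strict;
use warnings;
use DBI;

# Constructed sample input standing in for classification.config and a rule file.
my @class_lines = (
    'config classification: attempted-admin,Attempted Administrator Privilege Gain,1',
    'config classification: misc-activity,Misc activity,3',
);
my @rule_lines = (
    'alert tcp any any -> any 22 (msg:"SSH brute force attempt"; classtype:attempted-admin; sid:1000001; rev:2;)',
    'alert icmp any any -> any any (msg:"ICMP ping"; classtype:misc-activity; priority:2; sid:1000002; rev:1;)',
);
my $PrioRange = 0;   # as -P / $PrioRange: 0 = the rule's own priority, N = store 1..N

# Assumed: a minimal subset of the snort database schema's sig_class and
# signature tables.  SQLite in memory stands in for mysql/postgres so that
# the example runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY AUTOINCREMENT,
                                  sig_class_name TEXT UNIQUE)');
$dbh->do('CREATE TABLE signature (sig_id INTEGER PRIMARY KEY AUTOINCREMENT,
                                  sig_name TEXT, sig_class_id INTEGER,
                                  sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER)');

# Step 1: make sure every classification is in the database.  A line of
# classification.config reads "config classification: name,description,priority".
my (%class_prio, %class_id);
my $ins_class = $dbh->prepare('INSERT INTO sig_class (sig_class_name) VALUES (?)');
for my $line (@class_lines) {
    my ($name, $prio) = $line =~ /^config\s+classification:\s*([^,]+),[^,]*,(\d+)\s*$/
        or next;
    $class_prio{$name} = $prio;
    $ins_class->execute($name);
    $class_id{$name} = $dbh->last_insert_id(undef, undef, 'sig_class', 'sig_class_id');
}

# Step 2: pull out the keywords a signature is identified by.  The priority
# is normally only estimated via the classification; an explicit
# "priority:" keyword in the rule overrides that estimate.
sub parse_rule {
    my ($line) = @_;
    my ($opts) = $line =~ /\((.*)\)\s*$/ or return;
    my %r;
    for my $kw (qw(msg classtype sid rev priority)) {
        $r{$kw} = $1 if $opts =~ /\b$kw:\s*"?([^";]+)"?\s*;/;
    }
    return unless defined $r{sid} && defined $r{msg};
    $r{rev} //= 1;
    my $cls = defined $r{classtype} ? $class_prio{ $r{classtype} } : undef;
    $r{priority} //= $cls // 3;   # fallback for an unknown class, assumed here
    return \%r;
}

# Step 3: look the signature up by (sid, rev, priority) and insert it if it
# is missing.  With all signatures preloaded this lookup is the only question
# servsock still has to ask under DBTrust.
my $lookup = $dbh->prepare('SELECT sig_id FROM signature
                            WHERE sig_sid = ? AND sig_rev = ? AND sig_priority = ?');
my $insert = $dbh->prepare('INSERT INTO signature
                            (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid)
                            VALUES (?, ?, ?, ?, ?)');

sub store_rule {
    my ($r) = @_;
    # -P / $PrioRange: store the whole range 1..N instead of the single priority
    my @prios = $PrioRange ? (1 .. $PrioRange) : ($r->{priority});
    for my $p (@prios) {
        $lookup->execute($r->{sid}, $r->{rev}, $p);
        my ($sig_id) = $lookup->fetchrow_array;
        $lookup->finish;
        if (defined $sig_id) {
            print "sid $r->{sid} rev $r->{rev} priority $p: already stored as sig_id $sig_id\n";
            next;
        }
        my $cid = defined $r->{classtype} ? $class_id{ $r->{classtype} } : undef;
        $insert->execute($r->{msg}, $cid, $p, $r->{rev}, $r->{sid});
        $sig_id = $dbh->last_insert_id(undef, undef, 'signature', 'sig_id');
        print "sid $r->{sid} rev $r->{rev} priority $p: inserted as sig_id $sig_id\n";
    }
}

my @rules = map { parse_rule($_) } @rule_lines;
store_rule($_) for @rules;   # first pass inserts both signatures
store_rule($_) for @rules;   # second pass only hits the lookup path
```

Setting $PrioRange to 4 and running it again shows what -P does: each rule is then stored four times, once per priority from 1 to 4, so that an alert arriving with any of those priorities finds a matching sig_id without a message lookup.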
The file classification.pl is a perl script, more or less a skeleton, which only updates the classification table in the database.
There are only a few options available:
rules.pl [-h] [-cconfig] [-Cclassification.config] [-Ppriorityrange] [-Rreference.config] file1.rule file2.rule ...
Some values can be set via the configuration file named by option
-c; the default is rules.pl.conf in the current directory. The files
classification.config and reference.config are part of the
snort distribution.
If -P is used then every rule is inserted once for each priority
from one up to the given value.
Finally a list of files can be given; they should all contain signatures in the rule syntax snort uses.
There are only a few keywords which rules.pl understands; most of them concern the database access.
$dbtype=database
    Selects the type of database; the value can be either mysql or postgres.
$dbname=name
    Selects the database the rules are inserted into.
$dbuser=username
    Connect to the database as username. This user must be able to INSERT
    into the database (and to SELECT from it, since every signature is
    looked up before it is inserted).
$dbpass=password
    The password used together with username to access the database.
$dbhost=host
    The host on which the database is running. This may be empty; if no
    name is given then localhost is used.
$dbport=port
    The port on which the database on host is addressed. This may be
    empty, in which case the default port for $dbtype is used.
$ClassFile=filename
    Name and location of classification.config. This is normally located
    in etc/ of the snort source distribution.
$ReferenceFile=filename
    Name and location of reference.config. This is normally located in
    etc/ of the snort source distribution.
$PrioRange=value
    If value is not set or zero then the normal priority as defined by the
    rule is used. Otherwise the whole range from 1 to value is stored in
    the database.
Note: The last statement in rules.pl.conf must be 1; because the file is included via do "$conffile", and do only succeeds when the file returns a true value.
An example file rules.pl.conf is located in the contrib/ directory.
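What such a file looks like with every keyword from the list above, as an added example written for this page (it is not the rules.pl.conf from contrib/; the database name, user, password and the two paths are placeholders):

```perl
# rules.pl.conf (added example): read by rules.pl via do "$conffile",
# so this is plain perl and every setting is an ordinary assignment.
$dbtype = "mysql";            # or "postgres"
$dbname = "snort";            # placeholder database name
$dbuser = "snort";            # placeholder; needs INSERT (and SELECT) rights
$dbpass = "change-me";        # placeholder password
$dbhost = "";                 # empty: localhost
$dbport = "";                 # empty: default port for $dbtype

# classification.config and reference.config from the snort source tree
# (placeholder paths).
$ClassFile     = "/usr/local/src/snort/etc/classification.config";
$ReferenceFile = "/usr/local/src/snort/etc/reference.config";

# 0: use the priority of the rule / its classification;
# N: store every rule with priorities 1..N (same effect as -PN).
$PrioRange = 0;

1;   # must stay the last statement: do "$conffile" fails on a false value
```

Because the file is executed as perl code and carries the database password, it needs the same protection as any script run with those credentials: keep it readable and writable only by the user who runs rules.pl.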