Installing Snort

39

present in the /var/rules directory. You can keep all rule files and snort.conf

file in the same directory if you set the value of this variable to ./ instead of ../

rules in the snort.conf file using the following line: 

var RULE_PATH ./

More information about Snort rules is found in the next chapter where you will

learn how to define your own rules as well.

The  classification.config file contains information about Snort rules

classification and more information about this file is found in the next chapter. Note that

/opt/snort 1.9.0 is the directory where all Snort source code files are present. If

you are using a different version of Snort, the directory name will be different.

The  reference.config file lists URLs for different reference web sites

where more information can be found for alerts. These references are used in Snort

rules and you will learn more about references in the next chapter. A typical  refer 

ence.config file is like the following:

# $Id: reference.config,v 1.3 2002/08/28 14:19:15 chrisgreen 

Exp $

# The following defines URLs for the references found in the 

rules

#

# config reference: system URL

config reference: bugtraq   http://www.securityfocus.com/bid/ 

config reference: cve       http://cve.mitre.org/cgi bin/

cvename.cgi?name=

config reference: arachNIDS http://www.whitehats.com/info/IDS

# Note, this one needs a suffix as well.... lets add that in a 

bit.

config reference: McAfee    http://vil.nai.com/vil/content/v_

config reference: nessus    http://cgi.nessus.org/plugins/

dump.php3?id=

config reference: url       http://

Note that both classification.config and reference.config files

are included in the main snort.conf file.

N O T E  If you used the RPM package, all configuration files are already present in

the /etc/snort directory and you don't need to take the above mentioned actions.