add rules to snort

Dear experts,

I used snort to capture some data to a file.

I am testing some malicious code that does not have signatures within the default snort. So, I have to write my own rules.

I found some examples and explanations about writing snort rules such as
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

The question: How can I add my own rules to snort and test them?

I will be grateful for any help.
Thanks in advance.

Regards.
Tree_PRO Asked:

Rich Rumble (Security Samurai) Commented:
Just add it into the other rule files... Look in your snort.conf file to see the file location of your snort rules; on Linux it's typically /etc/snort/rules ... Your rule looks for mountd access, so maybe add it to the policy rules, or to local rules... Make sure that rule set is not commented out in your snort.conf file.
-rich

Tree_PRO (Author) Commented:
Dear experts,

When I added the question I thought the question was too easy and I would find more answers, and maybe someone would tell me I didn't need to ask it because it is so easy. But the question is a bit hard.

I hope there are some experts who could help me with the question.

I will be glad for answers.
Regards.

Rich Rumble (Security Samurai) Commented:
Some rules are easy, some are hard. Unique applications and out-of-the-ordinary traffic are a little easier to write for. I wrote the PWDump rules: http://xinn.org/Snort-fgdump.html The rule basically finds the application's name in the packet once the file has been copied over. All that logic isn't really in that rule; it just so happens that when the password dumping tools start to set up their services, they copy themselves over to the host, and when they do, the filename of the service they are going to start is something like "fgdump.svc". So you can see that those characters aren't very likely to trigger a false positive.
Other rules are not so easy...
Do you have any pcaps you can share?
http://www.emergingthreats.net/index.php/component/content/article/1-latest/160-new-pcap-parser-available.html
http://doc.emergingthreats.net/bin/view/Main/GeneralFAQ
Write the rules, then see if you can catch yourself; that's basically it...
-rich

Tree_PRO (Author) Commented:
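The two comments above give the whole procedure: put the rule in a rules file that snort.conf actually includes (local.rules is the usual place for custom rules), make sure that include line is not commented out, then parse the config and replay a capture to see whether the rule fires. The script below is an added example written for this thread, not code from the thread or from the Snort project. It assumes a Snort 2.x layout under /etc/snort (override with SNORT_CONF and RULE_DIR), uses the thread's mountd rule with a sid added (Snort requires a sid, and 1000000 and above is the range reserved for local rules), and only calls the snort binary from the helpers at the bottom so the file checks work even where Snort is not installed.

```shell
#!/bin/sh
# Added example for this thread (not the thread's or Snort's own code).
# Assumed paths: Debian/Ubuntu style /etc/snort; override via environment.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULE_DIR="${RULE_DIR:-/etc/snort/rules}"

# The rule from the thread, with a sid/rev added so Snort will load it.
# sid 1000001 is a constructed value inside the local-use range (>= 1000000).
MOUNTD_RULE='alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access"; sid:1000001; rev:1;)'

# Succeeds if snort.conf has an uncommented "include $RULE_PATH/local.rules".
# A leading "#" on that line is exactly the "commented out" case from the answer.
local_rules_included() {
    grep -Eq '^[[:space:]]*include[[:space:]]+\$RULE_PATH/local\.rules' "$1"
}

# Append a rule to a rules file unless the identical line is already there.
# Returns 1 (and changes nothing) when the rule is already present.
add_rule() {
    rules_file="$1"
    rule="$2"
    if grep -Fqx -- "$rule" "$rules_file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# Number of active rules in a file: lines that are neither blank nor comments.
count_rules() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# Parse the full configuration; snort -T loads every rule and exits non-zero
# on a syntax error, which is the first test to run after editing a rules file.
test_config() {
    snort -T -c "$1"
}

# Replay a pcap through the config and print alerts on the console; this is
# the "see if you can catch yourself" step from the answer.
replay_pcap() {
    snort -q -A console -c "$1" -r "$2"
}

# End-to-end run, only when invoked as "sh thisfile.sh install <capture.pcap>".
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    if ! local_rules_included "$SNORT_CONF"; then
        echo "local.rules is not included (or is commented out) in $SNORT_CONF" >&2
        exit 1
    fi
    add_rule "$RULE_DIR/local.rules" "$MOUNTD_RULE" || echo "rule already present"
    echo "$(count_rules "$RULE_DIR/local.rules") active rule(s) in local.rules"
    test_config "$SNORT_CONF" && replay_pcap "$SNORT_CONF" "$2"
fi
```

Run it as `sh add-rule.sh install /path/to/capture.pcap`; if the include check fails, edit snort.conf and remove the leading `#` from the `include $RULE_PATH/local.rules` line before retrying. Keep the sid unique within local.rules, otherwise `snort -T` will reject the file.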
Thanks richrumble for your reply.

I have some ideas about snort and I have tested it a lot before; writing the rules is easy to do, for example this one:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

But the problem, or what I do not understand, is that I do not know where I can save these rules in snort. Is there any special file within the snort tool that I can insert my rules into?

Tree_PRO (Author) Commented:
Great, thanks, that's what I want :)

Regards.