Netgate Discussion Forum

    Snort modify rules

    IDS/IPS
    4 Posts 3 Posters 2.7k Views
    • marjani

      hi All,

      I need to change a Snort rule (GPLv2_community.rules).

      I want to change this:

      alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)

      into this:

      alert udp any 19 <> any any (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)

      The Snort rules location on my PFS box seems to be located here:

      /usr/pbi/snort-i386/etc/snort/rules/

      Does anyone know if it's allowed to modify rules directly without using the PFS Snort GUI?

      • bmeeks

        @marjani:


        Your rule changes will be overwritten with the next automatic update if you change it there. You can make custom rule modifications using the SID MGMT tab and the modifysid.conf file. Go to that tab and click the checkbox to enable the option and display the tab contents. Read through the example files there. Click the e icon beside each sample file to open it in an editor window for viewing. For your case, the modifysid.conf file is the one you will use. Some examples are provided in the sample file included on the tab. The syntax is the same as that for Oinkmaster or PulledPork. You can find examples on Google showing how to modify rules content using the configuration files on this tab.

        Bill

        • BBcan177 (Moderator)

          You could also copy that rule and create a new rule in the custom.rules category for the selected Interface(s). This is not modifying the original rule, but creating a new rule.

          The custom.rules category can be accessed, for example, in the WAN Interface: WAN Rules, and select "custom.rules" in the Category drop-down menu at the top of that Tab.

          Paste the original rule, and modify it as required.

          Change the SID Number into the 9000000 range so that you don't interfere with any of the other (Snort/ET) Rule Sid Numbers.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

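As an added worked example (not code from this thread or from the pfSense Snort package), the Python below models both suggestions on the rule marjani posted: Bill's modifysid.conf entry and BBcan177's custom.rules clone with a SID in the 9000000 range. It assumes modifysid.conf accepts Oinkmaster's `modifysid <sid> "<regex>" | "<replacement>"` line format, and the single-line rule parser is a minimal one written for this example.

```python
import re
# Constructed copy of the GPLv2_community rule quoted in the first post (sid:271).
ORIGINAL_RULE = (
    'alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; '
    'flow:to_server; metadata:ruleset community; reference:cve,1999-0103; '
    'reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$')
# One option per match; a quoted value (msg, content) may itself contain ';'.
OPT_RE = re.compile(r'(?:[^;"]|"[^"]*")+')

def parse_rule(rule):
    """Split a one-line Snort rule into header fields plus an ordered option list."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a single-line Snort rule')
    d = m.groupdict()
    body = d.pop('body')
    d['options'] = [tuple(o.strip().split(':', 1)) if ':' in o else (o.strip(), None)
                    for o in OPT_RE.findall(body) if o.strip()]
    return d

def build_rule(d):
    """Inverse of parse_rule; round-trips the original text exactly."""
    opts = '; '.join(k if v is None else f'{k}:{v}' for k, v in d['options'])
    return (f"{d['action']} {d['proto']} {d['src']} {d['sport']} {d['dir']} "
            f"{d['dst']} {d['dport']} ({opts};)")

def make_custom_rule(rule, new_sid, **header):
    """custom.rules approach: clone with new header fields, a 9000000-range SID, rev 1."""
    if new_sid < 9_000_000:
        raise ValueError('local SIDs belong in the 9000000 range to avoid collisions')
    d = parse_rule(rule)
    d.update(header)
    d['options'] = [(k, str(new_sid) if k == 'sid' else '1' if k == 'rev' else v)
                    for k, v in d['options']]
    return build_rule(d)

# Oinkmaster line format (assumed for modifysid.conf): modifysid <sids> "<regex>" | "<repl>"
MODIFY_RE = re.compile(r'^modifysid\s+([\d,]+)\s+"(.*?)"\s*\|\s*"(.*)"\s*$')
def apply_modifysid(rule, conf_lines):
    """modifysid.conf approach: apply every entry whose SID list names this rule's SID."""
    sid = dict(parse_rule(rule)['options'])['sid']
    for line in conf_lines:
        m = MODIFY_RE.match(line.strip())
        if m and sid in m.group(1).split(','):
            rule = re.sub(m.group(2), m.group(3), rule)
    return rule
```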
          • marjani

            thanks a lot guys!

            The custom rule solution works perfectly for me.
