Decoder and preprocessor rules allow one to enable and disable decoder and preprocessor events on a rule by rule basis. They also allow one to specify the rule type or action of a decoder or preprocessor event on a rule by rule basis.
Decoder config options will still determine whether or not to generate decoder events. For example, if config disable_decode_alerts is in snort.conf, decoder events will not be generated regardless of whether or not there are corresponding rules for the event. Also note that if the decoder is configured to enable drops, e.g. config enable_decode_drops, these options will take precedence over the event type of the rule. A packet will be dropped if either a decoder config drop option is in snort.conf or the decoder or preprocessor rule type is drop. Of course, the drop cases only apply if Snort is running inline. See doc/README.decode for config options that control decoder events.
The decoder and preprocessor rules are located in the preproc_rules/ directory in the top level source tree, and have the names decoder.rules and preprocessor.rules respectively. These files are updated as new decoder and preprocessor events are added to Snort. The gen-msg.map under etc directory is also updated with new decoder and preprocessor rules.
To enable these rules in snort.conf, define the path to where the rules are located and uncomment the include lines in snort.conf that reference the rules files.
var PREPROC_RULE_PATH /path/to/preproc_rules ... include $PREPROC_RULE_PATH/preprocessor.rules include $PREPROC_RULE_PATH/decoder.rules
To disable any rule, just comment it with a # or remove the rule completely from the file (commenting is recommended).
To change the rule type or action of a decoder/preprocessor rule, just replace alert with the desired rule type. Any one of the following rule types can be used:
alert log pass drop sdrop reject
For example one can change:
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \ metadata: rule-type decode ; classtype:protocol-command-decode;)
to
drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \ metadata: rule-type decode ; classtype:protocol-command-decode;)
to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but version field in IPv4 header has a value other than 4.
See README.decode, README.gre and the various preprocessor READMEs for descriptions of the rules in decoder.rules and preprocessor.rules.
The generator ids ( gid ) for different preprocessors and the decoder are as follows:
Generator Id | Module |
---|---|
105 | Back Orifice preprocessor |
106 | RPC Decode preprocessor |
112 | Arpspoof preprocessor |
116 | Snort Decoder |
119 | HTTP Inspect preprocessor ( Client ) |
120 | HTTP Inspect preprocessor ( Server ) |
122 | Portscan preprocessor |
123 | Frag3 preprocessor |
124 | SMTP preprocessor |
125 | FTP (FTP) preprocessor |
126 | FTP (Telnet) preprocessor |
127 | ISAKMP preprocessor |
128 | SSH preprocessor |
129 | Stream preprocessor |
131 | DNS preprocessor |
132 | Skype preprocessor |
133 | DceRpc2 preprocessor |
134 | PPM preprocessor |
136 | Reputation preprocessor |
137 | SSL preprocessor |
139 | SDF preprocessor |
140 | SIP preprocessor |
141 | IMAP preprocessor |
142 | POP preprocessor |
143 | GTP preprocessor |
The following config option in snort.conf will make Snort revert to the old behavior:
config autogenerate_preprocessor_decoder_rules
Note that if you want to revert to the old behavior, you also have to remove the decoder and preprocessor rules and any reference to them from snort.conf, otherwise they will be loaded. This option applies to rules not specified and the default behavior is to alert.