Snort: Difference between revisions

Revision of 29 January (1,314 bytes added): add rule editor info. Previous revision summary: mention snort config.


It is possible to create new files via the button at the bottom of the file list. Hovering over a file reveals two buttons for deleting a file and reloading a file. Deleting a file will mark it for deletion, but that change will not be committed until "Save" or "Apply" are pressed. Reloading a file causes it to be re-fetched from the multimeter and discards all changes to that file. A file can be renamed by selecting it and pressing F2.
==== Rules ====
[[File:Snort config rule editor.png|thumb|The Snort rule editor]]
Snort needs a set of rules in order to know what malicious network traffic looks like. The [https://docs.snort.org/rules/ Snort documentation] goes into exhaustive detail about how rules are written, and we recommend that users who are interested in writing their own rules read it carefully. The multimeter comes pre-equipped with an older version of the community ruleset, a file containing a very large list of rules. It is not up-to-date, but it still provides a good starter set for detecting the most common suspicious network activity. Updates to this ruleset are not provided, so users who want the most recent set of rules need to keep it updated themselves.
To start editing the ruleset, click the "Edit rules" button. This opens a modal containing a file editor that is functionally identical to the [https://allegro-packets.com/wiki/Snort#Lua_editor Lua editor]. From here it is possible to create new ruleset files as well as edit or delete existing ones.
'''Tip: Users who want to stay up-to-date and get access to rulesets covering the most recent exploits and attack vectors may want to consider subscribing to [https://www.snort.org/products#rule_subscriptions Snort's official ruleset].'''
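The ruleset files edited here are plain text in Snort's rule syntax, and since updates are not pushed to the multimeter, users end up maintaining them by hand. As an added example (not code from this wiki or from the Snort project), the following Python script lints such a file before it is pasted into the rule editor: it checks that every rule has msg, sid and rev, that sids are unique, and that custom rules use sids of 1000000 or above, the range Snort leaves free for local rules. The rules in SAMPLE_RULES are constructed for the example; $HOME_NET and $EXTERNAL_NET are Snort's standard variables and must be defined in the Snort configuration.

```python
"""Lint a hand-maintained Snort rules file before uploading it via the rule editor.

Added example for this page; it is not code from the Allegro Packets wiki or
from the Snort project. It parses the rule header and option block of each
rule, then reports the mistakes that most often creep into a manually edited
ruleset: unparseable lines, missing msg/sid/rev, duplicate sids, and local
rules that use a sid below 1000000 (the range Snort reserves for official
rulesets).
"""
import re
import sys

# Constructed sample ruleset (not from the multimeter's bundled community
# rules): two clean local rules followed by three deliberately faulty ones.
SAMPLE_RULES = r"""
# local.rules - constructed example content
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH client banner from external host"; flow:to_server,established; content:"SSH-"; depth:4; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound connection to port 4444"; flow:to_server; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"LOCAL duplicate sid; semicolon inside msg is fine"; content:"|00 01 00 00|"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL missing rev"; content:"GET"; sid:1000003;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL reserved sid"; itype:8; sid:42; rev:1;)
"""

# Rule header: action protocol src sport direction dst dport (options)
# Only the common actions are accepted; extend the alternation if needed.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
LOCAL_SID_MIN = 1_000_000  # Snort convention: sids >= 1000000 are for local rules


def parse_options(opts):
    """Split the option block into (key, value) pairs.

    Semicolons inside double quotes (e.g. in msg) do not terminate an option.
    Backslash-escaped quotes inside values are not handled, which is enough
    for a lint pass but not for a full Snort parser.
    """
    pairs, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                key, _, val = token.partition(":")
                pairs.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs


def parse_rules(text):
    """Parse every non-comment line; unparseable lines are kept with an 'error' key."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            rules.append({"line": lineno, "error": "unparseable rule header"})
            continue
        rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
        rule["line"] = lineno
        # dict() keeps the last value of repeated keys (e.g. several content:
        # modifiers); that is fine here because we only inspect msg/sid/rev.
        rule["opts"] = dict(parse_options(m.group("opts")))
        rules.append(rule)
    return rules


def lint_rules(text):
    """Return a list of problem strings in file order; an empty list means clean."""
    problems = []
    seen = {}  # sid -> first line that used it
    for r in parse_rules(text):
        if "error" in r:
            problems.append(f"line {r['line']}: {r['error']}")
            continue
        o = r["opts"]
        for required in ("msg", "sid", "rev"):
            if required not in o:
                problems.append(f"line {r['line']}: missing {required}")
        if "sid" not in o:
            continue
        if not o["sid"].isdigit():
            problems.append(f"line {r['line']}: sid {o['sid']!r} is not numeric")
            continue
        sid = int(o["sid"])
        if sid < LOCAL_SID_MIN:
            problems.append(
                f"line {r['line']}: sid {sid} is below {LOCAL_SID_MIN}, "
                "a range reserved for official rulesets"
            )
        if sid in seen:
            problems.append(f"line {r['line']}: sid {sid} already used on line {seen[sid]}")
        else:
            seen[sid] = r["line"]
    return problems


if __name__ == "__main__":
    # Usage: python lint_rules.py local.rules   (no argument lints SAMPLE_RULES)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    issues = lint_rules(text)
    print("\n".join(issues) if issues else "no problems found")
    sys.exit(1 if issues else 0)
```

Run it as <code>python lint_rules.py local.rules</code>; it exits non-zero when problems are found, so a ruleset update script can refuse to upload a broken file. It is a lint pass, not a parser: running Snort with <code>-T</code> against the full configuration remains the authoritative syntax check.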