Add your own Snort Rules

It is possible to create your own rules for Snort. I'm using an existing rule for IPs block from this emerging-compromised.rules taken and adapted.

1. Add new Rule under /etc/snort/rules:

touch my-own.rule

2. Setting permission:

chown nobody:nobody my-own.rule

3. Edit Rule - for example TCP and UDP from External to Internal Network:

vi /etc/snort/rules/my-own.rule

3. continue with following content:

alert tcp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000001; rev:3488;)
alert udp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000002; rev:3488;)

3. continue with Hint at this point, the appropriate classification is, here classtype:my-own and SID sid:100000X** (X = serial number)

4. Edit Classification.config /etc/snort/rules:

...
...
config classification: my-own, My Own, 2
...

5. Edit sid-msg.map under /etc/snort/rules:

1000001 || My Own Rule block IP TCP
1000002 || My Own Rule block IP UDP
....
....

6. Restart Snort and wait it is done!

/etc/init.d/snort restart

7. In the WUI WUI -> Services -> Intrusion Detection System now you can activate your own Rule with attached ruleset.

Now, incoming IP was blocked when you try it to open an example Website with example IP 123.456.789.123.

And you can find logs under IDS-Logfiles, for example:

Date: 01/22 07:36:20        Name: My own Block
Prio: 2                     Typ: My Own
IP-Info: 123.456.789.123:80 -> 192.168.xyz.xyz:52399
Reference: non              SID: 1000001

Additional information

• General Snort configuration
• AddOn Guardian configure
• About VRT Updates from Rulesets - appropriately sorted by date and versions
• This is a little Handbook to Snort for the use of rules and signatures