By taking a look at each, you'll get a basic idea of what you can do with Snort rules.
Really, it's good use of Snort rules that saves you the work of manual packet analysis.
Rather than you spending hours digging into packets, you can set Snort to handle analysis, and have Snort alert you when there are problems; you do this by giving Snort a set of rules.
Listing 8 shows all the rules files you got from the Snort site.
Tell Snort what to do with rules.
With a default set of rules, and the tweaks required for Mac OS X implemented if you're using that platform, you're ready to fire up Snort.
Scroll down to the registered user section, where you can get a set of rules to match the release of Snort you're using; this portion of the Snort site is shown in Figure 1.
Then, what you'll need to get Snort running is a set of rules it can load and work from.
Every time a new release of Snort comes out, a new set of "default" rules is made available to go with that release.
While configuration is a more general set of rules about how Snort should operate, rules tell Snort what to do every time a packet comes across a network interface that Snort monitors.
Because the types of intrusions change rapidly, Snort has a set of rules, downloadable from the Snort site, that describes these intrusions and allows Snort to look for them.
So for each potentially intrusive connection, Snort needs a rule (or rules that cover multiple related intrusions).
Snort has several standard rules files, with predetermined names and functions. If you open the snort.conf.