Snort Tweaks and Scripts
Snort also provides the ability to add additional tunings to configurations with the --tweaks option. This can be used, for example, to employ one of Snort's various policy files that tweak Snort's detection engine to favor either more performance or more security.
Snort 3 comes with four policy tweak files by default. Of these, the max_detect policy provides the most security, whereas the connectivity policy prioritizes performance and uptime at the expense of security.
These tweaks are more or less just configuration extensions: the snort_defaults.lua files provide a base policy, and the tweaks then apply a particular set of targeted changes on top of it.
To use a tweak, simply specify the --tweaks option followed by the name of the tweak file to use. For example, to use the max_detect policy, one would run Snort like so:
$ snort -c $my_path/lua/snort.lua -R local.rules --tweaks max_detect
There is also a talos tweaks option that configures Snort the way Talos analysts initially test their own rules:
$ snort -c $my_path/lua/snort.lua -R local.rules --tweaks talos
You can check out each of these tweaks in the lua/ directory to see what kinds of changes each one makes.
Snort 3 is extensible: users can write custom LuaJIT scripts to extend its functionality. Scripts are passed to Snort 3 on the command line with the
--script-path <scripts_path> argument, and they are then called in Snort rules by specifying the script "name" (declared in the .lua file) as a rule option.
One script we commonly work with is hexdump.lua, which prints out packet data starting at the detection cursor's current location. This is incredibly useful when creating rules because it lets rule writers determine whether, and which, data is present in a specific buffer or at the current cursor location.
For example, if we were to invoke this hexdump script right after an http_uri; buffer declaration, Snort will print out all the bytes in the

$ ls scripts/
hexdump.lua
$ cat local.rules
alert http ( \
    msg:"GET request"; \
    http_uri; hexdump; classtype:web-application-attack; \
    sid:1000000; \
)
$ snort --talos --script-path scripts/ -q -r get.pcap -R local.rules
[http_uri] (6 bytes)
00000000 2F 68 65 6C 6C 6F /hello
Because this script dumps from wherever the previous content match left the cursor, adding a content:"/h"; match to the rule after http_uri; results in the following change:

$ cat local.rules
alert http ( msg:"GET request"; http_uri; content:"/h"; hexdump; classtype:web-application-attack; sid:1000000; )
$ snort --talos --script-path scripts/ -q -r get.pcap -R local.rules
[http_uri] (4 bytes)
00000000 65 6C 6C 6F ello