Snort Tweaks and Scripts

Tweaks

Snort also provides the ability to apply additional tuning to a configuration with the --tweaks option. This can be used, for example, to employ one of Snort's policy files, which adjust Snort's detection engine to favor either more performance or more security.

Snort 3 comes with four policy tweak files by default: max_detect, security, balanced and connectivity. The max_detect policy provides the most security whereas the connectivity policy prioritizes performance and uptime at the expense of security.

These tweaks are more-or-less just configuration extensions; the snort.lua and snort_defaults.lua files provide a base policy, and then the tweaks allow for a particular set of targeted changes.

To use a tweak, simply specify the --tweaks option followed by the name of the tweak file to use. For example, to use the max_detect policy, one would run Snort like so:

$ snort -c $my_path/lua/snort.lua -R local.rules --tweaks max_detect

There also exists a talos tweaks option that configures Snort to the way Talos analysts will initially test their own rules:

$ snort -c $my_path/lua/snort.lua -R local.rules --tweaks talos

You can check out each of these tweaks in the lua/ directory to see what kinds of changes each one makes.

Scripts

Snort 3 is extensible: users can write custom LuaJIT scripts that extend its detection functionality. Scripts are passed to Snort 3 on the command line with the --script-path <scripts_path> argument, and they are then called in Snort rules by specifying the script "name" (declared in the .lua file) as a rule option.

One script we commonly work with is hexdump.lua, which prints out packet data at the detection cursor's current location. This is incredibly useful when creating rules because it helps rule writers determine if and what data is present in a specific buffer or at the current cursor location.

For example, if we invoke this hexdump script right after an http_uri; buffer declaration, Snort prints all the bytes in the http_uri buffer:

$ ls scripts/
hexdump.lua

$ cat local.rules
alert http (
    msg:"GET request";
    http_uri;
    hexdump;
    classtype:web-application-attack;
    sid:1000000;
)

$ snort --talos --script-path scripts/ -q -r get.pcap -R local.rules
[http_uri] (6 bytes)
00000000  2F 68 65 6C 6C 6F                                /hello

Because this script dumps from the current detection cursor, and a content match moves the cursor past the bytes it matched, adding a content:"/h"; match to the rule after http_uri; changes the output as follows:

$ cat local.rules
alert http (
    msg:"GET request";
    http_uri;
    content:"/h";
    hexdump;
    classtype:web-application-attack;
    sid:1000000;
)

$ snort --talos --script-path scripts/ -q -r get.pcap -R local.rules
[http_uri] (4 bytes)
00000000  65 6C 6C 6F                                      ello
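The following is an added example of what a script like the one above looks like as a Snort 3 LuaJIT ips_option; it is not the hexdump.lua shipped with Snort and is not taken from this page. It assumes the script API described in the Snort 3 manual: a global plugin table whose name is the rule option keyword, init(args) receiving the option's argument text, eval() called at the detection cursor, and a C function get_buffer() exposed through the FFI that returns the buffer type, the bytes from the cursor to the end of the buffer, and their length. The SnortBuffer declaration and field names are reproduced from my reading of that manual and should be checked against the Snort version in use.

```lua
-- hexdump.lua (added example, not Snort's own script).
-- Declares a rule option "hexdump" that prints the bytes remaining in the
-- current buffer from the detection cursor onward, in the same layout as
-- the output shown above.
ffi = require("ffi")

-- Assumed to match Snort 3's ips_luajit interface: type is the buffer name
-- (e.g. "http_uri"), data points at the cursor, len is the bytes remaining.
ffi.cdef[[
struct SnortBuffer
{
    const char* type;
    const uint8_t* data;
    unsigned len;
};
const struct SnortBuffer* get_buffer();
]]

plugin =
{
    type = "ips_option",
    name = "hexdump",   -- the keyword used in rules; must match this file's name
    version = 0
}

-- args is the raw text between the option's ':' and ';' in the rule;
-- hexdump takes no arguments, so it is ignored.
function init(args)
    return true
end

-- Format one line of up to 16 bytes: 8-digit hex offset, hex column padded
-- to a fixed width so the ASCII column lines up, then printable ASCII
-- (non-printable bytes shown as '.').
local function dump_line(offset, bytes)
    local hex, ascii = {}, {}
    for i = 1, #bytes do
        local b = bytes:byte(i)
        hex[#hex + 1] = string.format("%02X", b)
        ascii[#ascii + 1] = (b >= 0x20 and b < 0x7F) and string.char(b) or "."
    end
    return string.format("%08X  %-48s %s", offset,
        table.concat(hex, " "), table.concat(ascii))
end

-- Called by Snort when the rule's evaluation reaches the hexdump option.
function eval()
    local buf = ffi.C.get_buffer()
    local data = ffi.string(buf.data, buf.len)

    print(string.format("[%s] (%d bytes)", ffi.string(buf.type), buf.len))
    for off = 0, #data - 1, 16 do
        print(dump_line(off, data:sub(off + 1, off + 16)))
    end

    -- Side-effect only: always report a match so the options after
    -- hexdump; in the rule are still evaluated.
    return true
end
```

Placed in the directory given to --script-path, this script is picked up by name, so the rule option hexdump; resolves to it; because eval() reads from the cursor, a preceding content match such as content:"/h"; shortens the dump exactly as the second run above shows.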