The decoder and preprocessor rules are located in the preproc_rules/ directory in the top level source tree, and have the names decoder.rules and preprocessor.rules respectively. These files are updated as new decoder and preprocessor events are added to Snort. The gen-msg.map under etc directory is also updated with new decoder and preprocessor rules.
To enable these rules in snort.conf, define the path to where the rules are located and uncomment the include lines in snort.conf that reference the rules files.
var PREPROC_RULE_PATH /path/to/preproc_rules
...
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
To disable any rule, just comment it with a # or remove the rule completely from the file (commenting is recommended).
To change the rule type or action of a decoder/preprocessor rule, just replace alert with the desired rule type. Any one of the following rule types can be used:
alert
log
pass
drop
sdrop
reject
For example one can change:
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
metadata: rule-type decode ; classtype:protocol-command-decode;)
to
drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
metadata: rule-type decode ; classtype:protocol-command-decode;)
to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but version field in IPv4 header has a value other than 4.
See README.decode, README.gre and the various preprocessor READMEs for descriptions of the rules in decoder.rules and preprocessor.rules.
The generator ids ( gid ) for different preprocessors and the decoder are as follows:
| Generator Id | Module |
|---|---|
| 105 | Back Orifice preprocessor |
| 106 | RPC Decode preprocessor |
| 112 | Arpspoof preprocessor |
| 116 | Snort Decoder |
| 119 | HTTP Inspect preprocessor ( Client ) |
| 120 | HTTP Inspect preprocessor ( Server ) |
| 122 | Portscan preprocessor |
| 123 | Frag3 preprocessor |
| 124 | SMTP preprocessor |
| 125 | FTP (FTP) preprocessor |
| 126 | FTP (Telnet) preprocessor |
| 127 | ISAKMP preprocessor |
| 128 | SSH preprocessor |
| 129 | Stream5 preprocessor |
| 131 | DNS preprocessor |
| 132 | Skype preprocessor |
| 133 | DceRpc2 preprocessor |
| 134 | PPM preprocessor |
| 136 | Reputation preprocessor |
| 137 | SSL preprocessor |
| 139 | SDF preprocessor |
| 140 | SIP preprocessor |
| 141 | IMAP preprocessor |
| 142 | POP preprocessor |
| 143 | GTP preprocessor |