0x00 Source
Extracted from snortrules-snapshot-2975.tar.gz; the files live in <extraction directory>/etc/:
classification.config
reference.config
sid-msg.map
snort.conf
threshold.conf
unicode.map
Put these .conf and .map files under /etc/snort; for the details see "Building an intrusion detection system with snort + barnyard2 + base on CentOS 6.6".
0x01 File contents
The reference file is only these few lines:
# $Id: reference.config,v 1.6 2012/01/06 15:27:28 hcao Exp $
# The following defines URLs for the references found in the rules
#
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb http://osvdb.org/show/osvdb/
# Note, this one needs a suffix as well.... lets add that in a bit.
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: msb http://technet.microsoft.com/en-us/security/bulletin/
As you can see, these are all URLs of security sites and vulnerability databases, plus a generic url entry you can use for any address of your own.
0x02 The modifier
The reference modifier literally means "reference"; I don't think it does much, it just links to the page about this kind of attack on an external attack-detection or vulnerability site.
Here is an example:
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)
The rule above defines three references; take one of them, reference:cve,CAN-2000-1574.
In reference.config we find the definition for the cve site:
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
This is equivalent to constructing the following URL:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1574
The specific ID is filled in after name=, giving the effect shown in the figure below:
Click it and you jump straight to that vulnerability's page on the corresponding site.
0x03 Database
Three tables are related to reference:
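To make the URL construction concrete, here is an added Python example (not code from the original post or from Snort) that parses the reference.config lines quoted above and resolves each reference: option of the example rule into the link that the console displays. The config text and rule are embedded from the post; the system lookup is case-insensitive, which the post's own example already relies on (the config says arachNIDS, the rule says arachnids), and a reference system missing from the config is reported as None rather than guessed.

```python
"""Resolve the reference: options of a Snort rule into URLs using reference.config."""
import re

# Sample input copied from the reference.config lines quoted in the post.
REFERENCE_CONFIG = """\
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: msb http://technet.microsoft.com/en-us/security/bulletin/
"""

# The example rule from the post.
RULE = ('alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; '
        'content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; '
        'reference:bugtraq,1387; reference:cve,CAN-2000-1574;)')


def parse_reference_config(text):
    """Return {system name (lower-cased): url prefix} from 'config reference:' lines.

    Comments (# ...) and blank lines are skipped; anything else is ignored.
    """
    systems = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'config\s+reference:\s*(\S+)\s+(\S+)', line)
        if m:
            systems[m.group(1).lower()] = m.group(2)
    return systems


def rule_references(rule):
    """Extract (system, tag) pairs from every 'reference:system,tag;' option in a rule."""
    return re.findall(r'reference:\s*([^,;\s]+)\s*,\s*([^;]+?)\s*;', rule)


def resolve(rule, config_text):
    """Return [(system, tag, url_or_None)] for each reference in the rule.

    The URL is the configured prefix followed by the tag, exactly as the
    post describes for name=CAN-2000-1574; an unknown system yields None.
    """
    systems = parse_reference_config(config_text)
    result = []
    for system, tag in rule_references(rule):
        prefix = systems.get(system.lower())
        result.append((system, tag, None if prefix is None else prefix + tag))
    return result


if __name__ == "__main__":
    for system, tag, url in resolve(RULE, REFERENCE_CONFIG):
        print(f"{system:>10} {tag:<15} {url}")
```

The URL is plain prefix-plus-tag concatenation, so the arachnids entry in this rule comes out as http://www.whitehats.com/info/IDSIDS287; a system that is not defined in reference.config yields None, which is the case to check when rules come from a different ruleset snapshot than the reference.config in /etc/snort.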
mysql> desc reference_system;
+-----------------+------------------+------+-----+---------+----------------+
| Field           | Type             | Null | Key | Default | Extra          |
+-----------------+------------------+------+-----+---------+----------------+
| ref_system_id   | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| ref_system_name | varchar(20)      | YES  |     | NULL    |                |
+-----------------+------------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)
mysql> desc reference
    -> ;
+---------------+------------------+------+-----+---------+----------------+
| Field         | Type             | Null | Key | Default | Extra          |
+---------------+------------------+------+-----+---------+----------------+
| ref_id        | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| ref_system_id | int(10) unsigned | NO   |     | NULL    |                |
| ref_tag       | text             | NO   |     | NULL    |                |
+---------------+------------------+------+-----+---------+----------------+
3 rows in set (0.01 sec)
mysql> desc sig_reference;
+---------+------------------+------+-----+---------+-------+
| Field   | Type             | Null | Key | Default | Extra |
+---------+------------------+------+-----+---------+-------+
| sig_id  | int(10) unsigned | NO   | PRI | NULL    |       |
| ref_seq | int(10) unsigned | NO   | PRI | NULL    |       |
| ref_id  | int(10) unsigned | NO   |     | NULL    |       |
+---------+------------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
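As an added example (not part of the post, and not barnyard2's or BASE's own code), here is how the three tables fit together: sig_reference links a signature (sig_id) to its references in rule order (ref_seq), reference holds the tag and points at a system, and reference_system names the site. The code recreates the schema in an in-memory SQLite database using the column names from the DESC output above (column types adapted from MySQL to SQLite), loads constructed rows for the rule from section 0x02, and runs the join that reconstructs the reference list for one signature.

```python
"""Recreate the reference tables in SQLite and join them per signature."""
import sqlite3

# Column names follow the DESC output in the post; types are SQLite equivalents.
SCHEMA = """
CREATE TABLE reference_system (
    ref_system_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    ref_system_name VARCHAR(20)
);
CREATE TABLE reference (
    ref_id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ref_system_id INTEGER NOT NULL,
    ref_tag       TEXT NOT NULL
);
CREATE TABLE sig_reference (
    sig_id  INTEGER NOT NULL,
    ref_seq INTEGER NOT NULL,
    ref_id  INTEGER NOT NULL,
    PRIMARY KEY (sig_id, ref_seq)
);
"""

# Constructed data mirroring the rule in section 0x02: signature 1 has three references.
SYSTEMS = ["arachnids", "bugtraq", "cve"]
SIG1_REFS = [("arachnids", "IDS287"), ("bugtraq", "1387"), ("cve", "CAN-2000-1574")]


def build_db():
    """Create the three tables and insert the constructed rows for sig_id 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name in SYSTEMS:
        conn.execute("INSERT INTO reference_system (ref_system_name) VALUES (?)", (name,))
    for seq, (system, tag) in enumerate(SIG1_REFS, start=1):
        (sys_id,) = conn.execute(
            "SELECT ref_system_id FROM reference_system WHERE ref_system_name = ?",
            (system,)).fetchone()
        cur = conn.execute(
            "INSERT INTO reference (ref_system_id, ref_tag) VALUES (?, ?)", (sys_id, tag))
        # ref_seq preserves the order the reference: options appeared in the rule.
        conn.execute(
            "INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES (?, ?, ?)",
            (1, seq, cur.lastrowid))
    conn.commit()
    return conn


def references_for_sig(conn, sig_id):
    """Walk sig_reference -> reference -> reference_system and return
    [(system name, tag)] for one signature, in ref_seq order."""
    return conn.execute("""
        SELECT rs.ref_system_name, r.ref_tag
        FROM sig_reference sr
        JOIN reference        r  ON r.ref_id         = sr.ref_id
        JOIN reference_system rs ON rs.ref_system_id = r.ref_system_id
        WHERE sr.sig_id = ?
        ORDER BY sr.ref_seq
    """, (sig_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for system, tag in references_for_sig(db, 1):
        print(f"sig 1: {system},{tag}")
```

The same join, with the ref_system_name mapped back through reference.config, is all the web front end needs to turn a stored alert's signature into the clickable links described in section 0x02; a signature with no rows in sig_reference simply gets an empty list.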
To be continued, but I feel this part has little to do with intrusion detection.