2013-03-07

After a somewhat lengthy break, I’m back again with some new Snort goodness for those that use the nano text editor.

Nano is included with almost every Linux distribution these days, so it should not be hard to find or to get this working. To set it up you will need to edit two files:

  • /usr/share/nano/snort.nanorc
  • /etc/nanorc or ~/.nanorc if you are not root

Walking through the snort.nanorc file displayed in full below, we first start with the line

syntax "rules" "\.rules$"

This tells nano that every file whose name ends in .rules should be highlighted using the color rules (regular expressions) that follow it in the file. The first string is just a label for the syntax; the second is the regex matched against the filename.

For example, adding the following line after it highlights the Snort rule headers (the action and protocol keywords) in red. Note that nano color regexes are unanchored, so this pattern also colors those words when they appear inside other tokens (the "ip" in sip_method, for instance); if that bothers you, wrap the group as \<(...)\> to restrict it to whole words, as nano's own bundled syntax files do.

color red "(alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp)"
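To see what that unanchored header regex really matches, here is an added example (not part of the original post) that runs the post's pattern and a word-bounded variant over a constructed sample rule with GNU grep -E. Both nano and grep compile these patterns as GNU extended regexes, so grep is a faithful proxy for what nano will color; the sample rule and the function names are my own.

```shell
#!/bin/sh
# Added example: compare the post's header regex with a word-bounded version.
# Both nano (REG_EXTENDED) and GNU grep -E use GNU extended regex syntax,
# so "grep -oE" prints exactly the fragments nano would color.

# The header regex exactly as it appears in the post's snort.nanorc.
HEADER_RE='(alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp)'

# Same alternation anchored to word boundaries; \< and \> are the GNU regex
# extensions that nano's own bundled syntax files use for keyword lists.
HEADER_RE_BOUNDED='\<(alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp)\>'

# Constructed sample rule (not from any ruleset); sip_method contains "ip".
SAMPLE_RULE='alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"constructed sample"; sip_method:invite; sid:1000001; rev:1;)'

# Print each fragment of line $2 that regex $1 would color, one per line.
highlighted_tokens() {
    printf '%s\n' "$2" | grep -oE "$1" || true
}

# Same matches as a single space-separated string, convenient for checks.
highlighted_list() {
    highlighted_tokens "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

echo "unanchored: $(highlighted_list "$HEADER_RE" "$SAMPLE_RULE")"
echo "bounded:    $(highlighted_list "$HEADER_RE_BOUNDED" "$SAMPLE_RULE")"
```

The unanchored pattern reports alert, tcp and a stray ip lifted out of sip_method; the bounded one reports only alert and tcp. Paste the bounded form into the color line if you want the header colors confined to the actual header.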

The code below is the complete snort.nanorc file. Save it as /usr/share/nano/snort.nanorc if you are root; if you are not, paste its contents directly into ~/.nanorc (or save it anywhere under your home directory and include it from ~/.nanorc).

##Nano config for snort rules files
##
syntax "rules" "\.rules$"

##rule headers (unanchored: also matches these words inside other tokens)
color red "(alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp)"

##rule variables
color brightblue "(\$AIM_SERVERS|\$DNS_SERVERS|\$DNS_SERVERS_AD|\$EXTERNAL_NET|\$FILE_DATA_PORTS|\$GTP_PORTS|\$HOME_NET|\$HTTP_PORTS|\$HTTP_SERVERS|\$ORACLE_PORTS|\$SHELLCODE_PORTS|\$SIP_PORTS|\$SIP_SERVERS|\$)"

##Rule options
color magenta "(msg|reference|gid|sid|rev|classtype|priority|content|uricontent|nocase|threshold|type|limit|track|by_src|by_dst|count|seconds|distance|within|depth|offset|rawbytes|http_client_body|http_cookie|http_raw_cookie|http_header|http_raw_header|http_method|http_uri|http_raw_uri|http_stat_code|http_stat_msg|http_encode|fast_pattern|urilen|isdataat|pcre|pkt_data|file_data|base64_decode|base64_data|byte_test|byte_jump|byte_extract|ftpbounce|asn1|cvs|dce_iface|dce|opnum|dce_stub_data|sip_method|sip_stat_code|sip_header|sip_body|gtp_type|gtp_info|gtp_version|ssl_version|ssl_state|fragoffset|ttl|tos|id|ipopts|fragbits|dsize|flags|flow|flowbits|seq|ack|window|itype|icode|icmp_id|icmp_seq|rpc|ip_proto|sameip|stream_reassemble|stream_size|logto|session|resp|react|tag|activates|activated_by|replace|detection_filter|metadata)"

##delims (option values: everything from a ":" to the next ";")
color brightgreen start=":" end=";"

##digits yo
color brightcyan "[0-9]+"

##hexbytes ("|..|" inside a content string; the .* is greedy, so it runs to the last |" on the line)
color brightblack ""\|[0-9a-fA-F].*\|""

##pcre - danger will robinson! (greedy as well: colors up to the last "; on the line)
color brightred "pcre:"/.*";"

##comments
color green "^#.*"

After creating snort.nanorc as specified above, add an include line (with an optional comment) to the end of /etc/nanorc, or ~/.nanorc if you are not root, so that nano actually loads the syntax file:

## Snort rules
include "/usr/share/nano/snort.nanorc"
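Putting the two steps together, here is an added installer script (my own code, not from the original post) that copies an existing snort.nanorc into place and appends the include line only if it is not already there, so re-running it never duplicates the directive. It assumes the syntax file has already been saved from the listing above; the destination defaults (/usr/share/nano and /etc/nanorc as root, ~/.nano and ~/.nanorc otherwise) and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: install snort.nanorc and
# wire it into nano's rc file idempotently.
# Usage: sh install-snort-nanorc.sh SRC_FILE [SYNTAX_DIR] [NANORC]
set -u

# Append an include directive for file $1 to rc file $2 unless an identical
# line is already present (whole-line, fixed-string match).
add_include_once() {
    include_line="include \"$1\""
    touch "$2"
    if grep -qxF "$include_line" "$2"; then
        return 0
    fi
    printf '## Snort rules\n%s\n' "$include_line" >> "$2"
}

# Copy syntax file $1 to $2/snort.nanorc and include it from rc file $3.
# Defaults (assumed, not from the post): system paths as root, ~/.nano and
# ~/.nanorc for an unprivileged user.
install_snort_nanorc() {
    src=$1
    if [ "$(id -u)" -eq 0 ]; then
        syntax_dir=${2:-/usr/share/nano}
        nanorc=${3:-/etc/nanorc}
    else
        syntax_dir=${2:-$HOME/.nano}
        nanorc=${3:-$HOME/.nanorc}
    fi
    # Sanity check: a nanorc syntax file must declare a syntax; refuse
    # anything else rather than including a file nano will reject.
    grep -q '^syntax ' "$src" || { echo "$src: no 'syntax' line found" >&2; return 1; }
    mkdir -p "$syntax_dir"
    cp "$src" "$syntax_dir/snort.nanorc"
    add_include_once "$syntax_dir/snort.nanorc" "$nanorc"
}

# How many include lines for $1 does rc file $2 contain? (0 on a miss.)
count_includes() {
    grep -cxF "include \"$1\"" "$2" || true
}

# Only act when a source file is given; sourcing the script without
# arguments just defines the functions.
if [ "$#" -ge 1 ]; then
    install_snort_nanorc "$@"
fi
```

Run it as root with just the path to your snort.nanorc to get the system-wide setup from the post, or as a normal user to get a per-user equivalent; running it twice leaves a single include line.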

The screenshot below gives an idea of what the result looks like.

[Screenshot: nano_snortHighlight]

Enjoy!
