After a somewhat lengthy break, I’m back again with some new Snort goodness for those that use the nano text editor.
Nano is included with almost every Linux distribution these days, so it should not be hard to find or to get this working for you. To get it to work you will need to edit two files, as shown below:
- /usr/share/nano/snort.nanorc
- /etc/nanorc or ~/.nanorc if you are not root
Walking through the .nanorc file displayed in full below, we first start with the line
    syntax "snort" "\.rules$"
This means that we want all files that end in .rules to be highlighted by the regular expressions that occur in the lines below it in the .nanorc file.
For example, adding the following line after the previous line will highlight all of the snort rule headers in red.
    color red "(alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp)"
The code below is the complete “snort.nanorc” file. Save it as /usr/share/nano/snort.nanorc, or append its contents to ~/.nanorc if you are not root.
    ##Nano config for snort rules files ##
    syntax "rules" "\.rules$"

    ##rule headers
    color red "(alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp)"

    ##rule variables
    color brightblue "(\$AIM_SERVERS|\$DNS_SERVERS|\$DNS_SERVERS_AD|\$EXTERNAL_NET|\$FILE_DATA_PORTS|\$GTP_PORTS|\$HOME_NET|\$HTTP_PORTS|\$HTTP_SERVERS|\$ORACLE_PORTS|\$SHELLCODE_PORTS|\$SIP_PORTS|\$SIP_SERVERS|\$)"

    ##Rule options
    color magenta "(msg|reference|gid|sid|rev|classtype|priority|content|uricontent|nocase|threshold|type|limit|track|by_src|by_dst|count|seconds|distance|within|depth|offset|rawbytes|http_client_body|http_cookie|http_raw_cookie|http_header|http_raw_header|http_method|http_uri|http_raw_uri|http_stat_code|http_stat_msg|http_encode|fast_pattern|urilen|isdataat|pcre|pkt_data|file_data|base64_decode|base64_data|byte_test|byte_jump|byte_extract|ftpbounce|asn1|cvs|dce_iface|dce_opnum|dce_stub_data|sip_method|sip_stat_code|sip_header|sip_body|gtp_type|gtp_info|gtp_version|ssl_version|ssl_state|fragoffset|ttl|tos|id|ipopts|fragbits|dsize|flags|flow|flowbits|seq|ack|window|itype|icode|icmp_id|icmp_seq|rpc|ip_proto|sameip|stream_reassemble|stream_size|logto|session|resp|react|tag|activates|activated_by|replace|detection_filter|metadata)"

    ##delims
    color brightgreen start=":" end=";"

    ##digits yo
    color brightcyan "[0-9]+"

    ##hexbytes
    color brightblack ""\|[0-9a-fA-F].*\|""

    ##pcre - danger will robinson!
    color brightred "pcre:"/.*";"

    ##comments
    color green "^#.*"
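To see what these patterns actually colour before loading the file into nano, here is an added Python check (my own code, not from the original post) that runs two of the file's regexes, the rule-header alternation and the hexbytes pattern, over constructed sample rules. The sample rules, the tighter `HEX_TIGHT` pattern and all helper names are my own assumptions. It shows two caveats a rule writer will notice: the header alternation is unanchored, so the `ip` inside `ipopts` is painted red too, and the greedy `.*` in the hexbytes pattern spans from the first `"|` to the last `|"` on a line, swallowing two `content` matches at once.

```python
import re

# Constructed sample rules (not from the original post), chosen to exercise
# the edge cases: a keyword hidden inside another keyword, a header word
# inside a pcre string, and two hex content matches on one line.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"ipopts check"; ipopts:lsrr; content:"|90 90|"; '
    'pcre:"/drop\\d+/i"; sid:1000001; rev:1;)'
)
TWO_HEX_RULE = 'alert tcp any any -> any any (content:"|90 90|"; content:"|CC|"; sid:2;)'

# The header alternation exactly as it appears in snort.nanorc (no anchors).
HEADER_WORDS = "alert|log|pass|activate|dynamic|drop|reject|sdrop|tcp|ip|udp|icmp"

# The hexbytes pattern as written on the page, after nanorc's "" -> " unescaping.
HEX_AS_WRITTEN = re.compile(r'"\|[0-9a-fA-F].*\|"')
# Assumed tighter alternative: only hex digits and spaces may sit between the bars.
HEX_TIGHT = re.compile(r'"\|[0-9a-fA-F ]+\|"')


def unanchored_hits(text, words=HEADER_WORDS):
    """Replicate the page's pattern: a bare alternation, which also matches
    substrings such as the 'ip' inside 'ipopts'."""
    return re.findall(rf"({words})", text)


def anchored_hits(text, words=HEADER_WORDS):
    """Same alternation wrapped in word boundaries (Python \\b).
    The nanorc equivalent is \\<(...)\\>."""
    return re.findall(rf"\b({words})\b", text)


def hex_spans(text, pattern=HEX_AS_WRITTEN):
    """Return every substring the given hexbytes pattern would colour."""
    return pattern.findall(text)


if __name__ == "__main__":
    print("unanchored:", unanchored_hits(SAMPLE_RULE))
    print("anchored:  ", anchored_hits(SAMPLE_RULE))
    print("hex greedy:", hex_spans(TWO_HEX_RULE))
    print("hex tight: ", hex_spans(TWO_HEX_RULE, HEX_TIGHT))
```

Note that even the anchored version still finds `drop` inside the pcre string; in nano that is harmless only because colour lines are applied in file order and later ones paint over earlier ones, which is why the `pcre:` line sits near the end of the file.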
After adding/modifying the new snort.nanorc file as specified above, you will want to add a couple of “include” lines to the end of /etc/nanorc in order for the syntax highlighting to work.
    ## Snort rules
    include "/usr/share/nano/snort.nanorc"
See the below screenshot to get an idea of what it looks like.
Enjoy!