Snort mailing list archives
Updating Snort Rules...Made Easy..sort of
From: Dr SuSE <drsuse () drsuse org>
Date: Tue, 9 Oct 2001 21:55:36 GMT
Updating Snort rules the quick and dirty way. The examples given in this document are for updating Snort rules in an environment where multiple Snort sensors are used. I'm going to use my Snort directory structure as an example. Your directory structure is probably different than mine but that's ok, you can still make this method work for you.

/etc/snort (snort.conf, classifications.config)
/etc/snort/rules (all snort rules are here)
/etc/snort/scripts (all of my custom scripts are in here)
/etc/snort/tmp (If you can't figure this one out, you're hosed)

The problem with automatically updating rules is that after time you've probably deleted or commented out some of the rules that either you don't need or those which trigger too many false positives. You may have also written your own custom rules.

Ok, let's get to the meat....here's what I did. I first wrote a simple script using wget and cron'd it to run daily at noon. This script simply downloads the snortrules.tar.gz rules from www.snort.org and places it into the snort directory under my htdocs directory. I then added two files to ~/htdocs/snort. One is called pass.rules and the other is called global.rules. For the rules you do not want, simply add them to the pass.rules file and change them from alert to pass. Use the global.rules file for custom rules you want to distribute to all of your sensors.

Next, you're going to want to edit your snort.conf file and make sure that the first rule file loaded is the pass.rules file. Also, to make this work, you have to remember to run snort with the -o option. Don't forget to add an include statement for your new global.rules file.

Now all you have to do is use a script which uses wget to pull the snortrules.tar.gz file from your internal web server, extract the rules to a tmp directory, remove the local.rules and copy the rest to where you keep your snort rules files on your sensors. Don't forget, you have to restart snort also.
Below are the scripts I'm using, nothing special. But first, let me give you a few do's and don'ts:

1. DO NOT!!! configure all of your sensors to download the snortrules file from snort.org, this will cause unnecessary traffic. Remember, all you need is a web server inside your network to run the script on, and if you're running demarc, acid or snarf then you already have this. DO NOT!!!!!
2. Do run snort using the -o option.
3. Do add rules you don't want to your pass.rules file on your centralized web server. Make sure that pass.rules is the first rules file you're calling in snort.conf.
4. Do not run the script on the sensor and the script on the web server at the same time. Run the script on your web server first, then run the script on your sensors about 10 minutes later.

This is the script which runs on my web server and downloads the snortrules.tar.gz file from snort.org:

```sh
#!/bin/sh
# Runs on the internal web server (cron, daily at noon): fetch the current
# ruleset from snort.org and publish it under htdocs for the sensors.
set -e
cd /tmp
wget http://www.snort.org/downloads/snortrules.tar.gz
# mv overwrites the published copy, and only after the download succeeded
mv /tmp/snortrules.tar.gz /usr/local/httpd/htdocs/security/snort/
```

This is the script which runs on my snort sensors and downloads the snort rules from my web server:

```sh
#!/bin/sh
# Runs on each sensor (about 10 minutes after the server script): pull the
# ruleset plus pass.rules and global.rules from the internal web server.
set -e
cd /etc/snort/tmp
wget http://bb/security/snort/snortrules.tar.gz
wget http://bb/security/snort/pass.rules
wget http://bb/security/snort/global.rules
mv /etc/snort/tmp/global.rules /etc/snort/rules
mv /etc/snort/tmp/pass.rules /etc/snort/rules
# the tarball extracts into /etc/snort/tmp/rules/
tar -xvzf /etc/snort/tmp/snortrules.tar.gz
rm /etc/snort/tmp/snortrules.tar.gz
# keep the sensor's own local.rules, not the one shipped in the tarball
rm /etc/snort/tmp/rules/local.rules
mv /etc/snort/tmp/rules/*.rules /etc/snort/rules
rm -r /etc/snort/tmp/rules
/etc/rc.d/snort restart
```

"Flush twice....it's a long way to afghanistan"
---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
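The sensor-side procedure from the post above (pull the tarball plus pass.rules and global.rules from the internal server, drop the upstream local.rules, install, restart), written as an added example that is not part of the original post and not Snort's own tooling. It differs from the posted script in three places a practitioner would want: the download is staged and checked against a checksum before the live rules are touched, the previous rules are kept for rollback, and Snort's configuration test is run before the restart so a ruleset that fails to parse cannot leave the sensor down. Assumptions that are not in the post: the internal server also publishes snortrules.tar.gz.sha256 in sha256sum format, the installed snort accepts -T (configuration test mode), and the function names, the SNORT_DIR and BASE_URL variables and the --run flag are this example's own. The server URL http://bb and the init script /etc/rc.d/snort are taken from the post.

```shell
#!/bin/sh
# Added example, not the original poster's script. Sensor-side rule update
# with staging, checksum check, rollback copy and a config test before restart.
# Assumed (not from the post): snortrules.tar.gz.sha256 is published next to
# the tarball, and the installed snort supports -T (test the config, don't run).
set -eu

SNORT_DIR="${SNORT_DIR:-/etc/snort}"                # layout from the post
BASE_URL="${BASE_URL:-http://bb/security/snort}"    # internal server from the post

# Convert an "alert" rule line into a "pass" rule for pass.rules.
# Comments and rules with other actions are returned unchanged.
to_pass_rule() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*alert[[:space:]]/pass /'
}

# Compare a file against a sha256sum-style checksum file ("<hex>  <name>").
# Returns 0 on match, 1 on mismatch or when the checksum file is unreadable.
verify_checksum() {
    file=$1; sumfile=$2
    expected=$(awk 'NR==1 {print $1}' "$sumfile" 2>/dev/null) || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Install staged rules into the live directory:
#   - refuse unless pass.rules and global.rules came with the update, otherwise
#     the sensor silently loses its overrides and custom rules
#   - never copy the upstream local.rules over the sensor's own
#   - keep the previous live directory as <live>.prev for rollback
install_rules() {
    staged=$1; live=$2
    [ -f "$staged/pass.rules" ] && [ -f "$staged/global.rules" ] || return 1
    rm -f "$staged/local.rules"
    rm -rf "$live.prev"
    [ -d "$live" ] && cp -R "$live" "$live.prev"
    mkdir -p "$live"
    for f in "$staged"/*.rules; do
        cp "$f" "$live/"
    done
    return 0
}

# Full update: download, verify, extract, install, test the config, restart.
update_sensor() {
    work=$(mktemp -d "$SNORT_DIR/tmp/update.XXXXXX")
    trap 'rm -rf "$work"' EXIT
    cd "$work"
    for f in snortrules.tar.gz snortrules.tar.gz.sha256 pass.rules global.rules; do
        wget -q "$BASE_URL/$f"
    done
    verify_checksum snortrules.tar.gz snortrules.tar.gz.sha256 || {
        echo "checksum mismatch, keeping current rules" >&2; return 1; }
    tar -xzf snortrules.tar.gz            # creates ./rules/
    mv pass.rules global.rules rules/
    install_rules "$work/rules" "$SNORT_DIR/rules"
    # -o applies pass rules before alert rules (as the post requires);
    # -T parses the config and rules and exits without sniffing.
    if snort -o -T -c "$SNORT_DIR/snort.conf" >/dev/null 2>&1; then
        /etc/rc.d/snort restart
    else
        echo "new rules fail to parse, rolling back" >&2
        rm -rf "$SNORT_DIR/rules"
        mv "$SNORT_DIR/rules.prev" "$SNORT_DIR/rules"
        return 1
    fi
}

# Only run the update when invoked explicitly, e.g. from cron:
#   sh update-rules.sh --run
if [ "${1-}" = "--run" ]; then
    update_sensor
fi
```

A checksum fetched from the same plain-HTTP server only catches truncated or corrupted downloads; it does not authenticate the ruleset against anyone who can change files on that server or sit between it and the sensors. Authenticating the ruleset needs a signature checked against a key that lives on the sensor, which neither the post nor this example provides.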
Current thread:
- Updating Snort Rules...Made Easy..sort of Dr SuSE (Oct 09)
- PGP Sign snortrules? [was: Re: Updating Snort Rules...Made Easy..sort of] Jason Haar (Oct 11)
- <Possible follow-ups>
- Re: Updating Snort Rules...Made Easy..sort of auto241065 (Oct 10)
- Re: Updating Snort Rules...Made Easy..sort of James Hoagland (Oct 16)