Snort mailing list archives
Re: Updating rules...
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 10 Dec 2002 17:01:16 +0100
In order to reduce my network traffic I'll send it to the mailing list. There seem to be more people out there interested in this. Please forgive me my bad scripting habits... ;)

Regards,
Edin

PS: Please, people, read the script carefully before using it. Some things may be done better - I admit that ;). It's up to you to do so. Have fun and do not blame me if something went wrong. My advice is not to let crond run it for you. Set all parameters to fit your system. I was running it on Red Hat 7.3. You'll need wget too. Set up a user and group snort first.

#!/bin/sh
###############################################################################
#
# Script to download and install new IDS signatures.
#
###############################################################################

MAILTO="admin () mydomain de"
MACHINE="machine1"
#set -x

SIGS_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz"
MD5_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz.md5"

WGET="/usr/bin/wget"
#WGET_PARAMS="-N"
WGET_PARAMS="-t 3 -T 5 -N -a /etc/snort/snort.log -P /etc/snort"
# Wget parameters:
#
# -t : Retries (here 3)
# -N : Get the file only if newer
# -a : Append the log messages to the specified file
# -P : Save the file to the specified directory
# -T : Timeout

ECHO="/bin/echo"
TAR="/bin/tar"
KILL="/bin/kill"
PIDOF="/sbin/pidof"
SNORT="/usr/local/bin/snort"
SNORTUSER="snort"
SNORTGROUP="snort"
KILLSIG="SIGUSR1"
SERVICE="/sbin/service"

# Where is the Snort configuration dir:
RULESPATH="/etc/snort/snortrules"
SNORTCFGPATH="/etc/snort"

MD5SUM="/usr/bin/md5sum"
MD5SUM_PARAMS=""

# The list of sensor interfaces, separated by blanks
IFACES="eth0"

###############################################################################
#                          F U N C T I O N S                                  #
###############################################################################

###############################################################################
# The function that starts Snort for all defined interfaces on the system.   #
#                                                                             #
# To extend it, two things have to be done:                                   #
#   1. Extend the list of interfaces (IFACES)                                 #
#   2. Create the configuration file /etc/snort/snort.conf_ethX               #
#                                                                             #
###############################################################################
restartsnort() {
    # Restarting Snort for all interfaces
    for i in $IFACES; do
        "$ECHO" "Setting up Snort for interface $i"
        "$ECHO" "Restarting Snort..."
        #/usr/bin/killall snort
        if [ -f /var/run/snort_"$i".pid ]
        then
            # Take the PID of this interface's sensor from its PID file;
            # pidof would return every Snort PID on a multi-interface host
            PID=$(cat /var/run/snort_"$i".pid)
            if [ -z "$PID" ]
            then
                "$SERVICE" snort restart
            else
                "$ECHO" "Restarting Snort running with PID $PID and reloading the rules..."
                "$KILL" -s "$KILLSIG" "$PID"
            fi
        else
            "$ECHO" "No PID file for interface $i found under /var/run"
        fi
        "$ECHO" "Starting Snort"
        "$SNORT" -a -b -c "$SNORTCFGPATH"/snort.conf_"$i" -I -D -v -i "$i" \
            -u "$SNORTUSER" -g "$SNORTGROUP"
        PID=$(cat /var/run/snort_"$i".pid)
        "$ECHO" "Snort running now with PID $PID"
    done
}

###############################################################################
# The function that checks whether and how Snort is running on the system    #
###############################################################################
checksnort() {
    SNORTS=$("$PIDOF" "$SNORT" | wc -w | awk '{print $1}')
    SNORT_PIDS=$(/usr/bin/find /var/run -name 'snort_eth[0-9].pid' -ls | wc -l | awk '{print $1}')
    "$ECHO" "Snort instances counted: $SNORTS"
    "$ECHO" "Snort PID files found: $SNORT_PIDS"

    # Case 1: Snort is not running or the PID file is missing
    if [ "$SNORTS" = "0" -o "$SNORT_PIDS" = "0" ]
    then
        "$ECHO" "Snort seems to be down or no PID file there..."
        "$ECHO" "Restarting Snort for all Interfaces..."
        "$SERVICE" snort restart
    fi

    # Case 2: the number of instances differs from the number of PID files
    if [ "$SNORTS" -gt "$SNORT_PIDS" ]
    then
        "$ECHO" "More Snort instances than found PID files..."
        "$ECHO" "Something is wrong out there..."
        "$ECHO" "Stopping all Snort processes..."
        # /usr/bin/killall -9 snort
        "$SERVICE" snort stop
        "$ECHO" "Hold on... Restarting Snort now..."
        "$SERVICE" snort restart
    fi

    # Case 3: the number of instances matches the number of PID files (nothing to do)
}

###############################################################################
###############################################################################
getrules() {
    # Get the rules, since we know that they are newer...
    $WGET $WGET_PARAMS $SIGS_URL1
    $WGET $WGET_PARAMS $MD5_URL1

    "$ECHO" "Readout the checksum..."
    # Read out the MD5 sum
    if [ -f /etc/snort/snortrules-stable.tar.gz.md5 ]
    then
        MD5SUM1=$(grep MD5 /etc/snort/snortrules-stable.tar.gz.md5 | awk '{print $4}')
    else
        "$ECHO" "Error! No MD5-file found"
        exit 1
    fi

    "$ECHO" "Generating our own checksum..."
    # Compute the MD5 sum
    if [ -f /etc/snort/snortrules-stable.tar.gz ]
    then
        MD5SUM2=$("$MD5SUM" $MD5SUM_PARAMS /etc/snort/snortrules-stable.tar.gz | awk '{print $1}')
    else
        "$ECHO" "Error! No rules file found"
        exit 1
    fi

    if [ "$MD5SUM1" = "$MD5SUM2" ]
    then
        "$ECHO" "The MD5-Checksum fits!"
        "$ECHO" "$MD5SUM1"
        "$ECHO" "$MD5SUM2"
        "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
        "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
        "$ECHO" "Proceeding..."
        # /bin/sleep 1
    else
        "$ECHO" "Error! Wrong checksum! Aborting!"
        "$ECHO" "Install rules manually!"
        "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
        "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
        exit 1
    fi

    # Extract the new rules
    if [ -f "/etc/snort/snortrules-stable.tar.gz" ]
    then
        "$ECHO" "Extracting Snort rules..."
        "$TAR" -xzvf /etc/snort/snortrules-stable.tar.gz -C /etc/snort
    else
        "$ECHO" "Lost the file! Something is wrong!"
        "$ECHO" "Aborting!!"
        exit 1
    fi

    # Deleting old rules
    # Does the directory exist at all?
    if [ -d "$RULESPATH" ]
    then
        # /bin/rm "$RULESPATH"/*.rules
        /bin/mv -f /etc/snort/rules/*.rules "$RULESPATH"
        /bin/cp -f /etc/snort/rules/classification.config "$SNORTCFGPATH"
    else
        "$ECHO" "Missing rules-directory!"
        "$ECHO" "Aborting!"
        exit 1
    fi

    # Cleaning up...
    /bin/rm -rf /etc/snort/rules
    # Give everything to root
    /bin/chown root:root ${RULESPATH}/*
}

###############################################################################
#                                M A I N                                      #
###############################################################################

# Error handling first
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" -P /etc/snort 2>&1)
ERR_MSG=$("$ECHO" "$FCHK" | egrep -oi "failed|error")
# Log the error message explicitly
"$ECHO" "$FCHK" >> /etc/snort/snort.log
# If there is a word "failed" or "error" we break..
if [ "$("$ECHO" "$FCHK" | grep -i "failed")" ] || \
   [ "$("$ECHO" "$FCHK" | grep -i "error")" ]
then
    "$ECHO" "Error getting the files. The server seems to be not available."
    "$ECHO" "Error message:"
    "$ECHO" "$FCHK"
    "$ECHO" "Aborting!"
    exit 0
fi

"$ECHO" "Checking/getting files..."
# First extract the wget message
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" \
    -P /etc/snort 2>&1 | grep "not retrieving")
/bin/date >> /etc/snort/snort.log
"$ECHO" "Wget-output:"
"$ECHO" $FCHK
# Logging what we've done and when
"$ECHO" "$FCHK" >> /etc/snort/snort.log

if [ -z "$FCHK" ]
then
    "$ECHO" "The files on the server seem to be newer."
    "$ECHO" "We will get them now..."
    getrules
    # Reload rules
    "$SERVICE" snort reload
    # restartsnort
else
    # "$ECHO" "The signature files on the server are older or not newer."
    "$ECHO" "Doing nothing for now..."
    "$ECHO" "Checking if Snort is running...."
    checksnort
    exit 0
fi

# Send Email
"$ECHO" -e "`ls -lA "$RULESPATH"`\n\nSnort running with PID $("$PIDOF" "$SNORT")" | \
    mail -s "Reloaded Snort signatures on $MACHINE" "$MAILTO"

###############################################################################
###############################################################################
exit 0
#EOF

Edin Dizdarevic wrote:
Hello,

Tobias Rice wrote:
[...]
I've heard something about a script that connects to snort.org (I'm assuming), gets the latest rules, updates your sensor, and gives you a report.

I've written such a shell script; I can email it to you if you wish. It gets the signatures from www.snort.org and the MD5 file, generates its own MD5 sum and compares it with the one extracted from the downloaded file. After that it installs (overwrites) the signatures, kills Snort with the signal SIGUSR1 and sends you an email.

Regards,
Edin
--
Edin Dizdarevic
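As an added example (not part of Edin's script or the thread), here is the verify-then-stage step a sensor operator would want in front of getrules(): the checksum is parsed as a 32-hex-digit token rather than the fourth whitespace field, so both the BSD-style "MD5 (file) = hash" line the script expects and the GNU "hash  file" style work, and the archive is unpacked into a scratch directory so a corrupt or unexpected tarball never touches the live rules directory. Note that a checksum fetched from the same server only catches a truncated or corrupted download, not a substituted archive; the function names and the constructed test archive are my own, and GNU coreutils md5sum and tar are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded rules
# tarball against its .md5 file and stage the extraction before anything
# reaches the live rules directory.

# verify_md5 TARBALL MD5FILE -> returns 0 only if the checksums match
verify_md5() {
    tarball=$1
    md5file=$2
    if [ ! -f "$tarball" ] || [ ! -f "$md5file" ]; then
        return 1
    fi
    # First 32-hex-digit token, whichever md5 file layout the server uses
    expected=$(tr 'A-F' 'a-f' < "$md5file" | grep -oE '[0-9a-f]{32}' | head -n 1)
    if [ -z "$expected" ]; then
        return 1        # no parsable hash at all: treat as a mismatch
    fi
    actual=$(md5sum "$tarball" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# stage_rules TARBALL DESTDIR -> unpack into a scratch directory and copy the
# *.rules files into DESTDIR only if the archive really carries a rules/ tree.
# Returns 1 (leaving DESTDIR untouched) on a corrupt or unexpected archive.
stage_rules() {
    tarball=$1
    dest=$2
    tmp=$(mktemp -d) || return 1
    if tar -xzf "$tarball" -C "$tmp" 2>/dev/null && [ -d "$tmp/rules" ] \
        && mkdir -p "$dest" && cp -f "$tmp"/rules/*.rules "$dest"/; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# update_rules TARBALL MD5FILE DESTDIR -> both steps chained, the way the
# script's getrules() would run them before "$SERVICE" snort reload
update_rules() {
    verify_md5 "$1" "$2" || return 1
    stage_rules "$1" "$3"
}
```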
Current thread:
- Updating rules... Tobias Rice (Dec 09)
- Re: Updating rules... Adrian Peters (Dec 09)
- Re: Updating rules... Edin Dizdarevic (Dec 10)
- Re: Updating rules... Edin Dizdarevic (Dec 10)