
Re: Updating rules...


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 10 Dec 2002 17:01:16 +0100


In order to reduce my network traffic I'll send it to the
mailing list. There seem to be more people out there interested in
this. Please forgive me my bad scripting habits... ;)

Regards,

Edin_

PS: Please, people, read the script carefully before using it. Some
things may be done better - I admit that ;). It's up to you to do so.
Have fun and do not blame me if something goes wrong. My advice is not
to let crond run it for you.

Set all parameters to fit your system. I was running it on Red Hat
7.3. You'll need wget too. Set up a user and group snort first.



#!/bin/sh

###############################################################################
#
# Das Skript zum Herunterladen und installieren neuer IDS-Signaturen.
#
###############################################################################

# --- Notification ------------------------------------------------------------
MAILTO="admin () mydomain de"   # recipient of the "rules reloaded" mail
MACHINE="machine1"              # sensor name used in the mail subject

#set -x

# --- Where the rules archive and its checksum file live ----------------------
# Both files are fetched over plain HTTP from the same host; the checksum
# comparison done later therefore catches transfer corruption, not tampering.
SIGS_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz"
MD5_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz.md5"

# --- wget --------------------------------------------------------------------
WGET="/usr/bin/wget"
#WGET_PARAMS="-N"
# -t 3 : retries           -T 5 : timeout (seconds)
# -N   : only if newer     -a   : append log to file     -P : save directory
WGET_PARAMS="-t 3 -T 5 -N -a /etc/snort/snort.log -P /etc/snort"

# --- Tools -------------------------------------------------------------------
ECHO="/bin/echo"
TAR="/bin/tar"
KILL="/bin/kill"
PIDOF="/sbin/pidof"
MD5SUM="/usr/bin/md5sum"
MD5SUM_PARAMS=""

# --- Snort -------------------------------------------------------------------
SNORT="/usr/local/bin/snort"
SNORTUSER="snort"
SNORTGROUP="snort"
KILLSIG="SIGUSR1"
SERVICE="/sbin/service"

# Snort configuration directory and the rules directory inside it
RULESPATH="/etc/snort/snortrules"
SNORTCFGPATH="/etc/snort"

# Sensor interfaces, separated by blanks
IFACES="eth0"

###############################################################################
# F U N C T I O N S #
###############################################################################


###############################################################################
# Die Funktion, die Snort fuer alle def. Interfaces auf dem System startet
#
# Um sie zu erweitern muss man zwei Dinge tun:
# 1. Die Parameterliste von Interfaces erweitern
# 2. Das Konfigurationsfile unter /etc/snort/snort.conf_ethX anlegen
#
###############################################################################

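restartsnort() {
# Restart (or start) Snort on every interface listed in IFACES.
#
# For each interface:
#   - if /var/run/snort_<iface>.pid exists and snort processes are running,
#     every such process is sent KILLSIG.  NOTE(review): the author expects
#     this signal to reload the rules — confirm that on the installed Snort
#     version before relying on it;
#   - if the PID file exists but no snort process runs, the service is
#     restarted through the init script;
#   - if there is no PID file, a fresh daemon is started for the interface
#     with /etc/snort/snort.conf_<iface>.
# A new daemon is started only in the last case; starting one after a
# signal or service restart would leave two instances on one interface.
#
# Globals read: IFACES, ECHO, PIDOF, SNORT, SERVICE, KILL, KILLSIG,
#               SNORTCFGPATH, SNORTUSER, SNORTGROUP
# Globals written: PID
for i in $IFACES; do
        "$ECHO" "Setting up Snort for interface $i"
        "$ECHO" "Restarting Snort..."
        #/usr/bin/killall snort
        if [ -f /var/run/snort_"$i".pid ]
        then
                PID=$("$PIDOF" "$SNORT")
                if [ -z "$PID" ]
                then
                        "$SERVICE" snort restart
                else
                        "$ECHO" "Restarting Snort running with PID $PID and reloading the rules..."
                        # pidof may return several PIDs; signal each one
                        # instead of passing the whole list as one argument.
                        for p in $PID; do
                                "$KILL" -s "$KILLSIG" "$p"
                        done
                fi
        else
                "$ECHO" "No PID file for interface $i found under /var/run"
                "$ECHO" "Starting Snort"
                "$SNORT" -a -b -c "$SNORTCFGPATH/snort.conf_$i" -I -D -v -i "$i" -u "$SNORTUSER" -g "$SNORTGROUP"
        fi
        # -D daemonises, so the PID file may not be written yet right after
        # a start; do not let a missing file abort the loop.
        if [ -f /var/run/snort_"$i".pid ]
        then
                PID=$(cat /var/run/snort_"$i".pid)
                "$ECHO" "Snort running now with PID $PID"
        else
                "$ECHO" "Warning: no PID file for interface $i yet"
        fi
done
}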

###############################################################################
# Die Funktion zum ueberpruefen, ob und wie Snort auf dem System laeuft #
###############################################################################

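checksnort() {
# Compare the number of running snort processes with the number of
# /var/run/snort_ethN.pid files and repair obvious mismatches through the
# init script.  Only interfaces named eth0..eth9 are counted by the find
# pattern below.
#
# Globals read: PIDOF, SNORT, ECHO, SERVICE
# Globals written: SNORTS, SNORT_PIDS
SNORTS=$("$PIDOF" "$SNORT" | wc -w | awk '{print $1}')
SNORT_PIDS=$(/usr/bin/find /var/run -name 'snort_eth[0-9].pid' -ls | wc -l | awk '{print $1}')
"$ECHO" "Snort instances counted:  $SNORTS"
"$ECHO" "Snort PID files found:    $SNORT_PIDS"

# Case 1: Snort is not running or there is no PID file.  The counts taken
# above are stale once the service has been restarted, so return here
# instead of falling through into case 2 (which would stop it again).
if [ "$SNORTS" = "0" ] || [ "$SNORT_PIDS" = "0" ]
then
        "$ECHO" "Snort seems to be down or no PID file there..."
        "$ECHO" "Restarting Snort for all Interfaces..."
        "$SERVICE" snort restart
        return
fi

# Case 2: more running instances than PID files
if [ "$SNORTS" -gt "$SNORT_PIDS" ]
then
        "$ECHO" "More Snort instances than found PID files..."
        "$ECHO" "Something is wrong outthere..."
        "$ECHO" "Stopping all Snort processes..."
#       /usr/bin/killall -9 snort
        "$SERVICE" snort stop
        "$ECHO" "Hold on... Restarting Snort now..."
        "$SERVICE" snort restart
        return
fi

# Case 3: the counts agree — nothing to do.  (Fewer instances than PID
# files, i.e. a stale PID file, is not treated specially and lands here.)

}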

###############################################################################
###############################################################################

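getrules() {
# Fetch the stable rules archive and its .md5 file, verify the archive
# against the published checksum, unpack it under /etc/snort and move the
# *.rules files into RULESPATH.  Any failure exits the whole script with
# status 1.
#
# NOTE(review): the checksum file travels over the same plain-HTTP channel
# as the archive, so a matching checksum shows the transfer was not
# corrupted; it does not authenticate the rules.
#
# Globals read: WGET, WGET_PARAMS, SIGS_URL1, MD5_URL1, ECHO, MD5SUM,
#               MD5SUM_PARAMS, TAR, RULESPATH, SNORTCFGPATH
# Globals written: MD5SUM1, MD5SUM2

# Get the rules, since we know that they are newer...
# WGET_PARAMS is a blank-separated option list and must stay unquoted.
# shellcheck disable=SC2086
$WGET $WGET_PARAMS "$SIGS_URL1"
# shellcheck disable=SC2086
$WGET $WGET_PARAMS "$MD5_URL1"

"$ECHO" "Readout the checksum..."
# Read the published checksum: field 4 of the line containing "MD5".
# Presumably the file looks like "MD5 (name) = <hash>" — verify against
# the current format of the file on the server.
if [ -f /etc/snort/snortrules-stable.tar.gz.md5 ]
then
        MD5SUM1=$(grep MD5 /etc/snort/snortrules-stable.tar.gz.md5 | awk '{print $4}')
else
        "$ECHO" "Error! No MD5-file found"
        exit 1
fi
# An unparseable checksum file must not be reported as a "wrong checksum"
if [ -z "$MD5SUM1" ]
then
        "$ECHO" "Error! Could not read a checksum from the MD5-file"
        exit 1
fi

"$ECHO" "Generating our own checksum..."
# Compute our own checksum with the configured md5sum binary
if [ -f /etc/snort/snortrules-stable.tar.gz ]
then
        # shellcheck disable=SC2086
        MD5SUM2=$("$MD5SUM" $MD5SUM_PARAMS /etc/snort/snortrules-stable.tar.gz | awk '{print $1}')
else
        "$ECHO" "Error! No rules file found"
        exit 1
fi

if [ "$MD5SUM1" = "$MD5SUM2" ]
then
        "$ECHO" "The MD5-Checksum fits!"
        "$ECHO" "$MD5SUM1"
        "$ECHO" "$MD5SUM2"
        "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
        "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
        "$ECHO" "Proceeding..."
#       /bin/sleep 1
else
        "$ECHO" "Error! Wrong checksum! Aborting!"
        "$ECHO" "Install rules manually!"
        "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
        "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
        exit 1
fi

# Extract the new rules
if [ -f "/etc/snort/snortrules-stable.tar.gz" ]
then
        # Refuse archives whose member names are absolute or contain "..",
        # so that nothing can be written outside /etc/snort.
        if "$TAR" -tzf /etc/snort/snortrules-stable.tar.gz | grep -Eq '^/|(^|/)\.\.(/|$)'
        then
                "$ECHO" "Error! Archive contains unsafe paths! Aborting!"
                exit 1
        fi
        "$ECHO" "Extracting Snort rules..."
        "$TAR" -xzvf /etc/snort/snortrules-stable.tar.gz -C /etc/snort
else
        "$ECHO" "Lost the file! Something is wrong!"
        "$ECHO" "Aborting!!"
        exit 1
fi

# Install the new rules over the old ones.  Old *.rules files that are no
# longer part of the archive stay behind in RULESPATH, because the rm line
# is commented out.
if [ -d "$RULESPATH" ] && [ -d /etc/snort/rules ]
then
#       /bin/rm "$RULESPATH"/*.rules
        /bin/mv -f /etc/snort/rules/*.rules "$RULESPATH"
        /bin/cp -f /etc/snort/rules/classification.config "$SNORTCFGPATH"
else
        "$ECHO" "Missing rules-directory!"
        "$ECHO" "Aborting!"
        exit 1
fi

# Cleaning up...
/bin/rm -rf /etc/snort/rules
# Give everything to root
/bin/chown root:root "$RULESPATH"/*
}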

###############################################################################
# M A I N #
###############################################################################

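# Error handling first

# Probe the server without downloading (wget --spider).  The complete
# output is kept: it is logged, scanned for errors, and then used to decide
# whether the server copy is newer, so wget runs only once here.
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" -P /etc/snort 2>&1)

# Log the error message explicitly
"$ECHO" "$FCHK" >> /etc/snort/snort.log

# If there is a word "failed" or "error" we break.  Exit non-zero so that
# a scheduler or wrapper can tell this apart from a successful run.
if "$ECHO" "$FCHK" | grep -qi -e "failed" -e "error"
then
        "$ECHO" "Error getting the files. The server seems to be not available."
        "$ECHO" "Error message:"
        "$ECHO" "$FCHK"
        "$ECHO" "Aborting!"
        exit 1
fi

"$ECHO" "Checking/getting files..."
# wget -N reports "not retrieving" when the local copy is not older than
# the server copy; no such line means the server copy is newer (or there is
# no local copy yet).
FCHK=$("$ECHO" "$FCHK" | grep "not retrieving")

/bin/date >> /etc/snort/snort.log

"$ECHO" "Wget-output:"
"$ECHO" "$FCHK"

# Logging what we've done and when
"$ECHO" "$FCHK" >> /etc/snort/snort.log
if [ -z "$FCHK" ]
then
        "$ECHO" "The files on the server seem to be newer."
        "$ECHO" "We will get them now..."
        getrules
        # Reload rules
        "$SERVICE" snort reload
#       restartsnort
else
# "$ECHO" "The signature files on the server are older or not newer."
        "$ECHO" "Doing nothing for now..."
        "$ECHO" "Checking if Snort is running...."
        checksnort
        exit 0
fi

# Send Email.  printf is used instead of "echo -e": under /bin/sh the echo
# builtin does not portably honour -e.
{
        ls -lA "$RULESPATH"
        printf '\n\nSnort running with PID %s\n' "$("$PIDOF" "$SNORT")"
} | mail -s "Reloaded Snort signatures on $MACHINE" "$MAILTO"


###############################################################################
###############################################################################

exit 0

#EOF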





Edin Dizdarevic wrote:

Hello,

Tobias Rice wrote:

[...]

I've heard something about a script that connects to snort.org (I'm
assuming), gets the latest rules, updates your sensor, and gives you a
report.


I've written such a shell script; I can email it to you if you wish.
It gets the signatures from www.snort.org and the MD5 file, generates its
own MD5 sum and compares it with the one extracted from the downloaded
file. After that it installs (overwrites) the signatures, kills snort
with the signal SIGUSR1 and sends you an email.

Regards,

Edin


--
Edin Dizdarevic




