Snort mailing list archives

Updating Rules Win2K solutions


From: "Scot ~~~" <scotw () hotmail com>
Date: Mon, 02 Jun 2003 15:14:18 -0500

There are two methods I use to update my sensors, depending on the type of traffic being monitored, perhaps one of the solutions below may apply to your environment. If not, then don't apply them.

1. Identify updated rules and add them manually (copy/paste), depending on whether or not you require the current signatures. For example, on the Windows platform you can use fc.exe to compare the old and current rulesets for changes. See example below:

C:\Snort\rules>fc /L pop3.rules c:\snort\rules\update\pop3.rules
Comparing files pop3.rules and C:\SNORT\RULES\UPDATE\POP3.RULES
***** pop3.rules
***** C:\SNORT\RULES\UPDATE\POP3.RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|<snip>; classtype:attempted-admin; sid:288; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"|<snip>; classtype:attempted-admin; sid:289; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|<snip>; reference:bugtraq,830; reference:cve,CAN-1999-0822; classtype:attempted-admin; sid:290; rev:5;)
*****

You could then make a decision based on the new rules whether or not you would like to add them to the current pop3.rules file.

2. Use a win32 cmd shell script to grab the current .rules files and automatically overwrite the old ones. I would not recommend this but if it works for you, do it. If it does not work for you, then don't do it.

For those Windows snorters who do not wish to utilize cygwin there is another solution I would present. I threw together the solution below for those interested parties.

1. Get the GNU utilities for Windows at: http://unxutils.sourceforge.net/UnxUtils.zip . This zip file is about 3.2MB total. Although we only require the wget.exe, gzip.exe, and tar.exe files you may find the others useful in the future.

2. Open the UnxUtils.zip file and extract wget.exe, gzip.exe, and tar.exe into your %systemdrive%\snort directory.

Note: %systemdrive% may be C:, D:, E:, F: etc… you know.

Also, you don’t have to put the files in the snort directory, I just like to keep my eggs in the snort basket. If you don't like the way I do it, then do it differently.

By default the compressed zip file will want to extract the files into the \usr\local\wbin directory. If this is the case you can just copy the extracted files over to %systemdrive%\snort after extracting it.

3. Create a new file called Snortupdate.bat
4. Edit the snortupdate.bat file, copy and paste the text below into the file.
5. Save the snortupdate.bat file and run it.

Start copy below this line:


::---------------------------------------------------------------------------------------
:: Snort Rule File Updater for Win32 CMD Shell
:: Created Aug 2001
:: Updated June 2003
:: No Copyright, No Warranty, this is a script file... ahhh, do whatever you want with it.
:: Thrown together over a Diet Cherry Coke by Scot Wiedenfeld
:: Remember to watch and support Enterprise, it's the only Star Trek we have left.
::
:: If you want to schedule this to run as a weekly shell script you will want to remove the
:: "pause" statement and also the "Set /P" line should be replaced with a static variable.
::
::
::
:: Remember, always backup any custom rules you have and give your custom .rules file a
:: name other than those used by the typical .rules files. You don't want to inadvertently
:: write over any custom blood-en-sweat rules you've created. Also be aware that if you want
:: to run the latest and greatest you will also need to maintain your snort.conf file along
:: with the binary "snort.exe" build. Remember, if you've tweaked any of your .rules files they
:: will be copied over when this script is run.
::
:: I would recommend running this script manually and then verifying functionality after the
:: update.
::
:: If you want to automate everything here are a couple more tips
::
:: Make sure you have snort installed to run as a service, you can use either of the following:
::
:: /service /install or use instsrv.exe and srvany.exe out of the NT/2K resource kit.
::
:: You can do a "net stop snort" and "net start snort" before and after the script below executes.
::
:: Use %errorlevel% EQU to verify that snort restarts without any errors
::
@Echo off
echo.
echo Warning, this script will get the current set of .rules files and
echo write over your present .rules files if they have the same name
echo as the updated .rules files. Please review script prior to executing.
echo.
pause
if exist snortrules-current.tar.gz del snortrules-current.tar.gz
if exist snortrules-current.tar del snortrules-current.tar
if exist snortrules-stable.tar.gz del snortrules-stable.tar.gz
if exist snortrules-stable.tar del snortrules-stable.tar
if NOT exist %systemdrive%\snort\tmp_rules mkdir %systemdrive%\snort\tmp_rules
Set /P rulepath=Enter the exact path to your rules directory, e.g. C:\snort\rules:
:: Try the stable ruleset first, then the current one; log and stop if both downloads fail
wget http://www.snort.org/dl/rules/snortrules-stable.tar.gz
if %errorlevel% EQU 0 goto NEXT
wget http://www.snort.org/dl/rules/snortrules-current.tar.gz
if %errorlevel% EQU 0 goto NEXT
Echo %time% %date% wget error, check url or inet connectivity>>Wget_Error.log
goto eof
:NEXT
:: Unpack whichever tarball was fetched into tmp_rules, then remove the tar file
start /wait gzip -d *.gz
if exist snortrules-current.tar tar -xv --directory=/snort/tmp_rules <snortrules-current.tar
if exist snortrules-stable.tar tar -xv --directory=/snort/tmp_rules <snortrules-stable.tar
if exist snortrules-current.tar del /Q snortrules-current.tar
if exist snortrules-stable.tar del /Q snortrules-stable.tar
:: Overwrite the installed .rules files; only clean up tmp_rules if the copy succeeded
Copy /A /V /Y %systemdrive%\snort\tmp_rules\rules\*.rules %rulepath%
if %errorlevel% EQU 0 (
    RD /Q /S %systemdrive%\snort\tmp_rules
) else (
    Echo %date% %time% Snort Update Copy Error >>%systemdrive%\snort\Snort_Update_err.log
)
set rulepath=
:eof
exit
::------------------------------------------------------------------------------------

End Copy above this line:

Live Long and Prosper
Scot Wiedenfeld








-----------------------------------------------------------
"It's all about the Pentium"
                             -Weird AL
-----------------------------------------------------------
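The fc.exe comparison in method 1 shows textual differences, and the batch script's Copy /Y overwrites any tweaked .rules file, which the script header warns about. The following is an added example, not code from the original post or from the Snort project, that does both checks by sid and rev instead of by raw text: it lists rules that are new, dropped or rev-bumped between an installed and a downloaded .rules file, flags rules whose installed text differs from upstream at the same rev (a local edit that a blind copy would overwrite), and builds a merged file that keeps those edits. The sample rule text is constructed for the example (the sids echo the pop3.rules entries quoted above, the content strings are placeholders), and the sid >= 1,000,000 local-rule range is the Snort convention assumed for deciding which dropped rules are local.

```python
"""Compare old and new Snort .rules files by sid/rev rather than by raw text.

Added example (not from the original post or from the Snort project).
"""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1000000  # Snort convention: sids >= 1,000,000 are reserved for local rules


def parse_rules(text):
    """Return {sid: (rev, rule_line)} for every active rule in text.
    Commented-out (disabled) rules are skipped, and a rule without a sid is
    ignored because nothing can track it across updates."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        rev = REV_RE.search(line)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0, line)
    return rules


def diff_rules(old_text, new_text):
    """Classify rules by sid into added / removed / rev_changed / locally_modified."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    report = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "rev_changed": [],
        "locally_modified": [],
    }
    for sid in sorted(old.keys() & new.keys()):
        (old_rev, old_line), (new_rev, new_line) = old[sid], new[sid]
        if old_rev != new_rev:
            report["rev_changed"].append((sid, old_rev, new_rev))
        elif old_line != new_line:
            # same sid and rev but different text: the installed copy was edited
            report["locally_modified"].append(sid)
    return report


def merge_rules(old_text, new_text):
    """Build the file to install: the upstream text, but with locally edited
    rules kept as edited, and local-range rules absent upstream appended."""
    old = parse_rules(old_text)
    report = diff_rules(old_text, new_text)
    keep = {sid: old[sid][1] for sid in report["locally_modified"]}
    out = []
    for line in new_text.splitlines():
        sid = SID_RE.search(line) if not line.lstrip().startswith("#") else None
        out.append(keep.get(int(sid.group(1)), line) if sid else line)
    out.extend(old[sid][1] for sid in report["removed"] if sid >= LOCAL_SID_MIN)
    return "\n".join(out) + "\n"


# Constructed samples. OLD is the installed file (sid 288 tweaked locally with
# nocase, plus one custom rule in the local sid range); NEW is the download.
OLD_RULES = """\
# installed pop3.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"PLACEHOLDER"; nocase; classtype:attempted-admin; sid:288; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"PLACEHOLDER"; classtype:attempted-admin; sid:289; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"LOCAL pop3 custom rule"; content:"PLACEHOLDER"; sid:1000001; rev:1;)
"""
NEW_RULES = """\
# downloaded pop3.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"PLACEHOLDER"; classtype:attempted-admin; sid:288; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"PLACEHOLDER"; classtype:attempted-admin; sid:289; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"PLACEHOLDER"; classtype:attempted-admin; sid:290; rev:5;)
"""

if __name__ == "__main__":
    for kind, items in diff_rules(OLD_RULES, NEW_RULES).items():
        print(f"{kind:17s} {items}")
    print(merge_rules(OLD_RULES, NEW_RULES))
```

Run against the constructed samples, the report shows sid 290 as added, sid 289 as rev 4 to 5, sid 288 as locally modified, and the custom sid 1000001 as absent upstream; the merged output keeps the edited 288 line and re-appends the custom rule, which is the outcome the post's manual copy/paste step is meant to protect. Keying on sid rather than line text is what makes the check robust to upstream reordering and whitespace changes that fc reports as differences.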
