3.19 Where does one obtain new/modified rules? How do you merge them in?
New rules can be downloaded via CVS (see the FAQ). There are some scripts/programs to help you with rule management:
There is also this script that might be useful. Review it before running it unattended: it fetches the rules tarball and its MD5 file over plain HTTP from the same server and compares the two, which only catches a corrupted download, not a substituted one, and it extracts the archive and chowns the result as root.
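#!/bin/sh
###########################################################################
#
# Script to download and install new IDS signatures (Snort rules).
#
# Security notes (review):
#  * Both URLs below are plain HTTP, and the .md5 file is fetched from the
#    same server as the tarball.  The checksum check in getrules() therefore
#    only detects a corrupted transfer, not a substituted archive.  Use an
#    HTTPS mirror or a signature verified out-of-band if one is available.
#  * The script must run as root (it writes under /etc/snort and chowns the
#    rules to root:root).  Keep the variables below under root control too:
#    WGET and WGET_PARAMS are expanded unquoted into the download command.
#
###########################################################################
# Recipient of the "rules reloaded" mail and the sensor name used in its subject.
MAILTO="admin@mydomain.de"
MACHINE="machine1"
# Uncomment to trace every command (useful when debugging a cron run).
#set -x
# Rules tarball and its MD5 file.
SIGS_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz"
MD5_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz.md5"
WGET="/usr/bin/wget"
#WGET_PARAMS="-N"
# Wget parameters:
#   -t : retries (here 3)
#   -T : timeout in seconds (here 5)
#   -N : get the file only if it is newer than the local copy
#   -a : append log messages to the given file
#   -P : save the file to the given directory
WGET_PARAMS="-t 3 -T 5 -N -a /etc/snort/snort.log -P /etc/snort"
ECHO="/bin/echo"
TAR="/bin/tar"
KILL="/bin/kill"
PIDOF="/sbin/pidof"
SNORT="/usr/local/bin/snort"
SNORTUSER="snort"
SNORTGROUP="snort"
# Signal sent to a running Snort by restartsnort().
# NOTE(review): on Snort 2.x SIGUSR1 dumps statistics and SIGHUP restarts;
# confirm this matches the Snort version in use before enabling restartsnort.
KILLSIG="SIGUSR1"
SERVICE="/sbin/service"
# Snort rules directory and configuration directory.
RULESPATH="/etc/snort/snortrules"
SNORTCFGPATH="/etc/snort"
MD5SUM="/usr/bin/md5sum"
MD5SUM_PARAMS=""
# The list of sensor interfaces, separated by blanks.
IFACES="eth0"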
###########################################################################
####
# F U N C T I O N S
#
###########################################################################
####
###########################################################################
#
# The function that (re)starts Snort for every interface defined in IFACES.
#
# To add an interface you have to do two things:
#
# 1. Add the interface to the IFACES list.
#
# 2. Create its configuration file as /etc/snort/snort.conf_ethX.
#
###########################################################################
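restartsnort() {
  # Restart Snort on every interface listed in IFACES.
  #
  # For each interface: if a PID file exists, the running Snort processes
  # reported by pidof are sent KILLSIG (or "service snort restart" is used
  # when pidof finds nothing); afterwards a new daemon is started from
  # $SNORTCFGPATH/snort.conf_<iface>.
  #
  # NOTE(review): the start below is unconditional, so after the signal
  # branch two Snort instances may end up on one interface; confirm this is
  # intended before enabling the call in main.
  # NOTE(review): pidof returns every Snort process on the box, not only
  # the one for this interface (the per-interface PID file is not read here).
  #
  # Globals read:    IFACES ECHO PIDOF SNORT SERVICE KILL KILLSIG
  #                  SNORTCFGPATH SNORTUSER SNORTGROUP
  # Globals written: PID
  for iface in $IFACES; do
    "$ECHO" "Setting up Snort for interface $iface"
    "$ECHO" "Restarting Snort..."
    if [ -f /var/run/snort_"$iface".pid ]; then
      PID=$("$PIDOF" "$SNORT")
      if [ -z "$PID" ]; then
        "$SERVICE" snort restart
      else
        "$ECHO" "Restarting Snort running with PID $PID and reloading the rules..."
        # pidof may return several PIDs separated by blanks; signal each one
        # (passing the whole list as a single quoted argument makes kill fail).
        for onepid in $PID; do
          "$KILL" -s "$KILLSIG" "$onepid"
        done
      fi
    else
      "$ECHO" "No PID file for interface $iface found under /var/run"
    fi
    "$ECHO" "Starting Snort"
    # One command line; the original listing had it broken across two lines
    # without a continuation, so the -i/-u/-g options were never passed.
    "$SNORT" -a -b -c "$SNORTCFGPATH/snort.conf_$iface" -I -D -v \
      -i "$iface" -u "$SNORTUSER" -g "$SNORTGROUP"
    PID=$(cat /var/run/snort_"$iface".pid)
    "$ECHO" "Snort running now with PID $PID"
  done
}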
###########################################################################
#
# The function that checks whether, and how, Snort is running on the system.
#
###########################################################################
checksnort() {
  # Compare the number of running Snort processes with the number of
  # per-interface PID files in /var/run and restart the service when they
  # disagree.
  #
  # NOTE(review): only PID files named snort_eth0.pid .. snort_eth9.pid are
  # counted, regardless of what IFACES contains.
  #
  # Globals read:    PIDOF SNORT ECHO SERVICE
  # Globals written: SNORTS SNORT_PIDS
  running=$("$PIDOF" "$SNORT" | wc -w | awk '{print $1}')
  pidfiles=$(/usr/bin/find /var/run -name 'snort_eth[0-9].pid' -ls | wc -l | awk '{print $1}')
  SNORTS=$running
  SNORT_PIDS=$pidfiles
  "$ECHO" "Snort instances counted: $SNORTS"
  "$ECHO" "Snort PID files found: $SNORT_PIDS"
  # Case 1: nothing running, or no PID file at all -> restart everything.
  if [ "$SNORTS" = "0" ] || [ "$SNORT_PIDS" = "0" ]; then
    "$ECHO" "Snort seems to be down or no PID file there..."
    "$ECHO" "Restarting Snort for all Interfaces..."
    "$SERVICE" snort restart
  fi
  # Case 2: more processes than PID files -> stop everything, then restart.
  if [ "$SNORTS" -gt "$SNORT_PIDS" ]; then
    "$ECHO" "More Snort instances than found PID files..."
    "$ECHO" "Something is wrong outthere..."
    "$ECHO" "Stopping all Snort processes..."
    "$SERVICE" snort stop
    "$ECHO" "Hold on... Restarting Snort now..."
    "$SERVICE" snort restart
  fi
  # Case 3: the counts agree -> nothing to do.
}
###########################################################################
####
###########################################################################
####
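getrules() {
  # Download the stable rules tarball and its .md5 file, verify the checksum,
  # unpack the archive and install the *.rules files into RULESPATH and
  # classification.config into SNORTCFGPATH.  Exits 1 on any failure.
  #
  # Security notes:
  #  * The .md5 comes from the same HTTP server as the tarball, so the check
  #    catches a corrupted download but not a substituted one.
  #  * The archive is unpacked into a fresh temporary directory, not straight
  #    into /etc/snort, so a hostile or malformed archive cannot overwrite
  #    snort.conf or anything else in the configuration directory; only
  #    rules/*.rules and rules/classification.config are installed.
  #
  # Globals read:    WGET WGET_PARAMS SIGS_URL1 MD5_URL1 ECHO TAR MD5SUM
  #                  MD5SUM_PARAMS RULESPATH SNORTCFGPATH
  # Globals written: MD5SUM1 MD5SUM2 RULES_TMP
  # WGET_PARAMS is intentionally unquoted: it holds several options.
  $WGET $WGET_PARAMS "$SIGS_URL1"
  $WGET $WGET_PARAMS "$MD5_URL1"
  "$ECHO" "Readout the checksum..."
  # Read the published checksum.  Expected line format is
  # "MD5 (snortrules-stable.tar.gz) = <hash>", so the hash is field 4.
  if [ -f /etc/snort/snortrules-stable.tar.gz.md5 ]; then
    MD5SUM1=$(grep MD5 /etc/snort/snortrules-stable.tar.gz.md5 | awk '{print $4}')
  else
    "$ECHO" "Error! No MD5-file found"
    exit 1
  fi
  # An empty value would never match anyway, but say why we are aborting.
  if [ -z "$MD5SUM1" ]; then
    "$ECHO" "Error! Could not read a checksum from the MD5-file"
    exit 1
  fi
  "$ECHO" "Generating our own checksum..."
  # Compute our own checksum; use the configured MD5SUM binary instead of
  # whatever md5sum is first in PATH.
  if [ -f /etc/snort/snortrules-stable.tar.gz ]; then
    MD5SUM2=$("$MD5SUM" $MD5SUM_PARAMS /etc/snort/snortrules-stable.tar.gz | awk '{print $1}')
  else
    "$ECHO" "Error! No rules file found"
    exit 1
  fi
  if [ "$MD5SUM1" = "$MD5SUM2" ]; then
    "$ECHO" "The MD5-Checksum fits!"
    "$ECHO" "$MD5SUM1"
    "$ECHO" "$MD5SUM2"
    "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
    "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
    "$ECHO" "Proceeding..."
  else
    "$ECHO" "Error! Wrong checksum! Aborting!"
    "$ECHO" "Install rules manually!"
    "$ECHO" "$MD5SUM1" >> /etc/snort/snort.log
    "$ECHO" "$MD5SUM2" >> /etc/snort/snort.log
    exit 1
  fi
  # Extract into a private temporary directory next to the target, so that
  # a failed extraction leaves no half-populated tree behind.
  RULES_TMP=$(mktemp -d /etc/snort/rules-unpack.XXXXXX) || {
    "$ECHO" "Error! Cannot create a temporary directory! Aborting!"
    exit 1
  }
  "$ECHO" "Extracting Snort rules..."
  if ! "$TAR" -xzvf /etc/snort/snortrules-stable.tar.gz -C "$RULES_TMP"; then
    "$ECHO" "Error! Extracting the rules failed! Aborting!"
    /bin/rm -rf "$RULES_TMP"
    exit 1
  fi
  # Install the new rules; the old *.rules in RULESPATH are overwritten.
  if [ -d "$RULESPATH" ]; then
    /bin/mv -f "$RULES_TMP"/rules/*.rules "$RULESPATH"
    /bin/cp -f "$RULES_TMP"/rules/classification.config "$SNORTCFGPATH"
  else
    "$ECHO" "Missing rules-directory!"
    "$ECHO" "Aborting!"
    /bin/rm -rf "$RULES_TMP"
    exit 1
  fi
  # Cleaning up...
  /bin/rm -rf "$RULES_TMP"
  # Give everything to root
  /bin/chown root:root "${RULESPATH}"/*
}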
###########################################################################
####
# M A I N
#
###########################################################################
####
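# Error handling first: probe the server without downloading anything.
# The option is --spider (two dashes); a single-dash "-spider" is read by
# wget as a cluster of short options and does not perform the probe.
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" -P /etc/snort 2>&1)
# Log the probe output explicitly.
"$ECHO" "$FCHK" >> /etc/snort/snort.log
# If the output mentions "failed" or "error" we stop here.  Exit non-zero
# so a cron wrapper or monitoring sees the failed run.
if "$ECHO" "$FCHK" | grep -qi "failed" || "$ECHO" "$FCHK" | grep -qi "error"; then
  "$ECHO" "Error getting the files. The server seems to be not available."
  "$ECHO" "Error message:"
  "$ECHO" "$FCHK"
  "$ECHO" "Aborting!"
  exit 1
fi
"$ECHO" "Checking/getting files..."
# With -N, wget reports "not retrieving" when the local copy is up to date.
FCHK=$(/usr/bin/wget --spider -N -t 3 -T 5 "$SIGS_URL1" \
  -P /etc/snort 2>&1 | grep "not retrieving")
/bin/date >> /etc/snort/snort.log
"$ECHO" "Wget-output:"
"$ECHO" "$FCHK"
# Logging what we've done and when
"$ECHO" "$FCHK" >> /etc/snort/snort.log
if [ -z "$FCHK" ]; then
  "$ECHO" "The files on the server seem to be newer."
  "$ECHO" "We will get them now..."
  getrules
  # Reload rules
  "$SERVICE" snort reload
  # restartsnort
else
  "$ECHO" "The signature files on the server are older or not newer."
  "$ECHO" "Doing nothing for now..."
  "$ECHO" "Checking if Snort is running...."
  checksnort
  exit 0
fi
# Send a mail with the installed rules listing and the current Snort PIDs.
{
  ls -lA "$RULESPATH"
  printf '\n\nSnort running with PID %s\n' "$("$PIDOF" "$SNORT")"
} | mail -s "Reloaded Snort signatures on $MACHINE" "$MAILTO"
###########################################################################
###########################################################################
exit 0
#EOF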