Automated snort rule updating

Keep your Snort rules up-to-date with Oinkmaster.

If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process. However, as the number of sensors grows it can become more difficult. Luckily, you automatically update your Snort rules with Oinkmaster (http://oinkmaster.sourceforge.net/news.shtml).

Oinkmaster is a Perl script that does much more than just download new Snort rules. It will also modify the newly downloaded rules according to rules that you specify or selectively disable them, which is useful when you’ve modified the standard Snort rules to fit your environment more closely or have disabled a rule that was reporting too many false positives.

To install Oinkmaster, simply download the source distribution and unpack it. Then copy the oinkmaster.pl file from the directory that it creates to some suitable place on your system. In addition, you’ll need to copy the oinkmaster.conf file to either /etc or /usr/local/etc. The oinkmaster.conf that comes with the source distribution is full of comments explaining all the minute options that you can configure. Oinkmaster is most useful for when you want to update your rules but have a set of rules that you don’t want enabled and that are already commented out in your current Snort rules. To have Oinkmaster automatically disable these rules, use the disablesid directive with the Snort rule ID that you want disabled when your rules are updated.

For instance, you may get a lot of ICMP unreachable datagrams on your network and have determined that you don’t want to receive alerts when Snort detects this type of traffic. So, you decided to comment out the rule in your icmp.rules file:

# alert icmp any any -> any any (msg:”ICMP Destination Unreachable

(Communication Administratively Prohibited)”; itype: 3; icode: 13; sid:485;

classtype:misc-activity; rev:2;)

This is only one rule, so it’s easy to remember to go back and comment it out again after updating your rules, but this can become quite a chore when you’ve done the same thing with several dozen other rules. If you use Oinkmaster, putting the following line in your oinkmaster.conf file will disable the preceding rule after Oinkmaster has updated your rules with the newest ones available from snort.org:

disablesid 485

Then, when you want to update your rules, run oinkmaster.pl and tell it where you’d like the updated rules to be placed:

# oinkmaster.pl -o /etc/snort/rules

Now you won’t have to remember which rules to disable ever again.

Dette indlæg blev udgivet i Knowledge Base, Linux, Old Base. Bogmærk permalinket.

Skriv et svar