Keeping the Rules Up to Date

Problem

In the current Snort build, there are about 3,500 rules. How do I make sure I have the most current rules to protect my network?

Solution

The de facto Snort rule updater is Oinkmaster (http://oinkmaster.sourceforge.net). It allows for scripted and automatic rule updates. It runs as a command-line tool for ease of scripting, but it does have an add-on component for GUI management. The recommended way to use Oinkmaster is to determine when rules have changed, without having it automatically update your rules. If you allow Oinkmaster to update your rules automatically, you open up a big can of trouble for change management and rule management within a security team. However, it is useful if you just want a daily comparison between your currently running rules and the rules on www.snort.org.

Download Oinkmaster and create its working directories:

mkdir /opt/oinkmaster
mkdir /opt/oinkmaster/CURRENT_RULES
mkdir /opt/oinkmaster/NEW

Copy your currently running rules to CURRENT_RULES and compare them with the www.snort.org official rules. Here -o names the output directory, -C names the configuration file, and -c is Oinkmaster's careful mode, which reports what would change without touching any file:

perl oinkmaster.pl -o /opt/oinkmaster/CURRENT_RULES -c -C oinkmaster.conf

As you might have noticed, the results scroll by too quickly to read, so from a Bourne shell redirect them to a file:

perl oinkmaster.pl -o /opt/oinkmaster/CURRENT_RULES -c -C oinkmaster.conf > OINK_Report.txt 2>&1

For those readers who might convert this to a daily report to show any changes in the official rules, the following script should work:

#!/bin/sh
#####
# Checks daily for changes to the currently running Snort rule set
#
# Runs from cron every 24 hours
# EXAMPLE CRONTAB ENTRY (23:00 every day)
# 0 23 * * * /bin/sh /opt/DAILY_SNORT_RULES.sh
#
#####

# Variables

# Date of the report
mydate=$(date "+%c")

# Run Oinkmaster in careful mode (-c), capturing all of the output
perl /opt/oinkmaster/oinkmaster.pl -o /opt/oinkmaster/CURRENT_RULES -c \
    -C /opt/oinkmaster/oinkmaster.conf > /opt/oinkmaster/OINK_Report.txt 2>&1

# Create the report
echo " Snort Rule Change Report " > /opt/oinkmaster/Daily_report.txt
echo " " >> /opt/oinkmaster/Daily_report.txt
echo " For Date: $mydate " >> /opt/oinkmaster/Daily_report.txt
echo " " >> /opt/oinkmaster/Daily_report.txt
cat /opt/oinkmaster/OINK_Report.txt >> /opt/oinkmaster/Daily_report.txt

# Use mutt to send our email (the assembled report, not the raw Oinkmaster output)
mutt -s "Daily Snort Changes" IDS_TEAM@organization < /opt/oinkmaster/Daily_report.txt

# FUTURE IMPROVEMENTS
# Push to web server for a web portal?
# Other ideas?

# Done !!

##### END OF SCRIPT
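The daily report above passes Oinkmaster's careful-mode output through verbatim. The following script is an added example (it is not from the Snort Cookbook or the Oinkmaster project) that shows how to turn the CURRENT_RULES and NEW directories created earlier into a per-SID change summary, so the IDS team can see exactly which rules were added, removed or altered upstream before anyone decides to apply them. All rule lines and paths it uses are constructed sample data, and the SIDs 10000 to 10003 are placeholders rather than real snort.org rule numbers.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook or the Oinkmaster project.
# Compares the rules in CURRENT_RULES with a freshly downloaded set in NEW
# rule by rule (keyed on the sid), so the daily report can say exactly which
# SIDs were added, removed or changed. All paths and rule lines below are
# constructed sample data; the SIDs (10000-10003) are placeholders, not
# real snort.org rule numbers.

export LC_ALL=C          # byte-wise sort order, which comm and join require
TAB=$(printf '\t')

# Print "sid<TAB>rule text" for every rule (active or commented out) in the
# .rules files of a directory, sorted by sid. Keeping the leading "#" in the
# text means a rule that was merely enabled or disabled upstream shows as CHANGED.
rule_index() {
    dir=$1
    cat "$dir"/*.rules 2>/dev/null |
    grep -E '^[[:space:]]*#?[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' |
    sed 's/^[[:space:]]*//' |
    awk '{
        if (match($0, /sid: *[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/ /, "", sid)
            print sid "\t" $0
        }
    }' |
    sort -t "$TAB" -k1,1
}

# Report ADDED / REMOVED / CHANGED sids between an old and a new rule directory.
rule_diff() {
    old=$1
    new=$2
    tmp=$(mktemp -d)
    rule_index "$old" > "$tmp/old"
    rule_index "$new" > "$tmp/new"
    cut -f1 "$tmp/old" > "$tmp/old.sids"
    cut -f1 "$tmp/new" > "$tmp/new.sids"
    # sids present on one side only
    comm -13 "$tmp/old.sids" "$tmp/new.sids" | sed 's/^/ADDED   /'
    comm -23 "$tmp/old.sids" "$tmp/new.sids" | sed 's/^/REMOVED /'
    # sids present on both sides whose rule text differs
    join -t "$TAB" "$tmp/old" "$tmp/new" |
    awk -F '\t' '$2 != $3 { print "CHANGED " $1 }'
    rm -rf "$tmp"
}

# Build constructed sample data: $1/CURRENT_RULES (running) and $1/NEW (downloaded).
make_sample() {
    base=$1
    mkdir -p "$base/CURRENT_RULES" "$base/NEW"
    cat > "$base/CURRENT_RULES/web.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"SAMPLE unchanged rule"; sid:10000; rev:1;)
alert tcp any any -> any 21 (msg:"SAMPLE rule disabled upstream"; sid:10001; rev:1;)
alert tcp any any -> any 25 (msg:"SAMPLE rule removed upstream"; sid:10002; rev:1;)
EOF
    cat > "$base/NEW/web.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"SAMPLE unchanged rule"; sid:10000; rev:1;)
# alert tcp any any -> any 21 (msg:"SAMPLE rule disabled upstream"; sid:10001; rev:1;)
alert tcp any any -> any 53 (msg:"SAMPLE rule added upstream"; sid:10003; rev:1;)
EOF
}

# Stand-alone run: build the sample and print the change summary.
base=$(mktemp -d)
make_sample "$base"
rule_diff "$base/CURRENT_RULES" "$base/NEW"
rm -rf "$base"
```

On the sample data the summary is three lines: sid 10003 is ADDED, sid 10002 is REMOVED, and sid 10001 is CHANGED because upstream commented it out. In a cron job you would point rule_diff at /opt/oinkmaster/CURRENT_RULES and /opt/oinkmaster/NEW and append its output to the daily report instead of the raw OINK_Report.txt.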

 

Discussion

You can configure several options in the oinkmaster.conf file to enable Oinkmaster to change your rule sets. With the oinkmaster.conf file, you can specify such things as:

  • Push the rules to other hosts via SSH's secure copy (scp) once they're downloaded and updated.
  • Edit the oinkmaster.conf file to compare only your rules files. Find the line in the conf file that reads

    update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

    and change it to

    update_files = \.rules$

    This tells Oinkmaster to compare only rules files and not other files such as your snort.conf file.
  • Edit the oinkmaster.conf file to ignore certain rules files. For example, a good idea is to only add or change rules in the local.rules file, and then leave the official rules alone. If you follow that guideline, you'll find that rule management becomes a whole lot easier. Find the line in the conf file that reads

    # skipfile=local.rules

    and, if you are following the above guideline, uncomment it by removing the "#".
  • If, however, you are making changes to other files and want to keep them, just add a new line in the config file with a comment as to why you are skipping the rules file. (This is a good habit to start, especially in larger security teams.) Then create a skipfile= line for that rules file.
  • Edit the oinkmaster.conf file to change, modify, and even enable and disable Snort rules based on SID number. Each Snort rule has a unique number assigned to it. The ones from www.snort.org are numbered up to about 3,500. Custom rules made by individuals and organizations should be numbered above 10,000.

For example, to modify one or more Snort rules, edit the oinkmaster.conf file. You will need to specify the rule number and the change you want to make, as in the following example. Note that a line in oinkmaster.conf that begins with "#" is a comment, so the directive must be uncommented to take effect.

modifysid 1378 "^alert" | "pass"

This changes Snort rule number 1378 from an alerting rule to a pass rule that will ignore the traffic.

If, however, you want to forcibly enable or disable specific rules, that's possible as well. Use the enablesid and disablesid commands in the oinkmaster.conf file.

To enable a specific rule that was disabled in the official www.snort.org distribution, you would use something like the following:

enablesid 1325

You can also disable a specific rule that was enabled in www.snort.org's distribution. For example, you could disable a rule that, on your network, is quite noisy with false positives with the following:

disablesid 1325

So as you can see, Oinkmaster offers quite a bit of functionality for an organization's IDS team.
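To see what those three directives actually do to a rules file before trusting them in production, the following added example (not from the Snort Cookbook or the Oinkmaster project) re-implements their effect in a few lines of shell and applies a constructed oinkmaster.conf excerpt to a constructed sample.rules file. It assumes that a directive names one sid or a comma-separated list of sids, and that the modifysid pattern is a sed basic regular expression with no "/" in it (Oinkmaster itself uses Perl regular expressions); the sids 10001 to 10003 are placeholders.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook or the Oinkmaster project.
# A small re-implementation of what the three SID directives do to a rules
# file, so the effect of disablesid, enablesid and modifysid can be seen on
# a constructed sample before relying on them in a real oinkmaster.conf:
#   disablesid N            -> prefix the rule line(s) with "# "
#   enablesid  N            -> strip a leading "#" from the rule line(s)
#   modifysid  N "re" | "r" -> substitute re with r on the rule line(s)
# Assumptions: N is a sid or a comma-separated list of sids; the modifysid
# pattern is a sed basic regular expression containing no "/" (Oinkmaster
# itself uses Perl regular expressions). The sids below are placeholders.

# Apply the SID directives found in conf file $2 to rules file $1, in place.
apply_directives() {
    rules=$1
    conf=$2
    grep -E '^(enablesid|disablesid|modifysid)[[:space:]]' "$conf" |
    while IFS= read -r line; do
        cmd=${line%% *}                      # directive name
        rest=${line#* }                      # everything after it
        case $cmd in
            disablesid|enablesid)
                sids=$rest
                ;;
            modifysid)
                sids=${rest%%\"*}            # sids come before the first quote
                re=$(printf '%s\n' "$rest" | sed 's/^[^"]*"\([^"]*\)".*/\1/')
                repl=$(printf '%s\n' "$rest" | sed 's/^[^"]*"[^"]*"[^"]*"\([^"]*\)".*/\1/')
                ;;
        esac
        for sid in $(printf '%s\n' "$sids" | tr ',' ' '); do
            case $cmd in
                disablesid)
                    # comment out lines carrying this sid that are not already comments
                    sed -e "/sid: *$sid;/{" -e '/^#/!s/^/# /' -e '}' "$rules" > "$rules.tmp"
                    ;;
                enablesid)
                    sed -e "/sid: *$sid;/s/^#[[:space:]]*//" "$rules" > "$rules.tmp"
                    ;;
                modifysid)
                    sed -e "/sid: *$sid;/s/$re/$repl/" "$rules" > "$rules.tmp"
                    ;;
            esac
            mv "$rules.tmp" "$rules"
        done
    done
}

# Constructed sample: a rules file and an oinkmaster.conf excerpt under $1.
make_demo() {
    dir=$1
    cat > "$dir/sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"SAMPLE noisy on our network"; sid:10001; rev:1;)
# alert tcp any any -> any 21 (msg:"SAMPLE disabled upstream but wanted here"; sid:10002; rev:1;)
alert tcp any any -> any 25 (msg:"SAMPLE traffic we choose to pass"; sid:10003; rev:1;)
EOF
    cat > "$dir/oinkmaster.conf" <<'EOF'
# constructed excerpt; only the SID directives matter to apply_directives
disablesid 10001
enablesid 10002
modifysid 10003 "^alert" | "pass"
EOF
}

# Stand-alone run: apply the excerpt and show the resulting rules file.
dir=$(mktemp -d)
make_demo "$dir"
apply_directives "$dir/sample.rules" "$dir/oinkmaster.conf"
cat "$dir/sample.rules"
rm -rf "$dir"
```

After the run, sid 10001 is commented out, sid 10002 is active again, and sid 10003 starts with pass instead of alert, which is exactly what you should see in the corresponding lines of Oinkmaster's careful-mode report before letting it write the change for real.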

Finally, if you want a functional GUI for Oinkmaster, an oinkgui.pl file comes with the Oinkmaster distribution under the contrib directory. However, to run this under *nix systems, you will need to have Perl/Tk installed.

To install a new Perl module on a system, if you have root access, download Tk from this site, as found in the Oinkmaster documentation.

http://www.cpan.org/authors/id/NI-S/Tk-800.024.tar.gz

Once downloaded, the simplest way to install a new Perl module is to extract and compile the source code into your local Perl library:

# EXAMPLE Tk-800.024
tar xzf Tk-800.024.tar.gz
cd Tk-800.024
perl Makefile.PL
make
make test
make install

If you are on a Windows system and want to use the GUI, just download and install the ActivePerl Windows distribution from http://www.activestate.com. This build comes with all the components necessary to run the GUI. Run the GUI with:

perl oinkgui.pl

Once in the GUI, you will need to specify the location of several key components, such as the following:

Path to your Oinkmaster.conf file:
C:\snort22x\Oinkmaster\Oinkmaster.conf

Path to your oinkmaster.pl file:
C:\snort22x\Oinkmaster\oinkmaster.pl

Your output directory:
C:\snort22x\Oinkmaster\logs

For an example of the GUI, see Figure 3-1; you might find it easier to use than editing the config file itself.

Figure 3-1. Oinkmaster GUI examples

 

See Also

http://oinkmaster.sourceforge.net

Oinkmaster mailing list

Basic Rules You Shouldn't Leave Home Without

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167
