Thursday, October 22, 2009

Hack 90 Automatically Update Snort's Rules












Keep your Snort rules up-to-date with Oinkmaster.





If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process. However, as the number of sensors grows it can become more difficult. Luckily, you can automatically update your Snort rules with Oinkmaster (http://oinkmaster.sourceforge.net/news.shtml).





Oinkmaster is a Perl script that does much more than just download new Snort rules. It will also modify the newly downloaded rules according to rules that you specify, or selectively disable them, which is useful when you've modified the standard Snort rules to fit your environment more closely or have disabled a rule that was reporting too many false positives.





To install Oinkmaster, simply download the source distribution and unpack it. Then copy the oinkmaster.pl file from the directory that it creates to some suitable place on your system. In addition, you'll need to copy the oinkmaster.conf file to either /etc or /usr/local/etc. The oinkmaster.conf that comes with the source distribution is full of comments explaining all the minute options that you can configure. Oinkmaster is most useful for when you want to update your rules but have a set of rules that you don't want enabled and that are already commented out in your current Snort rules. To have Oinkmaster automatically disable these rules, use the disablesid directive with the Snort rule ID (SID) that you want disabled when your rules are updated.





For instance, you may get a lot of ICMP unreachable datagrams on your network and have determined that you don't want to receive alerts when Snort detects this type of traffic. So, you decided to comment out the rule in your icmp.rules file:





# alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype: 3; icode: 13; sid:485; classtype:misc-activity; rev:2;)




This is only one rule, so it's easy to remember to go back and comment it out again after updating your rules, but this can become quite a chore when you've done the same thing with several dozen other rules. If you use Oinkmaster, putting the following line in your oinkmaster.conf file will disable the preceding rule after Oinkmaster has updated your rules with the newest ones available from snort.org:





disablesid 485




Then, when you want to update your rules, run oinkmaster.pl and tell it where you'd like the updated rules to be placed:





# oinkmaster.pl -o /etc/snort/rules




Now you won't have to remember which rules to disable ever again.
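To make the disablesid mechanism concrete, here is an added Python illustration of what happens to a freshly downloaded rules file after the update step: every disablesid entry in the config is collected, and each matching rule in the new download is commented out, while rules that upstream already shipped commented out are left alone. This is not Oinkmaster's own code (Oinkmaster is a Perl script) and it does not download anything; the rules text and the config line are constructed sample input, and the function names (parse_disablesid, apply_disablesid, join_continuations) are hypothetical.

```python
"""Illustration of applying Oinkmaster-style 'disablesid' directives to a
newly downloaded Snort rules file.  Added example, not Oinkmaster's code."""
import re

# 'sid:485;' inside a rule body; whitespace after the colon is optional in Snort.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A rule line, possibly already commented out ('# alert ...').
RULE_RE = re.compile(
    r"^(?P<prefix>\s*(?:#\s*)?)"
    r"(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s.*)$"
)
# 'disablesid 485' or 'disablesid 485, 486'; trailing '# comments' are stripped first.
DIRECTIVE_RE = re.compile(r"^\s*disablesid\s+(.+?)\s*$")


def parse_disablesid(conf_text):
    """Return the set of SIDs named by disablesid lines in an oinkmaster.conf-style text."""
    sids = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        for tok in re.split(r"[,\s]+", m.group(1)):
            if tok.isdigit():
                sids.add(int(tok))
    return sids


def join_continuations(text):
    """Snort lets a rule continue on the next line after a trailing backslash;
    fold those so every rule is one logical line before matching on it."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def apply_disablesid(rules_text, disabled):
    """Comment out every active rule whose SID is in 'disabled'.
    Rules that are already commented out are returned unchanged, so running
    this twice over the same file is harmless."""
    out = []
    for line in join_continuations(rules_text):
        m = RULE_RE.match(line)
        if m and not m.group("prefix").lstrip().startswith("#"):
            sid = SID_RE.search(m.group("body"))
            if sid and int(sid.group(1)) in disabled:
                line = "# " + m.group("body")
        out.append(line)
    return "\n".join(out) + "\n"


def update_rules(new_rules_text, conf_text):
    """The post-download step: new rules in, locally adjusted rules out."""
    return apply_disablesid(new_rules_text, parse_disablesid(conf_text))


# Constructed sample input: two rules as they might arrive from a rules update.
NEW_RULES = """\
alert icmp any any -> any any (msg:"ICMP Destination Unreachable \\
(Communication Administratively Prohibited)"; itype:3; icode:13; sid:485; \\
classtype:misc-activity; rev:2;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:408; classtype:misc-activity; rev:5;)
"""
# Constructed config fragment, in the style of the disablesid line shown above.
CONF = "disablesid 485  # noisy on our network, see icmp.rules\n"

if __name__ == "__main__":
    print(update_rules(NEW_RULES, CONF), end="")
```

Running the block prints the two rules with SID 485 commented out and SID 408 untouched; feeding the output back through update_rules yields the same text, which is the property that makes re-running an update after every download safe.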
















